Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Analysis ID:	1482888
MD5:	3ac2ab389629ee685878da77c511f359
SHA1:	05a6ccb19d32aa653a942dea5d6401249bb8f7d2
SHA256:	5cb06070e2428b600080a8b4a21fde3ed5d773ca0a1cf3bea381ce96c1fa305d
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

powershell.exe (PID: 6400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7240 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2496 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

UTiPLNuHYu.exe (PID: 7176 cmdline: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe MD5: 3AC2AB389629EE685878DA77C511F359)

schtasks.exe (PID: 7408 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UTiPLNuHYu.exe (PID: 7460 cmdline: "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

UTiPLNuHYu.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

UTiPLNuHYu.exe (PID: 7476 cmdline: "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

mpTrle.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

schtasks.exe (PID: 7804 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpDED0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mpTrle.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

mpTrle.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

schtasks.exe (PID: 8148 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mpTrle.exe (PID: 6452 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

mpTrle.exe (PID: 6280 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: 3AC2AB389629EE685878DA77C511F359)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password:  )NYyffR0   "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 6784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 6784	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: UTiPLNuHYu.exe PID: 7176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UTiPLNuHYu.exe PID: 7176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: UTiPLNuHYu.exe PID: 7176	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: UTiPLNuHYu.exe PID: 7476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UTiPLNuHYu.exe PID: 7476	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 7596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 7596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mpTrle.exe PID: 7596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 7856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 7856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 8064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 8064	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 6280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 6280	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.mpTrle.exe.3dba728.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.mpTrle.exe.3dba728.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.mpTrle.exe.3dba728.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.UTiPLNuHYu.exe.42a9c70.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.UTiPLNuHYu.exe.42a9c70.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.UTiPLNuHYu.exe.42e4c90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.UTiPLNuHYu.exe.42a9c70.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.UTiPLNuHYu.exe.42e4c90.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.UTiPLNuHYu.exe.42e4c90.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.mpTrle.exe.34b5788.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.mpTrle.exe.34b5788.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.mpTrle.exe.34b5788.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
20.2.mpTrle.exe.3df5748.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.mpTrle.exe.3df5748.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.mpTrle.exe.3df5748.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.mpTrle.exe.347a768.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.mpTrle.exe.347a768.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.mpTrle.exe.347a768.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.mpTrle.exe.34b5788.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.mpTrle.exe.34b5788.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.mpTrle.exe.34b5788.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.mpTrle.exe.3df5748.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.mpTrle.exe.3df5748.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
20.2.mpTrle.exe.3df5748.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.mpTrle.exe.347a768.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.mpTrle.exe.347a768.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.mpTrle.exe.347a768.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
20.2.mpTrle.exe.3dba728.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.mpTrle.exe.3dba728.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.mpTrle.exe.3dba728.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ParentProcessId: 7016, ParentProcessName: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", ProcessId: 6400, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ProcessId: 6784, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe, ParentImage: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe, ParentProcessId: 7176, ParentProcessName: UTiPLNuHYu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp", ProcessId: 7408, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, Initiated: true, ProcessId: 6784, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ParentProcessId: 7016, ParentProcessName: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", ProcessId: 2496, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ParentProcessId: 7016, ParentProcessName: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe", ProcessId: 6400, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ParentProcessId: 7016, ParentProcessName: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp", ProcessId: 2496, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T10:29:01.890339+0200
SID:	2022930
Source Port:	443
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T10:28:23.350688+0200
SID:	2022930
Source Port:	443
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Avira: detection malicious, Label: HEUR/AGEN.1308640
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Avira: detection malicious, Label: HEUR/AGEN.1308640

Found malware configuration

Source: 20.2.mpTrle.exe.3df5748.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password: )NYyffR0 "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Virustotal: Detection: 59%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Virustotal: Detection: 59%			Perma Link
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 208.91.198.143:587

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1790616281.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1849930169.0000000003287000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1935054356.0000000002457000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2009322632.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2971486884.0000000000436000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2971496563.0000000000435000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49742 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, 3DlgK9re6m.cs	.Net Code: sIJKyc
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, 3DlgK9re6m.cs	.Net Code: sIJKyc

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.mpTrle.exe.3dba728.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.UTiPLNuHYu.exe.42a9c70.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.UTiPLNuHYu.exe.42e4c90.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.mpTrle.exe.34b5788.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.mpTrle.exe.3df5748.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.mpTrle.exe.347a768.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.mpTrle.exe.34b5788.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.mpTrle.exe.3df5748.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.mpTrle.exe.347a768.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.mpTrle.exe.3dba728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.57a0000.5.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.3132f7c.0.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_016ADEA4	0_2_016ADEA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01716C4A	0_2_01716C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01710830	0_2_01710830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_017128A0	0_2_017128A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01713310	0_2_01713310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01713301	0_2_01713301
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01710C68	0_2_01710C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01712468	0_2_01712468
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01712458	0_2_01712458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_0182E3E0	5_2_0182E3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_01824AD0	5_2_01824AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_01823EB8	5_2_01823EB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_0182F1BB	5_2_0182F1BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_0182B308	5_2_0182B308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_01824200	5_2_01824200
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DDE2F1	5_2_06DDE2F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DDC518	5_2_06DDC518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DDB3EC	5_2_06DDB3EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DD9DB8	5_2_06DD9DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E43488	5_2_06E43488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E465E0	5_2_06E465E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E455C8	5_2_06E455C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E4C568	5_2_06E4C568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E4B211	5_2_06E4B211
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E45CD7	5_2_06E45CD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E47D68	5_2_06E47D68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E47688	5_2_06E47688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E4E788	5_2_06E4E788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E40040	5_2_06E40040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06E40006	5_2_06E40006
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_03214B01	6_2_03214B01
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_0321DEA4	6_2_0321DEA4
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05295F18	6_2_05295F18
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05292468	6_2_05292468
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05292458	6_2_05292458
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05293301	6_2_05293301
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05293310	6_2_05293310
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05290C68	6_2_05290C68
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05295F08	6_2_05295F08
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05290830	6_2_05290830
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_05290818	6_2_05290818
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_052928A0	6_2_052928A0
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_0127B308	12_2_0127B308
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_0127AB40	12_2_0127AB40
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_01274AD0	12_2_01274AD0
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_01273EB8	12_2_01273EB8
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_01274200	12_2_01274200
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06B7C518	12_2_06B7C518
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06B79DB8	12_2_06B79DB8
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD2380	12_2_06BD2380
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD61E0	12_2_06BD61E0
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD51C8	12_2_06BD51C8
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BDC168	12_2_06BDC168
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BDAE20	12_2_06BDAE20
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD58E8	12_2_06BD58E8
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD7968	12_2_06BD7968
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD7288	12_2_06BD7288
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BDE388	12_2_06BDE388
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD0006	12_2_06BD0006
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06BD0040	12_2_06BD0040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_0088DEA4	13_2_0088DEA4
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04465F18	13_2_04465F18
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04462458	13_2_04462458
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04460C68	13_2_04460C68
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04462468	13_2_04462468
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04465F08	13_2_04465F08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04460830	13_2_04460830
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_044628A0	13_2_044628A0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04463301	13_2_04463301
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_04463310	13_2_04463310
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_01464AD0	19_2_01464AD0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_0146EAD8	19_2_0146EAD8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_01463EB8	19_2_01463EB8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_01464200	19_2_01464200
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_0146AD08	19_2_0146AD08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C1A8B4	19_2_06C1A8B4
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C1A598	19_2_06C1A598
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C1DBF0	19_2_06C1DBF0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C23490	19_2_06C23490
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C255D0	19_2_06C255D0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C265E8	19_2_06C265E8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C2B220	19_2_06C2B220
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C2C178	19_2_06C2C178
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C27D70	19_2_06C27D70
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C27690	19_2_06C27690
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C2E398	19_2_06C2E398
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C20040	19_2_06C20040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C25CDF	19_2_06C25CDF
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_0119DEA4	20_2_0119DEA4
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC5F18	20_2_02BC5F18
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC3310	20_2_02BC3310
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC3301	20_2_02BC3301
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC2468	20_2_02BC2468
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC2458	20_2_02BC2458
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC28A0	20_2_02BC28A0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC0830	20_2_02BC0830
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC5F08	20_2_02BC5F08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC0C68	20_2_02BC0C68
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013DEAD8	24_2_013DEAD8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013D4AD0	24_2_013D4AD0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013D3EB8	24_2_013D3EB8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013D4200	24_2_013D4200
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013DAD08	24_2_013DAD08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B6A8B4	24_2_06B6A8B4
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B6A598	24_2_06B6A598
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B6DBF0	24_2_06B6DBF0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B73490	24_2_06B73490
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B765E8	24_2_06B765E8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B755D0	24_2_06B755D0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B7B220	24_2_06B7B220
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B7C178	24_2_06B7C178
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B77D70	24_2_06B77D70
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B77690	24_2_06B77690
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B7E398	24_2_06B7E398
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B70040	24_2_06B70040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_06B75CDF	24_2_06B75CDF

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1790616281.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1793676399.00000000057A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1794443006.0000000006210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1788213845.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1790616281.0000000003111000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.00000000042EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000000.1727124968.0000000000C92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVphj.exe< vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2972695779.0000000001359000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Binary or memory string: OriginalFilenameVphj.exe< vs SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 20.2.mpTrle.exe.3dba728.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.UTiPLNuHYu.exe.42a9c70.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.UTiPLNuHYu.exe.42e4c90.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.mpTrle.exe.34b5788.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.mpTrle.exe.3df5748.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.mpTrle.exe.347a768.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.mpTrle.exe.34b5788.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.mpTrle.exe.3df5748.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.mpTrle.exe.347a768.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.mpTrle.exe.3dba728.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UTiPLNuHYu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, xh7Ze27jhlR7wxiGEu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, xh7Ze27jhlR7wxiGEu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/16@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

File created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZmZrUStTlFuSGnSBmOSiag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Virustotal: Detection: 59%
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpDED0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpDED0.tmp"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, StatGrapher.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: UTiPLNuHYu.exe.0.dr, StatGrapher.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.57a0000.5.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.3132f7c.0.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	.Net Code: vK6WDEejOI System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	.Net Code: vK6WDEejOI System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01716170 pushad ; iretd	0_2_01716171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 0_2_01719D8D push FFFFFF8Bh; iretd	0_2_01719D8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DD4D80 push esp; retf	5_2_06DD4D8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Code function: 5_2_06DD5B0F push es; ret	5_2_06DD5B10
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 6_2_0529910D push FFFFFF8Bh; iretd	6_2_0529910F
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_01270C55 push edi; retf	12_2_01270C7A
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Code function: 12_2_06B75B00 push es; ret	12_2_06B75B10
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 13_2_0446904D push FFFFFF8Bh; iretd	13_2_0446904F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_01460C55 push edi; retf	19_2_01460C7A
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 19_2_06C1FEF3 push es; ret	19_2_06C1FEF4
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_0119E52C push edi; ret	20_2_0119E536
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_0119EE58 pushad ; ret	20_2_0119EE66
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_0119CEA8 pushad ; ret	20_2_0119CEBA
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 20_2_02BC910D push FFFFFF8Bh; iretd	20_2_02BC910F
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 24_2_013D0C55 push edi; retf	24_2_013D0C7A

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Static PE information: section name: .text entropy: 7.946917722198967
Source: UTiPLNuHYu.exe.0.dr	Static PE information: section name: .text entropy: 7.946917722198967

Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, qS6WaQz3rud4pOOkZg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KU6jcZvdKA', 'UKQjLUO19W', 'rI6jUVD6T8', 'CJfja9kWyy', 'PUwjhtLiTe', 'wxkjjfDd2g', 'cWEjluLMvS'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	High entropy of concatenated method names: 'QTpiqTJhN6', 'qqjiv3oIab', 'snWi2PIDVj', 'jn3iwu1k5j', 'QyZinCpHCC', 'TKtiyM4QDu', 'Rthi6I5SQL', 'NMDios7nub', 'KgCiYuKjQ9', 'hOWitWVQJY'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, l1TjgJZiaP4TqC4fZXW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VUvlVR2qWL', 'kJ9lfcFvy7', 'ejTlp87H0G', 'l2ilk8opXE', 'mCRlCfIC0f', 'pF3lNXBpvZ', 'wUQlRo8PRw'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, patFjKwYbrr7wnCu49.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SsIO3P09Py', 'QD2OJw1hUg', 'ffqOzRmZHm', 'wwYi05rcR3', 'zFGiZRHv0j', 'Lx3iOdFBKy', 'SXPiiPyrao', 'mUXGH4Aj0dCq4vPXTfp'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, B0d25wsUG0HDI2Z8f8.cs	High entropy of concatenated method names: 'SfJc7juv1n', 'Wo4cgO9Eji', 'XkocHwidoe', 'bGlcSpvgOL', 'WraceKQYZ2', 'fd9crJHTQS', 'y9KcGL5umA', 'bSKcI6bbvC', 'Ep0cBMt4QM', 'Rj1cuL7uIQ'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, GOUe7IJpeNc4mvuYIT.cs	High entropy of concatenated method names: 'BogjZ2JSpy', 'jAIjirK3Po', 'H9ljWUCR0P', 'LvDjvceM3U', 'ecej23Qreo', 'PykjnALCVm', 'SkQjy9PBad', 'KbshRRUtj5', 'GBHh1jtWdr', 'x5Uh3KNtdu'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, XkVF3D2BeXftFo8cqK.cs	High entropy of concatenated method names: 'Dispose', 'T7JZ3rLmni', 'IBBOSUvXcj', 'PEmKKTXPy0', 'LLnZJw1c6S', 'BEnZzjsxQd', 'ProcessDialogKey', 'xnlO0piE59', 'kCoOZeWlSc', 'hr6OOHOUe7'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, Rx5caJN7xQ5cxLjRmN.cs	High entropy of concatenated method names: 'i57a1JQBeW', 'btMaJu7JqH', 'KmYh0YwZ1Q', 'JC4hZJVv3K', 'uEtauybbgY', 'cAjammBEAc', 'O7NasV1aY5', 'AI3aVqcoFM', 'JZoafVDiyY', 'thbapTMOgq'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, xh7Ze27jhlR7wxiGEu.cs	High entropy of concatenated method names: 'WM82VKZOnW', 'Lir2fftbVN', 'Bgy2pARvFY', 'jqh2kKVTs4', 'bUw2CI37xu', 'MGT2Nn8toI', 'Gph2RTvlbO', 'uNA21vEhCp', 's1A23Ic8aL', 'kL62JfJ02F'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, CfVLeRZ0fCPbwTRpXVX.cs	High entropy of concatenated method names: 'v6tjPJ7ktR', 'XvBjK79vQu', 'JYdjDteQDX', 'AvMjbCNiND', 'xw9jAga9Xy', 'G4mj5LWXWU', 'TdTjMDe2Bb', 'eD9j7C5No9', 'jYLjgBnx8d', 'G2cjxiplKP'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, pnw1c61SAEnjsxQdPn.cs	High entropy of concatenated method names: 'zJHhvQUFCf', 'QnEh2xsrA5', 'vn9hwIXfIX', 'Tj3hnnqc99', 'QZghyYueIY', 'WBOh6gQLuG', 'X9hhoHr2yL', 'UT7hY0QtAY', 'QHIht9wyKy', 'Ycvh4rYZa4'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, LdkFnaEUNvG12q8J5f.cs	High entropy of concatenated method names: 'xOC6PDv41j', 'JeW6K9lrlt', 'jyJ6Dgsn37', 'qgY6bFXcfJ', 'YUX6A5shuj', 'QQB65sGpEA', 'rwn6MoVKJp', 'OBm673sC77', 'AbP6grk3Nl', 'ccm6xba3ZZ'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, Kke9OiWaQ5u3N9S7Qf.cs	High entropy of concatenated method names: 'vAPZ6h7Ze2', 'rhlZoR7wxi', 'zD5Zt4raG1', 'JIKZ4PK5Cm', 'rQEZLvkq4F', 'RytZUnnGx4', 'z2w7f5LtkjJL9RwtfM', 'TD8ZHiqHYu1Y0sZGJu', 'DnnZZSJgdj', 'BVVZi20yB7'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, I43C61GjeNqdxOqCmZ.cs	High entropy of concatenated method names: 'der6vFPyIO', 'e1r6wj5VKZ', 'hyp6yVxn70', 'pRCyJnZ8tr', 'MdlyzXgCwj', 'wQ2608P3t8', 'EGj6ZRXblQ', 'lsm6OdGsLu', 'gpc6iSwIVI', 'U2S6WkBvoe'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, QEq4NDgD54raG1rIKP.cs	High entropy of concatenated method names: 'tSewbGkxCx', 'jj5w5ow8ne', 'GpGw7NHbAB', 'rUNwgpCpxc', 'JH4wLWpHiY', 'o8KwUuEoKC', 'XBEwakOiuU', 'QNYwh5AAEH', 'Gt5wjIikFn', 'TNBwljQMFd'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, aruLftOc4Rd1lvxZI5.cs	High entropy of concatenated method names: 'cq8DlZGFp', 'YS4bf678C', 'HbU5q7DrJ', 'pRlMQMqid', 'k8ngDqOK9', 'Goyx5OxQm', 'Bxhkj2MK4R9rKhqFOr', 'L6gTpI7WU9jjUWYTmp', 'zyLhwuNax', 'IL2la3YiS'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.6210000.8.raw.unpack, e4FfytHnnGx4LF5gSR.cs	High entropy of concatenated method names: 'F32yqq3hUN', 'MUny2ORTYZ', 'gQiynqSNWw', 'cbYy6hjhSo', 'cNkyobeHf9', 'zT6nCnybpM', 'bBdnNjet9h', 'XoKnRvcpxY', 'TpQn17jZXR', 'FQ6n352csQ'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, qS6WaQz3rud4pOOkZg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KU6jcZvdKA', 'UKQjLUO19W', 'rI6jUVD6T8', 'CJfja9kWyy', 'PUwjhtLiTe', 'wxkjjfDd2g', 'cWEjluLMvS'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GtmOKRoEt31uvVTiMJ.cs	High entropy of concatenated method names: 'QTpiqTJhN6', 'qqjiv3oIab', 'snWi2PIDVj', 'jn3iwu1k5j', 'QyZinCpHCC', 'TKtiyM4QDu', 'Rthi6I5SQL', 'NMDios7nub', 'KgCiYuKjQ9', 'hOWitWVQJY'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, l1TjgJZiaP4TqC4fZXW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VUvlVR2qWL', 'kJ9lfcFvy7', 'ejTlp87H0G', 'l2ilk8opXE', 'mCRlCfIC0f', 'pF3lNXBpvZ', 'wUQlRo8PRw'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, patFjKwYbrr7wnCu49.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SsIO3P09Py', 'QD2OJw1hUg', 'ffqOzRmZHm', 'wwYi05rcR3', 'zFGiZRHv0j', 'Lx3iOdFBKy', 'SXPiiPyrao', 'mUXGH4Aj0dCq4vPXTfp'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, B0d25wsUG0HDI2Z8f8.cs	High entropy of concatenated method names: 'SfJc7juv1n', 'Wo4cgO9Eji', 'XkocHwidoe', 'bGlcSpvgOL', 'WraceKQYZ2', 'fd9crJHTQS', 'y9KcGL5umA', 'bSKcI6bbvC', 'Ep0cBMt4QM', 'Rj1cuL7uIQ'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, GOUe7IJpeNc4mvuYIT.cs	High entropy of concatenated method names: 'BogjZ2JSpy', 'jAIjirK3Po', 'H9ljWUCR0P', 'LvDjvceM3U', 'ecej23Qreo', 'PykjnALCVm', 'SkQjy9PBad', 'KbshRRUtj5', 'GBHh1jtWdr', 'x5Uh3KNtdu'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, XkVF3D2BeXftFo8cqK.cs	High entropy of concatenated method names: 'Dispose', 'T7JZ3rLmni', 'IBBOSUvXcj', 'PEmKKTXPy0', 'LLnZJw1c6S', 'BEnZzjsxQd', 'ProcessDialogKey', 'xnlO0piE59', 'kCoOZeWlSc', 'hr6OOHOUe7'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, Rx5caJN7xQ5cxLjRmN.cs	High entropy of concatenated method names: 'i57a1JQBeW', 'btMaJu7JqH', 'KmYh0YwZ1Q', 'JC4hZJVv3K', 'uEtauybbgY', 'cAjammBEAc', 'O7NasV1aY5', 'AI3aVqcoFM', 'JZoafVDiyY', 'thbapTMOgq'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, xh7Ze27jhlR7wxiGEu.cs	High entropy of concatenated method names: 'WM82VKZOnW', 'Lir2fftbVN', 'Bgy2pARvFY', 'jqh2kKVTs4', 'bUw2CI37xu', 'MGT2Nn8toI', 'Gph2RTvlbO', 'uNA21vEhCp', 's1A23Ic8aL', 'kL62JfJ02F'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, CfVLeRZ0fCPbwTRpXVX.cs	High entropy of concatenated method names: 'v6tjPJ7ktR', 'XvBjK79vQu', 'JYdjDteQDX', 'AvMjbCNiND', 'xw9jAga9Xy', 'G4mj5LWXWU', 'TdTjMDe2Bb', 'eD9j7C5No9', 'jYLjgBnx8d', 'G2cjxiplKP'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, pnw1c61SAEnjsxQdPn.cs	High entropy of concatenated method names: 'zJHhvQUFCf', 'QnEh2xsrA5', 'vn9hwIXfIX', 'Tj3hnnqc99', 'QZghyYueIY', 'WBOh6gQLuG', 'X9hhoHr2yL', 'UT7hY0QtAY', 'QHIht9wyKy', 'Ycvh4rYZa4'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, LdkFnaEUNvG12q8J5f.cs	High entropy of concatenated method names: 'xOC6PDv41j', 'JeW6K9lrlt', 'jyJ6Dgsn37', 'qgY6bFXcfJ', 'YUX6A5shuj', 'QQB65sGpEA', 'rwn6MoVKJp', 'OBm673sC77', 'AbP6grk3Nl', 'ccm6xba3ZZ'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, Kke9OiWaQ5u3N9S7Qf.cs	High entropy of concatenated method names: 'vAPZ6h7Ze2', 'rhlZoR7wxi', 'zD5Zt4raG1', 'JIKZ4PK5Cm', 'rQEZLvkq4F', 'RytZUnnGx4', 'z2w7f5LtkjJL9RwtfM', 'TD8ZHiqHYu1Y0sZGJu', 'DnnZZSJgdj', 'BVVZi20yB7'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, I43C61GjeNqdxOqCmZ.cs	High entropy of concatenated method names: 'der6vFPyIO', 'e1r6wj5VKZ', 'hyp6yVxn70', 'pRCyJnZ8tr', 'MdlyzXgCwj', 'wQ2608P3t8', 'EGj6ZRXblQ', 'lsm6OdGsLu', 'gpc6iSwIVI', 'U2S6WkBvoe'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, QEq4NDgD54raG1rIKP.cs	High entropy of concatenated method names: 'tSewbGkxCx', 'jj5w5ow8ne', 'GpGw7NHbAB', 'rUNwgpCpxc', 'JH4wLWpHiY', 'o8KwUuEoKC', 'XBEwakOiuU', 'QNYwh5AAEH', 'Gt5wjIikFn', 'TNBwljQMFd'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, aruLftOc4Rd1lvxZI5.cs	High entropy of concatenated method names: 'cq8DlZGFp', 'YS4bf678C', 'HbU5q7DrJ', 'pRlMQMqid', 'k8ngDqOK9', 'Goyx5OxQm', 'Bxhkj2MK4R9rKhqFOr', 'L6gTpI7WU9jjUWYTmp', 'zyLhwuNax', 'IL2la3YiS'
Source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4479aa0.4.raw.unpack, e4FfytHnnGx4LF5gSR.cs	High entropy of concatenated method names: 'F32yqq3hUN', 'MUny2ORTYZ', 'gQiynqSNWw', 'cbYy6hjhSo', 'cNkyobeHf9', 'zT6nCnybpM', 'bBdnNjet9h', 'XoKnRvcpxY', 'TpQn17jZXR', 'FQ6n352csQ'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	File created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	File created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	File opened: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	File opened: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7596, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 16A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 6520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 7520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 7660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 8660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 1820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory allocated: 5240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 5240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 6640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 7640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 7880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 8880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory allocated: 15A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 4410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 57B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 67B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 57B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 1460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 1190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 5FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 6FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 71E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 81E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 4E70000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7951	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1257	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Window / User API: threadDelayed 3012	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Window / User API: threadDelayed 6808	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Window / User API: threadDelayed 3290
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Window / User API: threadDelayed 6550
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 4249
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 5594
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 2286
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 7560

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7308	Thread sleep count: 3012 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7308	Thread sleep count: 6808 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98409s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -98072s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95789s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -95079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -94079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -93954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -93829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -93704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -93579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe TID: 7304	Thread sleep time: -93422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -40582836962160988s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7580	Thread sleep count: 3290 > 30
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99889s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7580	Thread sleep count: 6550 > 30
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99540s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99287s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97535s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97407s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97286s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -97117s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96726s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96624s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96515s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96404s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96296s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96187s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -96078s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95968s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95859s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95749s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95640s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95416s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95310s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95201s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -94764s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93791s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93651s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93547s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93434s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93328s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93218s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -93109s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -92976s >= -30000s
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe TID: 7576	Thread sleep time: -92875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 8004	Thread sleep count: 4249 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99828s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99693s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99451s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 8004	Thread sleep count: 5594 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99231s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -99111s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98990s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98747s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98530s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98421s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98202s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -98091s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97655s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97512s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96468s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96140s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -96031s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95921s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95812s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95593s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95265s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -95044s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94926s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94797s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94672s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94449s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94234s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7992	Thread sleep time: -94116s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7160	Thread sleep count: 2286 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99611s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99484s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 7160	Thread sleep count: 7560 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99374s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -99046s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98827s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98494s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98374s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98151s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97718s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97380s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97222s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -97079s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96419s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -96093s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95874s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95765s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95546s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95328s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95218s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -95109s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94999s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94671s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94453s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94234s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6252	Thread sleep time: -94124s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99278	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98936	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98409	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 98072	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96732	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96513	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96407	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96282	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96157	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95789	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95421	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95204	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 95079	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94954	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94829	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94704	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94579	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94454	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94329	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94204	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 94079	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 93954	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 93829	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 93704	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 93579	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Thread delayed: delay time: 93422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99889
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99540
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99287
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98703
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97535
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97407
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97286
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 97117
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96726
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96624
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96515
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96404
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96296
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96187
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 96078
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95968
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95859
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95749
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95640
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95531
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95416
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95310
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95201
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 94875
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 94764
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93791
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93651
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93547
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93434
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93328
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93218
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 93109
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 92976
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Thread delayed: delay time: 92875
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99828
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99693
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99451
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99231
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99111
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98990
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98747
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98530
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98421
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98312
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98202
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98091
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97875
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97655
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97512
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97250
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97124
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97015
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96468
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96359
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96250
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96140
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96031
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95921
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95812
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95703
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95593
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95484
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95375
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95265
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95156
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95044
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94926
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94797
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94672
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94562
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94449
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94343
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94234
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94116
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99611
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99484
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99374
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99265
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99046
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98827
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98609
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98494
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98374
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98265
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98151
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97937
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97718
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97497
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97380
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97222
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97079
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96749
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96531
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96419
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96312
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96203
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 96093
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95874
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95765
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95656
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95546
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95437
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95328
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95218
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 95109
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94999
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94890
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94781
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94671
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94562
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94453
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94343
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94234
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 94124

Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1788451149.0000000001443000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mpTrle.exe, 0000000D.00000002.1941705028.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: mpTrle.exe, 0000000D.00000002.1933428401.0000000000652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ G
Source: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2976264466.0000000001501000.00000004.00000020.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2975332345.0000000001350000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2974398040.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2972918560.0000000001064000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Memory written: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Process created: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpDED0.tmp"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 6280, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 6280, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.34b5788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.41b4228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42e4c90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3df5748.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.mpTrle.exe.347a768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mpTrle.exe.3dba728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.UTiPLNuHYu.exe.42a9c70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.4179208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UTiPLNuHYu.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 6280, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	59%	Virustotal		Browse
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	63%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	100%	Avira	HEUR/AGEN.1308640
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	100%	Avira	HEUR/AGEN.1308640
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	100%	Avira	HEUR/AGEN.1308640
C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	63%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe	59%	Virustotal		Browse
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	63%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	59%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
us2.smtp.mailhostbox.com	1%	Virustotal		Browse
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	true	1%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2971496563.0000000000435000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2971486884.0000000000436000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000000.00000002.1790616281.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe, 00000005.00000002.2980248436.0000000003241000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 00000006.00000002.1849930169.0000000003287000.00000004.00000800.00020000.00000000.sdmp, UTiPLNuHYu.exe, 0000000C.00000002.2980306612.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000D.00000002.1935054356.0000000002457000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000013.00000002.2979395334.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000014.00000002.2009322632.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000018.00000002.2980111716.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482888
Start date and time:	2024-07-26 10:27:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@34/16@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 369 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:28:02	API Interceptor	174x Sleep call for process: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe modified
04:28:06	API Interceptor	19x Sleep call for process: powershell.exe modified
04:28:09	API Interceptor	161x Sleep call for process: UTiPLNuHYu.exe modified
04:28:17	API Interceptor	385x Sleep call for process: mpTrle.exe modified
09:28:06	Task Scheduler	Run new task: UTiPLNuHYu path: C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
09:28:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
09:28:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse
	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse
	file.exe	Get hash	malicious	SystemBC	Browse
	file.exe	Get hash	malicious	SystemBC	Browse
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse
	8hOkq9mMQu.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Order List Pdf.exe	Get hash	malicious	AgentTesla	Browse
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Mt103.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	file.exe	Get hash	malicious	SystemBC	Browse	208.91.199.224
	file.exe	Get hash	malicious	SystemBC	Browse	208.91.199.223
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
api.ipify.org	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://pub-bc1e99c17d21413c8c62ead228907d1f.r2.dev/auth_gen.html?folder=inf0gudkij&module&user-agent=Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	104.26.13.205
	https://b14d.lnsd.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	LisectAVT_2403002A_127.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_133.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_2.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_460.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_481.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	2FBexXRCHR.rtf	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_16.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_290.exe	Get hash	malicious	Bdaejec	Browse	74.119.239.234
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
CLOUDFLARENETUS	https://r.emails.wellbeingontheweb.com/mk/cl/f/sh/7nVU1aA2nfuMScRuip3UF1TWed6PxdT/DQvTpig-WhJj	Get hash	malicious	Unknown	Browse	104.17.25.14
	Quotation.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	invoice.docx.doc	Get hash	malicious	FormBook	Browse	188.114.96.3
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	JGKjBsQrMc.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	172.64.41.3
	zKXXNr7f2e.exe	Get hash	malicious	Babadeda	Browse	162.159.61.3
	N#U00b0025498563-.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	#U00d6DEME TAVS#U0130YES#U0130.xls	Get hash	malicious	Remcos	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://cs9.biz	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	7Y18r(191).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	7Y18r(169).exe	Get hash	malicious	CryptOne	Browse	172.67.74.152
	7Y18r(191).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	xptRc4P9NV.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	172.67.74.152
	https://metamaskwalletexetention.webflow.io/	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UTiPLNuHYu.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mpTrle.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380134126512796
Encrypted:	false
SSDEEP:	48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YUyus:+LHxvIIwLgZ2KRHWLOug8s
MD5:	5317422AE0D4B4DCC96C903A5FCB88E8
SHA1:	D47E15FF7709A633E231BF182B20B8C6A29C277D
SHA-256:	5AB27086EE94EF2E6553D3D751F5C19D226F68373E56DEF21590BCFBC1BA40F3
SHA-512:	92C2E6533B2B61C6C7394B30A0E69AE7D4B57D6A99FC90A25D3BDB829299D3EEB0AAC73C64D340C87B98FAF3C16C9FFAA427A1C6384C12F419CDEB18FFB3CABB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fp1sv2r.cpb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ahlsree.45x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbromjj5.gi1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jr4hcp0y.n5l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113709183189339
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapBwxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTiBAv
MD5:	A54F38F2C73AF18632FF5C4A4DC5F6A0
SHA1:	8AA6A1EF72C930E6365026E4C8BBBA2A1A046262
SHA-256:	18D969B4B292B6DA8E97598FA6BFFCDC57B1D12B0AB66888B877904559C6EFE9
SHA-512:	1F7A13B71142633BDD15092AC0BCB865C53F4658DEEFAB06084FA7719A0EF6C6D83021206225ADBCC9F969CC7887F32AFD635F0260C0E261E4F7F6D06179E65C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113709183189339
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapBwxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTiBAv
MD5:	A54F38F2C73AF18632FF5C4A4DC5F6A0
SHA1:	8AA6A1EF72C930E6365026E4C8BBBA2A1A046262
SHA-256:	18D969B4B292B6DA8E97598FA6BFFCDC57B1D12B0AB66888B877904559C6EFE9
SHA-512:	1F7A13B71142633BDD15092AC0BCB865C53F4658DEEFAB06084FA7719A0EF6C6D83021206225ADBCC9F969CC7887F32AFD635F0260C0E261E4F7F6D06179E65C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpDED0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113709183189339
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapBwxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTiBAv
MD5:	A54F38F2C73AF18632FF5C4A4DC5F6A0
SHA1:	8AA6A1EF72C930E6365026E4C8BBBA2A1A046262
SHA-256:	18D969B4B292B6DA8E97598FA6BFFCDC57B1D12B0AB66888B877904559C6EFE9
SHA-512:	1F7A13B71142633BDD15092AC0BCB865C53F4658DEEFAB06084FA7719A0EF6C6D83021206225ADBCC9F969CC7887F32AFD635F0260C0E261E4F7F6D06179E65C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113709183189339
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapBwxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTiBAv
MD5:	A54F38F2C73AF18632FF5C4A4DC5F6A0
SHA1:	8AA6A1EF72C930E6365026E4C8BBBA2A1A046262
SHA-256:	18D969B4B292B6DA8E97598FA6BFFCDC57B1D12B0AB66888B877904559C6EFE9
SHA-512:	1F7A13B71142633BDD15092AC0BCB865C53F4658DEEFAB06084FA7719A0EF6C6D83021206225ADBCC9F969CC7887F32AFD635F0260C0E261E4F7F6D06179E65C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	764416
Entropy (8bit):	7.786014042943944
Encrypted:	false
SSDEEP:	12288:nuSSY+aZrwr+vBDpXNbPi26ZQ/Zn4iRSt5p0DNuJVbVipE07bj:L/4rYBLPilQR5wt5euJVUE0/j
MD5:	3AC2AB389629EE685878DA77C511F359
SHA1:	05A6CCB19D32AA653A942DEA5D6401249BB8F7D2
SHA-256:	5CB06070E2428B600080A8B4A21FDE3ED5D773CA0A1CF3BEA381CE96C1FA305D
SHA-512:	1CD1C127F994AAAEF44D6A774EB133CDFAE48B6D609519E6A99DB32B96A3EC1FC902CA6ECA8D62DF0B51B253B544E4C5DAD550C13E2FEE208A683B32165E0CDC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.f..............0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......@z...Q......?...X...@...........................................^..}.....(.......(......0..+.........,..{.......+....,...{....o........(.......0...........s.....s.....s..........(....s......s....}.....s ...}.....{....o!.....{....o!.....(".....{.....o#.....{.....o$.....{.....o%.....{.....o&.....{......s'...o(.....{........s)...o*.....{....r...po+.....{.... .... I...s,...o-.....{.....o......r...po/.....{....o0....o1.....r1..po/.....{....o2....o3.....{..... ..s'...o(..

C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	764416
Entropy (8bit):	7.786014042943944
Encrypted:	false
SSDEEP:	12288:nuSSY+aZrwr+vBDpXNbPi26ZQ/Zn4iRSt5p0DNuJVbVipE07bj:L/4rYBLPilQR5wt5euJVUE0/j
MD5:	3AC2AB389629EE685878DA77C511F359
SHA1:	05A6CCB19D32AA653A942DEA5D6401249BB8F7D2
SHA-256:	5CB06070E2428B600080A8B4A21FDE3ED5D773CA0A1CF3BEA381CE96C1FA305D
SHA-512:	1CD1C127F994AAAEF44D6A774EB133CDFAE48B6D609519E6A99DB32B96A3EC1FC902CA6ECA8D62DF0B51B253B544E4C5DAD550C13E2FEE208A683B32165E0CDC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.f..............0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......@z...Q......?...X...@...........................................^..}.....(.......(......0..+.........,..{.......+....,...{....o........(.......0...........s.....s.....s..........(....s......s....}.....s ...}.....{....o!.....{....o!.....(".....{.....o#.....{.....o$.....{.....o%.....{.....o&.....{......s'...o(.....{........s)...o*.....{....r...po+.....{.... .... I...s,...o-.....{.....o......r...po/.....{....o0....o1.....r1..po/.....{....o2....o3.....{..... ..s'...o(..

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.786014042943944
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
File size:	764'416 bytes
MD5:	3ac2ab389629ee685878da77c511f359
SHA1:	05a6ccb19d32aa653a942dea5d6401249bb8f7d2
SHA256:	5cb06070e2428b600080a8b4a21fde3ed5d773ca0a1cf3bea381ce96c1fa305d
SHA512:	1cd1c127f994aaaef44d6a774eb133cdfae48b6d609519e6a99db32b96a3ec1fc902ca6eca8d62df0b51b253b544e4c5dad550c13e2fee208a683b32165e0cdc
SSDEEP:	12288:nuSSY+aZrwr+vBDpXNbPi26ZQ/Zn4iRSt5p0DNuJVbVipE07bj:L/4rYBLPilQR5wt5euJVUE0/j
TLSH:	CDF4F112AAD55B62D8A502F7943439CC23B46949CD43E7B91EBCA5DDCD337C2EE88603
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.f..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	d3d0deeae2f2c6c2

Static PE Info

General

Entrypoint:	0x4ab7ea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A04F2E [Wed Jul 24 00:47:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab798	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x10c84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa97f0	0xa9800	57306169d10743aad52f5de442e2fd35	False	0.9512741403945427	data	7.946917722198967	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x10c84	0x10e00	47f02870c96b3a14563d0acaa3ad6783	False	0.07346643518518518	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 36028797018963968.000000	3.7650138975345664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	f092646082c91f7d627e364144fe6ecf	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac118	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m	0.06794924878741275
RT_GROUP_ICON	0xbc940	0x14	data	1.0
RT_GROUP_ICON	0xbc954	0x14	data	1.05
RT_VERSION	0xbc968	0x31c	data	0.44472361809045224

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T10:29:01.890339+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49744	52.165.165.26	192.168.2.4
2024-07-26T10:28:23.350688+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49734	52.165.165.26	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 10:28:07.357225895 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.357266903 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:07.357482910 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.368529081 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.368542910 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:07.897007942 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:07.897263050 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.902987957 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.903006077 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:07.903450012 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:07.945703030 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:07.989890099 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:08.036544085 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:08.101270914 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:08.101358891 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:08.101492882 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:08.109962940 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:09.267921925 CEST	49731	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:09.298062086 CEST	587	49731	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:09.298219919 CEST	49731	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:13.956007004 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:13.956048965 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:13.956135988 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:13.960438967 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:13.960448027 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.460807085 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.460979939 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:14.463366032 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:14.463371038 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.463593006 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.508318901 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:14.567496061 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:14.612498999 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.683533907 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.683585882 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:14.683649063 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:14.686403036 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:15.361036062 CEST	49733	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:15.399586916 CEST	587	49733	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:15.399698973 CEST	49733	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:21.981889963 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:21.981975079 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:21.982151985 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:21.986254930 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:21.986287117 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.545628071 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.545713902 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:22.547679901 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:22.547688007 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.548033953 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.601962090 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:22.608293056 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:22.652533054 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.730940104 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.731143951 CEST	443	49735	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:22.731211901 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:22.734321117 CEST	49735	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:23.338251114 CEST	49738	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:23.345628023 CEST	587	49738	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:23.345716000 CEST	49738	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:29.204468012 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.204591990 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.204674006 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.229950905 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.230010033 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.737904072 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.738014936 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.741949081 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.741956949 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.742269993 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.789503098 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.793167114 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.840512991 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.905651093 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.905720949 CEST	443	49742	172.67.74.152	192.168.2.4
Jul 26, 2024 10:28:29.905788898 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:29.919408083 CEST	49742	443	192.168.2.4	172.67.74.152
Jul 26, 2024 10:28:30.467200041 CEST	49743	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:30.472403049 CEST	587	49743	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:30.472507000 CEST	49743	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:30.690905094 CEST	587	49731	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:30.691093922 CEST	49731	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:30.730467081 CEST	49731	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:30.737837076 CEST	587	49731	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:36.843528032 CEST	587	49733	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:36.843871117 CEST	49733	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:36.845586061 CEST	49733	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:36.850517035 CEST	587	49733	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:44.801218987 CEST	587	49738	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:44.801403999 CEST	49738	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:44.802932978 CEST	49738	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:44.808073044 CEST	587	49738	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:51.890993118 CEST	587	49743	208.91.198.143	192.168.2.4
Jul 26, 2024 10:28:51.891204119 CEST	49743	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:51.894143105 CEST	49743	587	192.168.2.4	208.91.198.143
Jul 26, 2024 10:28:51.899391890 CEST	587	49743	208.91.198.143	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 10:28:07.340739012 CEST	64644	53	192.168.2.4	1.1.1.1
Jul 26, 2024 10:28:07.349560022 CEST	53	64644	1.1.1.1	192.168.2.4
Jul 26, 2024 10:28:09.239093065 CEST	52679	53	192.168.2.4	1.1.1.1
Jul 26, 2024 10:28:09.266278982 CEST	53	52679	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 10:28:07.340739012 CEST	192.168.2.4	1.1.1.1	0x2171	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:09.239093065 CEST	192.168.2.4	1.1.1.1	0x793f	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 10:28:07.349560022 CEST	1.1.1.1	192.168.2.4	0x2171	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:07.349560022 CEST	1.1.1.1	192.168.2.4	0x2171	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:07.349560022 CEST	1.1.1.1	192.168.2.4	0x2171	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:09.266278982 CEST	1.1.1.1	192.168.2.4	0x793f	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:09.266278982 CEST	1.1.1.1	192.168.2.4	0x793f	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:09.266278982 CEST	1.1.1.1	192.168.2.4	0x793f	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Jul 26, 2024 10:28:09.266278982 CEST	1.1.1.1	192.168.2.4	0x793f	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	6784	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 08:28:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-26 08:28:08 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:28:08 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a9303b64db47285-EWR
2024-07-26 08:28:08 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.74.152	443	7476	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 08:28:14 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-26 08:28:14 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:28:14 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a9303df6e498ce6-EWR
2024-07-26 08:28:14 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	172.67.74.152	443	7856	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 08:28:22 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-26 08:28:22 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:28:22 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a930411ab318c23-EWR
2024-07-26 08:28:22 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	172.67.74.152	443	6280	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 08:28:29 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-26 08:28:29 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 08:28:29 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a93043e8ac441d5-EWR
2024-07-26 08:28:29 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	04:28:02
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"
Imagebase:	0xc90000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1791421661.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:28:05
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:28:05
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:28:05
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp"
Imagebase:	0x4c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:28:05
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:28:06
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe"
Imagebase:	0xf10000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2980248436.00000000032BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2980248436.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	04:28:06
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Imagebase:	0xf40000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1851368813.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:28:08
Start date:	26/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:28:12
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp"
Imagebase:	0xa40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:28:12
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:28:12
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Imagebase:	0x230000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:28:12
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Imagebase:	0x2f0000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:28:12
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\UTiPLNuHYu.exe"
Imagebase:	0xb40000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2980306612.000000000303A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2980306612.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	04:28:17
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xd0000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1936939570.000000000347A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:28:20
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpDED0.tmp"
Imagebase:	0x4c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:28:20
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:28:21
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xb90000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2979395334.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2979395334.0000000002EFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:28:25
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0x8b0000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.2015893720.0000000003DBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:28:28
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UTiPLNuHYu" /XML "C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp"
Imagebase:	0x4c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:28:28
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:28:28
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0x2f0000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:28:28
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xae0000
File size:	764'416 bytes
MD5 hash:	3AC2AB389629EE685878DA77C511F359
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2980111716.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2980111716.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	233
Total number of Limit Nodes:	19

Executed Functions

Function 01716C4A Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4815bcef6309d4b0fec56c6b34387563742a1e63dbcc75008a9c12f94351884e
Instruction ID: cdecc9301dc79a55a6795aa5f5e1f5c27ef8c43763852d7241869fba44fcf594
Opcode Fuzzy Hash: 4815bcef6309d4b0fec56c6b34387563742a1e63dbcc75008a9c12f94351884e
Instruction Fuzzy Hash: 88711771D05219CBEB24CF6AC8447E9FBB6AF89300F14C1EAD549A6254EBB05AC5CF40

Function 016AD2F0 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016AD37E
GetCurrentThread.KERNEL32 ref: 016AD3BB
GetCurrentProcess.KERNEL32 ref: 016AD3F8
GetCurrentThreadId.KERNEL32 ref: 016AD451

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4bfb719b1f276db29dea15ba8462cd9bd39396db486f407c823bd66b8d1c794f
Instruction ID: 6b6d247b45dbd37f4a9cd98f2c86b887eb199ef6b6ef05be3e596598a4ae21bc
Opcode Fuzzy Hash: 4bfb719b1f276db29dea15ba8462cd9bd39396db486f407c823bd66b8d1c794f
Instruction Fuzzy Hash: 965166B09012498FDB14CFA9D948B9EBBF1EF49304F248459D109A73A0DB74A885CF65

Function 016AD300 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016AD37E
GetCurrentThread.KERNEL32 ref: 016AD3BB
GetCurrentProcess.KERNEL32 ref: 016AD3F8
GetCurrentThreadId.KERNEL32 ref: 016AD451

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a8e3bbe0a930e0efa8af565d93d7d8c93f88bbd58876a0f0a1059eec3c1a41b8
Instruction ID: 6e2a009bcab0badc93bb299bde191732b17ff771cfe52a79ec204125cce7e379
Opcode Fuzzy Hash: a8e3bbe0a930e0efa8af565d93d7d8c93f88bbd58876a0f0a1059eec3c1a41b8
Instruction Fuzzy Hash: 235145B09012498FDB14DFAAD948BDEBBF1EF48304F248459D119A73A0DB74A884CF65

Function 017139C4 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01713C06

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 012888ef138565ae1e45e76b889ba182bb15ec07a8b67900c0cf467fc6f0d854
Instruction ID: 59b12a09ea2d6ea1f0ca2f20fcf3868d8f6a43573cb5df9b716f97715fd17670
Opcode Fuzzy Hash: 012888ef138565ae1e45e76b889ba182bb15ec07a8b67900c0cf467fc6f0d854
Instruction Fuzzy Hash: 6BA12971D00619DFEB20CF69C841BEDFBB2BF48324F1485A9E848A7294DB749985CF91

Function 017139D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01713C06

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9d99bc7d1963112a9b7daba501636bf4a4fd0add21ec300b14e8865971dae829
Instruction ID: e4d8dd905c1412e59a9fcbcc561ce660cfcd11a1641af7b1207ae8733fb1ede0
Opcode Fuzzy Hash: 9d99bc7d1963112a9b7daba501636bf4a4fd0add21ec300b14e8865971dae829
Instruction Fuzzy Hash: 5D912871D00219DFEB20CF69C841B9DFBB2BF48324F1481A9E848A7294DB749985CF91

Function 016AB070 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 016AB2C6

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c3fe37cbd943e842877f33ba1f21992a225ceb935e34769a53ed09ca4f6b6855
Instruction ID: 7bd6e38519f47d41a043177552a94935c76ca5aa209bd74bf17a35617180f7eb
Opcode Fuzzy Hash: c3fe37cbd943e842877f33ba1f21992a225ceb935e34769a53ed09ca4f6b6855
Instruction Fuzzy Hash: 26712070A00B058FD724DF6AD94075ABBF1BF88200F408A2ED58ADBB50EB75E845CF90

Function 016A590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016A59C9

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e1a27f27b832bf48895c9704ba492219606fb2390c4c0dd289018e411aeed0f8
Instruction ID: a548b5833c75ea2ff1aca4bf1c1234ecf04a2accdf75bd8ea01c57c11fbb0217
Opcode Fuzzy Hash: e1a27f27b832bf48895c9704ba492219606fb2390c4c0dd289018e411aeed0f8
Instruction Fuzzy Hash: D041DFB0D00719CEDB24CFAAC8847CDBBB6BF49304F64805AD509AB265DB756986CF90

Function 016A44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016A59C9

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fbf029dc9dec1815a607a69f64856873c6b53bece70decaec60f1147e19a2d85
Instruction ID: a275fa346c6dc77e2e51fb716903b6106826d188fbfb5987383212e91f584a77
Opcode Fuzzy Hash: fbf029dc9dec1815a607a69f64856873c6b53bece70decaec60f1147e19a2d85
Instruction Fuzzy Hash: A841F1B0D00719CFDB24CFAAC884B8EBBB5BF49304F64806AD509AB255DB756946CF90

Function 01713740 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 017137D8

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5c991354368f58488b5a4b602038409889c5aba2e0ac51425226a174ce4cd2bb
Instruction ID: 99ec77ad47247cb65962791a2bb143ead66bd49c456de282bfd5b14b4af86091
Opcode Fuzzy Hash: 5c991354368f58488b5a4b602038409889c5aba2e0ac51425226a174ce4cd2bb
Instruction Fuzzy Hash: 502137B59002499FDB10DFA9C884BDEBFF1FF48324F10842AE558A7250C7789545CBA0

Function 01713748 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 017137D8

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da7d14469965efa2bd42937a4afef2c768e168ffd53246ddd32d8452cdbac2d8
Instruction ID: 406a1b907b49668cd3cc85d748c1de1b062b2c18ff1467fa8e976d89f1a508df
Opcode Fuzzy Hash: da7d14469965efa2bd42937a4afef2c768e168ffd53246ddd32d8452cdbac2d8
Instruction Fuzzy Hash: 022127B59003599FDB10DFA9C885BDEFBF5FF48320F108429E958A7250C7789954CBA4

Function 01713171 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 017131F6

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6be023cb993541752174125e8bc4068934b08ee8d90741e646301f65356af09e
Instruction ID: 433ae24e81ef34a66984da9470fccbefe32f42cc677b1d0882341f9e22f9efc0
Opcode Fuzzy Hash: 6be023cb993541752174125e8bc4068934b08ee8d90741e646301f65356af09e
Instruction Fuzzy Hash: B02116B19002098FDB10DFAAC4857EEFFF4EF48324F148429D599A7245C778A985CFA5

Function 016AD540 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016AD5CF

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f084a8d8b24188410899fc5cee1aa3b4e5d481ff314d7ea06cb2d6e4a981ded
Instruction ID: 5f6b4429bda37d5deb57c4cf0a7a69633ae6a8512176cb91f1cffffee2f19e5c
Opcode Fuzzy Hash: 7f084a8d8b24188410899fc5cee1aa3b4e5d481ff314d7ea06cb2d6e4a981ded
Instruction Fuzzy Hash: 902105B5D002089FDB10CF99D884ADEFBF4EB48310F14801AE958A7310D374A945CFA0

Function 01713830 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 017138B8

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bbcce89fec90d5b34651ae1e4bce676ee043b3de20b7780524f1600643540125
Instruction ID: 11d7b10e9b85b55d09aa9c49d210195d75a2632530033da7682e031fd142ece9
Opcode Fuzzy Hash: bbcce89fec90d5b34651ae1e4bce676ee043b3de20b7780524f1600643540125
Instruction Fuzzy Hash: 852136B18002499FDB10CFAAC880ADEFBF5FF48320F108429E918A7250C738A545CBA4

Function 01713178 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 017131F6

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bf80fde83176a700a1d6f11ecbcf7cfd95d14afb981bb08006258c440fe7cbbd
Instruction ID: ea03e31d02a7b1b117f4284cf5f66012ac43241dc58ae1fa582361ab7780220d
Opcode Fuzzy Hash: bf80fde83176a700a1d6f11ecbcf7cfd95d14afb981bb08006258c440fe7cbbd
Instruction Fuzzy Hash: DE2137B19002098FDB10DFAEC4857EEFFF4EB48324F108429D559A7240C7789945CFA4

Function 01713838 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 017138B8

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7b3254a0480dae91a9180ddb860c4a4c31f45ebf22bce21bcbd5c3565943aa05
Instruction ID: 24f3f31efd2baf77689c1ded7b9d104ec9a7590daada9ff722f9eb6150e78693
Opcode Fuzzy Hash: 7b3254a0480dae91a9180ddb860c4a4c31f45ebf22bce21bcbd5c3565943aa05
Instruction Fuzzy Hash: 952128B1C003599FDB10DFAAC840ADEFBF5FF48320F108429E958A7250C7389545CBA4

Function 016AD548 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016AD5CF

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 28b567ddb13e7be1e6df8a43292292731a8ca1439e2dd198c2720998575ce52e
Instruction ID: 11459149fa2ef91238b8cb27254cebb86ed06f51b87402feb7579acd5dbbf111
Opcode Fuzzy Hash: 28b567ddb13e7be1e6df8a43292292731a8ca1439e2dd198c2720998575ce52e
Instruction Fuzzy Hash: CA21E2B5D002089FDB10CFAAD984ADEFFF8EB48320F14801AE958A3310D374A940CFA4

Function 017130C0 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0171312A

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1d53482a42bcabfada69c169fc444d6f05d978cb9cb40f7f4cfd404fb9fdeede
Instruction ID: 8e5a83a258f1333ca119659ea921d0adaa19288a454dd7ccec66dee0a77f7504
Opcode Fuzzy Hash: 1d53482a42bcabfada69c169fc444d6f05d978cb9cb40f7f4cfd404fb9fdeede
Instruction Fuzzy Hash: AA1158B59002488FDB20DFAAC4457DEFFF4EB88324F248429D559A7244CB75A545CFA4

Function 01713249 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 017132BE

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c86fb5a89e83d38e40fea0f5184a5bf861638b40a614c48c529a130d95cd047
Instruction ID: 874fa71dec766547ba4ffcf6c3013ccb0065a3524025b6ef67404a477a4d65e7
Opcode Fuzzy Hash: 5c86fb5a89e83d38e40fea0f5184a5bf861638b40a614c48c529a130d95cd047
Instruction Fuzzy Hash: F11117B19002499FDB20DFA9C4446EEFFF5EF88324F24881AE559A7250C7359555CF90

Function 016AAA88 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016AB341,00000800,00000000,00000000), ref: 016AB552

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 464a94f99d96f5ba0ae79f32fcaafa09cf7b32c3a0bcf50d347d5ed3aab5e6c1
Instruction ID: a5b42ba4b4dc7b3435f7b96b0b9c3140c81c7ed24ce78231f76ac60cb5d4d969
Opcode Fuzzy Hash: 464a94f99d96f5ba0ae79f32fcaafa09cf7b32c3a0bcf50d347d5ed3aab5e6c1
Instruction Fuzzy Hash: F91123B6D003488FDB20CF9AD844ADEFBF4EB48310F54842AE959A7310C375A945CFA4

Function 016AB4E1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016AB341,00000800,00000000,00000000), ref: 016AB552

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7738a203e79692650baa1b846ae761a22aac81a3636ef063606c1616f8949f39
Instruction ID: cacf5fc171e85d00170bb97b7a439b8b925ddaddb4ec110091c4f2fe22e9b372
Opcode Fuzzy Hash: 7738a203e79692650baa1b846ae761a22aac81a3636ef063606c1616f8949f39
Instruction Fuzzy Hash: AC11F3B6D003499FDB24CF9AD844ADEFBF4EB88310F14842AD959A7310C375A945CFA5

Function 01713250 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 017132BE

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13a5a92fd46bd7f6a8fa8467cc49dfde415614b128899aadf2b8dcae9888de92
Instruction ID: c36a8a75d005e33dd17895098ad98e808b95de3ef49aa014d2705a8dfd2f268e
Opcode Fuzzy Hash: 13a5a92fd46bd7f6a8fa8467cc49dfde415614b128899aadf2b8dcae9888de92
Instruction Fuzzy Hash: 291137B29002499FCB10DFAAC844BDEFFF5EF88324F208419E559A7250C775A554CFA4

Function 017130C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0171312A

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 05bd357889887b9a2abfc0e8c8734d60f777b0b1d30f74b932d6b69145e5183e
Instruction ID: 5084f73590349abef59f19c91d1ecbb61093ee7cb8c27ed01299804ff182a9b1
Opcode Fuzzy Hash: 05bd357889887b9a2abfc0e8c8734d60f777b0b1d30f74b932d6b69145e5183e
Instruction Fuzzy Hash: 6E1136B1D002488FDB20DFAAC4457DEFBF4EB88324F208429D559A7250CB75A944CFA4

Function 016AB259 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 016AB2C6

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b654f30b007e1bcaf8771cebf38785b9e067a0491acb7e97bfed7e54c7274a36
Instruction ID: e2a4203f8a0e2010bc40a035b081b894feb12056e238b7ef692ffe7128b3cc4f
Opcode Fuzzy Hash: b654f30b007e1bcaf8771cebf38785b9e067a0491acb7e97bfed7e54c7274a36
Instruction Fuzzy Hash: E51102B5C002498FDB10CF9AD844ADEFBF4EF89310F10C46AD919AB210D375A545CFA1

Function 01711C40 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 017181C5

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3d1ade73667052fdea5d6a029397aca9b6fd61b49445f5091f69fdfb82432e40
Instruction ID: 37f24def75262df3b6759f4776cb2015432e1b8a29b24464ec3fac9f7bc73271
Opcode Fuzzy Hash: 3d1ade73667052fdea5d6a029397aca9b6fd61b49445f5091f69fdfb82432e40
Instruction Fuzzy Hash: ED11F2B58003489FDB10DF9AD948BDEFBF8EB48320F208459E958A7200C375A944CFA5

Function 016AB260 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 016AB2C6

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f8146bc00a8bf083dc60034204b75e17a0e397c5fc8ba813c0e4fc5b37d2eb1
Instruction ID: 267ddff8a1c7f9bae3b2a82b5d98414eb7149d65fcfc1dac76da683e5b161dcb
Opcode Fuzzy Hash: 4f8146bc00a8bf083dc60034204b75e17a0e397c5fc8ba813c0e4fc5b37d2eb1
Instruction Fuzzy Hash: 70110FB5C002498FDB10CF9AD844ADEFBF4AF88320F10C42AD818A7210C375A545CFA1

Function 01718160 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 017181C5

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a05cd0dcc3765b6969772443cf1ed1b108284ea508cb1a68c3477d7ca08ee381
Instruction ID: 4630b39e0019e3a08e1f602c2aae0bbecb41794122a8538c85566651eac8c06c
Opcode Fuzzy Hash: a05cd0dcc3765b6969772443cf1ed1b108284ea508cb1a68c3477d7ca08ee381
Instruction Fuzzy Hash: 2B11C2B59002899FDB10CF99D448BDEFFF4EB48314F24885AE558A7610C375A984CFA1

Function 0160D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789145118.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cecc018f093a04045e2de4fa2dbf14561be2bbe60ca77bdc237f886c246faa
Instruction ID: 117b48ca4b257a97569a6f33d34b31aff423517d74f925e114e42c8a74110223
Opcode Fuzzy Hash: 06cecc018f093a04045e2de4fa2dbf14561be2bbe60ca77bdc237f886c246faa
Instruction Fuzzy Hash: 5021D371504240DFDB0BDF98D9C0B2BBF65FB88318F24C669ED094B296C336D456CAA1

Function 0160D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789145118.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb9d9dc02294dc188ac64f5b0bb99fdc975911b54258226c4c8a33f1eb17ade
Instruction ID: 1085d3eb34e058de76b032903e2a7dc2e586b3b1f2091eb3942cbca1930de0f4
Opcode Fuzzy Hash: 9fb9d9dc02294dc188ac64f5b0bb99fdc975911b54258226c4c8a33f1eb17ade
Instruction Fuzzy Hash: BE212871500204DFDB0ADF98DDC0B6BBF65FB94324F21C269E9094B396C336E456C6A2

Function 0161D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789257506.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8231a1d75efdc890a1cf8353f5f840436c7705a5fdee7a45c3f4f42c7c7180e9
Instruction ID: f6edda169e7d60a20da72fb59c3fb8a499d8b7f8d35d47257fb64b6cd3cba237
Opcode Fuzzy Hash: 8231a1d75efdc890a1cf8353f5f840436c7705a5fdee7a45c3f4f42c7c7180e9
Instruction Fuzzy Hash: 1B212671504240EFDB05DF98DDC8B66BBA5FB84324F28C66DEA094B35AC33AD446CA61

Function 0161D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789257506.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
Instruction ID: 64e8fcb375032683f1923c8fa6676b92ccf2350722fa2e4decec2675475ebdce
Opcode Fuzzy Hash: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
Instruction Fuzzy Hash: 07212275604200DFCB15DF58D988B26BFA5EB84315F28C56DD80A4B39AC33AD447CA61

Function 0161D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789257506.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
Instruction ID: a1e83cdfdc015d1e49e0e85a6a652d96e0c42d7f9b30a2e16774341d10845c5b
Opcode Fuzzy Hash: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
Instruction Fuzzy Hash: E921AE755093808FDB03CF64D994B15BF71EB46214F28C5EAD8498F6A7C33A980ACB62

Function 0160D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789145118.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 5d54676e82ed0416b64b96cc62429afb3aec08aa95687bfde9442ef91a798345
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A911CD72404280CFCB07CF54D9C4B16BF61FB88218F24C6A9DC090B296C336D45ACBA1

Function 0160D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789145118.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a51766db85cf175c3e076121035dc3d01adcce3c0e23670a9c0dbe466c5cf7d7
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5011DF72404240DFDB06CF84D9C4B56BF71FB94324F24C2A9D9090B296C33AE45ACBA1

Function 0161D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789257506.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_161d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3a4def1b3f50210b76a3d4a44054bf0c86877124989581b28ea22e62affe36ff
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F911BE75504280DFDB02CF54C9C4B55BFA1FB84224F28C6A9D9494B766C33AD40ACB51

Non-executed Functions

Function 01710830 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fc043cc6775be6bdb0b02982167a427dcf540965bc12a5f806029eb2d9cefd
Instruction ID: 1e958340b29f0a6752de1d55c9788dee4b088993d0abbdacc7fedf6abfea6d06
Opcode Fuzzy Hash: 04fc043cc6775be6bdb0b02982167a427dcf540965bc12a5f806029eb2d9cefd
Instruction Fuzzy Hash: 62E1D674E002198FDB14DFADC5809AEFBB2FF89304F248169E415AB35AD735A981CF60

Function 017128A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc1da68303ce4a32a4d554bcbe560414619523321cbc2bceded3409b595d067
Instruction ID: 19163fc809a9e23a1f582366437b3d3d538e023cb01a89f1ce9651e2af3970a0
Opcode Fuzzy Hash: 0dc1da68303ce4a32a4d554bcbe560414619523321cbc2bceded3409b595d067
Instruction Fuzzy Hash: 1DE1E674E002198FDB14DFADC5809AEFBB2FF89304F248169E915AB35AD734A941CF61

Function 01713310 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2873ceab7ce566e4c9a8d1ee3048a3138b677476904351e55e7023f58bf244fa
Instruction ID: f0c3ee8c72d6917a6c5cac3048c1e501c6f82548cc7a32c5be331700b09c0b84
Opcode Fuzzy Hash: 2873ceab7ce566e4c9a8d1ee3048a3138b677476904351e55e7023f58bf244fa
Instruction Fuzzy Hash: 37E1E774E002198FDB14DFADC5809AEFBB2FF89314F248169E415AB35AD735A941CF60

Function 01710C68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159151bbbab33b54500d9bba7fcf9349843f935fb61d3162c4181af1f53ebd11
Instruction ID: 89251ab2a086f22831e5d76e6777321c79bf9c1565a19c577ed1caf90cf30342
Opcode Fuzzy Hash: 159151bbbab33b54500d9bba7fcf9349843f935fb61d3162c4181af1f53ebd11
Instruction Fuzzy Hash: 85E1F874E002198FDB14DFADC5809AEFBB2FF89304F248169E515AB35AD731A981CF60

Function 01712468 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92d900148f4215c33829dc0ac3ae24693dffec7aed3bd52ce267385c1c16b6a
Instruction ID: a4eebe48a4abc0bcf32673122edd09e1d769efde8601dda41cea7339013a063f
Opcode Fuzzy Hash: a92d900148f4215c33829dc0ac3ae24693dffec7aed3bd52ce267385c1c16b6a
Instruction Fuzzy Hash: 23E1D774E001198FDB14DFADC5809AEFBB2FF89304F248169E515AB35ADB35A941CF60

Function 016ADEA4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789761033.00000000016A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079a84442fd6ecf98161f7346e22251a4351f1bdacc9acaa8b463a847bb124ac
Instruction ID: 804507944af3b6526cb1687b17d277e39c31814b3742ba3405d420b328592721
Opcode Fuzzy Hash: 079a84442fd6ecf98161f7346e22251a4351f1bdacc9acaa8b463a847bb124ac
Instruction Fuzzy Hash: 09A17C32E0020A8FCF05DFB8D84459EBBB6FF95300B5545AAE906AB265DB31ED55CF80

Function 01713301 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a28f3e25616434af0774c5f181d4acb94a65275ac086103974e51f09bc1218
Instruction ID: 797022335a1f07a11ac86bb44dbff69d80ef140edd0cc45813002d67f4e3eb65
Opcode Fuzzy Hash: f7a28f3e25616434af0774c5f181d4acb94a65275ac086103974e51f09bc1218
Instruction Fuzzy Hash: 3D511974E002198FDB15CFA9C9805AEFBF2FF89310F248169D458AB356D7359942CFA1

Function 01712458 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1789840330.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e159c451b3e4e3be1bff982c53d7377eaf3f8093ee104117c68ec5f494b27b3
Instruction ID: 1084eb74ef822a6bab23eebda0f74ed8866d13446af062f51fc2ce6182891e5a
Opcode Fuzzy Hash: 6e159c451b3e4e3be1bff982c53d7377eaf3f8093ee104117c68ec5f494b27b3
Instruction Fuzzy Hash: 10510A74E002198FDB14DFA9D9805AEFBB2BF89304F2481AAD419A7356D7349942CFA1

Analysis Process: SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exePID: 6784, Parent PID: 7016COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	125
Total number of Limit Nodes:	9

Executed Functions

Function 06E43488 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E43B87
$^q, xrefs: 06E43BD4
$^q, xrefs: 06E43BE0
$^q, xrefs: 06E43B93
$^q, xrefs: 06E43BB0
$^q, xrefs: 06E43BBC

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: a4baedd7669ff819382e77d3fa564074b2482eea671a2f7801d0bef5ec3b8be1
Instruction ID: 35cefeb0ee2e5756d3d72b6bb53e55fbbcf44069101f3257cc5c94a6a0e912aa
Opcode Fuzzy Hash: a4baedd7669ff819382e77d3fa564074b2482eea671a2f7801d0bef5ec3b8be1
Instruction Fuzzy Hash: 71322F31E1071A8FCB14EF79D89459DB7B6FFC9300F1096A9D409AB264EB30AD85CB91

Function 06E47D68 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E4830F
$^q, xrefs: 06E48303

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3386f46d275999807368eaa56cbb99fcc4ff29965789f14eef1786b5865a2d80
Instruction ID: 9150ef875cdd883c40a897e6fb924b501f3352a105b57fcb1ec699444922ed85
Opcode Fuzzy Hash: 3386f46d275999807368eaa56cbb99fcc4ff29965789f14eef1786b5865a2d80
Instruction Fuzzy Hash: 32029E30B102058FDB54EB79E5946AEB7E2FF84304F148929D809DB395EB35EC82CB91

Function 06E45CD7 Relevance: 2.9, Strings: 2, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06E45E4D
XPcq, xrefs: 06E45E1D

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: ad706cabb633990d7039789a0a1105ce73d81a2cb83b26708dff5bbfce997d73
Instruction ID: 02dd29856629c26a339158a8ddc3e73f45f98341d2d0c901c3b29b11e04c0505
Opcode Fuzzy Hash: ad706cabb633990d7039789a0a1105ce73d81a2cb83b26708dff5bbfce997d73
Instruction Fuzzy Hash: 09E10631B102148FDB64AB78E88476EBBF2EF89314F25846AE44ADB391CB35DC45C791

Function 06E465E0 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c02e172fad627072b5c45db959f95b0b9346cce281d7e48ec6e3c246dc7ee1c
Instruction ID: 95b2b1f65329c8aa5cca9896a519a80d7393426880ce0c24e4975a7db441c1de
Opcode Fuzzy Hash: 4c02e172fad627072b5c45db959f95b0b9346cce281d7e48ec6e3c246dc7ee1c
Instruction Fuzzy Hash: F562AF34B002059FDB54EB79E584AADB7F2EF85318F149469E40ADB390DB35EC86CB81

Function 06E4C568 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc1d4ffb94429237dc094c0773ea6af8059be03e2605de82d57f2b86d40e177
Instruction ID: 8ff0e8f9da6f24573dee397f017475a37f3ccc7ee6e1b019b49c913da098cad2
Opcode Fuzzy Hash: cdc1d4ffb94429237dc094c0773ea6af8059be03e2605de82d57f2b86d40e177
Instruction Fuzzy Hash: B532A134B012099FDB50EB78E484BAEB7B2FB88714F209525E505EB354DB35EC86CB91

Function 06E455C8 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fd69733f88ae197548ab1607e5aee8d3b1409aba2bec782f554cc7d310fd79
Instruction ID: d7c277e56571283fb615ef2eac1a7cd03143d9600f390006835c9b346e097221
Opcode Fuzzy Hash: d8fd69733f88ae197548ab1607e5aee8d3b1409aba2bec782f554cc7d310fd79
Instruction Fuzzy Hash: FD12F231F103059BDB20EB74E8846AEB7B2EB85314F248879D95ADB384DB34DC46CB91

Function 06E4B211 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e2699f2d446b15fb97a7ff639dc7e9ea20d55be018b123c6f92b532e391195
Instruction ID: 94eac329f09bc92be0b2a451c65a8a73ef84b7c9d28477529c06e7c567697aa0
Opcode Fuzzy Hash: 71e2699f2d446b15fb97a7ff639dc7e9ea20d55be018b123c6f92b532e391195
Instruction Fuzzy Hash: FA226E30E102098FDF64EB79E4847ADB7B2EB89314F249826E449DB395DB35DC82CB51

Function 06E4ACB8 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E4ADE5
$^q, xrefs: 06E4AE67
$^q, xrefs: 06E4AE5B
$^q, xrefs: 06E4AE90
$^q, xrefs: 06E4ADD9
$^q, xrefs: 06E4AE2C
$^q, xrefs: 06E4AE84
$^q, xrefs: 06E4AE38

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 4a19cf7c0b5c1effa878d732bcac3be3110de24cdfe04afdf9e652a3126e62b3
Instruction ID: cab3592c798bfe7797d35077a6cb427b7fed81384bb76fa87ef752d204cb1d55
Opcode Fuzzy Hash: 4a19cf7c0b5c1effa878d732bcac3be3110de24cdfe04afdf9e652a3126e62b3
Instruction Fuzzy Hash: 1CE15D30F1030A8FDB65EF79E4846AEB7B2EB84314F209529D415AB358DB35D886CB91

Function 06DD388B Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DD3916
GetCurrentThread.KERNEL32 ref: 06DD3953
GetCurrentProcess.KERNEL32 ref: 06DD3990
GetCurrentThreadId.KERNEL32 ref: 06DD39E9

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bcd57ac229907dd60f0defb5400ec93941d57d826fef2f9682c6dfd639ff34ad
Instruction ID: ce38e598a1aa5c656d9e21c93a08cfec468f622d8f7a4d053c966fe3f4bdc903
Opcode Fuzzy Hash: bcd57ac229907dd60f0defb5400ec93941d57d826fef2f9682c6dfd639ff34ad
Instruction Fuzzy Hash: 355176B0D003498FDB54EFAAD948B9EBBF1AF49304F248459D059AB360DB349984CF66

Function 06DD3898 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DD3916
GetCurrentThread.KERNEL32 ref: 06DD3953
GetCurrentProcess.KERNEL32 ref: 06DD3990
GetCurrentThreadId.KERNEL32 ref: 06DD39E9

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a5b5f633beabf2fa862fb5c2375d1619a2a30363ec6dbccd419537e3020d489c
Instruction ID: 5aeb40651a80159ae640ccaf5021941fb0fe3f9b2aeb2b98b78bb9f2aaac71f6
Opcode Fuzzy Hash: a5b5f633beabf2fa862fb5c2375d1619a2a30363ec6dbccd419537e3020d489c
Instruction Fuzzy Hash: F45168B0D003098FDB54EFAAD548B9EBBF1EB48314F248459D059A7360DB34A984CF66

Function 06E49140 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E491C2
$^q, xrefs: 06E49193
$^q, xrefs: 06E491CE
$^q, xrefs: 06E49187

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 704740ccf302f01acaf901128fdcf0d69ffa101c042af661aba8193be6da60c1
Instruction ID: 855aaeb219943fbd2f0659ba8c458130af757120308940d3f493f9d792a40f3b
Opcode Fuzzy Hash: 704740ccf302f01acaf901128fdcf0d69ffa101c042af661aba8193be6da60c1
Instruction Fuzzy Hash: E8914030F0021A9FDB54DB79E9547AFB3F6EBC8204F108569C809EB345EB749C868B91

Function 06E4D328 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E4D727
$^q, xrefs: 06E4D733
$^q, xrefs: 06E4D71F

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 14324c7bf5761aaa49e31ef432f73386a749a443480fbca913035754d3553ee0
Instruction ID: a50eaa69a1de7836dbdba5b60e36c0fa1f761b52aa4c7f93da1f8403aa3355af
Opcode Fuzzy Hash: 14324c7bf5761aaa49e31ef432f73386a749a443480fbca913035754d3553ee0
Instruction Fuzzy Hash: FF622134B002058FCB55EB78E984A5EB7B2FF84344F209A69D0099F359DB75ED86CB81

Function 06E44B90 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06E44CBD
fcq, xrefs: 06E4529D
\Ocq, xrefs: 06E44D47

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 323ee261e6bbac31008a75ea1a10e8978547ca07a069e91200da234e57951077
Instruction ID: f0c17badbbd50d5416974ae8acc37e7e05f46158d8f7be9653afb1adf4b33e6f
Opcode Fuzzy Hash: 323ee261e6bbac31008a75ea1a10e8978547ca07a069e91200da234e57951077
Instruction Fuzzy Hash: E1616170F002099FEB54AFB9D4587AEBAF7FB88700F20842AE509AB395DE754C418F55

Function 06E49130 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E491C2
$^q, xrefs: 06E49187

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 58374e3bf17edd1da580150e202d943a9b64ce347fd871e8782b0d33e66804a1
Instruction ID: 5185bf03a190e09631b248027c74c80e8c0b917483a2fb33038dcf3ba9ba69ee
Opcode Fuzzy Hash: 58374e3bf17edd1da580150e202d943a9b64ce347fd871e8782b0d33e66804a1
Instruction Fuzzy Hash: 09516234F002059FDB54DB79E854BAFB3FAEBC8604F108869C809EB385DA74DC428B91

Function 06DDBE30 Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06DDC096

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 56bbe8e9227addda5e4068832ff42b9d7629f055ea16ade4d964b9631144dc6a
Instruction ID: 0a3d558cc0f55b5ff709c83f41615e4f2a2e7019a4959ca1163969a98a43a27e
Opcode Fuzzy Hash: 56bbe8e9227addda5e4068832ff42b9d7629f055ea16ade4d964b9631144dc6a
Instruction Fuzzy Hash: 828148B0A00B058FD764EF79D4447AABBF5FF88244F00892AD09AD7A50D775E945CB90

Function 0182F573 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbf714af23211754b083bc2227ee0036e7f064119041bf806c516818d1161c4
Instruction ID: d0a437d854853f5bc6a1663bf77ea67e9b942c0d826b0155c36c44c8661a56fc
Opcode Fuzzy Hash: 4cbf714af23211754b083bc2227ee0036e7f064119041bf806c516818d1161c4
Instruction Fuzzy Hash: E5415571D043A99FC715DF79C80029ABFF0EF8A310F1485AAE588E7291DB349985CBE1

Function 06DDE004 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DDE122

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6ae9a1fcfe563a2f8f79bc7a8b3692dfc78661b778218ca1064415e85ad71922
Instruction ID: ff8451a23c0a1929a69b387cf9f64501ee9245c438862d8dfb2d3b1292450b16
Opcode Fuzzy Hash: 6ae9a1fcfe563a2f8f79bc7a8b3692dfc78661b778218ca1064415e85ad71922
Instruction Fuzzy Hash: B651C2B1D00319DFDB14DFAAC984ADEBBB5FF48310F24812AE819AB210D7759985CF91

Function 06DDE010 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DDE122

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a529a72e8c035323116c8db2eb44dd112bbf3cbaaa52310f0b49a2d4bebb7c32
Instruction ID: e0c7e3495dbd4ac3baf2189b6f86713da3d3250fc26df06f8582c9fef3483d9b
Opcode Fuzzy Hash: a529a72e8c035323116c8db2eb44dd112bbf3cbaaa52310f0b49a2d4bebb7c32
Instruction Fuzzy Hash: E141B0B1D00319DFDB14DFAAC984ADEBBB5FF48310F24852AE818AB210D7759985CF91

Function 06DD3AD8 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DD3B67

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61bebfe642227ad163d84ba27930bb42e2f314a96cbc1baf3ed0d86400884380
Instruction ID: 5454a23567e83a4d02144f23b857b6c9c9785e7b46d1f6de3c83cf0bc5c944f0
Opcode Fuzzy Hash: 61bebfe642227ad163d84ba27930bb42e2f314a96cbc1baf3ed0d86400884380
Instruction Fuzzy Hash: B521D4B5900218DFDB10CFAAD984ADEFBF4FB48310F24842AE958A7350D375A954CFA5

Function 01828668 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01828700

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 2894f4739d7ef053df0e82ab18a3fd921f68833f6e1981b35317751095f9d651
Instruction ID: a60fbee77cf0613fb35cfe4b8f898e7e1dcb5ef566e2faf13a9962ef5aea68ab
Opcode Fuzzy Hash: 2894f4739d7ef053df0e82ab18a3fd921f68833f6e1981b35317751095f9d651
Instruction Fuzzy Hash: B72116B6C012199FCB10CF99D984ADEFFF5FB88310F24845AE918AB215C7759A44CFA4

Function 01827838 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01828700

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: d1ebd1874d5b3c421ebcd328b70d661cef13eeca60d7c16570b293ed045d49ee
Instruction ID: 2fbad684952bcca347f791ca6a913b634b24702736237ba06b25c3fd0536b891
Opcode Fuzzy Hash: d1ebd1874d5b3c421ebcd328b70d661cef13eeca60d7c16570b293ed045d49ee
Instruction Fuzzy Hash: AD2127B6C012199FCB10CF99D984ADEFBF1FB88310F10805AE918BB205C3759A40CFA4

Function 06DD3AE0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DD3B67

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e364190519a6e027d108a8a4a9349be36545b485772fef639379bc4ffcda4f93
Instruction ID: 030daf0971aa9a7382e61ce66107c2e189587b067811bffbc4561ee2fe4e04a3
Opcode Fuzzy Hash: e364190519a6e027d108a8a4a9349be36545b485772fef639379bc4ffcda4f93
Instruction Fuzzy Hash: 1321E4B59002189FDB10CFAAD984ADEBBF4EB48310F14801AE918A7350C375A944CFA5

Function 01828098 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01828110

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ae2f90fb33cc5c959dafdd90700069562394b681c552510357e6bb7d8be13ea3
Instruction ID: 81b65c4701381d1f1183ab69a99fee229dca388c5c00a4638ca7e69931c0eea1
Opcode Fuzzy Hash: ae2f90fb33cc5c959dafdd90700069562394b681c552510357e6bb7d8be13ea3
Instruction Fuzzy Hash: 9A2149B1C006699BCB14CFAAC9457DEFBF4EF08320F148169D858A7240D738AA40CFA5

Function 018280A0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01828110

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0d240d2e6ba17c678d7b14d9a02b87549e1c0d6dc46bf56efc304e8e937dea82
Instruction ID: c66c0260220860f2ea0c474423545333fa53cbb2151100bd68f65bda90c301f5
Opcode Fuzzy Hash: 0d240d2e6ba17c678d7b14d9a02b87549e1c0d6dc46bf56efc304e8e937dea82
Instruction Fuzzy Hash: 1D1106B1C0066A9BCB14CF9AC54579EFBF4FB48320F14812AD958A7250D778AA44CFA5

Function 06DDB228 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06DDC111,00000800,00000000,00000000), ref: 06DDC302

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d021cc1d4911ce0c50993c8895c7f4b47a0c0202b3cd83caf9739bd08f548f3
Instruction ID: 8a65fb8333a99b67df77b0c34ca0279edbdb387fb801cdd1d97b30e62bed1e7b
Opcode Fuzzy Hash: 2d021cc1d4911ce0c50993c8895c7f4b47a0c0202b3cd83caf9739bd08f548f3
Instruction Fuzzy Hash: E61123B6D003498FDB20DF9AC944ADEFBF8EB48310F10842AE819A7210C375A545CFA5

Function 06DDC291 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06DDC111,00000800,00000000,00000000), ref: 06DDC302

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4b1dab600ceb47ae3d87775fb65f1a54d91ec8da921019fc7cbdfd3276ac3ffd
Instruction ID: 8a33e51718e8a1b3c774b584a7573f6db998c70b8e605c7a9b8b0c5c1369ce2f
Opcode Fuzzy Hash: 4b1dab600ceb47ae3d87775fb65f1a54d91ec8da921019fc7cbdfd3276ac3ffd
Instruction Fuzzy Hash: C21126B6C003098FCB20DF9AC544ADEFBF9EB88310F10842AE419A7210C375A545CFA5

Function 0182F658 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0182F6BF

Memory Dump Source

Source File: 00000005.00000002.2978322098.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1820000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 37bea1ae83c4d7cb2f2fad7475ede3c6d5ece29ee7ae618b2b40800244e3c745
Instruction ID: 0d980f95ed5fddf4428126cf9dad596a6f4ff1d992c81ed038817c1be7cabd59
Opcode Fuzzy Hash: 37bea1ae83c4d7cb2f2fad7475ede3c6d5ece29ee7ae618b2b40800244e3c745
Instruction Fuzzy Hash: 301126B1C002699BCB10CFAAC5447DEFBF4EF48320F10812AD918A7250D378A944CFA5

Function 06DDC030 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06DDC096

Memory Dump Source

Source File: 00000005.00000002.3031912350.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6dd0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6618bb4e89badab2ab0a1d200903f5631a086746497584ff6963113b91b97e2f
Instruction ID: 80821b1893f4f5ca15b7d57fa746021aa9389776d959e12e37007985cef0e548
Opcode Fuzzy Hash: 6618bb4e89badab2ab0a1d200903f5631a086746497584ff6963113b91b97e2f
Instruction Fuzzy Hash: DF11E3B5D002498FCB10DF9AC544BDEFBF8EB49314F14851AD459B7210C375A545CFA5

Function 06E44B83 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06E44CBD

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: ec910884c4a4f757820f574c4b3c62e7c4e7cc006f928ebfab7f3da1665726e6
Instruction ID: 3171fbb8174bea09cba0da074472f5bfc05389b4d1bb27cfcc8d70e1c9c1963d
Opcode Fuzzy Hash: ec910884c4a4f757820f574c4b3c62e7c4e7cc006f928ebfab7f3da1665726e6
Instruction Fuzzy Hash: 9A415270F002099FDB559FB9C858B9EBBF7FF88700F208529D145AB395DA744C418B91

Function 06E4DE9D Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E4DFF9

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5aeea3220cf26b3522841b96805979acb1727450fd68d4e1138bd874a07cbf15
Instruction ID: bb8698cfd8a1da91d2d289f9b602185dff876dab8e69b2d12b7badde1e893319
Opcode Fuzzy Hash: 5aeea3220cf26b3522841b96805979acb1727450fd68d4e1138bd874a07cbf15
Instruction Fuzzy Hash: 99419D30E007099FDB61AF75D89469EBBB2FF85304F20842AE405EB344EB75E846CB91

Function 06E425F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E42733

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 70860d177a85ddbc4879be08f680dca29c8b44a05843b9963ec4716c3d7e7e54
Instruction ID: 34fe329b2a06c68bdc8e0f0f140c6fe754105fad15287a6dd7f9ab5d94c7d1a1
Opcode Fuzzy Hash: 70860d177a85ddbc4879be08f680dca29c8b44a05843b9963ec4716c3d7e7e54
Instruction Fuzzy Hash: 82310430B003018FDB55AB35E55866FBAE3AFC8214F208468E40ADB394EE35DD46CBA1

Function 06E482B8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E48303

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: ff2352dad77c015648a9b3fd2dbe5d7a6f8363dc15efc825f4307c4030e86d6c
Instruction ID: 6aea4a7e28852886863f0962f5091afbdd7aaf7aeefac016956b8504fbbe8639
Opcode Fuzzy Hash: ff2352dad77c015648a9b3fd2dbe5d7a6f8363dc15efc825f4307c4030e86d6c
Instruction Fuzzy Hash: F0F0FF35F00305CFDF68AA6AFA883AAB7A5EB80218F141466D904CB245C731ED01C791

Function 06E42770 Relevance: 1.0, Instructions: 1019COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125ca39ce04669e9ad3738944b5d656cac59c89588cfef0bf03e0b0d4effbf80
Instruction ID: 11cb64bda02631b2590b9c7ee9ddee889d8cda1881d0c1b693ed92baa1f860fd
Opcode Fuzzy Hash: 125ca39ce04669e9ad3738944b5d656cac59c89588cfef0bf03e0b0d4effbf80
Instruction Fuzzy Hash: D1925634E003048FDB64EB69D588B9DB7F2FB44318F5494A9E549AB361DB35ED82CB80

Function 06E4B638 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be54706d2c9ed8e3873e84ba10b6a42d1ccdf661959225833f72546adc6c6816
Instruction ID: 97ccf541e2c96331f849e9f1e936868d4d38e33ce9745aee7e8b8d2b95ce97c0
Opcode Fuzzy Hash: be54706d2c9ed8e3873e84ba10b6a42d1ccdf661959225833f72546adc6c6816
Instruction Fuzzy Hash: 64A17930E102098FDFA0EB79E4847ADB7B1EB49318F249966E449DB391D735DC82CB51

Function 06E461E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881f6d46788c06cec6b30eca8d4143f2949daa75e1dbf148ca7a5ae49d000da6
Instruction ID: 8956cc385a61b530a2eb6d5e037c92c032f31eba84ddcbb7c71083bc7396464a
Opcode Fuzzy Hash: 881f6d46788c06cec6b30eca8d4143f2949daa75e1dbf148ca7a5ae49d000da6
Instruction Fuzzy Hash: A661EF71F001214FCB50AA7ED88866FEAD7AFC5614B25443AD80EDB360EE65DD0287C6

Function 06E442C0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b273cba9029996cef3967239d67125066c8f8e089fdd8df4121420ccaeff1d
Instruction ID: 7c99b47ba6ba15098c75e52124c8f050e0fb51fc4199f12497634a9f76443746
Opcode Fuzzy Hash: c5b273cba9029996cef3967239d67125066c8f8e089fdd8df4121420ccaeff1d
Instruction Fuzzy Hash: 7F814F30B002099FDF54EFB9E49476EB7F6EB89704F209525D50ADB384EA74DC828B91

Function 06E445E0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc6b27eeb7c1651c1bbe16c845b2de98c5eed26bcf3ae4c491855c4b6411a7a
Instruction ID: 772cac7fe916d7de6a09f35d89135b8c358d9f04c5003bd96895f571f192e15d
Opcode Fuzzy Hash: cdc6b27eeb7c1651c1bbe16c845b2de98c5eed26bcf3ae4c491855c4b6411a7a
Instruction Fuzzy Hash: EC915C30E103198FDF60DF68C890B9DB7B1FF89304F208599D549AB295EB70AA85CF91

Function 06E445F8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23946c23f12458765e461b264ca64cd7cf104fd99421ced468e6623f1c04570d
Instruction ID: 8fc130dc63783eecbbd379a788970bc326cb5c02744d9ef464d08d3d6acc2e90
Opcode Fuzzy Hash: 23946c23f12458765e461b264ca64cd7cf104fd99421ced468e6623f1c04570d
Instruction Fuzzy Hash: ED913D30E106198BDF60DF68C880B9DB7B1FF89304F208599D549AB295EB70AA85CF91

Function 06E4EEE7 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04571679f6c63173b4e9b1b66ac7e5306e4a2e7a20c5066179a4d1eef9088702
Instruction ID: fcf610abeea719904f0397086fa19cffc7652736a9656f0b503e696022db4260
Opcode Fuzzy Hash: 04571679f6c63173b4e9b1b66ac7e5306e4a2e7a20c5066179a4d1eef9088702
Instruction Fuzzy Hash: BA712870A012099FCB54EFA9E984A9DBBF6FF88304F249429D419EB355DB30EC46CB51

Function 06E4EEF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9224adf971a7c452ec0641f2ae946f5ac8eaf80ab3348e475f25d4581f69751a
Instruction ID: 60a936b34be8ac3138d33155661eeb67821cbc1c18722e35e7001659495b4770
Opcode Fuzzy Hash: 9224adf971a7c452ec0641f2ae946f5ac8eaf80ab3348e475f25d4581f69751a
Instruction Fuzzy Hash: 08711A70A002099FCB54EFA9E984A9DBBF6FF88304F249429D419EB355DB30EC46CB51

Function 06E4FC57 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd7151bd168582188d27aceb3ab9e6960769f1a1de4a1142279fc66de1a6040
Instruction ID: b0e8e014935bbe5b3ca02befca8f9f5457c5047f4bd5bf51384bbe3f20d6f079
Opcode Fuzzy Hash: 5dd7151bd168582188d27aceb3ab9e6960769f1a1de4a1142279fc66de1a6040
Instruction Fuzzy Hash: 4451D131E00205DFDB64EF78F4842ADBBB2EBC8719F108879E14ADB251DB358845CB91

Function 06E4FA0B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928c4eaa798ca82b09763af1830a53f00a6afeb2f23853ca5163f9f741bde2ee
Instruction ID: 722c5d9f0d08a76e0f6730fdb1664d2b568aa8d0624be186668baf6b2a1b3d17
Opcode Fuzzy Hash: 928c4eaa798ca82b09763af1830a53f00a6afeb2f23853ca5163f9f741bde2ee
Instruction Fuzzy Hash: 3A512C70B103148FEFA46A7CF85472F265BDBC9744F20482AE40AD73D4C92DCC8547A2

Function 06E4FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8056ee11385e0ec96e8573718146ff13454036b13d9a225aa8040907bd91159c
Instruction ID: a76f7c49bbdeb89b17131d43e38a6ed2c7eff66c6e29db808e090a26e3f972cb
Opcode Fuzzy Hash: 8056ee11385e0ec96e8573718146ff13454036b13d9a225aa8040907bd91159c
Instruction Fuzzy Hash: 5F511874B103149FEFA46ABCF85472F265BD7C9744F20482AE50AD73D8C929CC8547A2

Function 06E45439 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0817f598b7495938b9d2cb1adcae60bb8f3dc1aeb8a548ac09d6512059847e0
Instruction ID: 2be2f50967bcae2a9f77b5c1309e8e8df0aaa531f32a020ad2c5e2609b3c7b57
Opcode Fuzzy Hash: d0817f598b7495938b9d2cb1adcae60bb8f3dc1aeb8a548ac09d6512059847e0
Instruction Fuzzy Hash: 79417C71E007098FCB70DEA9E880ABFFBB2EB85314F10492AD156DB654D334E955CB91

Function 06E42418 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4545ff72ec9ad896cc48c8c5ca74da1ae1468a82fdd6fcb001863b4571b9e478
Instruction ID: f1e16c939634a2220aab329fbd8b508961c6cc4d0fe898898585e878d8aed6b8
Opcode Fuzzy Hash: 4545ff72ec9ad896cc48c8c5ca74da1ae1468a82fdd6fcb001863b4571b9e478
Instruction Fuzzy Hash: A9410330E042558FDB15DF79E4A469ABBF2EF8A300F008529F546DB355DB34D986CB81

Function 06E455B8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223c5edf4fd7b924f3e7252093f5c8278ec938a60150205333c8617cecd03903
Instruction ID: 98006545b74443799cf33fdee12cd8fc88788b54d79f19dc60c84b37c352b6d9
Opcode Fuzzy Hash: 223c5edf4fd7b924f3e7252093f5c8278ec938a60150205333c8617cecd03903
Instruction Fuzzy Hash: 20319470E203058BEF70AE79E48077EFBB2EB85318F25986AD455D7281C635D941CB91

Function 06E4DD50 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2700c53eda845593f361d548c0666523339aa758aa47258571ab517605d608ab
Instruction ID: 58dc1a64c440c1edfbdef126b4f6054d284e3f073c7bbb5cc456a20cdcf833e4
Opcode Fuzzy Hash: 2700c53eda845593f361d548c0666523339aa758aa47258571ab517605d608ab
Instruction Fuzzy Hash: 17318F30E1031A9FCB65DF69D98469EFBB6FF85304F108929E405AB314EB71E8468B91

Function 06E45FE0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f282cda29ceab76c7b2744e1f0529b21d453c054244d5392ba390881b04867e1
Instruction ID: 71b3462b6fe3cc0eee9ff41d50119a6fc5aaf04a854bde9e3289ec4e701d0c91
Opcode Fuzzy Hash: f282cda29ceab76c7b2744e1f0529b21d453c054244d5392ba390881b04867e1
Instruction Fuzzy Hash: D631CE357101148FCB54EF7CD488A5ABBE6FF89720F2080A9E50ACF3A5CA71DC048B90

Function 06E424B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff44b7fd5a3de4272999827a6214a6966efdd2f7586788c5f2702ca0be2bf942
Instruction ID: 19cabd5e29e9ee9bd7842e433ebc4c7b9c6931ca5f0037c7481f77802dc303f2
Opcode Fuzzy Hash: ff44b7fd5a3de4272999827a6214a6966efdd2f7586788c5f2702ca0be2bf942
Instruction Fuzzy Hash: 20316B30E102059FCB59DBA5E49469EB7F2EF89300F10D519E906E7344DB70E942CB51

Function 06E43EC9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9571727e725b0f5d2e9d59955231a34df6521e3134b5a6b6422c9e1075457ffd
Instruction ID: ef5e36f471bc51d0be2b263a0b510bd3c92c071d41d10a172821048795ca76d5
Opcode Fuzzy Hash: 9571727e725b0f5d2e9d59955231a34df6521e3134b5a6b6422c9e1075457ffd
Instruction Fuzzy Hash: FF216875F012159FDB40EF7AE881AEEBBF2EB48210F108429E904E7390E734DD918B91

Function 06E43ED8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cec0abec59f871d5efe365090b5a976cf2e8afa10adc322243f9817d7a0624
Instruction ID: b52b636e86ff344c866844b754b4eb6f58b5176d65e72d7b1168eda227284a62
Opcode Fuzzy Hash: d4cec0abec59f871d5efe365090b5a976cf2e8afa10adc322243f9817d7a0624
Instruction Fuzzy Hash: 42216975F012159FDB50EF7AE880AEEBBF2EB48610F108429E905E7390E735DD918B91

Function 0174D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2977510859.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac3bf47884d9226e10e028608c8a4f47db73b3e28391022007c74e4884b5d25
Instruction ID: 8702db67f0b5e146de985787ac4cd9885f003ad0300793195217136e4349d696
Opcode Fuzzy Hash: aac3bf47884d9226e10e028608c8a4f47db73b3e28391022007c74e4884b5d25
Instruction Fuzzy Hash: 7B214671604204DFCB21DF98D9C0B26FFA5FB94314F20C5ADE9894B266C33AD447CA62

Function 06E4A2F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6942e023db3e07c35ef333a21429ba77bba0292067e7a02c96f2b1fd46aef9a
Instruction ID: ffb99fbe01c561f271681d2e33ef25b684bd5efff44d77cfdcb6aef3f9bd8e4b
Opcode Fuzzy Hash: a6942e023db3e07c35ef333a21429ba77bba0292067e7a02c96f2b1fd46aef9a
Instruction Fuzzy Hash: 81110835F442101FC761A67DF85476EB7D9EB86628F104835F10ECB345EA26DD0183D5

Function 06E44221 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c4ef8951cdf1e669276f310d6d5e008c3dd5fd9813032e7652de075c50f5b1
Instruction ID: 930e3c33ed7b4d6ce61f30da33f65ab1bed57102b1be338eb425279475e0ec66
Opcode Fuzzy Hash: 66c4ef8951cdf1e669276f310d6d5e008c3dd5fd9813032e7652de075c50f5b1
Instruction Fuzzy Hash: 1001F134B002115FCBA0A6BEA85072BA7DBDBCA718F14843AF50AD7785DD65DC0343A9

Function 06E43FE8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787b063848b8964bc0cbe80404640eb17340dbb1dd794332c160a206850f40dd
Instruction ID: 0cb6e903f912a0ed0fc197e892fb596d463d0e7e3caa455af996b45c4d4a99df
Opcode Fuzzy Hash: 787b063848b8964bc0cbe80404640eb17340dbb1dd794332c160a206850f40dd
Instruction Fuzzy Hash: A011A131B001259FDF54A679E8146EF73EBEBC8215F00443AD50AE7380EE65DC128BD2

Function 06E43CA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30adc4916f3f876a6856ab45d4127eae20c93db2f46ccf66db51d9a9b9ac0095
Instruction ID: 0768def5d45042bdd3f5e39e2ae5b8fd2269408cc7926aebc0dd541b7403005c
Opcode Fuzzy Hash: 30adc4916f3f876a6856ab45d4127eae20c93db2f46ccf66db51d9a9b9ac0095
Instruction Fuzzy Hash: 8321E3B5D012599FCB10DF9AD984BDEFFB4BB48314F10812AE518A7300C3756940CFA5

Function 06E4F167 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb0a7cfff553d87379cf8c77564d6d5208732206a11d7ff43d06a4fd7ede54a
Instruction ID: 3ae1e0346ca1fffff9113551b47d58eafc25e5e95a88bd4e67b69970eedc29c7
Opcode Fuzzy Hash: bfb0a7cfff553d87379cf8c77564d6d5208732206a11d7ff43d06a4fd7ede54a
Instruction Fuzzy Hash: B901F735F141105FDB619A7DECA472E67E7EBCAB14F14883AF10AC7342DA24CD068396

Function 06E42154 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4a60293ed44146db48d4391bcbb3965a951cb94322437d32f046127f2958e9
Instruction ID: 57ca131039ebb02e293484ceff2c365fda19c08fd7d12db645b9fe08dbcc0c12
Opcode Fuzzy Hash: 4d4a60293ed44146db48d4391bcbb3965a951cb94322437d32f046127f2958e9
Instruction Fuzzy Hash: E221C2B5D01259AFCB10DFAAD984ADEFBB4FB48314F10812AE918A7240C375A954CFE5

Function 06E43FD7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457c64dd83160ba424460b84bd5757c8ef35f5549614bfd380d425d44851e63a
Instruction ID: 04431d7998be07e1345e32c8cbd2768620d8a3db5aae2b2a91ea8df978e4fad4
Opcode Fuzzy Hash: 457c64dd83160ba424460b84bd5757c8ef35f5549614bfd380d425d44851e63a
Instruction Fuzzy Hash: 1701B536F101159BEF54A579AC147EF72EADBC4605F00443AD90AE7380FE659C5247E2

Function 0174D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2977510859.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 744a6646be8474e184f79a9d6e24a8b927824add0a57ed33448fae460c81d968
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9411BB75504284CFDB22CF58D5C4B15FFA1FB94314F28C6AAD8894B666C33AD44ACB62

Function 06E44230 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024bfd7a17ecaa03f5ba396f28df2d9fc41c10e21f89ec953a99ecf73acfe2af
Instruction ID: 3c270ee5c632dd76d6cd24b604a8dadff7743336013d258d67dfba56ba576912
Opcode Fuzzy Hash: 024bfd7a17ecaa03f5ba396f28df2d9fc41c10e21f89ec953a99ecf73acfe2af
Instruction Fuzzy Hash: 2801D134B001114FDBA0A5BEA45472BE2DBDBC9728F14883AE50ED7384DE61DC020399

Function 06E4F178 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba779eddeb561e249a4bd103c54308cb03d009b16fb9d79f110c99fbc08837b1
Instruction ID: d8566c1f52d05e5561b8ec5bcc83f82239911ac00146506ae6fc9a3b795cccd1
Opcode Fuzzy Hash: ba779eddeb561e249a4bd103c54308cb03d009b16fb9d79f110c99fbc08837b1
Instruction Fuzzy Hash: 7F01A471F101115BDB64A67EE89472EA3DBEBCAA18F14983AE20EC7341DE25DC064395

Function 06E4A300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6057a14bfeb7280855709451a766f9a552310cd2e322fe2af40d35704142a4cd
Instruction ID: 1a985d90eb92e330d1fb0bed6614d0c503d5a1c210c3b665526e053fc4798fb4
Opcode Fuzzy Hash: 6057a14bfeb7280855709451a766f9a552310cd2e322fe2af40d35704142a4cd
Instruction Fuzzy Hash: 3F016D74B102155FD750EA7DF49872EB3D6E789724F149838E60EC7344EE25DC418785

Function 06E4CBC0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710698ff3a07af57951f1fafe51c7ea8199b2a37c7e4911252b859f46457dc0b
Instruction ID: d65ae919b41de16fbd81c368c81f4080c515f6610c99d0cb2a9ebc956ec3137f
Opcode Fuzzy Hash: 710698ff3a07af57951f1fafe51c7ea8199b2a37c7e4911252b859f46457dc0b
Instruction Fuzzy Hash: 1A012871F112289BCB14AA79F844A9EB77AF7C4714F204439E905EB340DB31AC01CBC0

Function 06E46460 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a08265cb100e7231bde7936945a3f303b6ffe1c9b0ecb6dd3ace435acd7dedf
Instruction ID: 0584a063c7efabc74afd028b04215f63e551b01894330cbb4a6558470af5b0f7
Opcode Fuzzy Hash: 4a08265cb100e7231bde7936945a3f303b6ffe1c9b0ecb6dd3ace435acd7dedf
Instruction Fuzzy Hash: 7DE092B0E053485BEF60DE70D95535E7BA9EB42248F3048A5D448CB142E176CA428381

Non-executed Functions

Function 06E47688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E47BE0
$^q, xrefs: 06E47BF6
$^q, xrefs: 06E47B41
$^q, xrefs: 06E47BEA
$^q, xrefs: 06E477B5
$^q, xrefs: 06E47778
$^q, xrefs: 06E47BD4
$^q, xrefs: 06E47784
$^q, xrefs: 06E477A9
$^q, xrefs: 06E47B35

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: cb93f44fae8a4cc31a7d278153ba9e295b46851f1e25ef20e607d2ec35e30cfa
Instruction ID: 5208de4859adb9d576c03892f90e44d69007a77da0c09f112b9629a19ca358ac
Opcode Fuzzy Hash: cb93f44fae8a4cc31a7d278153ba9e295b46851f1e25ef20e607d2ec35e30cfa
Instruction Fuzzy Hash: CB121B30E002198FDB64EF79D994A9EB7B2FF88704F209969D409AB354DB319D85CB81

Function 06E4A928 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E4AAA4
$^q, xrefs: 06E4AADA
$^q, xrefs: 06E4AA79
$^q, xrefs: 06E4AA2A
$^q, xrefs: 06E4AA85
$^q, xrefs: 06E4AA1E
$^q, xrefs: 06E4AAB0
$^q, xrefs: 06E4AAE6

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 9c0b56517da1b9e0551b8c92c515da1cc58ab3ae653f383b4b707b177a8c3458
Instruction ID: af26b98618091b65573779da195e052cc44455ddf8859f5685f94b6ea1f145c2
Opcode Fuzzy Hash: 9c0b56517da1b9e0551b8c92c515da1cc58ab3ae653f383b4b707b177a8c3458
Instruction Fuzzy Hash: 6F915D30E403099FDB68EB7DE6447AEB7B2EF84314F109439E4019B298DB759D85CB91

Function 06E47088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 06E470E3
$^q, xrefs: 06E473D0
$^q, xrefs: 06E47590
$^q, xrefs: 06E47524
$^q, xrefs: 06E473C4
$^q, xrefs: 06E4736A
$^q, xrefs: 06E4759C

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 2466a712bbdce3192299580d6a6a62b509eefaa2d8448da5e5280e195be74b1f
Instruction ID: 5180037866963d927725892894b562a59b420f84729d756a575d2fbc1a322d25
Opcode Fuzzy Hash: 2466a712bbdce3192299580d6a6a62b509eefaa2d8448da5e5280e195be74b1f
Instruction Fuzzy Hash: 6DF14B30B00209CFDB59EF79E588A6EB7B2FB84304F248569D8059B355DB75EC86CB81

Function 06E4BDE8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E4BFE9
$^q, xrefs: 06E4BF8D
$^q, xrefs: 06E4BFB5
$^q, xrefs: 06E4BFC1
$^q, xrefs: 06E4BF81
$^q, xrefs: 06E4BFF5

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: bf2ef5322cc4f5c3aec6670caf292d3e5d9a75391233bfa07abeb9402f583d2c
Instruction ID: 52fe9362000c7d79b50a987b35c0d95bb1d867609f362de6dffbdcad8c7fd979
Opcode Fuzzy Hash: bf2ef5322cc4f5c3aec6670caf292d3e5d9a75391233bfa07abeb9402f583d2c
Instruction Fuzzy Hash: 7671AE30E012098FDB68EF79E9446ADB7A2FF84704B208569D40ADB355EB72DC46CB81

Function 06E483C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E4867F
$^q, xrefs: 06E4861A
$^q, xrefs: 06E4868B
$^q, xrefs: 06E48626

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: bacde14a16ce7adcd566924e28ab4f786ad4c43703550a3cbfbc210ee4571c67
Instruction ID: a595d4a2fb35a1137fd542e3be881c894d15076280bcc028d30d98dc0a80916d
Opcode Fuzzy Hash: bacde14a16ce7adcd566924e28ab4f786ad4c43703550a3cbfbc210ee4571c67
Instruction Fuzzy Hash: 26B14930B102098FDB65EF79E5946AEB7B2EF84304F249829D406DB395DB74DC82CB81

Function 06E487D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E48857
LR^q, xrefs: 06E4891A
$^q, xrefs: 06E48863
LR^q, xrefs: 06E488CB

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: d03a3ae234420580afcf8a98e181cbbda258d3a079197551d3d103b5a3ae1a01
Instruction ID: 4dd05ebe82020328ef940595ea45a060d7208b871f58750bd2f73ee1b7cb09f1
Opcode Fuzzy Hash: d03a3ae234420580afcf8a98e181cbbda258d3a079197551d3d103b5a3ae1a01
Instruction Fuzzy Hash: 9451B230B003058FDB58EB39E984A6BB7E6FF88304F149969E5059B395DA31EC44CB91

Function 06E4ACA8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E4AE5B
$^q, xrefs: 06E4ADD9
$^q, xrefs: 06E4AE84
$^q, xrefs: 06E4AE2C

Memory Dump Source

Source File: 00000005.00000002.3034706846.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: bd6b5cd4dec6d8885de80e4f80dee01b367bb8a787d25f860ed7fcd0b0fbab3a
Instruction ID: b538612fa93d650a21b68ed4c95eb01efd22937e30337380ecd3fa40d71df343
Opcode Fuzzy Hash: bd6b5cd4dec6d8885de80e4f80dee01b367bb8a787d25f860ed7fcd0b0fbab3a
Instruction Fuzzy Hash: B951A130E503058FCB65EA7CE4846AEB3B6EB88325F20553AD815DB348DB35DC81CB91

Analysis Process: UTiPLNuHYu.exePID: 7176, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	284
Total number of Limit Nodes:	19

Executed Functions

Function 052939C4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05293C06

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 112fda5cc43f2f5b06726d8c4f40b5a51285d53f20e0201fdc41fba90ededbb1
Instruction ID: 4f5c5c48c44f7eea5a363b16a72c0277da64faef23cd94a019ec10c5c24d0fdf
Opcode Fuzzy Hash: 112fda5cc43f2f5b06726d8c4f40b5a51285d53f20e0201fdc41fba90ededbb1
Instruction Fuzzy Hash: 05A16971D1061A9FDF24CF68C841BEDBBB2BF48314F1485A9E809A7390DB749985CF92

Function 052939D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05293C06

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 68ea60f65f67665dbfda535a51ea9329cbbd49ee7c1a628c2191ff7c88678db9
Instruction ID: bdae249ba8187419766eee558626e6ffbb632e3a81f56ec6d11534991fc4a057
Opcode Fuzzy Hash: 68ea60f65f67665dbfda535a51ea9329cbbd49ee7c1a628c2191ff7c88678db9
Instruction Fuzzy Hash: A1914871D1061A9FDF24CF68C841BEEBBB2BF48314F1485A9E809A7350DB749985CF92

Function 0321B070 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 712a6fd7dc70ae821ba2a07518ea44e9aca01bc05a3a081497f8132cb148658c
Instruction ID: 43462b69edc9c690ba79c60648ffcafcfa54c13224d324049c29c205d478cb8e
Opcode Fuzzy Hash: 712a6fd7dc70ae821ba2a07518ea44e9aca01bc05a3a081497f8132cb148658c
Instruction Fuzzy Hash: 21716670A10B458FD764DF29D64475ABBF1FF88300F04896ED08ACBA50DB74E899CB90

Function 0321590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 032159C9

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 13a771037d9acbdfdfdd5e2a0090607fdfc7f558945eefef683346dacd419c5a
Instruction ID: 0e8b900c03b5b921cb8942f86dad4d3afbe3fa869c786024a920f0a06710a6e9
Opcode Fuzzy Hash: 13a771037d9acbdfdfdd5e2a0090607fdfc7f558945eefef683346dacd419c5a
Instruction Fuzzy Hash: 114103B0C00729CEDB14CFA9C9847DEBBF5BF89314F2480AAD408AB265DB755985CF90

Function 032144B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 032159C9

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73d226aa1e51912627b3dfad8bd68f360fe27d73d373ead191ca1bc6b9ef7217
Instruction ID: 24680e7cdfb21b3ad88f0e7dc95c890fc9e1641912f0c8e078e61842dbc4b2d2
Opcode Fuzzy Hash: 73d226aa1e51912627b3dfad8bd68f360fe27d73d373ead191ca1bc6b9ef7217
Instruction Fuzzy Hash: 1A41E3B0C00729CBDB24CFA9C98468DBBF5BF59304F2480A9D408AB255DB756985CF90

Function 05293740 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052937D8

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 412d01b6ac106e60e9e939e4b8c1a956ac8a1b9a21154a9f8e9334a2620d4ac5
Instruction ID: da37b6b2a3420859a7c706b4f5d60b9131ff4d2ff2f99e02ba38e97f3e906b12
Opcode Fuzzy Hash: 412d01b6ac106e60e9e939e4b8c1a956ac8a1b9a21154a9f8e9334a2620d4ac5
Instruction Fuzzy Hash: 992135B5910259DFCB10CFA9C884BEEBBF5FF48314F10882AE559A7250C7789944CBA5

Function 05293748 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052937D8

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81b594a8f97b69d01ce3058c1b4352075d2c93cbc5b6f9261ec1eaaffc637788
Instruction ID: ddd32393f64665868b25c39b254b871be42312e7cba2bbb591369f2951e18cbf
Opcode Fuzzy Hash: 81b594a8f97b69d01ce3058c1b4352075d2c93cbc5b6f9261ec1eaaffc637788
Instruction Fuzzy Hash: 3D2127B59003599FCF10CFA9C885BDEBBF5FF48314F108829E959A7250C778A944CBA5

Function 0321CE10 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0321D50E,?,?,?,?,?), ref: 0321D5CF

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f30f3ebce48ccc31f49504e59fa04386b3ac3913e30d2fd8b47453cb21499ada
Instruction ID: 75ba94903e3a9d7f3ddd7c87dd18303f84e1fd43f922fc4f6ff4ecf94055e324
Opcode Fuzzy Hash: f30f3ebce48ccc31f49504e59fa04386b3ac3913e30d2fd8b47453cb21499ada
Instruction Fuzzy Hash: 9721E3B5900258EFDB10CFAAD584AEEFFF4EB58314F14841AE954A7310D378A950CFA5

Function 0321D540 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0321D50E,?,?,?,?,?), ref: 0321D5CF

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 30f46203ff4e044e96b6d1d51fa93eb8bb697c51ca3fcacd5b5c7024210f914e
Instruction ID: 56ab1dd8c27309427d2b3406709804fdc5d3812c70afe8d1d63b929d8f243e62
Opcode Fuzzy Hash: 30f46203ff4e044e96b6d1d51fa93eb8bb697c51ca3fcacd5b5c7024210f914e
Instruction Fuzzy Hash: FC21F2B5900248EFDB10CFA9D584AEEBBF4FB48314F14845AE958A7210D375A950CFA1

Function 05293171 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052931F6

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f4be28e09357c4c2d6c34e7bb8191c8466b221652f8cb22f91844e896a0e073e
Instruction ID: 2b1435eb81e5b7fd7930db69c403f6d8593f34509f7f7a9e2970110192b70c15
Opcode Fuzzy Hash: f4be28e09357c4c2d6c34e7bb8191c8466b221652f8cb22f91844e896a0e073e
Instruction Fuzzy Hash: 6F2125B59002098FDB14DFA9C5857EEBBF4EF48314F10842AD459A7251C7789945CFA4

Function 05293178 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052931F6

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9c9f2a5bffced5c15c587d9c2860a3ff4f11b6b534456bd78418456bc61af7d6
Instruction ID: 060bc500bf81ea4f61d551a3dfd4bc3fd7f839930f2bcb3150d98096155f26b7
Opcode Fuzzy Hash: 9c9f2a5bffced5c15c587d9c2860a3ff4f11b6b534456bd78418456bc61af7d6
Instruction Fuzzy Hash: 792138B1D002098FDB14DFAAC485BEEBBF4FF48324F10842AD459A7250C778A944CFA5

Function 05293838 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052938B8

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4dfc76fdb05a0c6a3e437d5245d130caa5cd4b79f17d3d9aa81c1bd9f88d2740
Instruction ID: 31a9fa2e57f3f118280b7bdc324db994af003d5338534471f090b8d812e1f6c0
Opcode Fuzzy Hash: 4dfc76fdb05a0c6a3e437d5245d130caa5cd4b79f17d3d9aa81c1bd9f88d2740
Instruction Fuzzy Hash: 862139B1D003599FCB10DFAAC880ADEFBF5FF48314F108429E559A7250C778A544CBA5

Function 05293830 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052938B8

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 19f74a17beb06f98a36de7095934a3a51337671302e0397ff20ff25b86866702
Instruction ID: 78dc72f5a7f757b854410487267f91b0ce17d039cd3daaf9f7e07fb98669e474
Opcode Fuzzy Hash: 19f74a17beb06f98a36de7095934a3a51337671302e0397ff20ff25b86866702
Instruction Fuzzy Hash: D12145B1D00259DFDB10DFA9C980BEEBBF1FF48324F10882AE558A7250D7389544CBA0

Function 05293249 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052932BE

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43ee1b8803358f6599c06bd4a359fcbda37b83a918611d0a5a7f900387601762
Instruction ID: f756d2b60f58700d4fb298713dbf4446513737e39e14b634ec13cb2a51167a4e
Opcode Fuzzy Hash: 43ee1b8803358f6599c06bd4a359fcbda37b83a918611d0a5a7f900387601762
Instruction Fuzzy Hash: AC1117719002499FCB14DFA9C844ADEFFF5EF88314F108819E559A7250C7759954CFA0

Function 0321AA88 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0321B341,00000800,00000000,00000000), ref: 0321B552

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 488661fec0e7e3681f2b67b9efbc654d30f7638dff817fe9361fa58fb5b3f117
Instruction ID: 91e1135f5266ab6595184e3ae4a7be828c284c740df64a39e74dbcad9f7dc39f
Opcode Fuzzy Hash: 488661fec0e7e3681f2b67b9efbc654d30f7638dff817fe9361fa58fb5b3f117
Instruction Fuzzy Hash: CF1123B6D003499FDB20CF9AC584ADEFBF4EB58314F14842AE459A7210C379A585CFA5

Function 052930C0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0529312A

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 999b165c6f214082f0b6d12fe0030d1bb071d01a4a165c75049d2710d8de2288
Instruction ID: b580f96ec2d72806945b517bb14c0c3354e0a8aaa4240227d656b4d0077f356c
Opcode Fuzzy Hash: 999b165c6f214082f0b6d12fe0030d1bb071d01a4a165c75049d2710d8de2288
Instruction Fuzzy Hash: 3D1155B5D002488FDB10DFAAC4457EEFBF4EF88324F20881AD559A7250CA79A544CFA4

Function 05293250 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052932BE

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c9f57158335fc7d2a0ee9dbf9b963f1a119d80d6ea5ada5425cd954eaf3cac1
Instruction ID: b3c175b343f632d81723f639bd4eb02f5e6c0ad76050347d253880c927b1da0b
Opcode Fuzzy Hash: 4c9f57158335fc7d2a0ee9dbf9b963f1a119d80d6ea5ada5425cd954eaf3cac1
Instruction Fuzzy Hash: 431126719002499FCB10DFAAC844ADFFBF5EF88324F108819E559A7250C775A944CFA5

Function 0321AA24 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0321B08C), ref: 0321B2C6

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: af4b6cc5b097ad7b7973377ac9a63c177f646db43da54cf579b735f805079e6b
Instruction ID: 9aee1042729810fe5e733f33b86c763a5edc345f46f31fcf3779e053885e174a
Opcode Fuzzy Hash: af4b6cc5b097ad7b7973377ac9a63c177f646db43da54cf579b735f805079e6b
Instruction Fuzzy Hash: 261120B5D002498FCB10CF9AC944A9EFBF4AB88324F10842AD858A7610C379A584CFA1

Function 0321B4E1 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0321B341,00000800,00000000,00000000), ref: 0321B552

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1b1921b598733b60ee95409f83b4f2aba97628fe7f27b9aa4bdf76c138e25b7d
Instruction ID: e0efccadfe28a6c71c7483fbb1ffadc42a3e6f04f8a5ddf72f183765f864ce5c
Opcode Fuzzy Hash: 1b1921b598733b60ee95409f83b4f2aba97628fe7f27b9aa4bdf76c138e25b7d
Instruction Fuzzy Hash: B51162B6D003499FDB20CFAAC584BDEFBF4AB58314F14842ED459A7210C378A584CFA4

Function 052930C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0529312A

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d7f873ccd88208c953611ab50608bfa13869eb4c0cbb14fe017acadfd3a65fc
Instruction ID: 46dd5378473e7766dd73947164127f0a0bfef4ef1f95fd7e0ee940d4e734ed01
Opcode Fuzzy Hash: 5d7f873ccd88208c953611ab50608bfa13869eb4c0cbb14fe017acadfd3a65fc
Instruction Fuzzy Hash: D1113AB1D002498FCB14DFAAC4457DEFBF4EF88324F208419D559A7250C775A544CF95

Function 05296D7C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05297545

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 096e7ccc67bb490a443e9efa6051c53723d1beb350df4cae1b30e6cce367e495
Instruction ID: 10f85fc9ee256e00a071fff5d501039983186a965e6e750bd1f45eb36fb2a19f
Opcode Fuzzy Hash: 096e7ccc67bb490a443e9efa6051c53723d1beb350df4cae1b30e6cce367e495
Instruction Fuzzy Hash: 821122B5810348DFCB10DF8AC488BDEBBF8EB48324F10841AE958A7310C375AA44CFA5

Function 052974E2 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 05297545

Memory Dump Source

Source File: 00000006.00000002.1852494582.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5290000_UTiPLNuHYu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 588f0880511a323722ca8fb12fcdca8081160c6fd9d4ed7460d0a2ff29bda545
Instruction ID: 161d98463f2ec4647cafeb2cb060c5c12fa64fa4d0e54dff5d3d3379641f9a89
Opcode Fuzzy Hash: 588f0880511a323722ca8fb12fcdca8081160c6fd9d4ed7460d0a2ff29bda545
Instruction Fuzzy Hash: 9411F2B5900249DFDB10CF99C488BDEBFF4EB48324F14845AE558A7610C375A984CFA5

Function 0321B259 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0321B08C), ref: 0321B2C6

Memory Dump Source

Source File: 00000006.00000002.1849824421.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3210000_UTiPLNuHYu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a56b35d26b4be17517077d388f0e9d766b06af7794dc98979456c35d318da974
Instruction ID: db1216432ad56bcd73f40b70bd21e5a7270cc21552b9c76d0fbf82c136631c6e
Opcode Fuzzy Hash: a56b35d26b4be17517077d388f0e9d766b06af7794dc98979456c35d318da974
Instruction Fuzzy Hash: BC1110B6C006498FDB10CF9AC544BDEFBF4AF48314F14846AC468B7650C379A589CFA5

Function 014ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848370236.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14ed000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e743370341f798c2e28456c482a18c664f3fd5b04006da57590c2f25670b22
Instruction ID: 2029fe912ac2e1de8db6d3a7b7f07dba1d032319e61dc95dda833ff82aeb7792
Opcode Fuzzy Hash: d4e743370341f798c2e28456c482a18c664f3fd5b04006da57590c2f25670b22
Instruction Fuzzy Hash: F7210371900240DFDB05DF58D9C8B2BBFA5FB88319F20C56AE9090B266C336D456CBA1

Function 014FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848481350.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14fd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff308cbdfc9191221db338b738b2ed84d26cd90259f5579116008697da2857f4
Instruction ID: 048dc5551fa51f23c7a431d405fbc56e231a3901ff1d8f16bbdcca57ca1b2736
Opcode Fuzzy Hash: ff308cbdfc9191221db338b738b2ed84d26cd90259f5579116008697da2857f4
Instruction Fuzzy Hash: 8921F5B1904200DFDB15DF58D984B17BFA5EB84358F20C56EDA0A4B366C336D447CA61

Function 014FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848481350.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14fd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2f1cf028154d393c2f56da69e7bf3fba4e1ae0431dac529b61d4cbff4dfa4f
Instruction ID: aabd035040b5689dbd703250c4652617fc999e2d5df3b75266b5df78d6c8cda3
Opcode Fuzzy Hash: 9f2f1cf028154d393c2f56da69e7bf3fba4e1ae0431dac529b61d4cbff4dfa4f
Instruction Fuzzy Hash: 2B212975904200DFDB05DF98D9C4B26BBA5FB84324F20C56EDA094B366C736D446CAA1

Function 014FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848481350.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14fd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8bd3b0d2394cfa64017e3803c99c4c9add240b556974c7d652ef57024ecbb1
Instruction ID: 6ba835cfd4a3a7ca9a8d1bbe26e20bbb12954a38d4321c756325b4ff5e288612
Opcode Fuzzy Hash: 2c8bd3b0d2394cfa64017e3803c99c4c9add240b556974c7d652ef57024ecbb1
Instruction Fuzzy Hash: ED216D755093808FDB06CF24D594716BF71EB46218F28C5EAD9498B7A7C33A980ACB62

Function 014ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848370236.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14ed000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e32c9c1460cf27672635a417a8813b7fc590bacd5b40cc3d6ea7c4b6b6b49ad6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4611B176904280CFDB16CF54D9C4B16BFB1FB84318F24C6AAD9490B666C336D45ACBA1

Function 014FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1848481350.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_14fd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 7d3111f35e6f451ebaa1be94c88e30e844386953409ea3e3ffeeaf3573bb19cb
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4911BE79904240DFDB02CF54C5C4B16BF61FB84224F24C6AED9494B366C33AD40ACB92

Analysis Process: UTiPLNuHYu.exePID: 7476, Parent PID: 7176COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	136
Total number of Limit Nodes:	9

Executed Functions

Function 06BD2380 Relevance: 9.0, Strings: 6, Instructions: 1480COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD37BC
$^q, xrefs: 06BD37B0
$^q, xrefs: 06BD37E0
$^q, xrefs: 06BD37D4
$^q, xrefs: 06BD3793
$^q, xrefs: 06BD3787

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 6d36be08c202d32dcb6dc44f290ac3cf5f8d39478e6ec55f4cbd5d1d6d8cbd7d
Instruction ID: a8533effde6447555d3e74f662d36006e258ddcc5831ca08c08e915541675d90
Opcode Fuzzy Hash: 6d36be08c202d32dcb6dc44f290ac3cf5f8d39478e6ec55f4cbd5d1d6d8cbd7d
Instruction Fuzzy Hash: F6D25574E00209CFCB64DB68C594A9DB7F2FF89300F54D5AAD409AB265EB34ED85CB81

Function 06BD7968 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD7F03
$^q, xrefs: 06BD7F0F

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 61b5e9ff9133be4fd1aeddfe767be8312da0df95e9c6b6444e933a99fb72138f
Instruction ID: 68c98d044d989e2cd01467ac93f8730bff2fab0f3510d2f66e2e609f772432f6
Opcode Fuzzy Hash: 61b5e9ff9133be4fd1aeddfe767be8312da0df95e9c6b6444e933a99fb72138f
Instruction Fuzzy Hash: AF027B71B102069FDB54DF64D590AAEB7E2FB84304F2489B9D405AB395EF35EC82CB81

Function 06BD58E8 Relevance: 2.9, Strings: 2, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06BD5A4D
XPcq, xrefs: 06BD5A1D

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: ea781d29c5cdc5a4bc4e728f8559781a57fa5938e184441b01b028b131134a3f
Instruction ID: 460efcb4ae33acd872d3852c64a26c251543463e556615865926d404cce98591
Opcode Fuzzy Hash: ea781d29c5cdc5a4bc4e728f8559781a57fa5938e184441b01b028b131134a3f
Instruction Fuzzy Hash: 48D1F6B2B101148FDF64DB68D480AAEBBE2FF89710F2584AAE446DF391DA35DC41C791

Function 06BD61E0 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe69339f5e7882becc17105c63f00fc58785e131024beec59b4b0b1e9306f498
Instruction ID: f28717bb1df6fc13eb0b7d8a3d40ab9a9171aa4d6f889733f1a7f71a4a1ac58e
Opcode Fuzzy Hash: fe69339f5e7882becc17105c63f00fc58785e131024beec59b4b0b1e9306f498
Instruction Fuzzy Hash: 2162A074B002059FDB54DB68D594AADB7F2EF84314F1484A9E406EB391FB35EC86CB81

Function 06BDC168 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeb5c2efba835239cc34ac767ff6a757cd5357b52c1e5fe1bc8a372d78e19c3
Instruction ID: b59f5aa71997a57fcd1f7fbf5ce5ccffa4467a85a7ba14ba86efc36a1a4bb5cd
Opcode Fuzzy Hash: cfeb5c2efba835239cc34ac767ff6a757cd5357b52c1e5fe1bc8a372d78e19c3
Instruction Fuzzy Hash: CE32C174B102099FDB54DF68D890BAEBBB6FB88314F108565E405EB355EB34EC82CB91

Function 06BD51C8 Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e0638d8af4d9f81faf63b5ecaf442384f150d6647f0a608aff0531b54dcca6
Instruction ID: 54377fec9ebefff1c70364ba4917d987f98ec488475c932be7b0486ceba0c676
Opcode Fuzzy Hash: 54e0638d8af4d9f81faf63b5ecaf442384f150d6647f0a608aff0531b54dcca6
Instruction Fuzzy Hash: 0912F3B6F102059BDB74CB64C8806AEB7A2FB84314F2484A9D85A9F344EB74DC46CB91

Function 06BDAE20 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4326b077c33b7e0c0b3698759812aa155f0c1bb9e701e760f1faa742686ab3
Instruction ID: fde734a34c64d21794915fa1579737ec833911d26d3c3b44319b47bbffc06b84
Opcode Fuzzy Hash: ad4326b077c33b7e0c0b3698759812aa155f0c1bb9e701e760f1faa742686ab3
Instruction Fuzzy Hash: ED2271F0E102098FDF64CB68C5907ADB7B2EB45314F2198AAE419EF391EA35DC85CB51

Function 06BDA8B8 Relevance: 10.4, Strings: 8, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BDAA5B
$^q, xrefs: 06BDA9E5
$^q, xrefs: 06BDAA67
$^q, xrefs: 06BDAA90
$^q, xrefs: 06BDA9D9
$^q, xrefs: 06BDAA84
$^q, xrefs: 06BDAA38
$^q, xrefs: 06BDAA2C

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f99739f91ec91fc57c11b6fe5f06608aed4325af82aaa3f5f4369794af1cd8d6
Instruction ID: e7e10a11d65ad2618af91cea5d58a0df641e4584f2737a6cf7f2bd0119216f7d
Opcode Fuzzy Hash: f99739f91ec91fc57c11b6fe5f06608aed4325af82aaa3f5f4369794af1cd8d6
Instruction Fuzzy Hash: 04E16C70E1020A8FDB69DF68D5946AEB7B2FF85300F108569D409AF355EB35DC86CB81

Function 06B7388A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B73916
GetCurrentThread.KERNEL32 ref: 06B73953
GetCurrentProcess.KERNEL32 ref: 06B73990
GetCurrentThreadId.KERNEL32 ref: 06B739E9

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 69e6f5b592721d541ec1522c617b93479497c497d935853fceb69f9036a7bf61
Instruction ID: d762c18cfd6e75c502032c3c54a82fd69bb26455e4d9926151287e2dd8d2632f
Opcode Fuzzy Hash: 69e6f5b592721d541ec1522c617b93479497c497d935853fceb69f9036a7bf61
Instruction Fuzzy Hash: 655155B1D003098FDB54DFA9D948BAEBBF1EF48314F208459D06AA73A1DB349984CF65

Function 06B73898 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B73916
GetCurrentThread.KERNEL32 ref: 06B73953
GetCurrentProcess.KERNEL32 ref: 06B73990
GetCurrentThreadId.KERNEL32 ref: 06B739E9

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c78ce7ae6656fb98072a45f9ca51d4a773e9a030fa4df7dd6ad42d18a9d25953
Instruction ID: 599a86f74f0ea794122661f7e974c07c0907609fd909f464c3287a139ff0230c
Opcode Fuzzy Hash: c78ce7ae6656fb98072a45f9ca51d4a773e9a030fa4df7dd6ad42d18a9d25953
Instruction Fuzzy Hash: 565164B1D003098FDB54DFAAD948B9EBBF1EF48314F208459E06AA7361DB349984CF65

Function 06BD8D40 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD8D87
$^q, xrefs: 06BD8DCE
$^q, xrefs: 06BD8DC2
$^q, xrefs: 06BD8D93

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 94916708c0b710603d523ed15d594690c239bde6b4679f59baa021e22a0d1d1a
Instruction ID: 21e52bd838d8e801a234ee5c8cd2d33b0c366717eb6c36cb1c27ac257447d152
Opcode Fuzzy Hash: 94916708c0b710603d523ed15d594690c239bde6b4679f59baa021e22a0d1d1a
Instruction Fuzzy Hash: 17913F70B0021A9FDB54DF65D850BAFB7F6EBC8604F1085A9C409EB384EF749C868B91

Function 06BDCF28 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BDD327
$^q, xrefs: 06BDD333
$^q, xrefs: 06BDD31F

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 966b03639ebfee8c834a4315e586b0cc39cd6a4300fe88445f3048d75c8caeb5
Instruction ID: 423222f267e38390cfeb90449322ac2423965b5ba7d04724cdb8e7023908fa60
Opcode Fuzzy Hash: 966b03639ebfee8c834a4315e586b0cc39cd6a4300fe88445f3048d75c8caeb5
Instruction Fuzzy Hash: 52624170A0060A9FCB55EB68D590A5EB7F2FF85304F108A79D0499F359EB71EC4ACB81

Function 06BD4790 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06BD4947
fcq, xrefs: 06BD4E9D
XPcq, xrefs: 06BD48BD

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: cea412262b335a20cd60fa9023ecc683b7904c3bff82bf21cbabcb0f69611432
Instruction ID: d045813816f8aed4c7ae5b725eb002f92e5bda78ea0bf0279f5806b489a8f79b
Opcode Fuzzy Hash: cea412262b335a20cd60fa9023ecc683b7904c3bff82bf21cbabcb0f69611432
Instruction Fuzzy Hash: 4C618F70F102099FEB549FA5C8547AEBAF6FB88700F20846AE109AB395DF758C418B91

Function 06BD8D30 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD8D87
$^q, xrefs: 06BD8DC2

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 1f85e1681b994d795a91079af611d4a295be19a9c6e701e3b898089854a8716e
Instruction ID: 50588f5af94069d1451665c8dc7fb4fafdfb5cadc5447c8eed614187af07739a
Opcode Fuzzy Hash: 1f85e1681b994d795a91079af611d4a295be19a9c6e701e3b898089854a8716e
Instruction Fuzzy Hash: F0511C70B0020A9FDB54DF74D990BAEB3F6EBC8644F14856AD509EB394EE34DC428B91

Function 06B7BE30 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06B7C096

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd44428d78ec72258ef98236939cb5abaaced0695e17f71d2213fbc2cef4d9d5
Instruction ID: 8cf7f69043f345afbdf3f515155e6985c4cf812d6d77ab5fd61fab1494589678
Opcode Fuzzy Hash: fd44428d78ec72258ef98236939cb5abaaced0695e17f71d2213fbc2cef4d9d5
Instruction Fuzzy Hash: 908156B0A00B059FD764DF29D44479ABBF1FF88304F008AADD4AA9BA50D771E949CF91

Function 0127F760 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e01ccc321210e40d40f4688a14bba7ecafe4a5fa22ea332516e66c116b9b6c
Instruction ID: b62c447d5bd3603072cb8162e5f4dfc9064335db51a3009cf6a5de6ada476916
Opcode Fuzzy Hash: 00e01ccc321210e40d40f4688a14bba7ecafe4a5fa22ea332516e66c116b9b6c
Instruction Fuzzy Hash: 4B412172D183998FCB04DF79D84429EBFF5EF89310F1486AAD558A7241DB349841CBD1

Function 06B7E004 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B7E122

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 09b0dfc008649f1d926e57092991e49bc4f42d0171dc900617eba3af904ca48d
Instruction ID: 96f514624d38c0a4e17285ada17f25b86987b277143b2979d059e5bf88b63ebd
Opcode Fuzzy Hash: 09b0dfc008649f1d926e57092991e49bc4f42d0171dc900617eba3af904ca48d
Instruction Fuzzy Hash: F151D1B1D00319AFDB14CFA9C885ADEBBF5FF48310F24856AE819AB210D7719985CF91

Function 06B7E010 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B7E122

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2caf3666e3d336a4468bee2b92b96d1a60092f9fc92cb0984444a76fa8930260
Instruction ID: 91a94affce7e0e85e6b5b3a139afeb74236f93a865cf3accdb914eaa325448cc
Opcode Fuzzy Hash: 2caf3666e3d336a4468bee2b92b96d1a60092f9fc92cb0984444a76fa8930260
Instruction Fuzzy Hash: 0341C0B1D003199FDB14CFA9C884ADEBBB5FF48314F24856AE819AB210D7719985CF91

Function 01277840 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01278700

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 66979957d676267bcd10c458b1abff40f45d28ea3a4ea3ffe1d5dc65f72b8a91
Instruction ID: 73f89974b9449e6dfbac87209f184fc72bf30585e95af621332741f2131d90c6
Opcode Fuzzy Hash: 66979957d676267bcd10c458b1abff40f45d28ea3a4ea3ffe1d5dc65f72b8a91
Instruction Fuzzy Hash: 8F2107B6C112199FCB14CF99D884ADEFBF5FB88310F14845AE918BB205D3759944CBA4

Function 06B73AD8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06B73B67

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fe2f09aaa97cf8ab3e627cce997d252ad6be7aab7c10a85ede50ad1ce287fa94
Instruction ID: 520d1ade9d2c590dddaedb5f6d1530ba2690e68b3116627cf61a08b2bd7940c3
Opcode Fuzzy Hash: fe2f09aaa97cf8ab3e627cce997d252ad6be7aab7c10a85ede50ad1ce287fa94
Instruction Fuzzy Hash: 0B21E5B5900218AFDB10CFAAD984ADEBBF8EB48310F14845AE955A7350D374A944CFA5

Function 06B73AE0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06B73B67

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2670350a5cdb5220972ceaae5cd4745277cd95b43c9e996c4bebc94c51875ae
Instruction ID: 8c7ecc53eac70ce13bf96f2cff809320ce2b8a6aa4d82ec9b0bfd9312a901e2f
Opcode Fuzzy Hash: c2670350a5cdb5220972ceaae5cd4745277cd95b43c9e996c4bebc94c51875ae
Instruction Fuzzy Hash: 3921C4B5900258DFDB10CFAAD984ADEBBF8EB48310F14845AE954A7350D374A944CFA5

Function 01278668 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01278700

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 430981a6856e456d4e8c2191a35d6a24b4701542b67f67948478c32c27571f49
Instruction ID: 345984233ee0ddde4e57e04543b74eee4c27d89c0978fcdde6be37eef20bc956
Opcode Fuzzy Hash: 430981a6856e456d4e8c2191a35d6a24b4701542b67f67948478c32c27571f49
Instruction Fuzzy Hash: F62103B6C11219DFCB14CF99D584ADEFBF1BB88310F24846AE918AB204D3759A44CFA4

Function 0127781C Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01278110

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 61594b02493580300dde1adc136e98eec5daec2872ed272ae7af875b637ee66e
Instruction ID: 612350a24f414c5a7b527defda7cecd1e61e6956fd5b57eec58ec7334f65d510
Opcode Fuzzy Hash: 61594b02493580300dde1adc136e98eec5daec2872ed272ae7af875b637ee66e
Instruction Fuzzy Hash: DF2127B1C1065ADBCB14CF9AD4457AEFBF4FB48320F108169D958B7240D378A944CFA5

Function 01278098 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01278110

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3f0714cae1fc4c1247dab1b979300f295a999b026fc9653f66115c4eb98876ef
Instruction ID: c41e8c4130a0b9b72e25a78a73235a641da365c90a29091a9dca383a9ab9c9c4
Opcode Fuzzy Hash: 3f0714cae1fc4c1247dab1b979300f295a999b026fc9653f66115c4eb98876ef
Instruction Fuzzy Hash: A42115B1C1061ADBCB14CF99D5457EEFBB4AF08320F14856AD958B7250D338A944CFA5

Function 0127F830 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0127F89F

Memory Dump Source

Source File: 0000000C.00000002.2974659706.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1270000_UTiPLNuHYu.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 230e4a1f8e7e4156f6c7c0869d4e52759c4f5620af5e588d8e0182bf510f0895
Instruction ID: c6516d1b810d5b3f78250dec52d8cd536309c26439ca91a6b4ffaaaefa21bac2
Opcode Fuzzy Hash: 230e4a1f8e7e4156f6c7c0869d4e52759c4f5620af5e588d8e0182bf510f0895
Instruction Fuzzy Hash: EB1114B1C1066A9BDB10DF9AC5447DEFBF4EF48320F14856AD818B7240D378A944CFA5

Function 06B7B228 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06B7C111,00000800,00000000,00000000), ref: 06B7C302

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4db847dfd60cd2d8d2a8d9f2a0a2a7d871edad2b5de11f7b46961a9a73214fdb
Instruction ID: 22bc6310f3b86a7c85a7bb196b855434c150fa1ff0d3e5985003234caac55d41
Opcode Fuzzy Hash: 4db847dfd60cd2d8d2a8d9f2a0a2a7d871edad2b5de11f7b46961a9a73214fdb
Instruction Fuzzy Hash: 4411E4B6D003499FDB20CF9AC844ADEFBF4EB48310F14846EE529A7610C375A545CFA5

Function 06B7C291 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06B7C111,00000800,00000000,00000000), ref: 06B7C302

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b0032f79435eb72d0b24285c015f0c0a65e731caad0a5ee04022638a6041d33c
Instruction ID: c0417d75800a5aaabd0916e59afa86e9a538ebc67fc0da15f5d197b04c610ca1
Opcode Fuzzy Hash: b0032f79435eb72d0b24285c015f0c0a65e731caad0a5ee04022638a6041d33c
Instruction Fuzzy Hash: B711D0B6D002498FDB20CF9AD544A9EBBF5AB88310F14846ED429A7610C375A645CFA5

Function 06B7C030 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06B7C096

Memory Dump Source

Source File: 0000000C.00000002.3035514891.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6b70000_UTiPLNuHYu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6f51352797f115ffe5d445d8e18707aaf00ecd1596b789caf2ee4134e0b727cb
Instruction ID: 614d909f2a87638a8165adbf5dcc301ac34c29b479ab0a2c4aef474377d8b3e9
Opcode Fuzzy Hash: 6f51352797f115ffe5d445d8e18707aaf00ecd1596b789caf2ee4134e0b727cb
Instruction Fuzzy Hash: 7A110FB6C002498FCB10CF9AC844ADEFBF4EB88324F10846AD829B7210C375A545CFA1

Function 06BD4781 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06BD48BD

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: d21318d48236caf2b402f51ad3334af6b82a3623cf059e7541f298f93fa030e8
Instruction ID: 21bdc4bd23d50b7558fc5eb9ddafcdae4742c883f4030a4b0712ed7919785789
Opcode Fuzzy Hash: d21318d48236caf2b402f51ad3334af6b82a3623cf059e7541f298f93fa030e8
Instruction Fuzzy Hash: 67417D70F102099FDB559FA9C854BAEBAF7FF88700F20C529E105AB395DB749C018B91

Function 06BDDAB0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BDDBF9

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5494b3eb685469affaa2b987d92bee606fb76fa0687b00734cae13db2fd7a043
Instruction ID: cdf63c48c8b00ba9dde91208f9b4bac1e2e9eabcef694a1e3c94c2776cf916f5
Opcode Fuzzy Hash: 5494b3eb685469affaa2b987d92bee606fb76fa0687b00734cae13db2fd7a043
Instruction Fuzzy Hash: 9041CFB0E0030A9FDB64DFA5C45469EBBB2FF85304F208569E455EF284EB70E846CB81

Function 06BDDA9D Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BDDBF9

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 2c11fc4146f4f60d1af4aa90e60fb72eee6aac7d4702a9854731f8a65d2c8766
Instruction ID: 6c09e15382345f27b3830a14fe9840aa3f3c24700609a4a0856d917ac4b23ba7
Opcode Fuzzy Hash: 2c11fc4146f4f60d1af4aa90e60fb72eee6aac7d4702a9854731f8a65d2c8766
Instruction Fuzzy Hash: 5541C070E007099FCB65DFB5C89069EBBB2FF85304F148569E455EB284EBB0E846CB51

Function 06BD21E5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BD2333

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: cfe279c726d6e55ce768929f8475e10a0d641c51dac324f24faef66a8429b8d2
Instruction ID: dcd8549fb8a76475d6e695396ab29c8855c2fa9b4d3e4c8755c74cb90b67ac51
Opcode Fuzzy Hash: cfe279c726d6e55ce768929f8475e10a0d641c51dac324f24faef66a8429b8d2
Instruction Fuzzy Hash: B9310371B102418FDB5A9BB0C55466E7BE2EB88204F1085B9D006EF395EF39CD46C7A1

Function 06BD21F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BD2333

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5c3428f493a468b804e1a09382f137ddafcc5e6074119c27b8c942d67398270a
Instruction ID: e70a84c98646241f6b3ec2cf8262e9f18a6658cdad0cb624cbd69b6d6a6c2bfc
Opcode Fuzzy Hash: 5c3428f493a468b804e1a09382f137ddafcc5e6074119c27b8c942d67398270a
Instruction Fuzzy Hash: 4131F070B102018FDB599BB4D51466E7AE2EB88204F10857CE006DF394EF35DE46C7A1

Function 06BDFC30 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06BDFC80

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 5e9b0cdf3d560a0b3436fd92e8a4405e16f58546eef73b04c5c57a5799c186d4
Instruction ID: d9d924f14d913480cbc956806ab1c1b31c61b5e0cddbc4f3eda6f41e89211f48
Opcode Fuzzy Hash: 5e9b0cdf3d560a0b3436fd92e8a4405e16f58546eef73b04c5c57a5799c186d4
Instruction Fuzzy Hash: F3115B74B142249FDB449B78C804B6E7BF5AF48610F1044AAE90AEB3A4EB359D018B85

Function 06BDFC2E Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

|, xrefs: 06BDFC80

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 9ea1bf75a72fcabfa6ec3da9367ec597b436aed29982af0b82a7f95ae739c14c
Instruction ID: cd6bd624911e7ac1788a5262e8fb3bdfeb21b53a1a5cec1b13fde6711ed828e7
Opcode Fuzzy Hash: 9ea1bf75a72fcabfa6ec3da9367ec597b436aed29982af0b82a7f95ae739c14c
Instruction Fuzzy Hash: 5D116D75B102248FDB44DF78D905B6E7BF1AF48700F10446AE50AEB3A4EB359D018B84

Function 06BD7EB8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD7F03

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: a943779d533fad3979649d63089a2d48c44e4e6b9c938e94c4306298ef04ed8d
Instruction ID: ed7a48e0fc0e7eb6d9c46981376e293336aee951807f59e2822944a7c85dd219
Opcode Fuzzy Hash: a943779d533fad3979649d63089a2d48c44e4e6b9c938e94c4306298ef04ed8d
Instruction Fuzzy Hash: 61F0FFB1B1024A9FDF789E44E9906E873A5EB40204F1404FAD908DF245FF31DD05C790

Function 06BDAE12 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e7783deaf74fd6586ee049bf3deb4a704703ca1225f92c42602f1b30ffec92
Instruction ID: 6376eacfda79cae7d24f09f3fa63c75d1e8808855cb6694825387e8f2d43ec16
Opcode Fuzzy Hash: 75e7783deaf74fd6586ee049bf3deb4a704703ca1225f92c42602f1b30ffec92
Instruction Fuzzy Hash: 81A1A8F0F102098FEF64CB6CC5947AE77A6FB89310F214865E419EB395DA39DC818751

Function 06BDB228 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae879a64391f49a7aaa8c24d031f657772ea98fad665013133d0bd4761ed2f57
Instruction ID: dfa8d59b3973c41f1925f296e041df7e0e3f6ea209beafd4ff638d81a2244e6d
Opcode Fuzzy Hash: ae879a64391f49a7aaa8c24d031f657772ea98fad665013133d0bd4761ed2f57
Instruction Fuzzy Hash: 15A14AF0E102098BDFA4CF68C4907ADB7A2EB45314F2599AAE419DF351EB34DC86CB51

Function 06BD5DE0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc4c73c772b5069db5b503a0e24926ff45e8e18e3e2a01a5d54aaacac725a92
Instruction ID: aaed5ec8f764e713ed278dc35dd2145b7c90edf68c6c14af358006155d69ea89
Opcode Fuzzy Hash: cfc4c73c772b5069db5b503a0e24926ff45e8e18e3e2a01a5d54aaacac725a92
Instruction Fuzzy Hash: 2F61C1B2F101114FCB64AA7DC88466FBAD7EFC4610B25447AD80EDB364EE65DD0287C2

Function 06BD3EC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876040731aa4cefb4f416044b064ba346c4028de6475c2bd5a09e12b1cd6736a
Instruction ID: 50bc2973112e038eb1e9b0d127df568388e759b7ac9a0c564e2e1632dcf0b4ae
Opcode Fuzzy Hash: 876040731aa4cefb4f416044b064ba346c4028de6475c2bd5a09e12b1cd6736a
Instruction Fuzzy Hash: 15817D70B102099FDB44DFA4D59076EBBF6EF89304F108469D40AEB395EB74EC428B82

Function 06BD3ED0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c51c2e53334eadabc1eb64b9906b3f9937c3c3117ced1c334d91886b797f44
Instruction ID: 0d179b56f21e42236a7d5f482c54b35c1615731116aa320dc8965e1d87740ff4
Opcode Fuzzy Hash: 01c51c2e53334eadabc1eb64b9906b3f9937c3c3117ced1c334d91886b797f44
Instruction Fuzzy Hash: 3D815D70B002099FDB44DFA5D49476EBBF6EB89304F108469D40AEB395EB75EC428B92

Function 06BD41E0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8a213cf8075524aa294116dcf00da03a274e55355af1986e62865f1f92c835
Instruction ID: 6aa42c1a3c3eeab7715006be957faac59cab5043e104cf28d076e5ec8288f46e
Opcode Fuzzy Hash: da8a213cf8075524aa294116dcf00da03a274e55355af1986e62865f1f92c835
Instruction Fuzzy Hash: EC915E70E102198FDF60DF68C880B9DB7B1FF85314F208599D549EB295EB70AA85CF91

Function 06BD41F8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1b2195a980b48003f63cc25c3e7a264094d5a5f2d3f36e2240d13f15925f50
Instruction ID: ca47278229d4da2f6ad775bdb0711bcc33463494eeda5db34b478554ab3278eb
Opcode Fuzzy Hash: ac1b2195a980b48003f63cc25c3e7a264094d5a5f2d3f36e2240d13f15925f50
Instruction Fuzzy Hash: FA914C70E1021A8BDF60DF68C880B9DB7B1FF89314F208599D54DAB355EB70AA85CF91

Function 06BDEAE7 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c310a7c5a8d470377a10af77bc83f358da187e3e9e43481aa1a21ae1a6390d35
Instruction ID: c3728ec74de86204491ec3db69586422a97b47d1f68156c01ec208c46ed97198
Opcode Fuzzy Hash: c310a7c5a8d470377a10af77bc83f358da187e3e9e43481aa1a21ae1a6390d35
Instruction Fuzzy Hash: 68711BB1A006099FDB54DFA9D990AAEBBF6FF84304F148569D019EF354EB30E846CB50

Function 06BDEAF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b2c404bfd6d682038a35f43216d30c4f20af03f6c2ca141bd746ff668d6ed0
Instruction ID: 64490198510eecdbc5cdfd41b723b8394d98bb163c55dff4ce16b5fa3d46524f
Opcode Fuzzy Hash: 38b2c404bfd6d682038a35f43216d30c4f20af03f6c2ca141bd746ff668d6ed0
Instruction Fuzzy Hash: 55710BB0A006099FDB54DFA9D990AAEBBF6FF84304F148469D419EF354EB30E846CB50

Function 06BDF868 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37bdcbb060a785936570c1274deb5efd4c4a41c30429144168870751e93afe7
Instruction ID: 5073a2927b76e1d19dafa52f4926f2e4936c7922ab88af3bc8eee1964d37acc3
Opcode Fuzzy Hash: d37bdcbb060a785936570c1274deb5efd4c4a41c30429144168870751e93afe7
Instruction Fuzzy Hash: F451C1B1E04109DFDB14AFB8E4546BDBBB6EF88315F1088B9E01ADB250EB35C945CB81

Function 06BDF609 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80253aa7fdc90c45df2841a57b74980ed8d98eb4253802a487d2915205bf463
Instruction ID: 644e8e7f841c9ae8bf2cc6e75d42e8a04956365821fa277e143154cf2d677c2a
Opcode Fuzzy Hash: f80253aa7fdc90c45df2841a57b74980ed8d98eb4253802a487d2915205bf463
Instruction Fuzzy Hash: CC51EAB0B24208DFEF64666CD86477F395ED789700F104836E10BDB7A8DE69CC458392

Function 06BDF618 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45510fff18aed4cd194bc4adb7402d98942702f5d160f47b9c4459c9c6875573
Instruction ID: 333e3274e833683226d3d083851f609f428e70f59400dcc95f2c772099417182
Opcode Fuzzy Hash: 45510fff18aed4cd194bc4adb7402d98942702f5d160f47b9c4459c9c6875573
Instruction Fuzzy Hash: F351EBB0B242089FEF64666CD95477F365ED789300F10483AE00BDB7E8DE69CC458392

Function 06BD5048 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a321862cbc622a5544e65aaaa5936915788fefd973d12704b432a8a19f4ea9
Instruction ID: 785695813354334c9481d27bc2f81c731e311a94cee0efc71d28151b497c2334
Opcode Fuzzy Hash: 51a321862cbc622a5544e65aaaa5936915788fefd973d12704b432a8a19f4ea9
Instruction Fuzzy Hash: 7F4143B2E006199FDF70CEA9D880AAFFBB1FB84314F104969D116DB654E731A9458B90

Function 06BDF857 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfed11bbf0f2ad7e6e030ce284d4fe3e42a4da1762ce50bc903a87011ddd91d
Instruction ID: 9195fa1b49d7ecd652cb1b92800011fe1f9e0460553bc39f3fd6fe493f89fecd
Opcode Fuzzy Hash: 5bfed11bbf0f2ad7e6e030ce284d4fe3e42a4da1762ce50bc903a87011ddd91d
Instruction Fuzzy Hash: 804123B2E04205DFCB14ABB8E45416EBBB6FF84304F10C8BAD04ADB250EF35C8568792

Function 06BD51B8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775785bf02e5e6f4ae2027e52cb35820ea0261bd49ff3dfc2fb415fbe95da7e8
Instruction ID: 04e0a804e23c0b8f34db14951b0c8ef9492b4bf5e425de190b327f85688665a5
Opcode Fuzzy Hash: 775785bf02e5e6f4ae2027e52cb35820ea0261bd49ff3dfc2fb415fbe95da7e8
Instruction Fuzzy Hash: 2531A4B2E102058FDF748AA9C48077EFBB2FB85324F2498AAD055DB241E635D945CB91

Function 06BDD950 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1998ae170399f7618278713c16ad4e2d71accd1a5f0b05af395ecd8cd86d9f6
Instruction ID: 68f51e06f0d375319163b26f5eb4821c147b3c3a7a996275c1c78dc46276d950
Opcode Fuzzy Hash: d1998ae170399f7618278713c16ad4e2d71accd1a5f0b05af395ecd8cd86d9f6
Instruction Fuzzy Hash: 9B31A370E1030A8FCF25DFA4C990A9EBBB1FF85304F108969E505EB315EB71E9468B91

Function 06BD20A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b36555263ef7bfd69da3b8c31f3aa4bebe72ebb309c8c236b27d91b21fb4ff2
Instruction ID: 59c5ebcf62c0b1ececed317dc4e19efe04f71ace5d3bbd26af8e63ef65fc6e2d
Opcode Fuzzy Hash: 2b36555263ef7bfd69da3b8c31f3aa4bebe72ebb309c8c236b27d91b21fb4ff2
Instruction Fuzzy Hash: 26319E70E106159BCB19CFA4D85469EBBB2FF89300F10C969E90AEB340EB71A942CB40

Function 06BD20B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d176e47f02fe7bbf1164c7e3ecdd291cd17410703ce29c62e52a65cf37796fba
Instruction ID: 7987304bf3a92ec448828b80d4b44a8ee3d58b8fe06af872a25807199ff544b3
Opcode Fuzzy Hash: d176e47f02fe7bbf1164c7e3ecdd291cd17410703ce29c62e52a65cf37796fba
Instruction Fuzzy Hash: B8317E70E106199BCB19CFA5D85469EBBF2FF89300F14C569E90AEB740EB71AD42CB40

Function 06BD5BE0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487a16da048aa917d109998bcca191d6611532bdbf8544c2e1a79974699a80cd
Instruction ID: e854b93dfa0247624593d62bfd869839cbff8575c35eed0becc74f26debc85a1
Opcode Fuzzy Hash: 487a16da048aa917d109998bcca191d6611532bdbf8544c2e1a79974699a80cd
Instruction Fuzzy Hash: 8331BF75B200148FCB58DF68D498A5EBBE2FF8C710F2180A9E506DF3A1DA32DC048B90

Function 06BD3AC9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acaa4014cee4650466322edfde8e85cf68ae8189351bbd1ff15e93515414913
Instruction ID: 4b7ec4167e78c929c0149f473b0a6e2ae8853fc648e7e968a0566c979d974e0b
Opcode Fuzzy Hash: 8acaa4014cee4650466322edfde8e85cf68ae8189351bbd1ff15e93515414913
Instruction Fuzzy Hash: E921AEB5F012159FDB10CF78D881AAEBBF1EB48210F148076E909EB381E775DD428B91

Function 06BD5BF0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb6bc608105eef45f91fa54115b896955b3e14ee839fe2b7b6b406875e5a9f4
Instruction ID: d8f3a87262f10b2f24a835d5f3cfe77474c71ff670ff08d003f55decfcb3afb5
Opcode Fuzzy Hash: 2fb6bc608105eef45f91fa54115b896955b3e14ee839fe2b7b6b406875e5a9f4
Instruction Fuzzy Hash: DF213D357200148FCB54DF69D498A5AB7E6FF8D710F2184A9E506DB365DA71EC048B90

Function 06BD3AD8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd200b8bdedfa09dd8903526e74c76c8fc697aa5c5838eef0cd3cbf9363ee5fa
Instruction ID: f9dda7cb1f9e790f342834814a4575b987782a7b9250b0850a1366eb283bfb1e
Opcode Fuzzy Hash: bd200b8bdedfa09dd8903526e74c76c8fc697aa5c5838eef0cd3cbf9363ee5fa
Instruction Fuzzy Hash: 2F219AB5F002099FDB40CF68D880AAEBBF1EB48610F108079E905EB381E775DC418B91

Function 011DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2973847752.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11dd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df05afeaa378728ceb6c9a4e8b127692a021e5c7f788f9b32f8c2a49906edf9b
Instruction ID: 61250263b07f5cc67fcb1bdedf9bffd38b1cfa93d3646ae1f44cf34ef731659a
Opcode Fuzzy Hash: df05afeaa378728ceb6c9a4e8b127692a021e5c7f788f9b32f8c2a49906edf9b
Instruction Fuzzy Hash: 3B21F271604204DFDF19DF98E980B26BBA5EBC4314F24C56DD9094B296C33AD446CA62

Function 06BD5039 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e994b100f915767d9360744b75464b648b256145159296ae6ef5aad90143407e
Instruction ID: 1a4fef078fc8f7006046c35be29492d485f07911cfa596fe8a15b32db2150e43
Opcode Fuzzy Hash: e994b100f915767d9360744b75464b648b256145159296ae6ef5aad90143407e
Instruction Fuzzy Hash: B62190B2A007058FCB70CFA9CC80AAFFBF2FF84314F104929D1569B654E331A8498B80

Function 06BD6900 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c607840c095b1f4c2143279f1847cb608757b13e6da5533870aa037476f6c192
Instruction ID: 2003d1aa3a392934cb8376096e52690014addfe633641db1e0a45046ea144a54
Opcode Fuzzy Hash: c607840c095b1f4c2143279f1847cb608757b13e6da5533870aa037476f6c192
Instruction Fuzzy Hash: 4021D671B101199FDF44DBA9E85069EB7B7EB88310F148479D409EB345FB35EC428B85

Function 011DD006 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2973847752.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11dd000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd28a187e4324ae490a65c1f10bd7f2836abe2bccfb0677a34ccd946e085a5e
Instruction ID: 9e80732edcc38e26662c76cfe84908760936d30656a81a4fa05d4d63d9149853
Opcode Fuzzy Hash: 2bd28a187e4324ae490a65c1f10bd7f2836abe2bccfb0677a34ccd946e085a5e
Instruction Fuzzy Hash: 34217C755093C08FDB07CF64D990715BF71AB46214F28C5EBD8898F6A7C33A980ACB62

Function 06BD9EF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4425ce373eacb783075927cc8e5bb1b11a3ccb02409e80dd8406e80628e4e6a8
Instruction ID: 7c049f2863f1b271da4894722d9490988fe69e5045137e5d2f37b97e0f9ca507
Opcode Fuzzy Hash: 4425ce373eacb783075927cc8e5bb1b11a3ccb02409e80dd8406e80628e4e6a8
Instruction Fuzzy Hash: 4611E9B4B141148FCB55FB78E850AAE7BE5FB45214F1044B5F119DF345EA35EC068781

Function 06BD3088 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f36f97d37754dc1c43b1086556e6ec27ba4d896174b3404f708b7b7d6bd1566
Instruction ID: b58a9d67cee8dbff72b50084895fdd9569fd8bc084c9b9d58e5ca19579f674cc
Opcode Fuzzy Hash: 3f36f97d37754dc1c43b1086556e6ec27ba4d896174b3404f708b7b7d6bd1566
Instruction Fuzzy Hash: 351190B1E002299BCB58DB78D8815DEF7F5EB8A310F1085A9D009EB341EA31D945CBD2

Function 06BD3BE8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca20aa3f7294af08be5644911e9d4e98554e833022d7bcf8e41c93d0fb9a497
Instruction ID: ae38787ddd9573d8fc01b3a25180e1350b80c4d0b5efa9055751211b0571240f
Opcode Fuzzy Hash: 3ca20aa3f7294af08be5644911e9d4e98554e833022d7bcf8e41c93d0fb9a497
Instruction Fuzzy Hash: FC110431B101244FDF549A78C8146AF77EAEBC9301F054479D40AEB340EE38DC028BE2

Function 06BD3E22 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5228b9f9da645fb73004060d99aaae421a2c9a534c7c70cb1ecf13bdbfc7a036
Instruction ID: a2540bab42d9fbe6c8ef5ca8fee56d20709df31bcb51ed8ee07648c8ebf86904
Opcode Fuzzy Hash: 5228b9f9da645fb73004060d99aaae421a2c9a534c7c70cb1ecf13bdbfc7a036
Instruction Fuzzy Hash: 8C01F2B6B200110FDB64956DD45072AA7CADBCA710F10847EE10ACB3C6EE21CC024396

Function 06BD38A8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa7137313f465ecd4f2c2b1d82b4154a9b1d3dd68dc928e6503d7093200fcea
Instruction ID: dab7394e3330605916b429e38800517b73b8c726e4ec623978aa8819b77d4ebf
Opcode Fuzzy Hash: ffa7137313f465ecd4f2c2b1d82b4154a9b1d3dd68dc928e6503d7093200fcea
Instruction Fuzzy Hash: 0E11D3B5D01259AFCB00CF9AD884ADEFBF4FB49314F10812AE918A7201D374A944CFA5

Function 06BD38A0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe16dd54e54f16583bbbce18362c856008fd27e43a4a0abed304ed610b69aca
Instruction ID: 9946c53a8d9cd64299c85f1273b85ccabb612df952de9f68a9eb832aa046299f
Opcode Fuzzy Hash: 5fe16dd54e54f16583bbbce18362c856008fd27e43a4a0abed304ed610b69aca
Instruction Fuzzy Hash: 2121CEB6D01219AFCB00CF9AD984BDEFBF4BB48314F10852AE918A7241D374A954CFA5

Function 06BDED67 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db341f2030a121652eb6e4f53cd021adf16e9d2347c66399fd7ff323790de941
Instruction ID: 70a3de7ac04cbba68db22cc1ab68fba082aa890cc7fa92ed2e1324cbfe164b7c
Opcode Fuzzy Hash: db341f2030a121652eb6e4f53cd021adf16e9d2347c66399fd7ff323790de941
Instruction Fuzzy Hash: 82012F79B501104FCB209A7CA854B2E6BE6EBC9611F20887EE00ECF340EE20CC038381

Function 06BD3E30 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb056880b229876d9bfef8fa49a39bf891a0051cc6951689cde1112dcce19c63
Instruction ID: 97e3e67066a6a8e2883d6d099646a4a4b58400aa1463cce44266d41eae82d6c7
Opcode Fuzzy Hash: bb056880b229876d9bfef8fa49a39bf891a0051cc6951689cde1112dcce19c63
Instruction Fuzzy Hash: 3801D175B200110FDB64956DD450B2BB7DADBCAB20F10947EE50ECB386EE61DC0243EA

Function 06BD3BD7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95c03df4bda720f996ffedbf607237269765c14785ad070974ee890da4d5254
Instruction ID: bc314b2fcafe6914ef49fd3310b80b12d254ef27670d1c1b6d06eae5eb46550b
Opcode Fuzzy Hash: d95c03df4bda720f996ffedbf607237269765c14785ad070974ee890da4d5254
Instruction Fuzzy Hash: 7B018F76B101285FDB549A79DC106EF72EAEBC9205F04443AD40AEB381EE648C424BE2

Function 06BDED78 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7394bec1f887c23d7ab9fc5a99ba541fb63621e859878e239944c5f2a4a1395
Instruction ID: c548e2dd4f8bdcbaf692dac489f05ffaeeb5de61a64b6708047cb098e3fc983e
Opcode Fuzzy Hash: f7394bec1f887c23d7ab9fc5a99ba541fb63621e859878e239944c5f2a4a1395
Instruction Fuzzy Hash: F801F475B101114BCB65966DE854B2F77DADBCA610F208879E10ECF344EE21DC0343C5

Function 06BD9F00 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5e46d6e8a286f8ae44179a5a747234a6cd740a016ad49726e1d0cb95d18c7f
Instruction ID: 4de376e258ed534b9c5c50742896e052982f3416abd4f41aa667a6453979ce38
Opcode Fuzzy Hash: 1d5e46d6e8a286f8ae44179a5a747234a6cd740a016ad49726e1d0cb95d18c7f
Instruction Fuzzy Hash: C301AFB4B102144FDB64EA6DE850B6E7BDAEB89714F109878F10ECB344EE35EC428785

Function 06BDC7C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa960361850f268020ecd4553bf3adeab16533daa0da792ac849eebd086d7f28
Instruction ID: 220f620b9e371ba572a9cbd6dca4bc1bb5ad97ea2041bd0b35547d38ae182693
Opcode Fuzzy Hash: fa960361850f268020ecd4553bf3adeab16533daa0da792ac849eebd086d7f28
Instruction Fuzzy Hash: FB012D71F2021C9BCB149A65F851D9E7B79F745314F004079E901EB344EB32A805C7C0

Function 06BD6060 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736ac49c3af1560defeb590d9d9198291218e068ea4b3d18cde770af9b746685
Instruction ID: c7e2799de8ed475b563492b68b6816a73b1368c17ce33645c5551ba2b35018d9
Opcode Fuzzy Hash: 736ac49c3af1560defeb590d9d9198291218e068ea4b3d18cde770af9b746685
Instruction Fuzzy Hash: 52E01AF1E152089EDB61CAB0CA8636A77AADB41344F2048E6D508DB241F277CA514390

Function 06BD6070 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0adfad3bfbee73000e632037e407f624bc3d01109aa2e6be7aea780b5184a6
Instruction ID: 2d8a283ed8f3ee49143c3e65c3c00f38ba2ef28f1b0b07e2474e7d9bd04082de
Opcode Fuzzy Hash: cb0adfad3bfbee73000e632037e407f624bc3d01109aa2e6be7aea780b5184a6
Instruction Fuzzy Hash: F0E0ECB1E10109ABDB60DEB5C98575B77ADD701298F2088E6D409CB201F677DA014790

Non-executed Functions

Function 06BD7288 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD77F6
$^q, xrefs: 06BD77E0
$^q, xrefs: 06BD7384
$^q, xrefs: 06BD7378
$^q, xrefs: 06BD77D4
$^q, xrefs: 06BD73A9
$^q, xrefs: 06BD7741
$^q, xrefs: 06BD73B5
$^q, xrefs: 06BD77EA
$^q, xrefs: 06BD7735

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: ed1d63a3cc0eedc7441aeacbe71a462f058bf36c3032229f4b6ede586d83448b
Instruction ID: 6a0d0970ee7c45e8e44fa3ff022e7185b99bce7cbc6e9793759a6d78467e1d28
Opcode Fuzzy Hash: ed1d63a3cc0eedc7441aeacbe71a462f058bf36c3032229f4b6ede586d83448b
Instruction Fuzzy Hash: 85121A70E002198FDB68DF65C854A9EB7B2FF88304F2095B9D409AB354EF359D86CB81

Function 06BDA528 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BDA62A
$^q, xrefs: 06BDA61E
$^q, xrefs: 06BDA6A4
$^q, xrefs: 06BDA6DA
$^q, xrefs: 06BDA6E6
$^q, xrefs: 06BDA685
$^q, xrefs: 06BDA679
$^q, xrefs: 06BDA6B0

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 409f60bb4905f9524dcaeb178a75d370c66140c27bdb5cbea7fc0dea0356dcb8
Instruction ID: e72fa844be9d770dc632234189bea90a50ecb82383ff849232c3b06891163a57
Opcode Fuzzy Hash: 409f60bb4905f9524dcaeb178a75d370c66140c27bdb5cbea7fc0dea0356dcb8
Instruction Fuzzy Hash: 7B916BB0E10209DFEB68DF69D554B6EBBF6EF44700F108469E401AF294EB759C86CB90

Function 06BD6C88 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD6FD0
$^q, xrefs: 06BD6F6A
.5vq, xrefs: 06BD6CE3
$^q, xrefs: 06BD7124
$^q, xrefs: 06BD6FC4
$^q, xrefs: 06BD719C
$^q, xrefs: 06BD7190

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: d03c711c3a468e27faa4593382d66378de2377287c290edd7b2ea8a38e675ade
Instruction ID: cbb54cd360b3c76705d316eec7bbfc58118fe0b6ae40ef9919b4db8b4529c81b
Opcode Fuzzy Hash: d03c711c3a468e27faa4593382d66378de2377287c290edd7b2ea8a38e675ade
Instruction Fuzzy Hash: E8F16E70A00209CFDB58DF64D594AAEB7B2FF85304F208569D405AB369EF75EC86CB84

Function 06BDB9E8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BDBBC1
$^q, xrefs: 06BDBBF5
$^q, xrefs: 06BDBBB5
$^q, xrefs: 06BDBB81
$^q, xrefs: 06BDBB8D
$^q, xrefs: 06BDBBE9

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 8608604b35a1452966a754297deabdbd4e2b36526ac1d9cba4f39e72e349b89d
Instruction ID: 4b91fbdfe1dc20fd821e204c34ba80240409713c19cb7b6de058ef5c9f44b874
Opcode Fuzzy Hash: 8608604b35a1452966a754297deabdbd4e2b36526ac1d9cba4f39e72e349b89d
Instruction Fuzzy Hash: E671AFB1E102098FDB68CF69D584A6DBBF2FF84704F2585A9D005AF354EB71D845CB81

Function 06BD7FC0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD827F
$^q, xrefs: 06BD821A
$^q, xrefs: 06BD828B
$^q, xrefs: 06BD8226

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3579ef929d3c5002195fb86d9b87d31d62ad59ce74c73bfae8da0507b9651de2
Instruction ID: 2822068fe8c56ee892eaad64edee0ac85cd0327eaec3f46de5bda2f2a316261a
Opcode Fuzzy Hash: 3579ef929d3c5002195fb86d9b87d31d62ad59ce74c73bfae8da0507b9651de2
Instruction Fuzzy Hash: 5DB15D70A10209CFDB68DF69D594AAEB7B2FF84315F248469E0099B355EB35DC86CB80

Function 06BD83D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06BD84CB
$^q, xrefs: 06BD8463
$^q, xrefs: 06BD8457
LR^q, xrefs: 06BD851A

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: ad4ceb465964bec066081ca63d41fa83425ece61aa7602f527ac01779407adc4
Instruction ID: 359e29a8d95e1b2edb6a057138c80c82bbcfcc4e5a45aab5c8cd4c24d8349b61
Opcode Fuzzy Hash: ad4ceb465964bec066081ca63d41fa83425ece61aa7602f527ac01779407adc4
Instruction Fuzzy Hash: 1651AE70B102059FDB58DF28D990A6AB7E6FB88705F1485A8E4069F3A5EB30EC45CB91

Function 06BDA8A8 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BDAA5B
$^q, xrefs: 06BDA9D9
$^q, xrefs: 06BDAA84
$^q, xrefs: 06BDAA2C

Memory Dump Source

Source File: 0000000C.00000002.3037464372.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6bd0000_UTiPLNuHYu.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: a951a6f530a4eb4dc1b505914eecc9d44179a40a887c819ff5d4c6c57614e53b
Instruction ID: 769afa4ca2b7c76ef7a74ecef4f0dd441da547322273178f6e7b99a22a410c0a
Opcode Fuzzy Hash: a951a6f530a4eb4dc1b505914eecc9d44179a40a887c819ff5d4c6c57614e53b
Instruction Fuzzy Hash: D851CFB0F102098FDF65DB64D980A6EB7B2EB84300F1096AAD405EF355EB35EC46CB91

Analysis Process: mpTrle.exePID: 7596, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	233
Total number of Limit Nodes:	16

Executed Functions

Function 044639C4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04463C06

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4befe0f2391b6b7c98435beb3437c8aa5870ec06bfa6a7913498b3c9f1a554fb
Instruction ID: 40a1223c591e0f3e3815994d629f5a5376c8dac89716155262d95d8634d0124e
Opcode Fuzzy Hash: 4befe0f2391b6b7c98435beb3437c8aa5870ec06bfa6a7913498b3c9f1a554fb
Instruction Fuzzy Hash: DA913B71D00259DFEF10DF68C941BDEBBB2BF44314F1485AAE809A7290DB74A985CF92

Function 044639D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04463C06

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f986664f2cb366fbff43c093caead4dee3f85f17e41b91626f661bd35d6bd21a
Instruction ID: 1b5c3d5b8e80775a34275eb44a68e082c1b90a8f180971756aa1ec96bd73d44c
Opcode Fuzzy Hash: f986664f2cb366fbff43c093caead4dee3f85f17e41b91626f661bd35d6bd21a
Instruction Fuzzy Hash: 63914C71D00259DFDF10DF68C941BDEBBB2BF44314F1485AAE809A7250DB74A985CF92

Function 0088B070 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0088B2C6

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6aca2758a228c87ee0492e4b64b9533665ec9e048e8f040ce2d2778446b87d38
Instruction ID: e1b794cccd9b0e4855ee2498c685b436e44e4c36105f7d180670dac19f080ab8
Opcode Fuzzy Hash: 6aca2758a228c87ee0492e4b64b9533665ec9e048e8f040ce2d2778446b87d38
Instruction Fuzzy Hash: D0713370A00B058FD724EF69D55475ABBF2FF88304F008A2ED08ADBA50DB75E949CB91

Function 00885A84 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d039ef6c8ea21361e8977322141059c43ca6039074638f34134ce05afb58e298
Instruction ID: 3c6012fd79e4d6433d969940e7fc992736a7c9df241ed3b33fd503feb22729fe
Opcode Fuzzy Hash: d039ef6c8ea21361e8977322141059c43ca6039074638f34134ce05afb58e298
Instruction Fuzzy Hash: 0931EC71804A58CFCB10EFA8D8846EDBBF0FF56324F24828AC019EB251D775AD46CB41

Function 0088590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008859C9

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4b4e923ab5431839589a8b50e52d50ad09983b16f70d06bc49796f84a6299b31
Instruction ID: 2c6fb3446229a50dfe4a9359886362703d4834215456869f6345bc9e46b4d370
Opcode Fuzzy Hash: 4b4e923ab5431839589a8b50e52d50ad09983b16f70d06bc49796f84a6299b31
Instruction Fuzzy Hash: 9341D1B0D00629CFDB24DFA9C884BCDBBF5BF48304F24816AD418AB255DB756986CF90

Function 008844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008859C9

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c7304b98557fc20b64343a01d608701f0ded0079d4bd7d5f1d1d5ff59fd119a5
Instruction ID: 8b56a7c7ddce332cab12e3bd6394cefb247d9e70871d061f7519001bd3bcf62a
Opcode Fuzzy Hash: c7304b98557fc20b64343a01d608701f0ded0079d4bd7d5f1d1d5ff59fd119a5
Instruction Fuzzy Hash: A841BFB0C00629CBDB24DFA9C884B9DBBF5FF49304F24816AD408AB255DB756945CF90

Function 04463740 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 044637D8

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 99172c5718196accb1f8b57cfb8064b2771144b20dc38fcbc045314af4a924dc
Instruction ID: 440ade7cd41235bb99e5e608b22390233fdce0d29b97755ad213c358a19fbbfc
Opcode Fuzzy Hash: 99172c5718196accb1f8b57cfb8064b2771144b20dc38fcbc045314af4a924dc
Instruction Fuzzy Hash: D92135B59003499FDF10DFA9C981BEEBBF5FF48314F10842AE959A7240C778A944CBA5

Function 04463748 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 044637D8

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ee7a714775534da765ccdb01317472f2672038c089aea8a418d25720c74d9ba0
Instruction ID: 5475456f7f02163f15d106b4233ce52c7dc1d462337bc837e0e8c9e4e24588ca
Opcode Fuzzy Hash: ee7a714775534da765ccdb01317472f2672038c089aea8a418d25720c74d9ba0
Instruction Fuzzy Hash: 272169B59003499FCF10DFA9C880BDEBBF5FF48310F10842AE959A7240C778A944CBA5

Function 0088CE10 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0088D50E,?,?,?,?,?), ref: 0088D5CF

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ff1927b05931d421f394a310b2932d68482c2cebec43e161552ad2a90e01c11
Instruction ID: 00b7ee4b3e3d5cbf861e5a9c4a3dce0d1fd79766f3404c50588510e490d82b25
Opcode Fuzzy Hash: 8ff1927b05931d421f394a310b2932d68482c2cebec43e161552ad2a90e01c11
Instruction Fuzzy Hash: 5C2105B5900348AFDB10DFA9D584AEEBFF4FB48314F10801AE914A3351D374A940CFA0

Function 04463830 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044638B8

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 88e623c7f6aab53289f18115be464bbbc5f6ec216720965aea259871fcc99249
Instruction ID: 3acc31510243f506f46089e2c5582128bded70505c53c909c76d0ffb53e4aca3
Opcode Fuzzy Hash: 88e623c7f6aab53289f18115be464bbbc5f6ec216720965aea259871fcc99249
Instruction Fuzzy Hash: 8B2128B1D002599FDB10DFAAC881BEEFBF5FF48310F10842AE959A7250C7389545CBA5

Function 04463171 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044631F6

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 031563d413de8061d008b642317d3d5a2c45a0921648b7417132817edac8f9a5
Instruction ID: 6bf2e8fb7fc256a971809327762e053fea91d7a05de549743c0c03c3cc78576c
Opcode Fuzzy Hash: 031563d413de8061d008b642317d3d5a2c45a0921648b7417132817edac8f9a5
Instruction Fuzzy Hash: A92157B1D002498FDB10DFAAC8857EEBFF4EF48364F10842AD859A7241C778A945CFA1

Function 0088D540 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0088D50E,?,?,?,?,?), ref: 0088D5CF

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c070288ab381699ff73d1c7a68ac3d1c99719d928e0f25586d5ba0e87dff0c9e
Instruction ID: 3a7aca21f791636451f15df04b51ac60425f31f811092b4f64f1131c7188c9b2
Opcode Fuzzy Hash: c070288ab381699ff73d1c7a68ac3d1c99719d928e0f25586d5ba0e87dff0c9e
Instruction Fuzzy Hash: 5621E4B5900249DFDB10DFA9D984ADEBBF5FB48314F14841AE954A7350C374A944CFA1

Function 04463838 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 044638B8

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 23075f51db731a37291666362484a23c2ff8aaee692df08384bdee2c8f95cc61
Instruction ID: 0ee168edac92f7c018f1ea242b1223138085962d10d2e1210e1d13037b4a5cad
Opcode Fuzzy Hash: 23075f51db731a37291666362484a23c2ff8aaee692df08384bdee2c8f95cc61
Instruction Fuzzy Hash: 972128B1C002599FDB10DFAAC841BEEFBF5FF48310F10842AE959A7250C738A544CBA5

Function 04463178 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 044631F6

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c0f3812e164a7632c9375a46d8efb8ebeb8560c73ef7ff06ba653301a76e9f0
Instruction ID: 3241ce4c50f79abe3c5ada96cbd080c37a26c5cfa74cafccc0d537064d144d29
Opcode Fuzzy Hash: 2c0f3812e164a7632c9375a46d8efb8ebeb8560c73ef7ff06ba653301a76e9f0
Instruction Fuzzy Hash: 922138B1D002498FDB10DFAAC8857EEBFF4EF48324F10842AD859A7240C778A944CFA5

Function 0088AA88 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0088B341,00000800,00000000,00000000), ref: 0088B552

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7eeed29377caf4e986bd4a8c932e950e70a165d5946974ab9aac25b4f533b42b
Instruction ID: 1ea6f7d879c8386d56d0e2ece65101d5425b4632dd7da89600aececfea6c6ebc
Opcode Fuzzy Hash: 7eeed29377caf4e986bd4a8c932e950e70a165d5946974ab9aac25b4f533b42b
Instruction Fuzzy Hash: 691114B69003499FDB10DF9AD444ADEFBF4FB88320F10842AD519A7211C375A945CFA4

Function 04463249 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 044632BE

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5de036e8755c2a4df5aca07998aace0b898d6a5f3dcdb2687f52317d688a1ffa
Instruction ID: 5f7cdd02ec1b5711221db59d2d8a99e406dccf826d2bca662997923a084cf2cd
Opcode Fuzzy Hash: 5de036e8755c2a4df5aca07998aace0b898d6a5f3dcdb2687f52317d688a1ffa
Instruction Fuzzy Hash: 7F1126B69002499FCB10DFA9C844BDEFFF5EF88324F24881AE559A7250C775A544CFA1

Function 04463250 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 044632BE

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5cad91917f2c39674d398df9827efe8b42b1a0a69be59c0e4681ff0f519954d0
Instruction ID: 93619807cea76619dae3fb99a70523d57d16f264e2653464819e2e1721c89d70
Opcode Fuzzy Hash: 5cad91917f2c39674d398df9827efe8b42b1a0a69be59c0e4681ff0f519954d0
Instruction Fuzzy Hash: 871114B19002499BCB10DFAAC844BDEFFF5EB88324F10881AE559A7250C775A544CFA5

Function 044630C0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0446312A

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8a7dadef71d80f79f706a72af2df584b46ecb03a34a363be8d229451ccf7596f
Instruction ID: 4fd96f01f524819f67dc348577d9c3fee6f817d3f5d4c3e5976f35b8ac69bd7c
Opcode Fuzzy Hash: 8a7dadef71d80f79f706a72af2df584b46ecb03a34a363be8d229451ccf7596f
Instruction Fuzzy Hash: 571158B1D002488BDB10DFAAC4447DEFFF5EF88324F20841AD559A7240C774A544CF95

Function 0088B4E1 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0088B341,00000800,00000000,00000000), ref: 0088B552

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5145b892f042ebd88cdc8c58190eda513656b06e9ab09444fd5178d5b0c3e73
Instruction ID: 7a8a71565e0b54bbc39fb187ee93101183234ddbd582d4363f8ce760bb368bfe
Opcode Fuzzy Hash: e5145b892f042ebd88cdc8c58190eda513656b06e9ab09444fd5178d5b0c3e73
Instruction Fuzzy Hash: EB111FB6900249CFDB10DFAAD584B9EFBF4FB88310F14842AD569A7220C375A945CFA1

Function 044630C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0446312A

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 316f42c9a1575fc748d144ed1f3a82e57ea69c6d0777d2e36705ac453e0924b8
Instruction ID: 2b2f31f3e69e0b25b32945b317607278cc7ec644b956323c6baf957b5c0edb47
Opcode Fuzzy Hash: 316f42c9a1575fc748d144ed1f3a82e57ea69c6d0777d2e36705ac453e0924b8
Instruction Fuzzy Hash: 1A1128B1D002488BDB10DFAAC4457DEFBF5EB88324F20841AD559A7250C775A544CF95

Function 0088B260 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0088B2C6

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 144af92be81b4d0bf29351b05dc059a806f98cb1701200b17e92314d8e6eb164
Instruction ID: 701d46f2203ddf4023be02ad3fdf62f5c2a575074e7c4917f52cada9ffb20cdd
Opcode Fuzzy Hash: 144af92be81b4d0bf29351b05dc059a806f98cb1701200b17e92314d8e6eb164
Instruction Fuzzy Hash: C4110FB5C002498FCB10DF9AD444ADEFBF4EF88320F10842AD458A7210C379A545CFA1

Function 04461C40 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04467485

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4f3a64330bdbfd3ffa8ce0923286b759ee51c5ca09972f1f810f12307503121d
Instruction ID: 1bc563d3b03f207a545cd753750b22f674de526f99807ca29d7875dcb12c956e
Opcode Fuzzy Hash: 4f3a64330bdbfd3ffa8ce0923286b759ee51c5ca09972f1f810f12307503121d
Instruction Fuzzy Hash: 531103B5900348DFDB10DF9AC849BDEBFF8EB48324F10841AE959A7200C375A944CFA5

Function 04467420 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04467485

Memory Dump Source

Source File: 0000000D.00000002.1937886971.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4460000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5ae026768db267c184544d75d7f2f5f5d859ed77543533d89187b1ae8434220f
Instruction ID: 872438cacba24a0131d3de6c53444ca32235cd37d7b662d9e49bf2d611b46ebe
Opcode Fuzzy Hash: 5ae026768db267c184544d75d7f2f5f5d859ed77543533d89187b1ae8434220f
Instruction Fuzzy Hash: CC1103B5800348DFDB10DF99D889BDEBFF8EB48324F10841AE958A7200C375A544CFA1

Function 0088B259 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0088B2C6

Memory Dump Source

Source File: 0000000D.00000002.1934570960.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_880000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: abc5f45d595075fa1cc21466b702839072f0548e1f1609c98487d5c904c9889a
Instruction ID: 03ba3a85cbfc22c9117ae98414ab98725d4ac002454c73e3dd07aced76de21dd
Opcode Fuzzy Hash: abc5f45d595075fa1cc21466b702839072f0548e1f1609c98487d5c904c9889a
Instruction Fuzzy Hash: 69110FB6C00249CECB10EFAAD544B9EFBF4AF88314F14842AC468BB610C379A545CFA1

Function 007FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934209222.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6a9b7cf306012582770e9d59a7e2812b6e7f67c534eaabbc9aff627f77e885
Instruction ID: 4729f8b090149d4547052ab5206bd5b69fc1936d6423ed369857266a93a23652
Opcode Fuzzy Hash: 3a6a9b7cf306012582770e9d59a7e2812b6e7f67c534eaabbc9aff627f77e885
Instruction Fuzzy Hash: D5212871504248DFCB25DF14D9C0B36BF66FB94318F20C569EA050B356C33ADC66D6A1

Function 0080D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934299215.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_80d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7da2f8802f36ddeefa5841c8a12f9feeb2ec90622ac3a97da53c303a8ea5b3
Instruction ID: f54d9ada72c76e723abb6e2a898d04ca390e6a43691bd904f9bb3d19e72f9221
Opcode Fuzzy Hash: 0a7da2f8802f36ddeefa5841c8a12f9feeb2ec90622ac3a97da53c303a8ea5b3
Instruction Fuzzy Hash: 5E210471604304EFDB45DF94D9C0B26BBA5FB84318F20C66DE8098B296C33AE846CA61

Function 0080D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934299215.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_80d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66304083c56d650c4f220383bc0ca4ff3706e2fe9555e141a00ac8b8229b96a7
Instruction ID: f48541c1794cb8ffd5dcce0506f9d7b8ec77b3171e674f956f98a6936f02c3dd
Opcode Fuzzy Hash: 66304083c56d650c4f220383bc0ca4ff3706e2fe9555e141a00ac8b8229b96a7
Instruction Fuzzy Hash: 7721F271604704DFDB54DF54D984B26BBA5FB84318F20C569D84E8B296C33AD847CA61

Function 007FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934209222.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7fd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ac381f4bb18569f08c8331cf7c02f00690a7231e067a17df1bc55b5f44ff78ff
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1C11D376504284CFCB16CF14D5C4B26BF72FB94318F24C6A9D9490B756C33AD86ACBA2

Function 0080D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934299215.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_80d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3be3a9b1e166b9522f44902ad43285d2c7e2c59cbd312116f8e84a6f806dd698
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B011BB75504780CFCB11CF54D9C4B16BBA2FB84314F24C6AAD8098B696C33AD80ACBA2

Function 0080D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1934299215.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_80d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 27bcb61bcf89bd699d9786b9b6493ac9602cdfd004a2058dc69aaee1e20f3bce
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F811BB75504380DFDB02CF54C9C4B15BBA2FB84314F24C6AAD8498B696C33AE80ACB61

Analysis Process: mpTrle.exePID: 7856, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	157
Total number of Limit Nodes:	12

Executed Functions

Function 06C23490 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C23BC4
$^q, xrefs: 06C23BB8
$^q, xrefs: 06C23B8F
$^q, xrefs: 06C23B9B
$^q, xrefs: 06C23BE8
$^q, xrefs: 06C23BDC

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: ffc249e3d53c1ccb2bc0eb8ef2bc610746ec7e69c363e24dd909fb933012c67d
Instruction ID: d8d13c73f14231c7096ffc295d62bcc0d11038f12501ad314990bc642aa3a7d7
Opcode Fuzzy Hash: ffc249e3d53c1ccb2bc0eb8ef2bc610746ec7e69c363e24dd909fb933012c67d
Instruction Fuzzy Hash: 15322231E1076ACFCB14EFB5C85459DB7B5FFC9300F1086AAD409AB264EB349A85CB91

Function 06C27D70 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C28317
$^q, xrefs: 06C2830B

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d7f638dd31447587267faf3dda540af45cb3a20b7c11c5ffa15419e9de7c7f5f
Instruction ID: ed1ddc9745fcc41e2326d7f21f5dfea46b85d58176991db0151cc6722db6653f
Opcode Fuzzy Hash: d7f638dd31447587267faf3dda540af45cb3a20b7c11c5ffa15419e9de7c7f5f
Instruction Fuzzy Hash: 1802D030B012268FCB54DB69D484AAEB7E2FF84304F148529E906DB394DB35ED86CB91

Function 06C265E8 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9e5c4b667326c58272218513c5d40c37cffd2cd6e09e3613db62d8aca725a2
Instruction ID: f827dbd518d552c03d7ccd2f183b76ab174b5a65bdee1403fff243cd4ecc9e1d
Opcode Fuzzy Hash: bc9e5c4b667326c58272218513c5d40c37cffd2cd6e09e3613db62d8aca725a2
Instruction Fuzzy Hash: 0862C334B002268FDB54EB6AD584BADB7F2EF84304F148529E806DB354DB35ED46CBA0

Function 06C2C178 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258f3c4ca43162404e16de58523bdeb16ba77a41e505d49d0ff2bf3227aaa880
Instruction ID: 3a6f1e3c3e97015d10378eeb0448b49b5a718efe553c08d574b2900089b118c0
Opcode Fuzzy Hash: 258f3c4ca43162404e16de58523bdeb16ba77a41e505d49d0ff2bf3227aaa880
Instruction Fuzzy Hash: 23329234B002169FDF94DB69D880BAEB7B2FB84314F108529E909EB355DB35ED42CB91

Function 06C255D0 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1bdc3ae868cbf1c508d00c23cdecdbea8ca782161dc4c1c785504ddc124f98
Instruction ID: 16d1c589ffe4be2fd8822b363ad24eccb73983cb0d6f42ccfe42cbebc4a44009
Opcode Fuzzy Hash: 3e1bdc3ae868cbf1c508d00c23cdecdbea8ca782161dc4c1c785504ddc124f98
Instruction Fuzzy Hash: E512F475F102269BDB64DB64C8C06AFB7B2EB85310F64883AD85ADB344DB34DD46CB81

Function 06C2B220 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067b8ee67cafae5b484d822b28c08d2d6422150c99bcddad36b95730645ae7bb
Instruction ID: 42f853257d6f86b8b1a40fd5ef4bded4076e2456b8a5e523321cb9e7cd874731
Opcode Fuzzy Hash: 067b8ee67cafae5b484d822b28c08d2d6422150c99bcddad36b95730645ae7bb
Instruction Fuzzy Hash: CC228134E1022A8FDF64DB69C4C07ADB7B6FB85318F24882AE819DB355CA35DD81CB51

Function 06C2ACC8 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C2AE48
$^q, xrefs: 06C2AEA0
$^q, xrefs: 06C2ADE9
$^q, xrefs: 06C2AE94
$^q, xrefs: 06C2AE3C
$^q, xrefs: 06C2AE77
$^q, xrefs: 06C2AE6B
$^q, xrefs: 06C2ADF5

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: bf5a60b8abbb70eda14c83c47fd049a3547f4691afc3db915fbcf03b4b6413fa
Instruction ID: cb58677d37cf58651cde9d14497331df6793ce89c4cfbfbaec67b7c428526fb6
Opcode Fuzzy Hash: bf5a60b8abbb70eda14c83c47fd049a3547f4691afc3db915fbcf03b4b6413fa
Instruction Fuzzy Hash: 79E16030E1021A8FDB59DFA9D9806AEB7B2FF85304F10852DD815AB354DB35DD86CB81

Function 06C2B648 Relevance: 8.0, Strings: 6, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C2BB9D
$^q, xrefs: 06C2BBC5
$^q, xrefs: 06C2BB91
$^q, xrefs: 06C2BBF9
$^q, xrefs: 06C2BC05
$^q, xrefs: 06C2BBD1

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 14aec70d549d52dc7a1fa8d4e1bf260478cc26b063f8e80ed9104969a77955af
Instruction ID: fa48f518d372c49c812eb6fff81b2d62b58168efe6eb1a21534cc73947820cac
Opcode Fuzzy Hash: 14aec70d549d52dc7a1fa8d4e1bf260478cc26b063f8e80ed9104969a77955af
Instruction Fuzzy Hash: B202AE30E1022B8FDB64DF69D5806ADB7B2EB85308F14896AD809DB355DB30ED85CB91

Function 06C29148 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C291CA
$^q, xrefs: 06C2918F
$^q, xrefs: 06C2919B
$^q, xrefs: 06C291D6

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0d78cc76f937e3f43d8be6970ff74c55a399c73cb4069deb619020392435da3d
Instruction ID: 49a3ae8d8f150efa56ed2ca15c36c0149fa48db02d53223494c00180c53b5046
Opcode Fuzzy Hash: 0d78cc76f937e3f43d8be6970ff74c55a399c73cb4069deb619020392435da3d
Instruction Fuzzy Hash: 2F912F30F1022A9FDB54DB66D9507AEB3F6AFC8204F108569D809EB348EB74DD46CB91

Function 06C2CF38 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C2D343
$^q, xrefs: 06C2D337
$^q, xrefs: 06C2D32F

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 348d417f8722aab134a90ecb8963404dc560d60caa3b458df8bcf50850ee0611
Instruction ID: 58b4fdac9de019dc5f15b4cadc8f03e016dc3e1f55f1e2db00fb724bf2722784
Opcode Fuzzy Hash: 348d417f8722aab134a90ecb8963404dc560d60caa3b458df8bcf50850ee0611
Instruction Fuzzy Hash: 59623D30A002169FCB55EF69D590A5DB7B2FF84304F208A69D41A9F369DB71FD86CB80

Function 06C24B98 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06C24CC5
fcq, xrefs: 06C252A5
\Ocq, xrefs: 06C24D4F

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 7c88930e46a163eac5a4e8e0ae05c575fade3348bbec76c78efab841d4fb8cae
Instruction ID: 3db548c02ec294f89914a424259462140cd013f1a8c613351d29aa9e22876953
Opcode Fuzzy Hash: 7c88930e46a163eac5a4e8e0ae05c575fade3348bbec76c78efab841d4fb8cae
Instruction Fuzzy Hash: 1D619030F002199FEB58AFA5C8547AEBAF6FF88300F208429E505EB395DB758D418B91

Function 06C2A39A Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 06C2A54E
x!@, xrefs: 06C2A56F

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: e91e2dbac1de4b3c1862a7fda30ed7c672b57042cba2f872ce42c875e8ae25ea
Instruction ID: 07483a539f5f093e40aed2c0eab0fc9b538ddc71b835440a352815d74d766975
Opcode Fuzzy Hash: e91e2dbac1de4b3c1862a7fda30ed7c672b57042cba2f872ce42c875e8ae25ea
Instruction Fuzzy Hash: 3D71A231F002168FCB55EBA9D8906ADB7B2FF88214F108939E919E7354DB31ED46CB80

Function 06C29139 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C291CA
$^q, xrefs: 06C2918F

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6ec26dcc2d889cf18f62e5f4f856b098b25a8dd8f1cf57683448741024be37fa
Instruction ID: 31ba7a97ca0bcd59ff7bf4e4f5016ec37bc194db6ca9b83e428468d27041a889
Opcode Fuzzy Hash: 6ec26dcc2d889cf18f62e5f4f856b098b25a8dd8f1cf57683448741024be37fa
Instruction Fuzzy Hash: 80515530B101169FDB54DB76D950BAFB3F6ABC8644F108569D809EB388EB34DD42CB91

Function 06C1B718 Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e64ec642118ebfcbad766d2252daee353ad7adf356ca358a18113e5d46c48da0
Instruction ID: e94e92eb51e463a561247022608cbb51efc9b9649e4783baaadc1338f822e530
Opcode Fuzzy Hash: e64ec642118ebfcbad766d2252daee353ad7adf356ca358a18113e5d46c48da0
Instruction Fuzzy Hash: 94812370A10B058FD764DF2AD44179ABBF1BF89204F008A2ED49ADBB50DB74E945CF90

Function 06C1D890 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C1DA02

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ea22966a471ac212d59245c40716e76c582c4f1800821fe530d252c491777457
Instruction ID: bf787d89a2c1b25a502350e504f53d75ccd001ee18928f0a7716eda63afd008e
Opcode Fuzzy Hash: ea22966a471ac212d59245c40716e76c582c4f1800821fe530d252c491777457
Instruction Fuzzy Hash: BA5102B1C00349AFDF05CFA9C980ADDBFB6BF49310F14816AE819AB221D771A955DF90

Function 06C1D8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C1DA02

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f0357b9f30857c67fca7a745ce1db4d2a921dae97d9313f13c11d18c0d36210c
Instruction ID: 147c6bc9d1c1b15aca051cea24135d0cf907891a8823c08e37af16b1becdea8d
Opcode Fuzzy Hash: f0357b9f30857c67fca7a745ce1db4d2a921dae97d9313f13c11d18c0d36210c
Instruction Fuzzy Hash: 7D41B0B1D00349DFDF14CF99C884ADEBBB5BF49310F24812AE819AB210D771A985CF91

Function 0146F018 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0146F0BF

Memory Dump Source

Source File: 00000013.00000002.2978391843.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1460000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 09023b9e917d27303b22e5b3a13793462b8b7f836070cdaeef6db66364cb2eb3
Instruction ID: b3d7ad444f97057f0b9627efc40380699d81201877abed44be5a7b4cc1c7a34d
Opcode Fuzzy Hash: 09023b9e917d27303b22e5b3a13793462b8b7f836070cdaeef6db66364cb2eb3
Instruction Fuzzy Hash: 712189B1C0025A9FCB14DFA9D8047DEFBF4AF48320F10856AE854A7251D778A845CBA6

Function 06C13450 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C134DF

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 540e5a57dc6faa18a6b87ffe5078afac08ac3dc87a49bc703d563e4a6164c2fc
Instruction ID: 0adbeb31f8743009cba1c0c40cb0a4fa9096366667db396be8613605cd11bc7e
Opcode Fuzzy Hash: 540e5a57dc6faa18a6b87ffe5078afac08ac3dc87a49bc703d563e4a6164c2fc
Instruction Fuzzy Hash: 1B21E3B5D002589FDB10CF99D984ADEBFF5EB48310F14805AE918A7350D375A950CFA1

Function 06C13458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C134DF

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b1732dc230aa7649925877120a3840db7c8863da7a5634323cd5f034fa3d6dc4
Instruction ID: 9a7cdb7d535356d1192506198dd441d6aca2eb6679e7bddf5705541eb4ab799e
Opcode Fuzzy Hash: b1732dc230aa7649925877120a3840db7c8863da7a5634323cd5f034fa3d6dc4
Instruction Fuzzy Hash: 0F21E4B5D002589FDB10CF9AD984ADEBFF8EB48310F14801AE918A7350D375A940CFA5

Function 06C1BB6B Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06C1BBDA

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6701c8ec1a962325445f1cd4b6287fa9d5a9232830d7c3372ad60f9275b9bc71
Instruction ID: 0989909648c7a77251b7c4c6f084d89e36292f474607a64305b48b6b0219ae69
Opcode Fuzzy Hash: 6701c8ec1a962325445f1cd4b6287fa9d5a9232830d7c3372ad60f9275b9bc71
Instruction Fuzzy Hash: FE1144B6C002098FCB10CF9AC844ADEFBF4EB49320F10802ED459A7210C374A545CFA5

Function 06C1BB70 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06C1BBDA

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2c7628c6b7bd52bbe2ce137ca74e993cb450838913e879a0c2d0a35f17ae4bc9
Instruction ID: 54fd6140a8d7a2e958a2af9adeecbf189dd5f0e975fc8f4d269dc64c3e11f048
Opcode Fuzzy Hash: 2c7628c6b7bd52bbe2ce137ca74e993cb450838913e879a0c2d0a35f17ae4bc9
Instruction Fuzzy Hash: 481104B6D003099FDB10CF9AC884ADEFBF4EB49310F10846ED459A7610C779A945CFA5

Function 0146F058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0146F0BF

Memory Dump Source

Source File: 00000013.00000002.2978391843.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1460000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8b6b3701ae6b26093e27c6aa35a9668ba6a9ee2fbb1630d1f5bbd6e1d61b2fd2
Instruction ID: 5a7faa0226467e556674e96139e5e0354e259d08d04cf385098dfdefdb562097
Opcode Fuzzy Hash: 8b6b3701ae6b26093e27c6aa35a9668ba6a9ee2fbb1630d1f5bbd6e1d61b2fd2
Instruction Fuzzy Hash: 591120B1C0026A9BCB10DF9AC444BDEFBF8EF48324F10812AD818A7250D378A944CFA5

Function 06C1A6AC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06C1B734), ref: 06C1B96E

Memory Dump Source

Source File: 00000013.00000002.3035156358.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c10000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d181111ee36db1307e05261e8b636414d0786c173010080a2c49a7fb350d2d6e
Instruction ID: 85e6a30012777111ed1bb02e6bbc3dc9a6bacccb2c5a8807b90a6e3bc9150712
Opcode Fuzzy Hash: d181111ee36db1307e05261e8b636414d0786c173010080a2c49a7fb350d2d6e
Instruction Fuzzy Hash: 161102B5D00249CFDB10DF9AC444ADEFBF4EF49214F10842AD459AB210D375A945CFA1

Function 06C24B88 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06C24CC5

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: ba9c1d9d4cf26015d28bfd86451c1b1c0ae2d1684bcd30ee05ad90e79eaacb10
Instruction ID: 44036fb8eccf4abaa5f14ce8cc6e4c10c94abc96cde65cf9896893262559f048
Opcode Fuzzy Hash: ba9c1d9d4cf26015d28bfd86451c1b1c0ae2d1684bcd30ee05ad90e79eaacb10
Instruction Fuzzy Hash: E3416E30B102199FDB599FA5C854BAEBBF7FF88700F208529E105AB395DB759C01CB91

Function 06C2DAAD Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C2DC09

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 47bc3e87fce1b177792fd6ec28b22a232cafd0070f7c1364188d35ce5487ac54
Instruction ID: 040e7dc85cad3616d124fe749a9b1f03941e2431574fdd9f28c4b4e317f7aa11
Opcode Fuzzy Hash: 47bc3e87fce1b177792fd6ec28b22a232cafd0070f7c1364188d35ce5487ac54
Instruction Fuzzy Hash: 6741B230E00726DFDF65DFA5C59469EBBB2BF95300F204929E806EB240DB71E946CB91

Function 06C221F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C22333

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f2286e761756d1e42acb4634e1f828f71912f99825dfbbe1a20f2f8c43afa4ca
Instruction ID: 527380befc33a336f3ed6647b181a466daff481a0800a1cdbfd9d20494dfb9ba
Opcode Fuzzy Hash: f2286e761756d1e42acb4634e1f828f71912f99825dfbbe1a20f2f8c43afa4ca
Instruction Fuzzy Hash: B1312470B102128FCB59AB74D45866E7AE3BF88210F10852CD406DB384DF79DE02C7A1

Function 06C282C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2830B

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d6147899e1180ec292bc950efe1e18cc4b48ae3cfa69229481095861c19f4aab
Instruction ID: 00b09a1c5e14d4f1ae168a81a3cb75cd775bddccbe3f94bb14b95621cf160a5e
Opcode Fuzzy Hash: d6147899e1180ec292bc950efe1e18cc4b48ae3cfa69229481095861c19f4aab
Instruction Fuzzy Hash: 7CF0A435E052279FDF649B46EA905AC73A5FB40314F14412DDE05DB249D731EA09C791

Function 06C261E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5b9e90f0107a1df2a5e74091d3d04eec99f266e5e72249b143d772d5e0a04a
Instruction ID: 19f74de0b42ccb7ad6226e1ae44ffad232fb28bd4861cf75eaa6ff0aaa6a0c79
Opcode Fuzzy Hash: ca5b9e90f0107a1df2a5e74091d3d04eec99f266e5e72249b143d772d5e0a04a
Instruction Fuzzy Hash: 6361D2B1F000224FCF54AA7EC89866FBAD7AFC4614B154439D80EDB364DEA6DD0287D2

Function 06C242CA Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f640fd1c17ba94342cc3293ca799cb8773ecd36e0ac9376cd85ea90afabaa80f
Instruction ID: f5dbe2547ad7e468703f375a8765f45e250ed2726cee9a52a378b1bf8cc04c5d
Opcode Fuzzy Hash: f640fd1c17ba94342cc3293ca799cb8773ecd36e0ac9376cd85ea90afabaa80f
Instruction Fuzzy Hash: 50815034B002169FDB58DFA5D45475EB7F2AF88304F108529E90ADB394EB74ED428B91

Function 06C245E8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222e47854a545b7e1bd3fcb3f3fe8d65d0ffa0e8bfbeebe45c071930faa31799
Instruction ID: 320fe1c020c2e8d9b935d3858932f8df608df0f80672268e32d74895d0cb6ea4
Opcode Fuzzy Hash: 222e47854a545b7e1bd3fcb3f3fe8d65d0ffa0e8bfbeebe45c071930faa31799
Instruction Fuzzy Hash: D2914F30E1021A8FDF64DF68C890B9DB7B1FF89304F20859AD549EB255DB70AA85CB91

Function 06C24600 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13dbd1f8c80d07608521c9e44c765391bae9ca15a3d3f31bc5e05e5c87b5ba0
Instruction ID: 3e50fcdb3ee0572dbad27986d095a4460a4e77f113b833cfdff1fafc3918bfb0
Opcode Fuzzy Hash: e13dbd1f8c80d07608521c9e44c765391bae9ca15a3d3f31bc5e05e5c87b5ba0
Instruction Fuzzy Hash: 48913C30E1021A8BDF64DF68C890B9DB7B1FF89304F20C599D549AB255EB70AA858F91

Function 06C2EF00 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08abc7a58d2232e41e7369407f29cf328ac8ae8bf1f42915f9e674c313c69430
Instruction ID: ee3bf469836cd1dad27ba02de72c9032fd57cf02788b9408aa632a195721a7e1
Opcode Fuzzy Hash: 08abc7a58d2232e41e7369407f29cf328ac8ae8bf1f42915f9e674c313c69430
Instruction Fuzzy Hash: 18713D70A0021A9FDB54DFA9D980A9EBBF6FF88304F248529D419EB354DB30ED46CB51

Function 06C2EF10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10fae9846ae154d82c6a153d7eab8f2d174f172c4bfae9c2f0c11d5e0c72d72
Instruction ID: fbf6af3bab8872e76447edd4f2e1f55031f8c85382191b20e4582e3ec93c24fb
Opcode Fuzzy Hash: d10fae9846ae154d82c6a153d7eab8f2d174f172c4bfae9c2f0c11d5e0c72d72
Instruction Fuzzy Hash: F7713D30A0021A9FDB54DFA9D980A9EBBF6FF88304F148529D419EB364DB30ED46CB50

Function 06C2FC70 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7d76bddd1d23df0a3d0c57b1d2d8ca99157693498505233eec3201a8bbcd56
Instruction ID: 06a0b9670a32f9f4da1dea44da948750490c44e4c476d82ab98d00fb480751ba
Opcode Fuzzy Hash: 3c7d76bddd1d23df0a3d0c57b1d2d8ca99157693498505233eec3201a8bbcd56
Instruction Fuzzy Hash: EC51F331E0011ADFDF24EF78E4946ADBBB2EF84314F10886EE916D7251DB319946CB81

Function 06C2FA1F Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92f263a4fb91c34a64783c144f25bc06d78767215a246f918baaaade5e1dea4
Instruction ID: ce0a1c88a96c470195b31b05d75b67b5706c4846941c4432f814ac676d7a849a
Opcode Fuzzy Hash: a92f263a4fb91c34a64783c144f25bc06d78767215a246f918baaaade5e1dea4
Instruction Fuzzy Hash: 66510730F502299FEF64676CD95473F266ED789300F10092EE81ED33A9CA69CD855392

Function 06C2FA30 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e8b3230250b7ffe9d8e0b5c88ca19864186bb9efbcd0b830ffa32805c1d804
Instruction ID: d3e6dc40e0d7a180b1548d16b172464d233693666768f791a2e35e840a902006
Opcode Fuzzy Hash: 87e8b3230250b7ffe9d8e0b5c88ca19864186bb9efbcd0b830ffa32805c1d804
Instruction Fuzzy Hash: AA511630F5022D9FEF646A6CD95473F266ED788710F20092EE81ED33A9CA69CD815392

Function 06C25440 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6d08c7a3b7de38681c8a162e77dc9ae288aed10a7b12c322ac889caffd2922
Instruction ID: 65e5912c7fdf6071b3d86aedbf3a18d0a30152c710dd49390ab82b655c3f3228
Opcode Fuzzy Hash: 8d6d08c7a3b7de38681c8a162e77dc9ae288aed10a7b12c322ac889caffd2922
Instruction Fuzzy Hash: F6418C71E0061A8FCB60CFA9D881AAFFBF2EB88310F50492AE516D7650D330E9558B91

Function 06C255C1 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c1c69dc207e6e79d3d16ea014148ef84d7f6acfa19019f045f722c046837c2
Instruction ID: cf17be07ea4623ef86bfa3ebb7d899d9006be5bc59fee183fafce6c4d9020668
Opcode Fuzzy Hash: b6c1c69dc207e6e79d3d16ea014148ef84d7f6acfa19019f045f722c046837c2
Instruction Fuzzy Hash: D9318170E102168BDF74CB69C8C076FF7A2EB85220FA4893ED855DB345C635DA41CB91

Function 06C2D960 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641aa3eb523229d5130cbfbcc9f814d8bb09931c5c12f4f6d4227e5daf6b312e
Instruction ID: 61dae97021e389229bfffb00a3eed0fabdd4c6f93a553075ce2c54c0b4d2dcf1
Opcode Fuzzy Hash: 641aa3eb523229d5130cbfbcc9f814d8bb09931c5c12f4f6d4227e5daf6b312e
Instruction Fuzzy Hash: 7D31B430E1071A9FCF15EF65C890A9EB7B6FF85304F108929E806A7304DB70F9468B91

Function 06C220A8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cf4c1c84328e15fcedac3d86086ca1acb588b1aa4f922a05d1591752557b9f
Instruction ID: 6c6825d772a98fd5c5c2518240d7bc21492d562d067b76b8f7facc4fcb2c727d
Opcode Fuzzy Hash: e0cf4c1c84328e15fcedac3d86086ca1acb588b1aa4f922a05d1591752557b9f
Instruction Fuzzy Hash: 23318D34E106169BCF19DF65C894A9EB7B2FF89300F108529E916EB354DB35ED86CB40

Function 06C220B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbea3484e35001ed664f807899717995fac2af4f6c093b69cd528a11f95ca4c
Instruction ID: 99cf85c85549c81b4da7625017b6165bd86e84a654c0d7aa592b1228f9c75b1d
Opcode Fuzzy Hash: 5cbea3484e35001ed664f807899717995fac2af4f6c093b69cd528a11f95ca4c
Instruction Fuzzy Hash: 00318034E1061A9BCF59DFA5D854A9EB7B2FF89300F108529E916EB350DB71ED82CB40

Function 06C23ED1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e65b476c69aa48f2639c0ae9172f1797a8aed79ed94262e62784de453e14db
Instruction ID: b221f707650de765fb45ae236f82eaefa08fb345c4f6157b9baf289d0eef4a18
Opcode Fuzzy Hash: 53e65b476c69aa48f2639c0ae9172f1797a8aed79ed94262e62784de453e14db
Instruction Fuzzy Hash: 1B219175F002269FDB00DF79E840AAEBBF5AB48210F148169F909EB354E738DD018B95

Function 06C23EE0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d80cfcb1bd032fa34b1e95f3b1755acea3db36701d3260d2d55fa427085e93
Instruction ID: 40707a6779cf66dde6d2cb6c53dcbe23963cd6289a68b758c2f659ae339ba401
Opcode Fuzzy Hash: 45d80cfcb1bd032fa34b1e95f3b1755acea3db36701d3260d2d55fa427085e93
Instruction Fuzzy Hash: 6821A175F002269FDB40DF6AE840AAEB7F1EB48710F108169FA09E7354E778DD018B91

Function 012DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2973844249.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12dd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9de6794eadb805fe4ed30e1da8769014f1c90a65bc222312eb0dbcf45873c6
Instruction ID: 53719f6d07af5cf23a9de2bf314d1ba8e5801db189955cf984cb5815d936aac4
Opcode Fuzzy Hash: ba9de6794eadb805fe4ed30e1da8769014f1c90a65bc222312eb0dbcf45873c6
Instruction Fuzzy Hash: 59213471514608DFCB11DFA8D9C0B26BBA5FBC4314F20C56DD9094B296C37BD447CA62

Function 06C23481 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2124490d610a4b71cb72106eafbbc3d5886e17bb6f9f40b8c716c2db77b9b4b
Instruction ID: 2b2a0356fea559ba5a0284ff250d0766d7f87c03c52cfd6206bcb2586a43023f
Opcode Fuzzy Hash: b2124490d610a4b71cb72106eafbbc3d5886e17bb6f9f40b8c716c2db77b9b4b
Instruction Fuzzy Hash: A321A271E0022A5FCB65EB69D8405DEB7F6EB89310F10856AD40EE7304DA35DA41CBA1

Function 012DD006 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2973844249.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12dd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453469b1faa9eaa072d4d69917e7301fe27867dcd7a712141f0d5a9a92c8655d
Instruction ID: 560220c665a8e3298c66e3cd4024458a32e9607f745f2c327e191ed804029330
Opcode Fuzzy Hash: 453469b1faa9eaa072d4d69917e7301fe27867dcd7a712141f0d5a9a92c8655d
Instruction Fuzzy Hash: 6A218E7550D7C48FDB03CF64C990711BF71AB46214F28C5EBD9898F6A7C23A980ACB62

Function 06C23FF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15e9fb4a3497ce7a22682c72a1917f8518c63e862a7c32daafd9a38fb2d1c92
Instruction ID: 70e5caf99adefbbf950719baedb2a1fecdb8cfa4610aa3ce0f527ce724eb856a
Opcode Fuzzy Hash: f15e9fb4a3497ce7a22682c72a1917f8518c63e862a7c32daafd9a38fb2d1c92
Instruction Fuzzy Hash: 89118E35B101259FDB48D669C814AAF73EAABC8711B00853AD90AEB340EE659C428B92

Function 06C24229 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5f20e8e57931ffc7cb331accb3da79e1a3915fa59cbc646fcda8715fce9156
Instruction ID: ebc15c805b6a50444e130d401b8d684e230e573788da2320c8ae320a24d9358f
Opcode Fuzzy Hash: 3d5f20e8e57931ffc7cb331accb3da79e1a3915fa59cbc646fcda8715fce9156
Instruction Fuzzy Hash: B001B175B104221BDB68A2AEE854B5BA6CBDBC9614F24C43EE60EC7344DD62DD0243A6

Function 06C23CA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9081fcb12c8ab5455097a1dcb243d4390beda8887e55c0b28ca53da1048e48f
Instruction ID: d1477c5f4664012da4a7c3b44ec96ca8f10c1f4d6f777416996fbca2de6ae7a1
Opcode Fuzzy Hash: a9081fcb12c8ab5455097a1dcb243d4390beda8887e55c0b28ca53da1048e48f
Instruction Fuzzy Hash: 6321C4B5D01269AFCB00DF9AD884ADEFFB4FB49310F10852AE918A7201C374A554CFA5

Function 06C2F17F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c96fa986f37f5ba6e9ced1a2ebec25f15a072650f20f2917174ff02e9e91ed
Instruction ID: 737dba0f6a3b70aa6f8d5eb0c4f68cc8f15dc152dcb3be43bc5e289bb67d4a79
Opcode Fuzzy Hash: 75c96fa986f37f5ba6e9ced1a2ebec25f15a072650f20f2917174ff02e9e91ed
Instruction Fuzzy Hash: F5012F7AB101251FDB21A62DE894B6BB3EADBC9710F10883DE90AC7340DE21CD434392

Function 06C23FDF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d7dadd39969095c5c8fe2f7b9a6e1cfbd61692039575df120ade850ade874c
Instruction ID: e11a45ab251b2f28bf4629c4b4f0fe2633ab087bcabd4a7a67e708355d7392ef
Opcode Fuzzy Hash: 69d7dadd39969095c5c8fe2f7b9a6e1cfbd61692039575df120ade850ade874c
Instruction Fuzzy Hash: 5A01D432F100265BDB589569DC10AEF73EBEBC8610F00813AE90AE7340EF659C4247E2

Function 06C23CB0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba45a8592f2a9dcdc618a1cd5da905f3b846dfbbd823733806aea4e2c328af0c
Instruction ID: 3d27d3dd59c4c48b4aab63b020d50971fa62091185b8f8078046add13f31d9bc
Opcode Fuzzy Hash: ba45a8592f2a9dcdc618a1cd5da905f3b846dfbbd823733806aea4e2c328af0c
Instruction Fuzzy Hash: 1411B0B5D01259AFCB00DF9AD884ADEFFB4FB49320F10852AE918A7241D374A954CFA5

Function 06C24238 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c0870362a0ad7648b68522b9ed1094acedba9a450a8f164a37d6281a7621f0
Instruction ID: c968ee8129649165521048e9fd1fcb3c85ec2581831a8b31af14141892297068
Opcode Fuzzy Hash: 81c0870362a0ad7648b68522b9ed1094acedba9a450a8f164a37d6281a7621f0
Instruction Fuzzy Hash: CD01D670B104221BDB68A6AED45471BA2DBDBC9710F20C43EEA0EC7344DD61DD0243D5

Function 06C2A2FA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319d1e415a21588a5b15f9824befc3d6ca76bdae84fa297a9eca44c3a5a3ffa8
Instruction ID: a69515180d8df6bd0dee52fc975384547e9b97fa1e8f17d858584cba265b0bed
Opcode Fuzzy Hash: 319d1e415a21588a5b15f9824befc3d6ca76bdae84fa297a9eca44c3a5a3ffa8
Instruction Fuzzy Hash: E7018F35F101211FDB60AA7DD850B6E77DAEB89750F148428E50AD7344EA21DC428785

Function 06C2F190 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931b11adfc3b75d8c9ea45e6330757b861350018636ced09f1310fd0e636dfb6
Instruction ID: d5d0deac95578637d12d1c8db661d635dc4cc4301870b3f764919eb60720bf5b
Opcode Fuzzy Hash: 931b11adfc3b75d8c9ea45e6330757b861350018636ced09f1310fd0e636dfb6
Instruction Fuzzy Hash: D501D175B1042A1BCB64A66DE85472EA3EADBC9610F14883DE91AC7340DE21DD424385

Function 06C2A308 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c421560f5e03e99f8bbec5bdf366aac9301f9df3f599def12b983d78982a0f
Instruction ID: 20788599b7bb2607e7c5176b1d0ab208a2f99dc0245539d962c70386e1da4c60
Opcode Fuzzy Hash: d0c421560f5e03e99f8bbec5bdf366aac9301f9df3f599def12b983d78982a0f
Instruction Fuzzy Hash: A0018130B001211FCB54AA6DD85072E73D6FB89750F14842CE50EC7344DB21DD428785

Function 06C26468 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aec7ab1314ca6b52ba18e72a1a79451619ee34b4b4ecf3c86ea11381852293
Instruction ID: b81194c124d1b86e5c37cd57d3d13aba57e41771708ca13e33629e9ea1057f40
Opcode Fuzzy Hash: 01aec7ab1314ca6b52ba18e72a1a79451619ee34b4b4ecf3c86ea11381852293
Instruction Fuzzy Hash: 7CE0D871E16159ABDF60CEB5CD4975B77ADEB01208F2088B9D809D7202E136EB4183E1

Non-executed Functions

Function 06C27690 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C277B1
$^q, xrefs: 06C277BD
$^q, xrefs: 06C27780
$^q, xrefs: 06C27BFE
$^q, xrefs: 06C27B49
$^q, xrefs: 06C2778C
$^q, xrefs: 06C27BF2
$^q, xrefs: 06C27B3D
$^q, xrefs: 06C27BE8
$^q, xrefs: 06C27BDC

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: b7347e4456879037717899f6eb465671bcb0a20ea0fda58d7f721c586f3a56af
Instruction ID: 51240521e5a8d697785126f3d1703bf092a2901180700893859038df0d2b5230
Opcode Fuzzy Hash: b7347e4456879037717899f6eb465671bcb0a20ea0fda58d7f721c586f3a56af
Instruction Fuzzy Hash: 2212FA30E0022ACFDB64EF65C994A9DB7F6BF88704F208569D409AB364DB319D85CB91

Function 06C2A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2AAB8
$^q, xrefs: 06C2AA81
$^q, xrefs: 06C2AA8D
$^q, xrefs: 06C2AAEE
$^q, xrefs: 06C2AA26
$^q, xrefs: 06C2AA32
$^q, xrefs: 06C2AAAC
$^q, xrefs: 06C2AAE2

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: c9884f88907314755a3a7cd0d2a67fb5e48b74c4d2ebfc2fbb1ea007c6ef8780
Instruction ID: 899c9859b403638da6b1e579c3a6eece8939ce3a5a0cacd2ce45d02657953ee9
Opcode Fuzzy Hash: c9884f88907314755a3a7cd0d2a67fb5e48b74c4d2ebfc2fbb1ea007c6ef8780
Instruction Fuzzy Hash: B2918E30E0022ADFDB68EFA6D954B6EBBF2AF84704F10852DE8019B354DB759D45CB90

Function 06C27090 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C273CC
$^q, xrefs: 06C27372
$^q, xrefs: 06C273D8
$^q, xrefs: 06C27598
.5vq, xrefs: 06C270EB
$^q, xrefs: 06C275A4
$^q, xrefs: 06C2752C

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 674758cbc16ac3dcf85cdb63e210f6b47db8af46eb2f822f85a7bbfacfa04a58
Instruction ID: d2dc18dab3e22d742a7a09cc731404f4ccbb647f3744e66a988451bcfb1d3878
Opcode Fuzzy Hash: 674758cbc16ac3dcf85cdb63e210f6b47db8af46eb2f822f85a7bbfacfa04a58
Instruction Fuzzy Hash: 17F17230B0021ACFDB58EF69C594A5EB7F6BF84304F248529E8069B369DB75EC42CB51

Function 06C283C8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C28687
$^q, xrefs: 06C28693
$^q, xrefs: 06C2862E
$^q, xrefs: 06C28622

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1187dae836211e014b55ef753687d9b7834be3bee3b4c4b275ac75ff5d135119
Instruction ID: 11e0d9fd016f72c2deffe25603d7203f415bd55e518e37041ef5efbab19d941e
Opcode Fuzzy Hash: 1187dae836211e014b55ef753687d9b7834be3bee3b4c4b275ac75ff5d135119
Instruction Fuzzy Hash: 48B16F30B0121A8FDB58EF69C5906AEB7B6FF84304F248529E406DB355DB74DC86CB81

Function 06C287E0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06C28922
LR^q, xrefs: 06C288D3
$^q, xrefs: 06C2886B
$^q, xrefs: 06C2885F

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 06e1fb85bff2d336740308c397fb92ca4f61dd1541207ae123f9c54658e83ef6
Instruction ID: bf064fffaa1337f208b677be0041fe6482602d07a3cc48670f6a37dbe562bc6d
Opcode Fuzzy Hash: 06e1fb85bff2d336740308c397fb92ca4f61dd1541207ae123f9c54658e83ef6
Instruction Fuzzy Hash: 65510730B012168FDB58EB29D950A6AB7F2FF88304F14866DE9159F369DB30EC44CB91

Function 06C2ACBA Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C2ADE9
$^q, xrefs: 06C2AE94
$^q, xrefs: 06C2AE3C
$^q, xrefs: 06C2AE6B

Memory Dump Source

Source File: 00000013.00000002.3035600388.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6c20000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7ce0e70c4faecbe6bd66c382fbd6159e409f8d2a11e55d9b11586c26971d56cb
Instruction ID: db87afdd00353b00e6449f80220b621318e4652f03acbd322f793e16abdb7056
Opcode Fuzzy Hash: 7ce0e70c4faecbe6bd66c382fbd6159e409f8d2a11e55d9b11586c26971d56cb
Instruction Fuzzy Hash: 89519130E102168FDF65DBA9D9806AEB3B2EB88311F20852EDC05DB354DB31DD46CB91

Analysis Process: mpTrle.exePID: 8064, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	236
Total number of Limit Nodes:	13

Executed Functions

Function 0119D300 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0119D37E
GetCurrentThread.KERNEL32 ref: 0119D3BB
GetCurrentProcess.KERNEL32 ref: 0119D3F8
GetCurrentThreadId.KERNEL32 ref: 0119D451

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08ce4e17c8247843d82fa18fc29be3370ae594ad2ff70148be5e0a6877179449
Instruction ID: 67e85a57aa29731ce8405d6dce4f3c3e48051a33ea32aef034dae528701f98c7
Opcode Fuzzy Hash: 08ce4e17c8247843d82fa18fc29be3370ae594ad2ff70148be5e0a6877179449
Instruction Fuzzy Hash: D25124B09003498FEB18DFAAD649B9EBBF1BF49314F20C559D019A7360DB349984CF65

Function 0119D2FF Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0119D37E
GetCurrentThread.KERNEL32 ref: 0119D3BB
GetCurrentProcess.KERNEL32 ref: 0119D3F8
GetCurrentThreadId.KERNEL32 ref: 0119D451

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a81ff354e74cb132318d0a4698ef7ba7eda32012a1a99096295f116ad6f77b2d
Instruction ID: 6f751af844d314205f154859a5a1dc475da5808011e6c70e1fd7d2fe92feeaea
Opcode Fuzzy Hash: a81ff354e74cb132318d0a4698ef7ba7eda32012a1a99096295f116ad6f77b2d
Instruction Fuzzy Hash: 5D5124B09002498FEB18DFAAD649BDEBBF1BF89314F20C559D019A7360DB349984CF65

Function 02BC39C4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02BC3C06

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 67cc379f6923aa3c03ef314f1fb1ed6b4b4dfb74051705c868ea6f0c77001abe
Instruction ID: 1a2302dc2f6b44892f368be6447b0c42bee5e1e9814c93cee65efc5fa3c7c23b
Opcode Fuzzy Hash: 67cc379f6923aa3c03ef314f1fb1ed6b4b4dfb74051705c868ea6f0c77001abe
Instruction Fuzzy Hash: 5FA14871D0021ADFDB10DF68C841BEEBBF2EF48314F6485A9E818A7290DB759985CF91

Function 02BC39D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02BC3C06

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3e888e9520f224cfbe97709a1267b63b18ae273f7bcd067447e44f2054e76d05
Instruction ID: fc6cb20a75c3e02a4c61d24d392fca043755231ac2db1ccd6549f7d77553321e
Opcode Fuzzy Hash: 3e888e9520f224cfbe97709a1267b63b18ae273f7bcd067447e44f2054e76d05
Instruction Fuzzy Hash: 90914871D002199FDB10DFA8C841BEEBBF2EF48314F6485A9E818A7250DB759985CF92

Function 01195A84 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b36b691f5d00202ad4799c78d6a305c29ce491ebe5e447a8fc7a6eba17f4b0b
Instruction ID: 31518926e92ac215e3e6c947abc2254e3ca8337cf786f3a29a7537be81a87ef0
Opcode Fuzzy Hash: 7b36b691f5d00202ad4799c78d6a305c29ce491ebe5e447a8fc7a6eba17f4b0b
Instruction Fuzzy Hash: 3941F371800749CFDF5ACFA8C8447ADBFB6EF46324F14428AC06AAB265D7355946CF41

Function 011944B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011959C9

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ac585787c1d528182d5f109bfa89d0a9dfb9d642c13d0c852475459c707bd6e8
Instruction ID: 912be274165fa8876d73f1d9a1489876b3d3f6d5140c6ce706fd68940082ad12
Opcode Fuzzy Hash: ac585787c1d528182d5f109bfa89d0a9dfb9d642c13d0c852475459c707bd6e8
Instruction Fuzzy Hash: 9B41F2B0C00719CBDF28DFA9C84578EBBB6BF49304F20806AD418BB255DB756945CF90

Function 0119590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011959C9

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1140294052f1f1f2f7b279123748fab932fc67725eb505c0f9632acdbf12c13f
Instruction ID: e8e50db081f0c534b2ed725bede6b900aeffe1a6368f164e5a2a3946e9d9faa6
Opcode Fuzzy Hash: 1140294052f1f1f2f7b279123748fab932fc67725eb505c0f9632acdbf12c13f
Instruction Fuzzy Hash: AC41F1B0C00719CADB24DFAAC8857CDBBB6BF49314F24806AD418BB255DB756946CF90

Function 02BC3740 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02BC37D8

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0bd8c1ae5b1a4e4100aa12a37ca8dd03b276f9276fd75639c4661dbfe58ee101
Instruction ID: fd3ceefab055088ea96f0bebdc220499440aeebaaf4b717e6be842e40e14a0d0
Opcode Fuzzy Hash: 0bd8c1ae5b1a4e4100aa12a37ca8dd03b276f9276fd75639c4661dbfe58ee101
Instruction Fuzzy Hash: B02157B69003199FCB10CFA9C885BDEBBF5FF48314F10842AE958A7240D778A944CFA5

Function 02BC3748 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02BC37D8

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ae56cdc9cf1e9943c49d65a97f47a9b27a8f133ff4a20bc46c9d6e037d9d05b
Instruction ID: 929aac57d3a6168d30edf19d7a6d49ed5ee65966a1d49ad35c4434978ec94cde
Opcode Fuzzy Hash: 2ae56cdc9cf1e9943c49d65a97f47a9b27a8f133ff4a20bc46c9d6e037d9d05b
Instruction Fuzzy Hash: 552127B59003599FCB10CFA9C985BDEBBF5FF48314F10842AE958A7250C7789944CBA5

Function 02BC3171 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02BC31F6

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5844d3a02ae0133dcc2e4ef638266155a933ecbb068f0a6cec513e0dafcf1aeb
Instruction ID: 3f03abb6ae2d051b0523a99d65cf608573494eb9b0e8a65dc7350f02cc5144f9
Opcode Fuzzy Hash: 5844d3a02ae0133dcc2e4ef638266155a933ecbb068f0a6cec513e0dafcf1aeb
Instruction Fuzzy Hash: 502125B19002098FDB10DFAAC4857AEBFF4EB48324F10C46ED459A7241CB789985CFA5

Function 02BC3838 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02BC38B8

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f5dddfb188e48f68df9ce500fa110993d45613743ee47cdb574a61f00bd83424
Instruction ID: 7710b10c73c287a1a544e471d3a6120a94d49a307452ee656577e482f36d6d14
Opcode Fuzzy Hash: f5dddfb188e48f68df9ce500fa110993d45613743ee47cdb574a61f00bd83424
Instruction Fuzzy Hash: B92128B19002599FCB10DFAAC845ADEFBF5FF48310F508429E558A7250C738A544CBA5

Function 02BC3830 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02BC38B8

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 58090571f8e8a2fd7de7eab993e34ee6ec8dbb2cd2c8916b10cb8643a1007083
Instruction ID: 0ed9d53cbf2f432c7f88ca1a5489912e26cd2b411fd08a1850c4ab5a42fb0705
Opcode Fuzzy Hash: 58090571f8e8a2fd7de7eab993e34ee6ec8dbb2cd2c8916b10cb8643a1007083
Instruction Fuzzy Hash: 4D2114B2D002599FCB10CFA9C985BEEBBF5FF48314F14886AE559A7250C738A544CFA4

Function 02BC3178 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02BC31F6

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0f17611c45791249d53a2381a8275d967ec18b974e3e17d388e8de2cce2bb68d
Instruction ID: 5ad80a0a62980a615aa4e08c4fb5d7fe7c2e11fb1d84b242367180e2c554bbfa
Opcode Fuzzy Hash: 0f17611c45791249d53a2381a8275d967ec18b974e3e17d388e8de2cce2bb68d
Instruction Fuzzy Hash: C72138B19002098FDB10DFAAC4857EEBBF4EF48324F50C46DD459A7240C7789984CFA5

Function 0119D548 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119D5CF

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d71d99306808aa6e117cd76d66420b0320138e552777ff7a1cb3f2ba08ddfb4f
Instruction ID: 54503179995dd91a902f0636cfaad474ef0ee41bb05b4ba8335c1a5a98a716f4
Opcode Fuzzy Hash: d71d99306808aa6e117cd76d66420b0320138e552777ff7a1cb3f2ba08ddfb4f
Instruction Fuzzy Hash: 7621E4B59002089FDB10CF9AD584ADEBFF4EB48310F14841AE918A3310D374A940CFA5

Function 0119D547 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119D5CF

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ec737378d6f04443dcc1def9e83023db8040f997dc1e9a43e24d9f5a0e4eb7c
Instruction ID: 5719307556c605819c249c5012dbb7450aac7d295e1847f1e250711417c711df
Opcode Fuzzy Hash: 3ec737378d6f04443dcc1def9e83023db8040f997dc1e9a43e24d9f5a0e4eb7c
Instruction Fuzzy Hash: 9E21E2B5900248AFDB10CFAAD584AEEBFF4EB48320F14841AE958A3310C379A945CF60

Function 0119AA88 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119B341,00000800,00000000,00000000), ref: 0119B552

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e9d7bfaa60c7b62508f1e6fd2ccf46e7ed230170c3ac3858affdd74c1ee70077
Instruction ID: e47282f2d5ff9d582959ad556ccd7b20e316d3699f270daa46370a20f0ac5e1b
Opcode Fuzzy Hash: e9d7bfaa60c7b62508f1e6fd2ccf46e7ed230170c3ac3858affdd74c1ee70077
Instruction Fuzzy Hash: 461123B6904348CFDB24DF9AD448ADEFBF4EB88310F10842EE529A7210C375A945CFA5

Function 02BC3249 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BC32BE

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d3c5085f831c9c8d6108267b034144440d670f55e619c7238bf624ef660909e
Instruction ID: ccb2c022c0737b160c3fc02519f418192796891b1ba6a86afc2f3104f579251d
Opcode Fuzzy Hash: 1d3c5085f831c9c8d6108267b034144440d670f55e619c7238bf624ef660909e
Instruction Fuzzy Hash: BE1156729002498FCB10DFA9C845ADEFFF5EF88324F20C819E559AB250CB35A944CFA0

Function 02BC3250 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02BC32BE

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44d7d23a38dbfb453800c94ddcaec91b20ca912f65cd18eae1e4fc5af873c6c4
Instruction ID: 4105c3d458ef31d4ebfe23373f8ecbd062411af1817e008aa158750adcd32e34
Opcode Fuzzy Hash: 44d7d23a38dbfb453800c94ddcaec91b20ca912f65cd18eae1e4fc5af873c6c4
Instruction Fuzzy Hash: CF1156729002488FCB10DFAAC844ADEFFF5EF88324F208819E559A7250C735A544CFA0

Function 0119B4E7 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0119B341,00000800,00000000,00000000), ref: 0119B552

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d0ff4f34fa3a087c9a97c7c7fb035b0f29ae07b5d2e48ceea5a346e2f8db5c
Instruction ID: 36802bacdc8d5e76c804eaf645202fffa02f91ea4342f369ff05003f089dfa72
Opcode Fuzzy Hash: 74d0ff4f34fa3a087c9a97c7c7fb035b0f29ae07b5d2e48ceea5a346e2f8db5c
Instruction Fuzzy Hash: 2B11E2B69042498FDB24CFAAD484ADEFBF4EB88310F14842AD569A7210C375A545CFA5

Function 02BC30C0 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02BC312A

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a366b1c88f4692a432161bd4f55030e1d4954723c89bf0cbc551698437ebfdf
Instruction ID: 7a51a7dc61dbef6b72e4289ed22ac9db9351c5faced45d408422b8f9b201c872
Opcode Fuzzy Hash: 3a366b1c88f4692a432161bd4f55030e1d4954723c89bf0cbc551698437ebfdf
Instruction Fuzzy Hash: 231128B19002488FCB20DFAAC4457DEFFF4EB88324F208459D559A7250CB75A985CF95

Function 02BC30C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02BC312A

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 74a435839f28729605daf35515fcc655e3dce7f59a69c6bed7ce32ee2a106b61
Instruction ID: 1e6fc38a65e7de53d6c37486735c7050bfe7d7c5e4d3113a25b3fb8a0c6c9cf6
Opcode Fuzzy Hash: 74a435839f28729605daf35515fcc655e3dce7f59a69c6bed7ce32ee2a106b61
Instruction Fuzzy Hash: CE113AB19002488FCB10DFAAC4457DEFBF4EF88324F208459D559A7250C775A544CF95

Function 02BC6D7C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02BC7545

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 785849a7bbf20e6b11da909af00b9327c4341fb98b6776934cdfbcec46242dc0
Instruction ID: 79ce92965dc6034c82158cd550fe3a75d5b318adfc1a9fec2a6cd1fab0795399
Opcode Fuzzy Hash: 785849a7bbf20e6b11da909af00b9327c4341fb98b6776934cdfbcec46242dc0
Instruction Fuzzy Hash: D311F2B5800348DFCB10DF9AC449BDEFBF8EB48324F20885AE558A7201C375A944CFA5

Function 0119B25F Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119B2C6

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a029f9d27743b5a3d87344cb7169987e7838c0038865ff44efc39fa369004b84
Instruction ID: 7c65eb7f8c500ef9542428c832e002f53f91df66d0d5c02ac9e31cbf8cea8c33
Opcode Fuzzy Hash: a029f9d27743b5a3d87344cb7169987e7838c0038865ff44efc39fa369004b84
Instruction Fuzzy Hash: EF110FB5C002498EDB24CFAAD444ADEFBF4EF88320F10856AD469B7210C379A545CFA5

Function 0119B260 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0119B2C6

Memory Dump Source

Source File: 00000014.00000002.2008305745.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1190000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6d5cccd2d2bd05616bcde40a92ea2359eb8fc7144534492a79819062aec487b0
Instruction ID: ab894a9ff0d0a20600678b2fc308130a34b21ecf374537a9bbb02b6cb04805d3
Opcode Fuzzy Hash: 6d5cccd2d2bd05616bcde40a92ea2359eb8fc7144534492a79819062aec487b0
Instruction Fuzzy Hash: A1110CB6C002498FDB14CF9AD444ADEFBF4EF88220F10846AD828B7210C379A545CFA5

Function 02BC74E3 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02BC7545

Memory Dump Source

Source File: 00000014.00000002.2009094631.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bc0000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ee0b83f205926e5e8d77aed18e27b86bddcef318054b44254bf7c086fdbdf171
Instruction ID: 17683516cc6e2eca5238f97c27aaaa54f89287c5ac735abbf4e1ae3d11747750
Opcode Fuzzy Hash: ee0b83f205926e5e8d77aed18e27b86bddcef318054b44254bf7c086fdbdf171
Instruction Fuzzy Hash: C611C5B59002499FDB10DF99C545BDEFBF8EB48314F208459D554A7210C375A544CFA5

Function 0113D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2007961086.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_113d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc990212910fa58e393664d5daf41313b2c0fed3fa984c2e95383564bc33671
Instruction ID: ce2f710def22bba0408451baa1cfb420ec5db4d2d4fd687d008dc910fb3c24d8
Opcode Fuzzy Hash: 0dc990212910fa58e393664d5daf41313b2c0fed3fa984c2e95383564bc33671
Instruction Fuzzy Hash: 55212571600240DFDF09DF58E9C0B26BF75FBC8318F60C569E9094B29AC336D456CAA2

Function 0114D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2008046890.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_114d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a15aa97ddb108024018e5074f7fda87b2391852c29799628768a2f8919f5142
Instruction ID: 8f0a2aa0c1b6d4f6d174adeebb1255bf08b63631e4514a7475ea73b8136a850b
Opcode Fuzzy Hash: 3a15aa97ddb108024018e5074f7fda87b2391852c29799628768a2f8919f5142
Instruction Fuzzy Hash: D1212671604200EFDF09DF98E9C4F26BBA5FB94B24F20C66DE9094B356C336D446CA62

Function 0114D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2008046890.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_114d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3960eb2be26654d5f9e1358f2440c8148cd1ea90cba48a41692507475637813
Instruction ID: c37788a01cc7751d2f6273b454a60d68bca90301cac5c00b2fbcdbf0823910c4
Opcode Fuzzy Hash: c3960eb2be26654d5f9e1358f2440c8148cd1ea90cba48a41692507475637813
Instruction Fuzzy Hash: D7212271604200DFCF19DF98E984B26BFA5EB94B14F20C5ADD80A4B256C33AD447CA62

Function 0114D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2008046890.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_114d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b4918c435dcbe34b85352626e34210730f554533ff580960d0ffbd01f16abc
Instruction ID: cddce4609e38f615e84248b48a1170e9eae514333594512efa133c72df558454
Opcode Fuzzy Hash: 17b4918c435dcbe34b85352626e34210730f554533ff580960d0ffbd01f16abc
Instruction Fuzzy Hash: 5E219F755083809FCF07CF64D994B11BF71EB56614F28C5EAD8498F2A7C33A980ACB62

Function 0113D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2007961086.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_113d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e9ebde5489e9518be01e1ba68bd9b87b116bb526ffa5290b9cfad5f3eab0894a
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9E11B176504280CFDF16CF54E5C4B16BF71FB84328F24C6A9D9490B65AC336D45ACBA2

Function 0114D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2008046890.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_114d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3f208e90a7be273a759ef9a79cc79fdeacc0345d95cf9110c26801ea245ad058
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C911BB75504280DFDF06CF54D5C4B15BFA1FB84624F24C6AAE8494B296C33AD40ACB62

Analysis Process: mpTrle.exePID: 6280, Parent PID: 8064COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	173
Total number of Limit Nodes:	16

Executed Functions

Function 06B73490 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B73B8F
$^q, xrefs: 06B73BB8
$^q, xrefs: 06B73B9B
$^q, xrefs: 06B73BDC
$^q, xrefs: 06B73BC4
$^q, xrefs: 06B73BE8

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 19865c43742648928b739a31853476930d209e49acb04441d8d40a793e4cbee4
Instruction ID: 3088da760db33b7e82d6bde0aaea948586f0b1bf2642c61800739706865b5bbb
Opcode Fuzzy Hash: 19865c43742648928b739a31853476930d209e49acb04441d8d40a793e4cbee4
Instruction Fuzzy Hash: 4C323F71E1071ACFCB54EF79D85459DB7F2FF89300F1086A9D419AB264EB30AA85CB81

Function 06B77D70 Relevance: 3.0, Strings: 2, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B78317
$^q, xrefs: 06B7830B

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 42037402fc192ae20e40c48042cbdba649f8b163127c453be76671d0904485af
Instruction ID: 871b08b93cd8ddf339980128cfffba982bac74429b8c3ce4048c9fdb55ac66ad
Opcode Fuzzy Hash: 42037402fc192ae20e40c48042cbdba649f8b163127c453be76671d0904485af
Instruction Fuzzy Hash: F8029C70B012168FDB54DB69E884AAEB7E2FF84304F148579D41ADB394DB31ED82CB91

Function 06B765E8 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff9f31be4e4a5aacc99fe304df324c489874a304aa306ebb54e4e83ece0b10f
Instruction ID: f6e4328124090078a8448e16ae0c1fee9ccc708b63e915843df990359b384404
Opcode Fuzzy Hash: 7ff9f31be4e4a5aacc99fe304df324c489874a304aa306ebb54e4e83ece0b10f
Instruction Fuzzy Hash: 5E62D074B006058FDB54DB68D584AADB7F2FF88304F1485A9E426EB394EB35ED42CB90

Function 06B7C178 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e0dcbd60c3fc5f573da15cefb7afd2d862eec5dd01912e8e6abaec46815e62
Instruction ID: 8901f0a08703d96a5aed37720ae0b587fd8357c984ff537688614680baf1e1a8
Opcode Fuzzy Hash: 93e0dcbd60c3fc5f573da15cefb7afd2d862eec5dd01912e8e6abaec46815e62
Instruction Fuzzy Hash: 9132D374B002159FDF54DB68E880BAEBBB2FB88310F108569E515EB355DB31ED82CB91

Function 06B755D0 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4742697bc3ef6ae31beceb2a2727b5a36950a2ed892173306d08426e296b842a
Instruction ID: 1d3af3aa9ffc7dfdcd1935beb541fd9ed31e87874c79337f85a38deab249bb46
Opcode Fuzzy Hash: 4742697bc3ef6ae31beceb2a2727b5a36950a2ed892173306d08426e296b842a
Instruction Fuzzy Hash: F912E5B6F002059BDB74DB74C8806AEB7B2EB85310F2488A9D469DB385DF34DD46CB91

Function 06B7B220 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaf5bbcf1fdebac810d047171b2eeb1cd30633a8a54ccab4ccb0df1a2b4970a
Instruction ID: b03fe60c7d10a0857169a11778a331fb40359a39239624e42f9d47879b813f86
Opcode Fuzzy Hash: bbaf5bbcf1fdebac810d047171b2eeb1cd30633a8a54ccab4ccb0df1a2b4970a
Instruction Fuzzy Hash: 95227EB0E002098FDF64DF6DD490BAEB7A2EB45310F209866E429EB395DA35DD81CF51

Function 06B7ACC8 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B7AE77
$^q, xrefs: 06B7AEA0
$^q, xrefs: 06B7ADE9
$^q, xrefs: 06B7AE3C
$^q, xrefs: 06B7AE94
$^q, xrefs: 06B7ADF5
$^q, xrefs: 06B7AE6B
$^q, xrefs: 06B7AE48

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: bcf53b9690efbacbdcf3cce6c364097fa3f192462037b4d75f9297cdcb554d9c
Instruction ID: 5f63023aed39358a2dfead956ce160e3dd21197f29b14b84f19f5d6a706ac1f9
Opcode Fuzzy Hash: bcf53b9690efbacbdcf3cce6c364097fa3f192462037b4d75f9297cdcb554d9c
Instruction Fuzzy Hash: 12E17F70E1021A8FDF65DF69D4806AEB7B2FF85304F208569D815EB354DB31E846CB91

Function 06B7B648 Relevance: 8.0, Strings: 6, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B7BB91
$^q, xrefs: 06B7BB9D
$^q, xrefs: 06B7BBD1
$^q, xrefs: 06B7BBF9
$^q, xrefs: 06B7BBC5
$^q, xrefs: 06B7BC05

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: e58561e4b0abe738e506f29c6b17fb1dd4258d13f0b140c48c1856cd36147e74
Instruction ID: fa314a172e187afc7dfbb4606fd6412282193f491ee498f95116d2b106c3078e
Opcode Fuzzy Hash: e58561e4b0abe738e506f29c6b17fb1dd4258d13f0b140c48c1856cd36147e74
Instruction Fuzzy Hash: C8029EB0E002098FDFA4CF69D4806ADB7B2EB45310F1489AAE425DB355DB34ED85CF91

Function 06B7CF38 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B7D32F
$^q, xrefs: 06B7D337
$^q, xrefs: 06B7D343

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 8a68d2eed619102a24ebfe1441849b4ce5b616f1d4a56b5efeb5d0c4c37eead9
Instruction ID: 548ea2ac69db027eccb10f62bdd33853ce88341e09e3d7d1d3797013778354da
Opcode Fuzzy Hash: 8a68d2eed619102a24ebfe1441849b4ce5b616f1d4a56b5efeb5d0c4c37eead9
Instruction Fuzzy Hash: 7F628330A0021A8FCB55EF69D590A5DB7F2FF84344F208A68D0199F369DB71ED4ACB90

Function 06B74B98 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06B752A5
XPcq, xrefs: 06B74CC5
\Ocq, xrefs: 06B74D4F

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 371f666741ac30a61d01f0f2527881be03ff1cba967ba1f55fa89c00569c73f1
Instruction ID: e5121e9eeab3497fabf1ba88640b319d9c775997404dc2e8d77765776fa98b30
Opcode Fuzzy Hash: 371f666741ac30a61d01f0f2527881be03ff1cba967ba1f55fa89c00569c73f1
Instruction Fuzzy Hash: 31619170F002199FEB659FA9C8547AEBBF6FF88700F20846AD106AB394DF754C418B95

Function 06B7A39A Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x!@, xrefs: 06B7A56F
X!@, xrefs: 06B7A54E

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: 30651117241f79e15c865a192d1329142def1c69414ffa44a3586d12216978b3
Instruction ID: b0d8fac0207d7f51cdf5d6d56d11917feee154edadc418ee18aabf5e397a3516
Opcode Fuzzy Hash: 30651117241f79e15c865a192d1329142def1c69414ffa44a3586d12216978b3
Instruction Fuzzy Hash: 5081AF31F002098FCB95EBA9E8506ADB7B2FB88314F108979E51AE7754DB31ED45CB90

Function 06B79139 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B791CA
$^q, xrefs: 06B7918F

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 40487cbfe3d1bc23d4aa1aee226e586b4fd5eabe4f1be2bcbefe811a53565b71
Instruction ID: 0e9b26e7c62821fbdee1d7b75411b48ee109142121d2ba5721222ef5872b72b5
Opcode Fuzzy Hash: 40487cbfe3d1bc23d4aa1aee226e586b4fd5eabe4f1be2bcbefe811a53565b71
Instruction Fuzzy Hash: 77517230B011169FDB54EB76D890BAFB3FAEBC8640F108579C419DB388EA31DD528B95

Function 013DF018 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 013DF0BF

Memory Dump Source

Source File: 00000018.00000002.2978109325.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_13d0000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ad8182c6f783d11464294068f1e9a3d3bc3cdd663b8632e8d5d392b23c7cd99a
Instruction ID: 9f28b37a49d03e6b8873f212206bb07fef532393b0635e203d3a85e32024c7b4
Opcode Fuzzy Hash: ad8182c6f783d11464294068f1e9a3d3bc3cdd663b8632e8d5d392b23c7cd99a
Instruction Fuzzy Hash: 0F21A6B1C0025A9FCB14CFAAD84479EBBF4AF08320F10806AE855B7211D778A881CFA1

Function 013DF058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 013DF0BF

Memory Dump Source

Source File: 00000018.00000002.2978109325.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_13d0000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e49bc0ab143fa525ff5cf45d80711fc9b72cd2ccc958a31051f8d69281aeeda9
Instruction ID: 0467482ecfb64d9cc8979d299a64cd7c3b85d03b579a972dad85e062e8205096
Opcode Fuzzy Hash: e49bc0ab143fa525ff5cf45d80711fc9b72cd2ccc958a31051f8d69281aeeda9
Instruction Fuzzy Hash: AD11E2B2C006599BCB10DF9AD544BDEFBF4AF48324F14816AD818B7251D378A944CFA5

Function 06B74B88 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06B74CC5

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 29a513c1b7c0a0cf1c4e92e9f5b9eb36e5dcc18952e7ed01065ac6b084456a39
Instruction ID: 6d41d4b2bf2e616e36205b217404af7041c63bd1ad730df12b8f1d7f4a5fd274
Opcode Fuzzy Hash: 29a513c1b7c0a0cf1c4e92e9f5b9eb36e5dcc18952e7ed01065ac6b084456a39
Instruction Fuzzy Hash: 82416070B002099FDB559FA9C854BAEBBF7FF88700F20852AD146AB394DB759C01CB95

Function 06B7DAAD Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B7DC09

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: db0ea61dfd707e71f0fcee4db8ddc38275151fd7fb251749de3add893d9ffefb
Instruction ID: d0a2775c7079f43e41758e72d3340231a547a2624fd694ecfdfa520fd0fda902
Opcode Fuzzy Hash: db0ea61dfd707e71f0fcee4db8ddc38275151fd7fb251749de3add893d9ffefb
Instruction Fuzzy Hash: 1041F2B0E0030A9FDB64DF64C44469EBBB6FF85340F104469E412EB340DB71E846CB90

Function 06B721F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B72333

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c0d186c2e58d19664e41274ac1d413e1f83b15ac42317587d6109c7fd6eef770
Instruction ID: 2e398874ededf9c26ca10957cd19b3fccf1f0455bcff079d58d8e1dbc98a6d9b
Opcode Fuzzy Hash: c0d186c2e58d19664e41274ac1d413e1f83b15ac42317587d6109c7fd6eef770
Instruction Fuzzy Hash: 3E31EE70B002018FDB69AB74D51466F7AE6EF89200F2085B9D406DB394EE36DE46CBA1

Function 06B782C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B7830B

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d0633b980d18f8b12f45a224c480aa9baeb10abded6fdfbe9acaee0e509a862f
Instruction ID: 8ba2db823caf418e1cd9916c593f07961ede70b91896b5235c88cda720d49b3e
Opcode Fuzzy Hash: d0633b980d18f8b12f45a224c480aa9baeb10abded6fdfbe9acaee0e509a862f
Instruction Fuzzy Hash: 08F022B0F00211DFDF749A9EF9886BC73A1EB40315F1641BAE92ACB204C631EA02C791

Function 06B742CA Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b1414b5ab1e34edc552eed381ffd4e840343a92d8d70d925a956b00a0f86d6
Instruction ID: 83f8decb113f1959d3ed022c560bfd20fce3b244291ae13521f6bec027d8bcc6
Opcode Fuzzy Hash: f3b1414b5ab1e34edc552eed381ffd4e840343a92d8d70d925a956b00a0f86d6
Instruction Fuzzy Hash: B7817D70B0021A9FDF54DFA9D4506AEB7F6EF89304F108569D51AEB384EB30EC428B91

Function 06B761E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859814c284ec3760988b384dd190e4087972c452df0870ee207758f4fb5abe7e
Instruction ID: 04ac81b75c14d50cb277c3a2814fcddd3168f2bfb1c95fc809bca249b5c2deec
Opcode Fuzzy Hash: 859814c284ec3760988b384dd190e4087972c452df0870ee207758f4fb5abe7e
Instruction Fuzzy Hash: 7661D1B1F004214FCF549A7EC88466FAAD7EFC4624B154479D80EDB324EEA6DD0287C6

Function 06B745E8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476a9a8b89baac9cad1ea86ad7a0e39082636d3f7836696bdec54b19e8040314
Instruction ID: 7ea969a47416bbb30b1c590e161cd4d6d696fbd97be3a097b8a14347e2cb508f
Opcode Fuzzy Hash: 476a9a8b89baac9cad1ea86ad7a0e39082636d3f7836696bdec54b19e8040314
Instruction Fuzzy Hash: 0C916F70E102198FDF60DF68C880B9DB7B1FF89304F208699D559BB295DB70AA85CF91

Function 06B74600 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25170cceffb3f234c1570e5b888febb685192a488d8a09b7495d135150f80252
Instruction ID: a9f3d8781ed96ced411c2219a43be908521618f21ff1f564c34d7b0f26c5ced3
Opcode Fuzzy Hash: 25170cceffb3f234c1570e5b888febb685192a488d8a09b7495d135150f80252
Instruction Fuzzy Hash: 96913D70E102198FDF60DF68C880B9DB7B1FF89304F208699D559BB255EB70AA85CF91

Function 06B7EF00 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94940f528b98987df5c144ad91344363e37e4ac71da5bba83d21e38290b3c381
Instruction ID: 835a05da91e7e7e05ab8f303a178db3dac8f5b0b7053564fd84142bcb394b5bd
Opcode Fuzzy Hash: 94940f528b98987df5c144ad91344363e37e4ac71da5bba83d21e38290b3c381
Instruction Fuzzy Hash: 4A713C70A002199FDB54DFA9D980AADBBF6FF84304F248569E019EB354DB30ED46CB51

Function 06B7EF10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29c192eb638e563d6d1a89f9d5182e1d971c0bc17979cd26ed20259145b402f
Instruction ID: 8da519d9227a1b6ebdd6ee65bb3aac5058d589d445c27198c75933947db8c4d3
Opcode Fuzzy Hash: a29c192eb638e563d6d1a89f9d5182e1d971c0bc17979cd26ed20259145b402f
Instruction Fuzzy Hash: 18712970A002099FDB54DFA9D980AADBBF6FF84304F2485A9E019EB354DB30ED46CB51

Function 06B7FC70 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6f929a8849db6ae5e4d41ce1395aec7e8e762d377fc2d3df7b4e13fe1e1fe4
Instruction ID: 033fb977c0acc4a86342d6089e7396412019c8a444fe27fc0a780292df2dce92
Opcode Fuzzy Hash: ef6f929a8849db6ae5e4d41ce1395aec7e8e762d377fc2d3df7b4e13fe1e1fe4
Instruction Fuzzy Hash: 2451F3B1E10109CFDF64EBB8E4446BDBBB6EF84315F1088AAE126D7354DB358845CB89

Function 06B7FA1F Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b073dfce455ad7de64abf84de20bc9992adadf6ec4c2c3386418edcf71f5a10b
Instruction ID: c065bc432fb75c59df48a0c6c2c8635b3794f614eda6ab5ba724c30ebed99afc
Opcode Fuzzy Hash: b073dfce455ad7de64abf84de20bc9992adadf6ec4c2c3386418edcf71f5a10b
Instruction Fuzzy Hash: D6513D70B102149FEF7496BCD95477F2A6FDB89310F20096AF01AD33D9CA29CC458392

Function 06B7FA30 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d90bb559f14b494db2ea7baeba399902c27cc68b64445e175108d87a450ca5c
Instruction ID: cbe2f5aca1d4a17880ecf2a84656ee288f4b26138cbece2e6c3356ea4b44ccb3
Opcode Fuzzy Hash: 5d90bb559f14b494db2ea7baeba399902c27cc68b64445e175108d87a450ca5c
Instruction Fuzzy Hash: 1251E9B0B102149FEF74A6BCD95473F266ED789310F20496AE41AD33D9CA79CC8543A6

Function 06B75440 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3141fb61b1fc3b0f990d98e904fc2bc31c0ae48f5b85e8a59b9b4175e04701c5
Instruction ID: 42ad4446fdc91b871d4d54d174457a1758912ab1003263c51e8d5476963f00e4
Opcode Fuzzy Hash: 3141fb61b1fc3b0f990d98e904fc2bc31c0ae48f5b85e8a59b9b4175e04701c5
Instruction Fuzzy Hash: C34181B2E006099FCB70CFA9D880AAFFBF6EB44310F10496AD266D7654D730E8558B91

Function 06B755C1 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec602fa08d5dda724c2d6aa4d67fd623c275bc050c084f6676fa0d27765c7c4
Instruction ID: 4ebaf4acc7535932329bea6ba64a1d30d63ca1990db460c31a27f0f12e9a9f01
Opcode Fuzzy Hash: 8ec602fa08d5dda724c2d6aa4d67fd623c275bc050c084f6676fa0d27765c7c4
Instruction Fuzzy Hash: E231A5B2E002058BDF70CE69C88077FF7B2FB45320F24996AD469DB281CA35DA51DB91

Function 06B720A8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb68466d00f95a8ddbf803dbe775135dc75aef62523ad06b70e30a0b2e2ad7a
Instruction ID: 25bfb5037ba2457e276bafcf2253cca7c220c5cc39eeda5c06e427b5fc7a55e5
Opcode Fuzzy Hash: eeb68466d00f95a8ddbf803dbe775135dc75aef62523ad06b70e30a0b2e2ad7a
Instruction Fuzzy Hash: C4319C70E1021A9BDB58CF68C89469EB7B2FF89304F108529E826E7B50DB31AC46CB50

Function 06B720B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186bb34513ce1c3adcdd960c66b6f79e0e18cb9c5b0abd9677496897062fa299
Instruction ID: fde2b86f583764297160ddd67b5f48eadfda08d0a63b4ccd85b9d1d4e091a193
Opcode Fuzzy Hash: 186bb34513ce1c3adcdd960c66b6f79e0e18cb9c5b0abd9677496897062fa299
Instruction Fuzzy Hash: 0E319C70E1021A9BDB59CF69C85469EB7B2FF89300F108529E916E7B54DB31AD42CB90

Function 06B73ED1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9445aeee77a5de759000f7dbcaea2d76bca1b4661b001204d28e091832553fb
Instruction ID: c0288c3c1a686f826484f5f89d958bd815b4b4de286c189aa72aeec689f2e7a6
Opcode Fuzzy Hash: b9445aeee77a5de759000f7dbcaea2d76bca1b4661b001204d28e091832553fb
Instruction Fuzzy Hash: 1621AEB5F01216AFDB00DF79E850AAEBBF5EB48210F108165E905EB340E734DD118B95

Function 06B73EE0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050e97d08ed69334e1ca64ab5b6131ce3925ae92e6c5b54fb38f31e034731a40
Instruction ID: eebd5dbd9bf08eedbc75f9ded42ecd5bdb1df4ffd276b2c66b137a5aaa4cfa66
Opcode Fuzzy Hash: 050e97d08ed69334e1ca64ab5b6131ce3925ae92e6c5b54fb38f31e034731a40
Instruction Fuzzy Hash: 1721BDB1F012259FDB40DF7AE890AAEBBF1EB48700F108165E915EB340E730DD018B90

Function 06B73481 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf953407b0b817c7291570a47d0ef9d04f94a596cabd650ed8fce5ad05aadf37
Instruction ID: 111035ea613536c4ee917c4a2ea21b264e1d29dead2d856437145cf90d102865
Opcode Fuzzy Hash: bf953407b0b817c7291570a47d0ef9d04f94a596cabd650ed8fce5ad05aadf37
Instruction Fuzzy Hash: 2F2193B1E012195ECB54DB79E8505EEF7E6EB89300F1085A9E11AE7204DA31D941DBE1

Function 06B7A2FA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab7005731949d3338a98c8730a0f3ba16245723de035982343a7330156d1d2d
Instruction ID: 9d222f3284bd1a8bcf9fe6b6607005bfec2a6e05e4c22b7d8964d9a7d3e9c160
Opcode Fuzzy Hash: 3ab7005731949d3338a98c8730a0f3ba16245723de035982343a7330156d1d2d
Instruction Fuzzy Hash: B2112570B041154FCBA1EB7DE850AAEB7E6EB8A314F1084A9E52AD7741DA22DD02C790

Function 06B76D08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32154b1034415980c4fc69f233ccc49ec79c960058212ff08631fb8d7af81e4b
Instruction ID: bb6d54d32b7c973e648710347c7b3351bfe4cd315283b5f4dfa3c4c511b0cffe
Opcode Fuzzy Hash: 32154b1034415980c4fc69f233ccc49ec79c960058212ff08631fb8d7af81e4b
Instruction Fuzzy Hash: CE21DF70B101199FCF44DB69E8547AEB7B6EB84310F208479D419E7344EB31AC418B84

Function 06B74229 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6bc84d7d518bef6012df32b3f07530a34eae987108f96b33c655b92a641fa2
Instruction ID: 61c279acea3d8c3b66835f7ee8dbee2388a478f95a73fa235a28a750ea59f6ec
Opcode Fuzzy Hash: 9f6bc84d7d518bef6012df32b3f07530a34eae987108f96b33c655b92a641fa2
Instruction Fuzzy Hash: BC014130B145102BCB6081AE9800BAFB7DBDBCA310F20847EE10EC7755EE21CC0243E2

Function 06B73FF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ed81d1d89065c11d0b40ef3d5ac317e2baba6421282fc222853b8637d99405
Instruction ID: d070e29fab5204e037f1784c3b1449e029b1c7586ecc7bab70de97776d803a2c
Opcode Fuzzy Hash: 01ed81d1d89065c11d0b40ef3d5ac317e2baba6421282fc222853b8637d99405
Instruction Fuzzy Hash: 6211A135B141255FDB589679D814AAF73FAEBC9311F004579C50AEB340EE25DC028B91

Function 06B7F17F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab407eaaf35d8f5b7f6c99133f5ea0947e16e116bcd1d7ff552cb63ab7bf883
Instruction ID: cff777c95ce883af81101f24cebaa9823382c62c411356cf6c249a187d249111
Opcode Fuzzy Hash: aab407eaaf35d8f5b7f6c99133f5ea0947e16e116bcd1d7ff552cb63ab7bf883
Instruction Fuzzy Hash: 1D0124BAB002101FCB628B3DA85077E77DADB8A310F04546AE11EC7340D910DC0387AA

Function 06B73FDF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3526253d55311028e9306c1b318fcbc2ca851396c757e6b8889e5abcab2228c7
Instruction ID: 1172c4a835f29c34a0ea8d70226540b4092349a44d35f9726e08f105935f625c
Opcode Fuzzy Hash: 3526253d55311028e9306c1b318fcbc2ca851396c757e6b8889e5abcab2228c7
Instruction Fuzzy Hash: D3012F36B000256BDB54A57C9C10AEFB3EFEBC9600F000176D50AE7280EF219C024BE2

Function 06B73CA8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cead1daaad9fee04900f04be7ae14274ae5bedd70caa2f521b011bfff438e732
Instruction ID: ebf47a99bb935a1095e91f8d857cb597c11428cfddeca30eb0451c9601badf28
Opcode Fuzzy Hash: cead1daaad9fee04900f04be7ae14274ae5bedd70caa2f521b011bfff438e732
Instruction Fuzzy Hash: B321BFB5901259ABCB00DF9AD984ADEFFB8FB49310F10816AE518A7201C374A954CFA5

Function 06B73CB0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab5fccdafb89ab6a2b1af0e3dca6e0f39cddd41cf54fc74c6964e543e4d3386
Instruction ID: c3cbd83400c3a05ec8196e561affac821118e90c38247a9e716a8288b1c02813
Opcode Fuzzy Hash: eab5fccdafb89ab6a2b1af0e3dca6e0f39cddd41cf54fc74c6964e543e4d3386
Instruction Fuzzy Hash: F711CFB1D01259AFCB00DF9AD984ACEFBB4FB48320F10816AE918B7200C374A944CFA5

Function 06B74238 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da83f4701d41f99592e65070ce57280e554201082eff336283f64739cd006c8
Instruction ID: 8208d9013b7826c05b431fc6fea9b03d294e1615cd7febf1d52e94171231bfd6
Opcode Fuzzy Hash: 1da83f4701d41f99592e65070ce57280e554201082eff336283f64739cd006c8
Instruction Fuzzy Hash: 8C01D130B104101BDBA495AE945472BB2DBDBC9711F20843EE51EC7348ED65DC0243E5

Function 06B7F190 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1bab11233a1ec73d69534e0c98a9b8adc6b3682ea0c5605af06021454c336e
Instruction ID: a6e712bde7876611a0d6a7902c8e1282717fa80e7bbad9acff45e309a2e7706e
Opcode Fuzzy Hash: 2b1bab11233a1ec73d69534e0c98a9b8adc6b3682ea0c5605af06021454c336e
Instruction Fuzzy Hash: DF01DCB1B005201BCB60DA6EE850B3EA3CAEBC9720F148839E51BC7344DE21DC024799

Function 06B7A308 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fceb1cb6dd159339746816f722848674d3ecfffa89cdb9a686c460da876d8e82
Instruction ID: 4d2346d1d1d894c04154004a3e7e47f3f84e5a7462f70a67c09c35bfd617f0a9
Opcode Fuzzy Hash: fceb1cb6dd159339746816f722848674d3ecfffa89cdb9a686c460da876d8e82
Instruction Fuzzy Hash: AD01AF70B105210FCBA4EA7EE450B2EB3D6EB8A750F148838E51EC7344EA21EC028795

Function 06B7C7D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab04c70a6ab1427150d69fda8d0e5d2dc1d2fa941836fbe27514f7280a51d1d
Instruction ID: 0d351bc1baf01d31ba17182530a7e6c7bb4047c0f804a84da31f4f1d49bfde4d
Opcode Fuzzy Hash: 8ab04c70a6ab1427150d69fda8d0e5d2dc1d2fa941836fbe27514f7280a51d1d
Instruction Fuzzy Hash: E401C871F102249FCF559A6EE840AAEBBB6FB85354F00457DE915E7345DB31AC0487D0

Function 06B76468 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3033288147.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_6b70000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db71c8a7103b8fd67b7ebe0b7c8b4cfc024a4e1af511a715b0a78401abfc6fec
Instruction ID: 475134a92c5c5327b7bc517f372a540f54d474af0c4d2efa02a92f3a3f718010
Opcode Fuzzy Hash: db71c8a7103b8fd67b7ebe0b7c8b4cfc024a4e1af511a715b0a78401abfc6fec
Instruction Fuzzy Hash: AAE0D8B0E05A08ABDF50DFB0C95579E77A9EB01304F2088D6D418C7102F272DA109BC1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UTiPLNuHYu.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mpTrle.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fp1sv2r.cpb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ahlsree.45x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbromjj5.gi1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jr4hcp0y.n5l.psm1

C:\Users\user\AppData\Local\Temp\tmpA5DD.tmp

C:\Users\user\AppData\Local\Temp\tmpBDCA.tmp

C:\Users\user\AppData\Local\Temp\tmpDED0.tmp

C:\Users\user\AppData\Local\Temp\tmpFE1F.tmp

Windows Analysis Report
SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre