Edit tour

Windows Analysis Report
DOC-20241029-WA0005_pdf .exe

Overview

General Information

Sample name:	DOC-20241029-WA0005_pdf .exe
Analysis ID:	1545875
MD5:	10bd0f08ae622f203dbf10d870c87168
SHA1:	28866c0bf923f6bffdb459978e3a55d37bb5878d
SHA256:	2fd41cfb7c7d0653a396e538166b91db7ddc56cb008701a437e8cd92d63156b6
Tags:	exeuser-AdamekZbadam
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DOC-20241029-WA0005_pdf .exe (PID: 7296 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7796 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DOC-20241029-WA0005_pdf .exe (PID: 7632 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

DOC-20241029-WA0005_pdf .exe (PID: 7652 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

DOC-20241029-WA0005_pdf .exe (PID: 7660 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

DOC-20241029-WA0005_pdf .exe (PID: 7668 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

DOC-20241029-WA0005_pdf .exe (PID: 7680 cmdline: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

FQDffaysNf.exe (PID: 7692 cmdline: C:\Users\user\AppData\Roaming\FQDffaysNf.exe MD5: 10BD0F08AE622F203DBF10D870C87168)

schtasks.exe (PID: 7904 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FQDffaysNf.exe (PID: 7952 cmdline: "C:\Users\user\AppData\Roaming\FQDffaysNf.exe" MD5: 10BD0F08AE622F203DBF10D870C87168)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.1753554050.0000000005B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: DOC-20241029-WA0005_pdf .exe PID: 7296	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FQDffaysNf.exe PID: 7692	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FQDffaysNf.exe PID: 7952	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.FQDffaysNf.exe.5b80000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
15.2.FQDffaysNf.exe.42f3190.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", CommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, NewProcessName: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, OriginalFileName: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", ProcessId: 7296, ProcessName: DOC-20241029-WA0005_pdf .exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", ParentImage: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, ParentProcessId: 7296, ParentProcessName: DOC-20241029-WA0005_pdf .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", ProcessId: 7488, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FQDffaysNf.exe, ParentImage: C:\Users\user\AppData\Roaming\FQDffaysNf.exe, ParentProcessId: 7692, ParentProcessName: FQDffaysNf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp", ProcessId: 7904, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", ParentImage: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, ParentProcessId: 7296, ParentProcessName: DOC-20241029-WA0005_pdf .exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", ProcessId: 7516, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", ParentImage: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, ParentProcessId: 7296, ParentProcessName: DOC-20241029-WA0005_pdf .exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe", ProcessId: 7488, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe", ParentImage: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe, ParentProcessId: 7296, ParentProcessName: DOC-20241029-WA0005_pdf .exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp", ProcessId: 7516, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: DOC-20241029-WA0005_pdf .exe	Virustotal: Detection: 31%			Perma Link
Source: DOC-20241029-WA0005_pdf .exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DOC-20241029-WA0005_pdf .exe

Joe Sandbox ML: detected

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Riqd.pdbSHA256 source: DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr
Source:	Binary string: Riqd.pdb source: DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 4x nop then jmp 0E9B0115h		11_2_0E9B0341
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 4x nop then jmp 0E9B0115h		11_2_0E9B08CC

Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1696568216.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000B.00000002.1762340234.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

.NET source code contains very large array initializations

Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, ObserverConsumer.cs	Large array initialization: ValidateToken: array initializer size 660336
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, ObserverConsumer.cs	Large array initialization: ValidateToken: array initializer size 660336

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: DOC-20241029-WA0005_pdf .exe

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_00CE4204	0_2_00CE4204
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_00CEE134	0_2_00CEE134
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_00CE7018	0_2_00CE7018
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_046D2F28	0_2_046D2F28
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_046D4538	0_2_046D4538
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C0E28	0_2_072C0E28
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C3CF0	0_2_072C3CF0
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C7998	0_2_072C7998
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072CA518	0_2_072CA518
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072CB1C0	0_2_072CB1C0
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C30D0	0_2_072C30D0
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C3F77	0_2_072C3F77
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C3F88	0_2_072C3F88
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C0E21	0_2_072C0E21
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072CAD88	0_2_072CAD88
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C3CEB	0_2_072C3CEB
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072CA950	0_2_072CA950
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C7988	0_2_072C7988
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072CC9C8	0_2_072CC9C8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_00E14204	11_2_00E14204
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_00E1E134	11_2_00E1E134
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_00E17018	11_2_00E17018
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07260E28	11_2_07260E28
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07263CF0	11_2_07263CF0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07267998	11_2_07267998
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0726A518	11_2_0726A518
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0726B1C0	11_2_0726B1C0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_072630D0	11_2_072630D0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07263F77	11_2_07263F77
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07263F88	11_2_07263F88
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07260E21	11_2_07260E21
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0726AD88	11_2_0726AD88
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07263CEA	11_2_07263CEA
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0726A950	11_2_0726A950
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_07267988	11_2_07267988
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0726C9C8	11_2_0726C9C8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0E9B1FC0	11_2_0E9B1FC0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_0E9B35D8	11_2_0E9B35D8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01794128	15_2_01794128
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01794048	15_2_01794048
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_017940A7	15_2_017940A7
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01794D68	15_2_01794D68
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01794D58	15_2_01794D58
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01791468	15_2_01791468
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_01791458	15_2_01791458
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059B8D50	15_2_059B8D50
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BD568	15_2_059BD568
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059B098D	15_2_059B098D
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BCD80	15_2_059BCD80
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BCD12	15_2_059BCD12
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BD558	15_2_059BD558
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059B8D41	15_2_059B8D41
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BCD70	15_2_059BCD70
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_059BD635	15_2_059BD635
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1B4A8	15_2_05A1B4A8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17465	15_2_05A17465
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17F01	15_2_05A17F01
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A176FC	15_2_05A176FC
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17E01	15_2_05A17E01
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A15670	15_2_05A15670
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1782E	15_2_05A1782E
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1ABD8	15_2_05A1ABD8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17C9F	15_2_05A17C9F
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17F90	15_2_05A17F90
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17FEA	15_2_05A17FEA
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17F2B	15_2_05A17F2B
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17F3D	15_2_05A17F3D
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17F71	15_2_05A17F71
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17EA0	15_2_05A17EA0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A18188	15_2_05A18188
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1782E	15_2_05A1782E
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A18115	15_2_05A18115
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1A890	15_2_05A1A890
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A180DC	15_2_05A180DC
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A18011	15_2_05A18011
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A1806F	15_2_05A1806F
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05A17A14	15_2_05A17A14
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C2B3A8	15_2_05C2B3A8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C27F21	15_2_05C27F21
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C2376A	15_2_05C2376A
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C28257	15_2_05C28257
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C28FC8	15_2_05C28FC8

Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1716212715.000000000B270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs DOC-20241029-WA0005_pdf .exe
Source: DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1694852240.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DOC-20241029-WA0005_pdf .exe
Source: DOC-20241029-WA0005_pdf .exe	Binary or memory string: OriginalFilenameRiqd.exe: vs DOC-20241029-WA0005_pdf .exe

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DOC-20241029-WA0005_pdf .exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FQDffaysNf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, ObserverConsumer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, Bridge.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, Bridge.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, ObserverConsumer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, Bridge.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, Bridge.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, zdeYs4rrOWeEt39qE2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, zdeYs4rrOWeEt39qE2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, q8QrqICEysgcOouMmP.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/11@0/0

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Mutant created: \Sessions\1\BaseNamedObjects\7ecd12ae244427d2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Mutant created: \Sessions\1\BaseNamedObjects\NqwNJHdJFIqAGqTGYVsDUd

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File created: C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp

Jump to behavior

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DOC-20241029-WA0005_pdf .exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DOC-20241029-WA0005_pdf .exe	Virustotal: Detection: 31%
Source: DOC-20241029-WA0005_pdf .exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File read: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe C:\Users\user\AppData\Roaming\FQDffaysNf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DOC-20241029-WA0005_pdf .exe

Static file information: File size 1294336 > 1048576

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135400

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DOC-20241029-WA0005_pdf .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Riqd.pdbSHA256 source: DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr
Source:	Binary string: Riqd.pdb source: DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, Bridge.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, Bridge.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.DOC-20241029-WA0005_pdf .exe.4580718.3.raw.unpack, ObserverConsumer.cs	.Net Code: ForgotConsumer System.AppDomain.Load(byte[])
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, q8QrqICEysgcOouMmP.cs	.Net Code: cvgXnoJjVh System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC-20241029-WA0005_pdf .exe.5840000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, q8QrqICEysgcOouMmP.cs	.Net Code: cvgXnoJjVh System.Reflection.Assembly.Load(byte[])
Source: 0.2.DOC-20241029-WA0005_pdf .exe.44d08f8.1.raw.unpack, ObserverConsumer.cs	.Net Code: ForgotConsumer System.AppDomain.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 15.2.FQDffaysNf.exe.5b80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.FQDffaysNf.exe.42f3190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1753554050.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FQDffaysNf.exe PID: 7952, type: MEMORYSTR

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_00CE01B7 push ebx; retf	0_2_00CE01C3
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Code function: 0_2_072C62A5 push ebp; iretd	0_2_072C62A8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 11_2_072662A5 push ebp; iretd	11_2_072662A8
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05C23507 push ebp; retf	15_2_05C2350A
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE5DB1 push eax; ret	15_2_05EE5DBA
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE3161 push eax; ret	15_2_05EE316A
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE455A push eax; ret	15_2_05EE4563
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE553D push eax; ret	15_2_05EE554D
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE3114 push eax; ret	15_2_05EE3115
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE6513 push eax; ret	15_2_05EE651C
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE14ED push eax; ret	15_2_05EE14F6
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE2CE6 push eax; ret	15_2_05EE2CEF
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE5CE6 push eax; ret	15_2_05EE5CEF
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE40BC push eax; ret	15_2_05EE40BD
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE78B3 push eax; ret	15_2_05EE78BC
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE208E push eax; ret	15_2_05EE208F
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE3886 push eax; ret	15_2_05EE3887
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE2897 push eax; ret	15_2_05EE28A7
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE7095 push eax; ret	15_2_05EE70B9
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE4893 push eax; ret	15_2_05EE48AA
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE6477 push eax; ret	15_2_05EE6480
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE745E push eax; ret	15_2_05EE746E
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE2415 push ebx; retn 0000h	15_2_05EE2416
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE1FE7 push eax; ret	15_2_05EE1FF0
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE2BE5 push eax; ret	15_2_05EE2BF5
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE17CF push eax; ret	15_2_05EE17F3
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE0BCC push eax; ret	15_2_05EE0BD5
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE43DC push eax; ret	15_2_05EE43E5
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE37D9 push eax; ret	15_2_05EE37E9
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE73AE push eax; ret	15_2_05EE73BE
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Code function: 15_2_05EE4FB4 push eax; ret	15_2_05EE4FBD

Source: DOC-20241029-WA0005_pdf .exe	Static PE information: section name: .text entropy: 7.843924872961827
Source: FQDffaysNf.exe.0.dr	Static PE information: section name: .text entropy: 7.843924872961827

Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, WfuDJbt5hAPFBOOBhi.cs	High entropy of concatenated method names: 'Dispose', 'sv4yexFZay', 'ag9dE3wgsJ', 'xr3CC0Xncn', 'cmxy21Ibc7', 'rFkyzFw3cQ', 'ProcessDialogKey', 'wXUds78Xdo', 'UcxdyN0ysC', 'uCldde9BJI'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, q8QrqICEysgcOouMmP.cs	High entropy of concatenated method names: 'Y2HIQ5Kv65', 'NolItWPJko', 'HjSIqHpvZB', 'TojIBTQCNp', 'H0gIKZ6bdh', 'AW5IxRLcce', 'MJEIGtwR40', 'VF8IMkwITy', 'OaRI76YbaZ', 'WTCIrt0JnD'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, hX1E3gm82OcdVViYGi.cs	High entropy of concatenated method names: 'ToString', 'qtiF3wDSra', 'JH1FEAgqa4', 'gImFasBDeY', 'TMBFvUoKiK', 'j5GFUd4aWr', 'XlQF16mNNM', 'BnbFoOG95J', 'HEeFwgcwD6', 'YnLFLXAhsu'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, H7yME9y0m82my39ZiX.cs	High entropy of concatenated method names: 'xaAKZJvK04', 'tx7KbvsgWi', 'UweBao446Y', 'KFZBv0Gv75', 'PPPBU5vkxb', 'KCVB1QVImi', 'VPxBoZV5ao', 'VlJBwAOgch', 'DnCBL6ejOI', 'RexBJWcxVo'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, FCZJ0We9fS24nDRfGF.cs	High entropy of concatenated method names: 'odMR4gSbZv', 'xTMREV9Ftp', 'y2iRaiVCpr', 'GCXRvWL24a', 'eVtRpQACKd', 'YtPRUyO7Rt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, URbu9d09E8hatKhhZV.cs	High entropy of concatenated method names: 'VmbhcvuWjR', 'qCWh2CMM9w', 'CXMRsqNxKr', 'H7FRy451ud', 'Iqih3HtBQq', 'KykhV1N999', 'zQBhDN0Bb8', 'MxGhprR6jN', 'qLchkG4smt', 'IkXh8PKpyG'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, nYeXo7lvR6pN43IDdb.cs	High entropy of concatenated method names: 'HQwGOZudBy', 'NdlGTdLlZt', 'hjFGnAcJ4d', 'kFoGfb28Mo', 'a8iGZcPMZg', 'r6xGiuEJyW', 'TNlGbqkma7', 'rRgGPiLXHk', 'xJWGNZ7jOt', 'qMxG6CIaTR'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, JgOJy2nae6CIsILLkE.cs	High entropy of concatenated method names: 'BeOyGRTlBM', 'KgQyM7gULn', 'Y5AyrZELkA', 'JQCyHZ0HQY', 'gTrygIJ3qP', 'yPJyFJmZiV', 'q1Ts5l2micqM18vSJA', 'k4VLvjHGu7gF1nP3Fo', 'l06yyDmWdo', 'BEoyI3f1Mr'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, cGjyOuACDZ1ak9VHJE.cs	High entropy of concatenated method names: 'vl7xQFNcfP', 'LJnxqNvP0I', 'aqExKN65VS', 'loDxGA81MB', 'IbFxMBDRtO', 'EWHK9axCji', 'XLDKYyH8oI', 'dfQKuXnlwF', 'YoJKc9lBKf', 'GQvKeqPKLS'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, zdeYs4rrOWeEt39qE2.cs	High entropy of concatenated method names: 'dRlqpEGvGM', 'PHVqkPGeEs', 'Jeiq8shIUr', 'X7Qql6lO0X', 'dkAq9NIuBA', 'MPlqYvCfvD', 'jtcqu1IAUg', 'Ig4qcbA1Xe', 'yRVqebOqOY', 'N9jq235MYy'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, NfFGAQwKp1IjXD6ed30.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D0tSpmUNge', 'lDCSkm6N3D', 'vP8S8qGEUN', 'HZqSlnpacB', 'QrRS9h14fQ', 'LxHSYnIbA2', 'PfMSub3Cg8'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, WpHhOHwuyMnkimrNlGd.cs	High entropy of concatenated method names: 'fXLAOGLStl', 'jq6ATrTKBv', 'NM5AnrBGCW', 'HLbAfKfQCN', 'R7NAZJh5Bj', 'zijAiGID68', 'vHhAbJVYFR', 'HWQAPEhKl9', 'wskANCwqTx', 'Yp1A61RLv2'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, ixS6AGWNPpY1gL2Ph2.cs	High entropy of concatenated method names: 'xnUGt4UaAB', 'LSvGBFMUTA', 'SvQGxKIg99', 'iD9x2cWxwf', 'KRwxzrCElj', 'Uw2Gsdr6Zi', 'F2lGynsiuY', 'apjGdAkBOX', 'A0BGIocdlq', 'UV6GXo50vY'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, OOqZ0XY6LEny6UwqVX.cs	High entropy of concatenated method names: 'fxsmPI42V7', 'Yd8mNyoIZa', 'OUYm4s3Bch', 'eOrmERnN4d', 'PUWmv03QkV', 'l2emUlL2D4', 'uvMmo5pjL0', 'NKmmwXujHV', 'T1bmJFsdw0', 'eTZm3brqfW'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, IGqXqnOHiURV2QHy1e.cs	High entropy of concatenated method names: 'PeeBfD1SEo', 'hEJBiD3iYk', 'NHYBP5n8MU', 'QlZBNihrwy', 'i75Bg00da5', 'UGEBFjvO5s', 'Wf3BhbFFMO', 'YT4BRLH5O2', 'UxSBAH0yAZ', 'n20BS69iRE'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, qcv401Fe2FQBfDPXhW.cs	High entropy of concatenated method names: 'Jq5Ayf8hFr', 'tu2AIaaL1w', 'eIQAXuEjf7', 'bHgAtpkiKf', 'c9BAqotD4a', 'yPoAKpS6Ti', 'maBAx7x9Zj', 'CaLRuocCF5', 'a5tRcy82iv', 'tN1ReRXJUc'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, P6x91ObxsyhE0m5Ws7.cs	High entropy of concatenated method names: 'KKYnWZPHf', 'ffQf8xSaN', 'ylZiebYFv', 'QFXbCncAe', 'z1MN88rx0', 'PpB60oNZr', 'lWCkvEqMfMItU1uVnS', 'd3trYB0A2M9LigesDl', 'dwYROXiCW', 'kUKSsoEHN'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.42ac510.0.raw.unpack, jigqKXXSwg3mvDf7N3.cs	High entropy of concatenated method names: 'i8RRt9cIiU', 'r4aRqc5BFq', 'ikJRB2ZNNc', 'BRORK8Kfjo', 'LfqRxpE7QA', 'EB4RGHP3OF', 'mifRMGNEQT', 'mAmR7MbxwN', 'hmtRrbWFpg', 'qLJRHJXMK1'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, WfuDJbt5hAPFBOOBhi.cs	High entropy of concatenated method names: 'Dispose', 'sv4yexFZay', 'ag9dE3wgsJ', 'xr3CC0Xncn', 'cmxy21Ibc7', 'rFkyzFw3cQ', 'ProcessDialogKey', 'wXUds78Xdo', 'UcxdyN0ysC', 'uCldde9BJI'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, q8QrqICEysgcOouMmP.cs	High entropy of concatenated method names: 'Y2HIQ5Kv65', 'NolItWPJko', 'HjSIqHpvZB', 'TojIBTQCNp', 'H0gIKZ6bdh', 'AW5IxRLcce', 'MJEIGtwR40', 'VF8IMkwITy', 'OaRI76YbaZ', 'WTCIrt0JnD'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, hX1E3gm82OcdVViYGi.cs	High entropy of concatenated method names: 'ToString', 'qtiF3wDSra', 'JH1FEAgqa4', 'gImFasBDeY', 'TMBFvUoKiK', 'j5GFUd4aWr', 'XlQF16mNNM', 'BnbFoOG95J', 'HEeFwgcwD6', 'YnLFLXAhsu'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, H7yME9y0m82my39ZiX.cs	High entropy of concatenated method names: 'xaAKZJvK04', 'tx7KbvsgWi', 'UweBao446Y', 'KFZBv0Gv75', 'PPPBU5vkxb', 'KCVB1QVImi', 'VPxBoZV5ao', 'VlJBwAOgch', 'DnCBL6ejOI', 'RexBJWcxVo'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, FCZJ0We9fS24nDRfGF.cs	High entropy of concatenated method names: 'odMR4gSbZv', 'xTMREV9Ftp', 'y2iRaiVCpr', 'GCXRvWL24a', 'eVtRpQACKd', 'YtPRUyO7Rt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, URbu9d09E8hatKhhZV.cs	High entropy of concatenated method names: 'VmbhcvuWjR', 'qCWh2CMM9w', 'CXMRsqNxKr', 'H7FRy451ud', 'Iqih3HtBQq', 'KykhV1N999', 'zQBhDN0Bb8', 'MxGhprR6jN', 'qLchkG4smt', 'IkXh8PKpyG'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, nYeXo7lvR6pN43IDdb.cs	High entropy of concatenated method names: 'HQwGOZudBy', 'NdlGTdLlZt', 'hjFGnAcJ4d', 'kFoGfb28Mo', 'a8iGZcPMZg', 'r6xGiuEJyW', 'TNlGbqkma7', 'rRgGPiLXHk', 'xJWGNZ7jOt', 'qMxG6CIaTR'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, JgOJy2nae6CIsILLkE.cs	High entropy of concatenated method names: 'BeOyGRTlBM', 'KgQyM7gULn', 'Y5AyrZELkA', 'JQCyHZ0HQY', 'gTrygIJ3qP', 'yPJyFJmZiV', 'q1Ts5l2micqM18vSJA', 'k4VLvjHGu7gF1nP3Fo', 'l06yyDmWdo', 'BEoyI3f1Mr'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, cGjyOuACDZ1ak9VHJE.cs	High entropy of concatenated method names: 'vl7xQFNcfP', 'LJnxqNvP0I', 'aqExKN65VS', 'loDxGA81MB', 'IbFxMBDRtO', 'EWHK9axCji', 'XLDKYyH8oI', 'dfQKuXnlwF', 'YoJKc9lBKf', 'GQvKeqPKLS'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, zdeYs4rrOWeEt39qE2.cs	High entropy of concatenated method names: 'dRlqpEGvGM', 'PHVqkPGeEs', 'Jeiq8shIUr', 'X7Qql6lO0X', 'dkAq9NIuBA', 'MPlqYvCfvD', 'jtcqu1IAUg', 'Ig4qcbA1Xe', 'yRVqebOqOY', 'N9jq235MYy'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, NfFGAQwKp1IjXD6ed30.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D0tSpmUNge', 'lDCSkm6N3D', 'vP8S8qGEUN', 'HZqSlnpacB', 'QrRS9h14fQ', 'LxHSYnIbA2', 'PfMSub3Cg8'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, WpHhOHwuyMnkimrNlGd.cs	High entropy of concatenated method names: 'fXLAOGLStl', 'jq6ATrTKBv', 'NM5AnrBGCW', 'HLbAfKfQCN', 'R7NAZJh5Bj', 'zijAiGID68', 'vHhAbJVYFR', 'HWQAPEhKl9', 'wskANCwqTx', 'Yp1A61RLv2'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, ixS6AGWNPpY1gL2Ph2.cs	High entropy of concatenated method names: 'xnUGt4UaAB', 'LSvGBFMUTA', 'SvQGxKIg99', 'iD9x2cWxwf', 'KRwxzrCElj', 'Uw2Gsdr6Zi', 'F2lGynsiuY', 'apjGdAkBOX', 'A0BGIocdlq', 'UV6GXo50vY'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, OOqZ0XY6LEny6UwqVX.cs	High entropy of concatenated method names: 'fxsmPI42V7', 'Yd8mNyoIZa', 'OUYm4s3Bch', 'eOrmERnN4d', 'PUWmv03QkV', 'l2emUlL2D4', 'uvMmo5pjL0', 'NKmmwXujHV', 'T1bmJFsdw0', 'eTZm3brqfW'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, IGqXqnOHiURV2QHy1e.cs	High entropy of concatenated method names: 'PeeBfD1SEo', 'hEJBiD3iYk', 'NHYBP5n8MU', 'QlZBNihrwy', 'i75Bg00da5', 'UGEBFjvO5s', 'Wf3BhbFFMO', 'YT4BRLH5O2', 'UxSBAH0yAZ', 'n20BS69iRE'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, qcv401Fe2FQBfDPXhW.cs	High entropy of concatenated method names: 'Jq5Ayf8hFr', 'tu2AIaaL1w', 'eIQAXuEjf7', 'bHgAtpkiKf', 'c9BAqotD4a', 'yPoAKpS6Ti', 'maBAx7x9Zj', 'CaLRuocCF5', 'a5tRcy82iv', 'tN1ReRXJUc'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, P6x91ObxsyhE0m5Ws7.cs	High entropy of concatenated method names: 'KKYnWZPHf', 'ffQf8xSaN', 'ylZiebYFv', 'QFXbCncAe', 'z1MN88rx0', 'PpB60oNZr', 'lWCkvEqMfMItU1uVnS', 'd3trYB0A2M9LigesDl', 'dwYROXiCW', 'kUKSsoEHN'
Source: 0.2.DOC-20241029-WA0005_pdf .exe.b270000.5.raw.unpack, jigqKXXSwg3mvDf7N3.cs	High entropy of concatenated method names: 'i8RRt9cIiU', 'r4aRqc5BFq', 'ikJRB2ZNNc', 'BRORK8Kfjo', 'LfqRxpE7QA', 'EB4RGHP3OF', 'mifRMGNEQT', 'mAmR7MbxwN', 'hmtRrbWFpg', 'qLJRHJXMK1'

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	File created: \doc-20241029-wa0005_pdf .exe	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

File created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Source: Detected 66 consecutive spaces in filename

Static PE information: DOC-20241029-WA0005_pdf .exe

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DOC-20241029-WA0005_pdf .exe PID: 7296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FQDffaysNf.exe PID: 7692, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL@\^Q

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: 4670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: 89B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: 7410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: 99B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: B370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: C370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Memory allocated: D370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 8800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 9800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 9A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: AA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: B200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: C200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: D200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7557			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 941			Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe TID: 7316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe TID: 7984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware\V
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual@\^q
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareLR^q
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dll@\^q
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dll
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dYpMyEpx cXMhOY 1VhA9gcA@\^q0Microsoft\|VMWare\|Virtual
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR^q
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q"C:\Windows\system32\vmGuestLib.dll@
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q"C:\Windows\system32\vmGuestLib.dll
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xent-^q
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 71ZZ2 SHNCVEC3Z7@\^q0VMware\|VIRTUAL\|A M I\|Xen
Source: FQDffaysNf.exe, 0000000F.00000002.1748222231.00000000034F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Memory written: C:\Users\user\AppData\Roaming\FQDffaysNf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Process created: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe "C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Process created: C:\Users\user\AppData\Roaming\FQDffaysNf.exe "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Users\user\AppData\Roaming\FQDffaysNf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Users\user\AppData\Roaming\FQDffaysNf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FQDffaysNf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Obfuscated Files or Information	Cached Domain Credentials	32 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DOC-20241029-WA0005_pdf .exe	32%	Virustotal		Browse
DOC-20241029-WA0005_pdf .exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
DOC-20241029-WA0005_pdf .exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\FQDffaysNf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FQDffaysNf.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
http://tempuri.org/DataSet1.xsd	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/14436606/23354	FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	DOC-20241029-WA0005_pdf .exe, FQDffaysNf.exe.0.dr	false	0%, Virustotal, Browse	unknown
https://github.com/mgravell/protobuf-net	FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.tiro.com	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-neti	FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/q/11564914/23354;	FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	FQDffaysNf.exe, 0000000F.00000002.1750774864.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1754054846.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, FQDffaysNf.exe, 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1696568216.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, FQDffaysNf.exe, 0000000B.00000002.1762340234.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	DOC-20241029-WA0005_pdf .exe, 00000000.00000002.1713784405.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545875
Start date and time:	2024-10-31 08:52:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DOC-20241029-WA0005_pdf .exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/11@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 216 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:52:55	API Interceptor	3x Sleep call for process: DOC-20241029-WA0005_pdf .exe modified
03:52:57	API Interceptor	18x Sleep call for process: powershell.exe modified
03:53:00	API Interceptor	3x Sleep call for process: FQDffaysNf.exe modified
07:52:57	Task Scheduler	Run new task: FQDffaysNf path: C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Process:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FQDffaysNf.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\FQDffaysNf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//x0Uyus:lGLHxvCsIfA2KRHmOugw1s
MD5:	F04317532D0B8B65C6056862B2CAF09A
SHA1:	D00EFCC0C8F0B66767EE88A808066D92EFF2ED63
SHA-256:	6D6C4A8E025BAEB29D10FBF63AE5124B553F3EE819F58A139927D1991E73C792
SHA-512:	AE5C2B53F9FC1C6D6EFB5AA9F57BAB4929C755B971B16D3ED0229BC8B89F8A3DD70349B8C2C9E17769ADD9C91E253621517D9C180F3DA139C55573057D48DA6C
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_calgutd0.kdh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_klitpytl.nh1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmaedbwr.5wf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyqppxrr.u1z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp

Download File

Process:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113487365427113
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGcxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
MD5:	67AD68E068B8D253BA202A4D51091375
SHA1:	CCD4FA5F1ACE448FC28EA4409671AF9161DB8307
SHA-256:	B5E99F54840D3CCE6AFC093F2BA2D9E92994C30F742A693250639B394A03C1F0
SHA-512:	9474766ADCC85A00345F6940321447F1621170D2A4F4CEB9EDCEEA7F717667E2AF68ADF1EE358432298E4C33D07DD244547CBC31E110B4D21C11A81422131DA5
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpD215.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\FQDffaysNf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.113487365427113
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGcxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
MD5:	67AD68E068B8D253BA202A4D51091375
SHA1:	CCD4FA5F1ACE448FC28EA4409671AF9161DB8307
SHA-256:	B5E99F54840D3CCE6AFC093F2BA2D9E92994C30F742A693250639B394A03C1F0
SHA-512:	9474766ADCC85A00345F6940321447F1621170D2A4F4CEB9EDCEEA7F717667E2AF68ADF1EE358432298E4C33D07DD244547CBC31E110B4D21C11A81422131DA5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\FQDffaysNf.exe

Download File

Process:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1294336
Entropy (8bit):	7.844758568039926
Encrypted:	false
SSDEEP:	24576:xwUjdByy0sIV2CFeCBb3oGDNp82RwpZGAyY0zkZ/ayITnfgwTt+e:ucdp0sIV2CFeCloGDI2irGAT0EaBTnff
MD5:	10BD0F08AE622F203DBF10D870C87168
SHA1:	28866C0BF923F6BFFDB459978E3A55D37BB5878D
SHA-256:	2FD41CFB7C7D0653A396E538166B91DB7DDC56CB008701A437E8CD92D63156B6
SHA-512:	F9C5441BCE91F1698D20D660DBEA1E99406364C9A3E5F393298E8FFD1F039BAA2900BC9C1E9DD6D420528EE9C2845FC70ADEA1B2D7FF4DB1A41BA7DF8AC9F9C6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;"#g..............0..T...j......2s... ........@.. ....................... ............@..................................r..O........g..........................`?..T............................................ ............... ..H............text...pS... ...T.................. ..`.rsrc....g.......h...V..............@..@.reloc..............................@..B.................s......H.......P...........Y....[...............................................0..L.........}.....( ......(!.....(............s".....(#....o$.....(%....o&.....('.....0............}........((........().....,5...(............s".....(.....o$.....(.....o&....85....r...p.o...(...o+...to.......(,..........9.....s ........s-...s....o/......o#...r...po0..........,$..(#.....o#...r...po0...s....o1........o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.......o<...(=.........

C:\Users\user\AppData\Roaming\FQDffaysNf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.844758568039926
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DOC-20241029-WA0005_pdf .exe
File size:	1'294'336 bytes
MD5:	10bd0f08ae622f203dbf10d870c87168
SHA1:	28866c0bf923f6bffdb459978e3a55d37bb5878d
SHA256:	2fd41cfb7c7d0653a396e538166b91db7ddc56cb008701a437e8cd92d63156b6
SHA512:	f9c5441bce91f1698d20d660dbea1e99406364c9a3e5f393298e8ffd1f039baa2900bc9c1e9dd6d420528ee9c2845fc70adea1b2d7ff4db1a41ba7df8ac9f9c6
SSDEEP:	24576:xwUjdByy0sIV2CFeCBb3oGDNp82RwpZGAyY0zkZ/ayITnfgwTt+e:ucdp0sIV2CFeCloGDI2irGAT0EaBTnff
TLSH:	2A55F0D03A767719DDB64AB5C228DD7543F12A687010FAEA5ED87BC735AC310AE08F42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;"#g..............0..T...j......2s... ........@.. ....................... ............@................................

File Icon


Icon Hash:	e1c9098a81d8584d

Static PE Info

General

Entrypoint:	0x537332
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6723223B [Thu Oct 31 06:22:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FC43CB5EEA2h
je 00007FC43CB5EEA2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FC43CB5EEA2h
imul eax, dword ptr [eax], 00610076h
je 00007FC43CB5EEA2h
outsd
add byte ptr [edx+00h], dh
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1372de	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x6794	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x140000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x133f60	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x135370	0x135400	42e4f0ac4a40a3f38333fe81799c02a9	False	0.9051155454223929	data	7.843924872961827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x138000	0x6794	0x6800	5336b22c6a21cd52d2f9f218b2f5217b	False	0.9320913461538461	data	7.897736322434751	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x140000	0xc	0x200	7c089239945b5e25b7c11c5cf7df2c6a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x138130	0x6147	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9633377504718307
RT_GROUP_ICON	0x13e278	0x14	data	0.9
RT_VERSION	0x13e28c	0x31c	data	0.4321608040201005
RT_MANIFEST	0x13e5a8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	03:52:54
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x1d0000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:52:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FQDffaysNf.exe"
Imagebase:	0xda0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:52:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:52:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp"
Imagebase:	0xa80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:52:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x3a0000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x390000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x90000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x90000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DOC-20241029-WA0005_pdf .exe"
Imagebase:	0x2b0000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:52:57
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\FQDffaysNf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\FQDffaysNf.exe
Imagebase:	0x590000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:52:59
Start date:	31/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:53:01
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FQDffaysNf" /XML "C:\Users\user\AppData\Local\Temp\tmpD215.tmp"
Imagebase:	0xa80000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:53:01
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:53:01
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\FQDffaysNf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\FQDffaysNf.exe"
Imagebase:	0xde0000
File size:	1'294'336 bytes
MD5 hash:	10BD0F08AE622F203DBF10D870C87168
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.1753554050.0000000005B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.1750774864.0000000004281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.1748222231.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	157
Total number of Limit Nodes:	9

Executed Functions

Function 072C0E28 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee236ef59534fd5dd8d3be768b93ab3b07950cca58d236ea4c749cb5cb9ed3ba
Instruction ID: b4460419971c1fded77adbc245a124818a5af63b69629cd26e88aadbd2a76722
Opcode Fuzzy Hash: ee236ef59534fd5dd8d3be768b93ab3b07950cca58d236ea4c749cb5cb9ed3ba
Instruction Fuzzy Hash: D24293B4E11229CFDB64CFA9D985B9DBBF6BF48300F1082A9D809A7355D734A981CF50

Function 046D2F28 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703475870.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede5ea54c72b04bfefa9cd619ca50f16d23d91444b4bf30f0cdeb04e52b8a94a
Instruction ID: ad862dd78bedbca10cf2f3bb8710b8767ec4028d7794e20c3f95446f4139ff00
Opcode Fuzzy Hash: ede5ea54c72b04bfefa9cd619ca50f16d23d91444b4bf30f0cdeb04e52b8a94a
Instruction Fuzzy Hash: 59E1CC71B016809FEB29DB76C560BAEB7F6AF88300F10446DE5459B391EB35F841CB92

Function 00CE7018 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ebaf28ba8c9736deba8bfaf1f5b05834280782d983cdb4f495da28de683c4
Instruction ID: 5077e5ced84ae6bcef28f33f78b9a0e08be28d8195f14eecf6d6687ca89aec71
Opcode Fuzzy Hash: 2b1ebaf28ba8c9736deba8bfaf1f5b05834280782d983cdb4f495da28de683c4
Instruction Fuzzy Hash: B8A1C774E00208DFDB09DFA9D994A9DBBB6FF88310F148429E409AB368DB355985DF50

Function 00CE4204 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f91d57b8ca9926424c698236f89ccb31447465abb2fc9e6b91deaa73c19efb
Instruction ID: 350024ab57472c0974a2d8d8d34918696032ff4f51529abdf144b8d05d79497c
Opcode Fuzzy Hash: c0f91d57b8ca9926424c698236f89ccb31447465abb2fc9e6b91deaa73c19efb
Instruction Fuzzy Hash: C9A1C774E00208DFDB09DFA9D994A9DBBB6FF88310F148429E409B7368DB319986DF50

Function 072C0E21 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d851899eb1e572c77178d2ef3867cc8a38999a362048f52f049dfd620bacc60c
Instruction ID: 1fb157a5c62303655db6106b07f42f16076a0333546119dd33d9bfefd2c130f5
Opcode Fuzzy Hash: d851899eb1e572c77178d2ef3867cc8a38999a362048f52f049dfd620bacc60c
Instruction Fuzzy Hash: B061A7B4E11218CFDB18CFAAD985B9DBBF6BF88310F1481A9D809A7354D7359981CF50

Function 072C3CF0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3157a74b478caf681c175443469f89625c317a287ebf9dacea476074fba2d2f
Instruction ID: e970e00a57f7e90d2346f902332c5ad9974e85e2e8948014ab630499d17e4794
Opcode Fuzzy Hash: c3157a74b478caf681c175443469f89625c317a287ebf9dacea476074fba2d2f
Instruction Fuzzy Hash: 3F51A0B5D002199FDB08CFEAD9846EEBBB2FF89300F10C52AE419AB255DB345946CF40

Function 072C7988 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b570fd04ef7e32c4a884666a01d6e33b9756181883ddc6de59efdf3feb7308a
Instruction ID: 18c8d391860c4a3578b5bbaad3f76f0699a1becde36018369b9bd04f6169f745
Opcode Fuzzy Hash: 0b570fd04ef7e32c4a884666a01d6e33b9756181883ddc6de59efdf3feb7308a
Instruction Fuzzy Hash: 382114B1D256188BEB18CFA6D8483DEBBB6FF99300F04C16AD40966254DBB409468F90

Function 072C7998 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baa353e94c3dbbd68850c7db979ac54cca3e9dbe70d7810c8d0bb6fde9bcf47
Instruction ID: ad9468b3953aa8633cca51d14692f172fb2406af48528928b84a119a2ea70e90
Opcode Fuzzy Hash: 7baa353e94c3dbbd68850c7db979ac54cca3e9dbe70d7810c8d0bb6fde9bcf47
Instruction Fuzzy Hash: 0921F4B0D246188BEB18CFABD9087DEFBF6BFD9300F04C16AD40966254DBB409458F90

Function 00CED5D0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CED65E
GetCurrentThread.KERNEL32 ref: 00CED69B
GetCurrentProcess.KERNEL32 ref: 00CED6D8
GetCurrentThreadId.KERNEL32 ref: 00CED731

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cb3b8bbc250fb01f9010a2c270c046e5c982bb46478dd313a5c7ca3aee4fbf0b
Instruction ID: 6090c3fb1709a44ee31f74777bbff7ff67521d461748704b07c4d77c43b49e90
Opcode Fuzzy Hash: cb3b8bbc250fb01f9010a2c270c046e5c982bb46478dd313a5c7ca3aee4fbf0b
Instruction Fuzzy Hash: DE5165B0901389CFDB04DFAAD548BDEBBF5AB49304F20C469E059A7360DB749984CF65

Function 00CED5E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CED65E
GetCurrentThread.KERNEL32 ref: 00CED69B
GetCurrentProcess.KERNEL32 ref: 00CED6D8
GetCurrentThreadId.KERNEL32 ref: 00CED731

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 79e2d84f6dbbf48b5115ccafecf72706548dcfc0e51b1ee821588f36a0d929dd
Instruction ID: 0d8e82caffac3d3b74e2016546047588c2216d3991b3fede016c596177b1365f
Opcode Fuzzy Hash: 79e2d84f6dbbf48b5115ccafecf72706548dcfc0e51b1ee821588f36a0d929dd
Instruction Fuzzy Hash: 555165B0901289CFDB04DFAAD548BDEBBF5AF88304F20C459E019A7360DB749984CF65

Function 072CD6B4 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072CD8F6

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fca57e4c104255632bbff1e183624c383cd49080763fd46203dbd06f797ea11c
Instruction ID: cb37dfb307580a89ed8c96993314e278c301d71183012fc4fbeba038347144e9
Opcode Fuzzy Hash: fca57e4c104255632bbff1e183624c383cd49080763fd46203dbd06f797ea11c
Instruction Fuzzy Hash: C0A16DB1E1021ADFDF20DF69C8417EDBBB2BF44314F1486A9E808A7250DB749985CF92

Function 072CD6C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072CD8F6

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8751a3f59e181d8fc9a3d91f66711e1a00cae70d0acfe9617d83a834781d8ab2
Instruction ID: e1104941221ce3f7f531c90e05c8cd57511ccd831a7e2564999beccc48fb3780
Opcode Fuzzy Hash: 8751a3f59e181d8fc9a3d91f66711e1a00cae70d0acfe9617d83a834781d8ab2
Instruction Fuzzy Hash: 97917EB1E1025ADFDB20DF69C9417EDBBB2FF44310F1486A9E808A7250DB749985CF92

Function 00CEB33A Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB59E

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e15e64770b2f03782785b1a1e3689a442ba8f3f85b3876c5c133d62248783a35
Instruction ID: d076172bc85bee8af45c727989bbac9dcc8bc1a071517c908ef875b4590c87ff
Opcode Fuzzy Hash: e15e64770b2f03782785b1a1e3689a442ba8f3f85b3876c5c133d62248783a35
Instruction Fuzzy Hash: BF813470A00B858FD724DF2AD4557ABBBF1FF88300F008929E496D7A51DB34E949CB91

Function 00CE5D0C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE5DC9

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1e8ddcdae981d366fcf8fdb69efc913cf66c36698a56d444aada6124733d4e8f
Instruction ID: e0cb81cff00c53d764cdccaa6789abde7ef173d975bf71ed152cdc0b90a8f21d
Opcode Fuzzy Hash: 1e8ddcdae981d366fcf8fdb69efc913cf66c36698a56d444aada6124733d4e8f
Instruction Fuzzy Hash: 204125B0D00659CFDB24DFA9C8847DEBBF5BF49308F24809AD408AB255DB755945CF90

Function 00CE4560 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CE5DC9

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d861ab825471b6802f9bf451f63a72912494fd53540591183ee2f53e126fc56
Instruction ID: 1e8f97fb7619cbd639d81cb089156e9c10c36e765c7485ffca3c7dfcbb6933b6
Opcode Fuzzy Hash: 8d861ab825471b6802f9bf451f63a72912494fd53540591183ee2f53e126fc56
Instruction Fuzzy Hash: 7F41F3B0C0075DCFDB25DFAAC94479EBBB5BF49304F20806AD408AB255DB756945CF90

Function 072CD521 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072CD5A8

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 570c99d25ec15f093dbdac5b37ddb165a7bce1f4ab83769badf0285dd37c5025
Instruction ID: 946573af5fc7af79467242978cda774781fef8fdb950a8b480eb8d86d93f3c50
Opcode Fuzzy Hash: 570c99d25ec15f093dbdac5b37ddb165a7bce1f4ab83769badf0285dd37c5025
Instruction Fuzzy Hash: 822136B19002599FCF10DFAAC884AEEBBF5FF48324F10842AE558A7250C7359945CBA5

Function 072CD299 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 072CD31E

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8de4ad7e536ee9a1503e049bc98a44b3b579be82455bad0bc74f935e4ed31280
Instruction ID: 3a6bc2444cf09ffb9520b73f8f141fb621372eb30f2f994457940d8e0e6e76b9
Opcode Fuzzy Hash: 8de4ad7e536ee9a1503e049bc98a44b3b579be82455bad0bc74f935e4ed31280
Instruction Fuzzy Hash: DE2159B19002098FDB10DFAAC4857EEBBF4EF88324F10842ED459A7241CB789944CFA5

Function 00CED820 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CED8AF

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a7e3a673bf1ef222a6a1f6e5660629924e7ebb7b6175b134ca3d5493b30fc48
Instruction ID: fbcc034dd192f1b7c063fc02cbab5c313982482594ed84608aca4cb4123ef55a
Opcode Fuzzy Hash: 2a7e3a673bf1ef222a6a1f6e5660629924e7ebb7b6175b134ca3d5493b30fc48
Instruction Fuzzy Hash: 412105B5900248EFDB10CF9AD584ADEBBF8FB48310F14801AE914A7350D374A940CFA0

Function 072CD528 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072CD5A8

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a4ef92efa8d7e788381e433302b44851e47d21b6dba4e6a6978bb08e29ef40e3
Instruction ID: 121037122e60b29b3a8de7c56f568ef1584f8d815fc670a0c967a10c7907f730
Opcode Fuzzy Hash: a4ef92efa8d7e788381e433302b44851e47d21b6dba4e6a6978bb08e29ef40e3
Instruction Fuzzy Hash: 672139B19003599FCB10DFAAC884AEEFBF5FF48310F10842EE559A7250C7359944CBA4

Function 072CD2A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 072CD31E

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 20ab5eb3972fcefcb4fef5bfe123c5c0ecb7343632027d7c27c3e9d690a53547
Instruction ID: 78614647d1c5cb6d87fbabb12b2d9e2574271e5defeb127c768e958ec507ee55
Opcode Fuzzy Hash: 20ab5eb3972fcefcb4fef5bfe123c5c0ecb7343632027d7c27c3e9d690a53547
Instruction Fuzzy Hash: B42138B19002098FDB10DFAAC4857EEBBF4EF88324F10842ED459A7241C7789945CFA5

Function 00CED828 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CED8AF

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ee366045bb0676acdf25d22d0b6a60e7a3a7f718f8defed7698b0112003d3c27
Instruction ID: 815d3020c880a72a1ae994a80c64c877f585545298f254f3731ae59549507e42
Opcode Fuzzy Hash: ee366045bb0676acdf25d22d0b6a60e7a3a7f718f8defed7698b0112003d3c27
Instruction Fuzzy Hash: E021E4B5900248DFDB10CF9AD584ADEBFF4FB48310F14801AE914A7350D374A944CFA5

Function 072CD371 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072CD3E6

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 138870af794ca72104f2c1768ec80b577ddbd23cc73bf54ffc3f588cefba2084
Instruction ID: 03f1c3f9f54b74c5a9527a7580a541a3711e0d4e66db482de848f8dd15044bd6
Opcode Fuzzy Hash: 138870af794ca72104f2c1768ec80b577ddbd23cc73bf54ffc3f588cefba2084
Instruction Fuzzy Hash: C02147B29002499FCB10DFAAC844BDEFFF5EF88320F208429E559A7250D735A554CFA0

Function 072CD378 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072CD3E6

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0296f02ec3e840874939f900181ad0941abe80fecea8fd4d9c2b27d628942ae1
Instruction ID: 82f9d4420cf0ec2fec664234dacdae32c16dddc2bb58ee38177a90b3a464764c
Opcode Fuzzy Hash: 0296f02ec3e840874939f900181ad0941abe80fecea8fd4d9c2b27d628942ae1
Instruction Fuzzy Hash: E01137B19002499FCB10DFAAC844BDEFFF5EF88320F108429E559A7250C775A944CFA4

Function 046D2100 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 046D2165

Memory Dump Source

Source File: 00000000.00000002.1703475870.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bdca99231024715f3813413b4f965645999e1f65bde8fa79f2806c608fb704e1
Instruction ID: fcf408e3f03b6e328a8634d81c5721d3bc16e11f33dcafca1e64f2722d81efe2
Opcode Fuzzy Hash: bdca99231024715f3813413b4f965645999e1f65bde8fa79f2806c608fb704e1
Instruction Fuzzy Hash: C211F2B5800249DFDB10DF9AD885BDEBFF8EB48320F10845AE558A7610D375A984CFA1

Function 046D00BC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 046D2165

Memory Dump Source

Source File: 00000000.00000002.1703475870.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 629cf83c2ad6e1046310a36670e2179ad091302c2bdb59f82208bbddf3293873
Instruction ID: 26a94af52f046abea04d669e876668adebe8bae6f40e5a25106354e99b1158d1
Opcode Fuzzy Hash: 629cf83c2ad6e1046310a36670e2179ad091302c2bdb59f82208bbddf3293873
Instruction Fuzzy Hash: BA1103B5900348DFDB10DF9AC988BDEBBF8EB48320F10845AE658A7310D375A944CFA5

Function 00CEB538 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEB59E

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff75a7ba85332f5ce9efeff243bd19543ff859ec38b2b55d3479265435a81bb2
Instruction ID: c12bf84a4f802f316423ce58ada65aaaf0deb49f52314cf12f815c91d20b3c1c
Opcode Fuzzy Hash: ff75a7ba85332f5ce9efeff243bd19543ff859ec38b2b55d3479265435a81bb2
Instruction Fuzzy Hash: 8F11E3B5D013498FCB10CF9AD444ADEFBF4AB88314F14842AD469A7210D375A945CFA5

Function 00C0D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695887462.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e0a58f60ad1f821f2a29e388d3b1fc5359852e980c9cae3bf1ddb59587cf41
Instruction ID: 4d295964311442b6d990417c1e4e50c932ecd58ca352106fe71bdfafd93c6654
Opcode Fuzzy Hash: 09e0a58f60ad1f821f2a29e388d3b1fc5359852e980c9cae3bf1ddb59587cf41
Instruction Fuzzy Hash: 0C2134B1500240DFCB05DF94D9C0B2BBF65FB98318F20C569EC0A0B296C336D956CBA2

Function 00C1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695926153.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f044cd93192f79c550de85bcced81875084557c5562608a3d6d333623292322
Instruction ID: 037ee275b079c306f7f4ddfb4dff8dc9a530dc64cc9cc664ee547b5d00c150a0
Opcode Fuzzy Hash: 5f044cd93192f79c550de85bcced81875084557c5562608a3d6d333623292322
Instruction Fuzzy Hash: D3212671504200EFDB05DF14D9C0B66BBA5FB85314F30C6ADE81A4B396C33ADC86DA61

Function 00C1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695926153.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50744cbaa60d21bc0b81ab08690f7b3fbb742049c2d3140b2d5a335cf9ebb24b
Instruction ID: e0e1e88d68316104a345e9aaee504b2ff9d835d518bb1bb3f2d6cdb8d53423ed
Opcode Fuzzy Hash: 50744cbaa60d21bc0b81ab08690f7b3fbb742049c2d3140b2d5a335cf9ebb24b
Instruction Fuzzy Hash: 5721F275604200DFCB14DF14D9C4B66BBA5EB89314F20C5ADE80A4B296C33AD887DA62

Function 00C1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695926153.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89494a57bf80a5def29b94e79a1ba7f45e6f68904937de0ea3599a49da7976d0
Instruction ID: ee0384d73741a724f9f6e090447713e8be621737e637568feb140cbb6bcef8da
Opcode Fuzzy Hash: 89494a57bf80a5def29b94e79a1ba7f45e6f68904937de0ea3599a49da7976d0
Instruction Fuzzy Hash: ED2180755093808FCB02CF24D994755BF71EB46314F28C5EAD8498F2A7C33A984ADB62

Function 00C0D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695887462.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a7b28ac790898c70b7c32e56b862bd7460107ecf387f530bab42be08f35d3862
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4D11E6B6504280CFCB16CF54D9C4B16BF71FB98318F24C6A9DC4A0B696C336D95ACBA1

Function 00C1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695926153.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: a9a669fd95767a539bcc785492de7e68da1bc700b876f734c727484e36a848bf
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3D11BB75504280DFCB02CF14C5C4B55BBA1FB85314F24C6AAD85A4B696C33AD89ADB61

Non-executed Functions

Function 046D4538 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 046D4723
PH^q, xrefs: 046D47FB

Memory Dump Source

Source File: 00000000.00000002.1703475870.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_46d0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ed52cf4609b41f125e638e47aa60f6201063baca8377d37bf5d47f72c78c2822
Instruction ID: 0e629c7a71dd84f44351854fc44a5751af7791ea4d91e39078f1fba60ecc7200
Opcode Fuzzy Hash: ed52cf4609b41f125e638e47aa60f6201063baca8377d37bf5d47f72c78c2822
Instruction Fuzzy Hash: 17D19034A006048FDB18DF69C598AA9B7F1BF8D715F2580A9E506AB371EB31ED41CF60

Function 072C30D0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4847fdde3370f88011faeb15830d94d81576752c4e1a8f4b77720fe09aa4dfa
Instruction ID: ba05f2d5a16bd497bf878d8bb10fa87deb74c71fb31a6c0681de70969eb5c364
Opcode Fuzzy Hash: f4847fdde3370f88011faeb15830d94d81576752c4e1a8f4b77720fe09aa4dfa
Instruction Fuzzy Hash: C0E11BB4E1021A8FDB14DFA9C5809AEFBB2BF49304F24C569D414AB35ADB31AD41CF61

Function 072CA518 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a6d6e9848ca5324aca8da5c063b2380b519d882657e41e0ed83552a964d909
Instruction ID: 3f164650b22b7c825ff5b29c70d66ed92ae444326c80ce43bc31e0f865091808
Opcode Fuzzy Hash: a1a6d6e9848ca5324aca8da5c063b2380b519d882657e41e0ed83552a964d909
Instruction Fuzzy Hash: 97E1EAB4E111198FCB14DFA9C5809AEFBB2FF89304F24D269E415AB35AD731A941CF60

Function 072CB1C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92ce06d5b929240df645140b3a0bf5bc6676e8d5c7ca0a6ad2fe94a01c29749
Instruction ID: 3143308c72065c8773b949cf2257ddab3f5e5ec0694dc3a10db22c6091aa92f1
Opcode Fuzzy Hash: a92ce06d5b929240df645140b3a0bf5bc6676e8d5c7ca0a6ad2fe94a01c29749
Instruction Fuzzy Hash: 2CE11AB4E101198FCB14DFA9C5819AEFBB2FF89304F248269E415AB35AD730AD41CF61

Function 072CAD88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c098427a1313a8aac073604115ffd6cc0724a874a461d1500a7b3d70612d0817
Instruction ID: d2b426d32c945e83b713bd4ab241096af21d1b8e22e07147388517a6f6c7affd
Opcode Fuzzy Hash: c098427a1313a8aac073604115ffd6cc0724a874a461d1500a7b3d70612d0817
Instruction Fuzzy Hash: C9E11BB4E101198FDB14DFA9C5809AEFBB2FF89304F24D269E415AB35AD731A941CF60

Function 072CA950 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64340059e15b483f83f0763397c0cd575f47fd9fe82fc150ffc65fb0f6a32b06
Instruction ID: 9a8080b4900702ff35aaed56e69e425388d2815f659988340fdcf7d93dd55adc
Opcode Fuzzy Hash: 64340059e15b483f83f0763397c0cd575f47fd9fe82fc150ffc65fb0f6a32b06
Instruction Fuzzy Hash: 28E1EAB4E101198FCB14DFA9C5809AEFBB2FF89304F24D269E415AB35AD731A941CF61

Function 072CC9C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def5603589db5d7ff4d2209d5d6942775fdcfa68033733eecf8c80995b9a9674
Instruction ID: 3be7685ea02fc2aa9c70bef27fb9347dd70cd54a7e389f9d5d0ac90a2ba099a2
Opcode Fuzzy Hash: def5603589db5d7ff4d2209d5d6942775fdcfa68033733eecf8c80995b9a9674
Instruction Fuzzy Hash: 71E1EDB4E101198FCB14DFA9C5809AEFBB2FF49304F249159E419AB35AD731A981CF61

Function 00CEE134 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696116231.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ce0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a34dff7fc478c9ea32c0c0f7f496e8e36853da84c29bd97be44118f476491c3
Instruction ID: 83c8a300cd7e15fc4ef527058196071e3a4947f8c4c5d3af5914254886d01fc2
Opcode Fuzzy Hash: 3a34dff7fc478c9ea32c0c0f7f496e8e36853da84c29bd97be44118f476491c3
Instruction Fuzzy Hash: D1A16C32E00259CFCF15DFB6C8405AEB7B2FF85300B15457AE815AB266DB31EA56DB80

Function 072C3F88 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248d04e2ddb41cbf1e167d3339c108a2167968ebaa94fca3edf04103568e7396
Instruction ID: dc24cbfad256e12cdc6e7e6d087d4b38bbc49048c462c2fa120b647c15f514e7
Opcode Fuzzy Hash: 248d04e2ddb41cbf1e167d3339c108a2167968ebaa94fca3edf04103568e7396
Instruction Fuzzy Hash: 347170B4E116598FDB08DFAAD98499EFBF2FF88300F14D16AE418AB215D734A941CF50

Function 072C3F77 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab7cc8d9de319dd934603ebf534accefc73f862e83852461370678b1a7bdf4
Instruction ID: 0f74278a715e7b2614af389d17952838b5dc4bcb7565de5ebf06df2ba6132fdc
Opcode Fuzzy Hash: 67ab7cc8d9de319dd934603ebf534accefc73f862e83852461370678b1a7bdf4
Instruction Fuzzy Hash: 525170B5E006598FDB08DFAAD98469EFBF2FF88300F14C12AD419AB315DB749946CB50

Function 072C3CEB Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1715461114.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_DOC-20241029-WA0005_pdf .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad038bae053d11aeca005b19083d87445370398481d203bacdd215812862bd4
Instruction ID: 122af53da5791d9efb9b22ace17cc0dfff179aaee678ed77515196ebf9aa90f3
Opcode Fuzzy Hash: 5ad038bae053d11aeca005b19083d87445370398481d203bacdd215812862bd4
Instruction Fuzzy Hash: A74190B5E0061D9BDB08CFEAD9846DEFBF6AF88300F14C52AD419AB255DB345A46CF40

Analysis Process: FQDffaysNf.exePID: 7692, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	239
Total number of Limit Nodes:	14

Executed Functions

Function 0E9B0341 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1775288369.000000000E9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e9b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a70a6cce16351360837b56a53689c72eac430cf25aa5c60b7d751f14c1004a6
Instruction ID: 139ac07016d160baf137a32045d66dfaeab3bdcf34bb4a26cd26584a6bf0c2f9
Opcode Fuzzy Hash: 5a70a6cce16351360837b56a53689c72eac430cf25aa5c60b7d751f14c1004a6
Instruction Fuzzy Hash: A2D09E74C0A218DBC754DF56D5899F9B7B8AB4A300F8568559419A7211EA709DC0CF05

Function 0E9B08CC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1775288369.000000000E9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e9b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81851170edeba83b0578e12b09334bea69dcb3ffa8b13988a368417709bae130
Instruction ID: d4c39ad4c24f82e65bdd9c6eaa4ec10282f38d49a6c3c627f3e608ed78e8618f
Opcode Fuzzy Hash: 81851170edeba83b0578e12b09334bea69dcb3ffa8b13988a368417709bae130
Instruction Fuzzy Hash: FEA00216C8F008C1C6184C1312611F3C07D416B194DD93C12944E73203A510CC459C0D

Function 00E1D5E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E1D65E
GetCurrentThread.KERNEL32 ref: 00E1D69B
GetCurrentProcess.KERNEL32 ref: 00E1D6D8
GetCurrentThreadId.KERNEL32 ref: 00E1D731

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 834c84837ff20bd786a2c8520465da3f7579dbc32c3ba725c83406a3baca654c
Instruction ID: 3f049e06079a6af756ff1cb1492e3ef195e93340b5bfa563095e67eebb232b8d
Opcode Fuzzy Hash: 834c84837ff20bd786a2c8520465da3f7579dbc32c3ba725c83406a3baca654c
Instruction Fuzzy Hash: 5D5159B09002498FDB04DFAAD948BDEBBF1EB88304F20C469D459A73A1D7749984CF65

Function 0726D6B4 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726D8F6

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 44809882f26a41e2824578bc6a531204f8c685a446d32fbf21873d2d170495a9
Instruction ID: 21d9ebb29aad767dee3ec279dfbde6e9e60c8e58fc9087e030b3474c03f6c124
Opcode Fuzzy Hash: 44809882f26a41e2824578bc6a531204f8c685a446d32fbf21873d2d170495a9
Instruction Fuzzy Hash: B8A14AB1E1021EDFDF14CFA8C8457EDBBB2AB44314F1485AAE808A7250D7749985CF92

Function 0726D6C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726D8F6

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0d9a871d7af7e3318a0eafb584005abda98b0d37a5718c906add608076e1158e
Instruction ID: 000fa4ef80c5ad64f548aef2165e4d10b5428424da8e86ce6031d115f83e9e02
Opcode Fuzzy Hash: 0d9a871d7af7e3318a0eafb584005abda98b0d37a5718c906add608076e1158e
Instruction Fuzzy Hash: FC914AB1E1021EDFDF24CF68C8457EDBAB2BF44310F1485AAE808A7250DB749985CF92

Function 00E1B33A Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E1B59E

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c14e28b322714431cbd60cf9a9ce28a1052ccab5969a9ce8fa828807f78e1863
Instruction ID: ba3a936250285e8d69f36109fc74afd27b799424e66fc4535137e9ea38cbef08
Opcode Fuzzy Hash: c14e28b322714431cbd60cf9a9ce28a1052ccab5969a9ce8fa828807f78e1863
Instruction Fuzzy Hash: FD812470A00B058FD724DF29D04579ABBF2FF88304F008A2DD496EBA51E774E989CB90

Function 00E14560 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E15DC9

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f8b8c8cff09282d18748fb7773ebd781e0f70dd268a8fae29e695d4bf399629
Instruction ID: 409bd356ad5dd6658fd042555f02945f5dfadfe62e4d71fcccdf5b6ebe826a87
Opcode Fuzzy Hash: 9f8b8c8cff09282d18748fb7773ebd781e0f70dd268a8fae29e695d4bf399629
Instruction Fuzzy Hash: E341E2B1C00619CBDB24DFA9C9447DEBBB5BF88304F24805AD418BB255DB756985CF90

Function 00E15D0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E15DC9

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 49472d1547f4cb94abc94bc566f7ddeb7a146905c4b4711035ff443f01350f37
Instruction ID: 7caf38ca7a41299b4b33763d77cff27e4f00e1d288379d236473d48a2b498da8
Opcode Fuzzy Hash: 49472d1547f4cb94abc94bc566f7ddeb7a146905c4b4711035ff443f01350f37
Instruction Fuzzy Hash: 084122B1C00619CFDB24CFA9C844BDEBBB5BF88304F20805AD418BB255DB756985CF90

Function 00E15D11 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E15DC9

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a6ce90937d826c0027c323c2b79365f06ee2af18bb1047a872d90ca1f74c286e
Instruction ID: b52ea2ab374030c13ae37e44af55885194bcea4ad60489dbcda4aa2ab6b41f58
Opcode Fuzzy Hash: a6ce90937d826c0027c323c2b79365f06ee2af18bb1047a872d90ca1f74c286e
Instruction Fuzzy Hash: F741F1B1C00619CFDB24DFA9C844BDEBBB5BF88304F24805AD418BB265DB756985CF90

Function 0726D430 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0726D4C8

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c685aaa45c9927dfd1d28dcb39cfe7a3e65020a56fc5568cb9c0069abb60a3e8
Instruction ID: d410cff240761f1e8d9d11722a1538a23dd7648a34275cf479017d29c2e37533
Opcode Fuzzy Hash: c685aaa45c9927dfd1d28dcb39cfe7a3e65020a56fc5568cb9c0069abb60a3e8
Instruction Fuzzy Hash: 922137B19003199FCB10CFAAC985BDEBBF5FF48310F10882AE558A7250D778A944CBA5

Function 0726D438 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0726D4C8

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e8bd1c754b8cdafba05e8ad3768a7cf8c40f116ee19cd927bf91782043293c13
Instruction ID: 7451907d6886e3e113cda101766864e15b4044924af1840f5eb06f4606cd4925
Opcode Fuzzy Hash: e8bd1c754b8cdafba05e8ad3768a7cf8c40f116ee19cd927bf91782043293c13
Instruction Fuzzy Hash: DB212AB19003599FCF10CFA9C885BDEBBF5FF48310F10842AE558A7250D778A944CBA4

Function 0726D299 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0726D31E

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f3c2dcb07ab4bc87420dffb0d5efa39afac360c8c8195df633834a258ee70c1e
Instruction ID: 068d80d29ce7584c1c1c8168fc64c7730d8a1edd05d4a3e397adc3c142a49148
Opcode Fuzzy Hash: f3c2dcb07ab4bc87420dffb0d5efa39afac360c8c8195df633834a258ee70c1e
Instruction Fuzzy Hash: 9B213AB1D103098FDB10DFAAC5857EEBBF4EF88324F14842AD459A7240DB78A585CFA5

Function 0726D524 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0726D5A8

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e39abd098d32ebb364182b72339b94821e4216405a27ed508c4e1c0ef9734432
Instruction ID: 1331ab3e1e6003b82ff40d5d72c96fa693d4a30603ddedc3431aaa26741b8f08
Opcode Fuzzy Hash: e39abd098d32ebb364182b72339b94821e4216405a27ed508c4e1c0ef9734432
Instruction Fuzzy Hash: 372125B1D102599FCB10DFAAC985BEEFBF5FF88320F14842AE558A7254C7389544CBA4

Function 0726D528 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0726D5A8

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d2453b9c63a1ed186f2f79bda8bbb2ef605c66cd43e3507458f8b453000f8978
Instruction ID: 607fee26135a7adecc5d4dd08c6afdfa5cf2effd8716f6dc2c021b9a1e01a3f7
Opcode Fuzzy Hash: d2453b9c63a1ed186f2f79bda8bbb2ef605c66cd43e3507458f8b453000f8978
Instruction Fuzzy Hash: 992128B19002599FCB10DFAAC885ADEFBF5FF48310F14842AE558A7254C7389544CBA5

Function 0726D2A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0726D31E

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fdd40e4f48610505557a40a47d36b649ebc22a2b65637a17c1315696e388398d
Instruction ID: cae4ec8cc28a5af9abec8ce58f29fb7507cb8d2f8f60543e05e9513956979831
Opcode Fuzzy Hash: fdd40e4f48610505557a40a47d36b649ebc22a2b65637a17c1315696e388398d
Instruction Fuzzy Hash: BF214CB1D003098FDB10DFAAC4857EEBBF4EF88314F14842AD459A7240C7789584CFA5

Function 00E1D828 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E1D8AF

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0a92fe913bd83f689cd3deac41f7c3cd5ef58e503757fa505f0dc5f559bd0868
Instruction ID: 19201d2a3f67b5adcde2577d283835690e652786e67a2b27b6c21e1c5b376a4e
Opcode Fuzzy Hash: 0a92fe913bd83f689cd3deac41f7c3cd5ef58e503757fa505f0dc5f559bd0868
Instruction Fuzzy Hash: E121C4B5D00258DFDB10CF9AD985ADEBBF4FB48310F14841AE954A7350D374A944CFA5

Function 0726D371 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0726D3E6

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 64b8d0522800472e8ca323de285eb35e43769d9b95b458d1c15b8f49a0656595
Instruction ID: 9c66d0dcbed1aed3097271c88aba579a7f2762fe93a7352213a392d6316dc1f8
Opcode Fuzzy Hash: 64b8d0522800472e8ca323de285eb35e43769d9b95b458d1c15b8f49a0656595
Instruction Fuzzy Hash: CF1159B29002599FCB10DFAAC845BDEBFF5EF88320F14841AE555A7250CB35A550CFA1

Function 0726D378 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0726D3E6

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b498af9145f640e072d54540809708e773c208bda3a605071c3f521bdc4b3005
Instruction ID: de1343cba1e6c440c7d720434da8be6a68ca7da22494118afec8244ba05aba21
Opcode Fuzzy Hash: b498af9145f640e072d54540809708e773c208bda3a605071c3f521bdc4b3005
Instruction Fuzzy Hash: 821167B19002499FCB10DFAAC845BDEBFF5EF88320F10841AE559A7250CB35A550CFA0

Function 0726D1E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0726D252

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 619fc279953c5e263378480d7218a0a32c6aa2352086a2b52658be68f74669a6
Instruction ID: 9d40ddb1a751be75c3ce388305c0cc1582b6c12207b5dd13d347027c897a5934
Opcode Fuzzy Hash: 619fc279953c5e263378480d7218a0a32c6aa2352086a2b52658be68f74669a6
Instruction Fuzzy Hash: 851158B1D002498FCB20DFAAC5457DEFBF5EB88324F24842AC459A7250C774A984CF95

Function 0726D1F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0726D252

Memory Dump Source

Source File: 0000000B.00000002.1773035777.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7260000_FQDffaysNf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ff37344fcbeb30493db25129356684eb6f6133b858f8fc1d5d4dc010718d1247
Instruction ID: 01e7a547fee8c5e0193d286bf8fe34e1f66d8b35324f13fd5f896a810ffd6408
Opcode Fuzzy Hash: ff37344fcbeb30493db25129356684eb6f6133b858f8fc1d5d4dc010718d1247
Instruction Fuzzy Hash: 69116AB1D003498FCB10DFAAC4457DEFBF5EB88324F20841AC459A7250CB34A944CFA4

Function 00E1B538 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E1B59E

Memory Dump Source

Source File: 0000000B.00000002.1761102212.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e10000_FQDffaysNf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a0f36681ff6a08e73e3e4c443b548d6f1d6d8ca0bb263d9ed578eead789d1fc
Instruction ID: b0ed4b0bbab7eb82335362be70c4e6ff553bb6bad42584add79f5360ec15ec4c
Opcode Fuzzy Hash: 7a0f36681ff6a08e73e3e4c443b548d6f1d6d8ca0bb263d9ed578eead789d1fc
Instruction Fuzzy Hash: AD11E0B5C006498FCB14CF9AD444ADEFBF5EB88324F14842AD869B7210D379A585CFA5

Function 0E9B1198 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0E9B11FD

Memory Dump Source

Source File: 0000000B.00000002.1775288369.000000000E9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e9b0000_FQDffaysNf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1d27ebc7678139e04f57ebcc54a63433e9906391c705d6527168e2883d1ed413
Instruction ID: 1dc89e38fe3d6d64cf16a8edc111ee1efb3c737d98049ee08089a62dc60f274f
Opcode Fuzzy Hash: 1d27ebc7678139e04f57ebcc54a63433e9906391c705d6527168e2883d1ed413
Instruction Fuzzy Hash: 101103B5800349DFDB10DF9AD585BDEBFF8EB48320F14841AD958A7210C375AA44CFA1

Function 0E9B11A0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0E9B11FD

Memory Dump Source

Source File: 0000000B.00000002.1775288369.000000000E9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_e9b0000_FQDffaysNf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6b4606ee8dd041f8f0aedb2e43b57b29ac2ff4f0a7cad3ced5de526f7ca79ac2
Instruction ID: f162b1eb9dd5dfe3dcb272c4697ae5c09d896c950bda79ca7fc0e72e4e19c280
Opcode Fuzzy Hash: 6b4606ee8dd041f8f0aedb2e43b57b29ac2ff4f0a7cad3ced5de526f7ca79ac2
Instruction Fuzzy Hash: CA11D0B58003499FDB10DF9AD985BDEBBF8EB48320F10841AE558A7250C375A984CFA5

Function 00D5D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760727275.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d5d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8ea3889d68e10da59324d079e152b624a4dd4e4908e0f81f9cb3fba1e7e980
Instruction ID: 00915f67257b6774730e271072c14ad39f8c94d3aae0e6cfa64270376869c4cf
Opcode Fuzzy Hash: 0e8ea3889d68e10da59324d079e152b624a4dd4e4908e0f81f9cb3fba1e7e980
Instruction Fuzzy Hash: D4212171500200DFDF15DF04D9C0B2ABF66FB88311F24C169EC494A256C336D81ACBB1

Function 00D5D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760727275.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d5d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819a5ab7c920f7949a38c8f8c4aba17a5890e7e53e06ce2fb98c73d053ec5679
Instruction ID: bcba7c6df79167f11ca9fe95d99ff185ad835fbc7bcfb901d4ed0adebbf40043
Opcode Fuzzy Hash: 819a5ab7c920f7949a38c8f8c4aba17a5890e7e53e06ce2fb98c73d053ec5679
Instruction Fuzzy Hash: 94213071500200DFCF21DF14C9C0B2ABF66FB98319F24C169EC490B256C336D84ACAB2

Function 00D6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760783960.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d6d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629c10b4e24e1ce7d219e893c094cf05078baa7026ccfa055f11e5f8cf97b1d
Instruction ID: dd8df6b7a8636f18c45a6536cd9c752b7980ea069465ad36de81424e1905598b
Opcode Fuzzy Hash: f629c10b4e24e1ce7d219e893c094cf05078baa7026ccfa055f11e5f8cf97b1d
Instruction Fuzzy Hash: BA212971A04200EFDB05DF14E5D0B26BBA6FB88314F34C56DD8494B255C336D846CA75

Function 00D6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760783960.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d6d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a52aad66b21602e30c429ca16fef027ee93009beca535d57f6b9866f6e949cb
Instruction ID: d64dc52d5abb9112ee9d2d8739dbebe98c76e28d962de4a0b7fccf4e5ac42a0a
Opcode Fuzzy Hash: 7a52aad66b21602e30c429ca16fef027ee93009beca535d57f6b9866f6e949cb
Instruction Fuzzy Hash: 1921F275A04240DFCB14DF14E984B26BBA6EB88314F24C569E84A4B296C33BD847CAB1

Function 00D6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760783960.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d6d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb609f7dafee196eeef9619cb1b4ed5ff3f8bdb688283beb9f1d1950c18395f
Instruction ID: e78582fb309b2a8dae42ca3af5720f606e5ad4e1dfed664ce4259ca6fcc3090c
Opcode Fuzzy Hash: 7bb609f7dafee196eeef9619cb1b4ed5ff3f8bdb688283beb9f1d1950c18395f
Instruction Fuzzy Hash: 912150755093808FDB12CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62

Function 00D5D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760727275.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d5d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 35b7a1a7f3c89c002c85387fe65efcc35edbe9d4d42324b7c92293da732ce5c1
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: C221CD76404240DFDF16CF00D9C4B16BF62FB94314F28C1A9DC080A256C33AD82ACBA1

Function 00D5D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760727275.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d5d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6940e1d39e5fd083ba12ac46e6eb33d78c294d963f0a3b11f9e4e540fc183d04
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C5118C76504280CFCB16CF14D584B16BF62FB94318F28C6A9DC490A656C336D85ACBA1

Function 00D6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1760783960.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d6d000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c4d6693f020540643333f9edce83a8dfcbe97ec7eef7e8c20769e25ad88720b2
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D2118B75A04280DFDB16CF14D5D4B15BBA2FB88314F28C6AAD8494B696C33AD84ACB61

Analysis Process: FQDffaysNf.exePID: 7952, Parent PID: 7692COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 05C27F21 Relevance: 16.1, Strings: 12, Instructions: 1135COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C281B3
$^q, xrefs: 05C28377
4, xrefs: 05C28905
$^q, xrefs: 05C28387
$^q, xrefs: 05C2886A
$^q, xrefs: 05C28437
$^q, xrefs: 05C2885A
$^q, xrefs: 05C28801
$^q, xrefs: 05C28811
$^q, xrefs: 05C28427
,bq, xrefs: 05C289EA
$^q, xrefs: 05C281C3

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: 9ef52fa36881a65200bf8937dce4601b38efafbbbfa3075ccde2bda9f109e4eb
Instruction ID: 65b8a2d715e399dd648eecb9c097ddf0681424cbd9c0cedb699153b5ca942543
Opcode Fuzzy Hash: 9ef52fa36881a65200bf8937dce4601b38efafbbbfa3075ccde2bda9f109e4eb
Instruction Fuzzy Hash: 82B2E634A00228CFDB14CFA9C994BADB7B6FB48700F158999E505AB3A5DB70ED85CF50

Function 05C28257 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C28377
4, xrefs: 05C28905
$^q, xrefs: 05C2885A
$^q, xrefs: 05C28801
$^q, xrefs: 05C28427
,bq, xrefs: 05C289EA

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 9827cce2c866732d11000d92f33549e7411f7e2bcd23a4644e619c099a451251
Instruction ID: 544f3919b50b5d1f3df954343ae9ccd4a8d32ed2f6bccc9c9a635709a91e9000
Opcode Fuzzy Hash: 9827cce2c866732d11000d92f33549e7411f7e2bcd23a4644e619c099a451251
Instruction Fuzzy Hash: 8422F934A00229CFDB24DF65C994BADB7B2FF48704F148599E509AB2A5DB70AD82CF50

Function 05C2B3A8 Relevance: 3.1, Strings: 2, Instructions: 635
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pl^q, xrefs: 05C2B590
$^q, xrefs: 05C2B676

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: Pl^q$$^q
API String ID: 0-2677662154
Opcode ID: 68641ef45c28d11e1afeae6d21c7c472f81bc6bfdce9f9e7babbe0375d5f13b6
Instruction ID: 1fa09cafd8773ae900a948e800baa09635d85137b18c6751b1da6bc045863a7f
Opcode Fuzzy Hash: 68641ef45c28d11e1afeae6d21c7c472f81bc6bfdce9f9e7babbe0375d5f13b6
Instruction Fuzzy Hash: 40323734B00219CFCB14DF29C588A6A77F6BF89704B2588A9E506DF3A5DB31ED42CB51

Function 059B8D41 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059B8D88

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f8d707288af3c817d4801c28bbd69303c3528dc0526ab45a64b86d873a5caf92
Instruction ID: 34b954e7efcb63864f562eb8ff891c5a2bc6c1bcbcf1d333571c4c66f24ae607
Opcode Fuzzy Hash: f8d707288af3c817d4801c28bbd69303c3528dc0526ab45a64b86d873a5caf92
Instruction Fuzzy Hash: 7C715C74A01209DFEB44DF69E558BEDB7F6FB88308F50846ED416AB290EB785944CF00

Function 059B8D50 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059B8D88

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 96fbedeb092bd55dfe95a3c6643fd59efc00279fc01a38757d77e268e50d1e9d
Instruction ID: d337a6d32281c1a356857a1fe9bd736ae06fa5d30907b53dffc1f48026404569
Opcode Fuzzy Hash: 96fbedeb092bd55dfe95a3c6643fd59efc00279fc01a38757d77e268e50d1e9d
Instruction Fuzzy Hash: 30714C74A01209DFEB44DF69E558BEDB7F6FB88308F50846ED416AB290EB795944CF00

Function 059B098D Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e717f9e61dabb7832f26b55f22b2f684ec7076a36f38d8de1c3ccdd5e108cc
Instruction ID: 9765fe99aefd97ebfe39d6c4d275e1438886f8d683e70095d6ac01c92683ac70
Opcode Fuzzy Hash: f2e717f9e61dabb7832f26b55f22b2f684ec7076a36f38d8de1c3ccdd5e108cc
Instruction Fuzzy Hash: F302F734A04219DFDB55DF68C998A99B7F6FB88300F1185D9E50AAB365DB30EE81CF40

Function 059BD558 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d168792f292285044651f8cbf22deea502c72b7cf380f3abf49f291d5a5717
Instruction ID: 267fb8bf14320559f2422eec9f9fecdef39ef48d8b8be560d8ca936839d63ae5
Opcode Fuzzy Hash: 57d168792f292285044651f8cbf22deea502c72b7cf380f3abf49f291d5a5717
Instruction Fuzzy Hash: 3EA19C34A0530ACFFB04DB59E688BED77B3FB84309F188169D4059B648DBB99A81CF44

Function 059BD568 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec8d71379fc5517a7aa00b799cc28094c5645cfbba4349c27b3f692eacbc150
Instruction ID: d67b487cebd5c53e70d7b3b6c09eb6cf8e147d207b81c77830802d8de86caa15
Opcode Fuzzy Hash: aec8d71379fc5517a7aa00b799cc28094c5645cfbba4349c27b3f692eacbc150
Instruction Fuzzy Hash: 6AA18C34A0530ACFFB04DB19E688BED77B3FB84319F188169D4059B648DBB99A81CF44

Function 059BD635 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1f75d79a73f14e506d25a95e2fb2588bdee47d0ced3be98c298567f15ffabc
Instruction ID: 596c641ae0e0b0dd48af2a1527f831b0a10631a5f451201fe5ae13cdd5e87209
Opcode Fuzzy Hash: ec1f75d79a73f14e506d25a95e2fb2588bdee47d0ced3be98c298567f15ffabc
Instruction Fuzzy Hash: 6F919C34A0530ACFFB04DB19E688BED77B3FB84319F198169D4059B648DBB99A81CF44

Function 05C2E6D8 Relevance: 4.2, Strings: 3, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05C2EBAD
Hbq, xrefs: 05C2EBDC
Hbq, xrefs: 05C2EC2C

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: 6130b1e4d1016b6ae329ea26cad038cfc0e3f7638382108df19d390857a167c3
Instruction ID: 892a697ff169606f6fe4d5ab09f9f0e6dea025bd8617812dc76e48bcac13dd1f
Opcode Fuzzy Hash: 6130b1e4d1016b6ae329ea26cad038cfc0e3f7638382108df19d390857a167c3
Instruction Fuzzy Hash: 15124B31A102158FCB24DFA9D894A6EBBF6FF88300F14892DD546AB395DB31ED46CB50

Function 05960B28 Relevance: 3.9, Strings: 2, Instructions: 1383COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05961CDE
4'^q, xrefs: 05961CEA

Memory Dump Source

Source File: 0000000F.00000002.1752530981.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5960000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 86fad579496f0394d01090c4b75563582bc03e6b559d3d36c7a4d8abceb5f6c7
Instruction ID: ddae74558f0c0b4016930d014faf79c7e49970a7147a87f7df821358f0abd553
Opcode Fuzzy Hash: 86fad579496f0394d01090c4b75563582bc03e6b559d3d36c7a4d8abceb5f6c7
Instruction Fuzzy Hash: 86A2C434F203158FCF255A696568A3E69EFBFC8740B54542ADA07D7384EE30CC4AD7A2

Function 05A1CFA6 Relevance: 3.1, APIs: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 05A1D04E
GetSystemMetrics.USER32(00000001), ref: 05A1D088

Memory Dump Source

Source File: 0000000F.00000002.1752952300.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5a10000_FQDffaysNf.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: f4eb4531352b014551beb0db0d3faca0429f03438e90d0043d264c0919709164
Instruction ID: 4a35f743291d61e6bee05d73a5b451dd421483df130c57e5ca29c5ea15e9c127
Opcode Fuzzy Hash: f4eb4531352b014551beb0db0d3faca0429f03438e90d0043d264c0919709164
Instruction Fuzzy Hash: F32146B48003488FDB10CF9AC449B9EBFF4EB18318F148469D59AA7290C779A545CFA4

Function 059B0040 Relevance: 3.1, Strings: 2, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 059B02DF
2, xrefs: 059B04B6

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: 9770522cb7f2316829d9b88cd6471824b527ae8ddd910af998b512fd08766d54
Instruction ID: 5657551fc3aa62a7bafe4bd12393d940f73a3b83a2810e046b46030fadefd006
Opcode Fuzzy Hash: 9770522cb7f2316829d9b88cd6471824b527ae8ddd910af998b512fd08766d54
Instruction Fuzzy Hash: 88420C74A01205CFEB64DF68DA88BAEB7F2FB88300F1085A9D50997355EB74AD85CF41

Function 05A1D000 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 05A1D04E
GetSystemMetrics.USER32(00000001), ref: 05A1D088

Memory Dump Source

Source File: 0000000F.00000002.1752952300.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5a10000_FQDffaysNf.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: b901243b720478a004a13758c274a1651bc4a98f9c8991fa83de34cd67688196
Instruction ID: 9af0517cc933380d7d9f295b6efc19fc48659ff7423c177845dfa86d8f0e1bd7
Opcode Fuzzy Hash: b901243b720478a004a13758c274a1651bc4a98f9c8991fa83de34cd67688196
Instruction Fuzzy Hash: A721F5B4C003498EDB20DF9AC44979EBFF4AB08314F248459D59AA7250C775A585CFA5

Function 05C2DD90 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 05C2DFF1
(bq, xrefs: 05C2DDA4

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: e930975014027ddc36e10b3e5333fcb60fbbaead49b0302465ac233514fc9c80
Instruction ID: ed3717518805d71db149535514077cedd9ffd8cc88ae02d9e6b14aeed28c7461
Opcode Fuzzy Hash: e930975014027ddc36e10b3e5333fcb60fbbaead49b0302465ac233514fc9c80
Instruction Fuzzy Hash: BCD157346006128FCB24CF29C584A7AB7F6FF88310B15C969E45A9B365DB30F942CB91

Function 05961D20 Relevance: 2.8, Strings: 2, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059620BD
4'^q, xrefs: 059620B1

Memory Dump Source

Source File: 0000000F.00000002.1752530981.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5960000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 41bb7235804e3c1568b1e17df3aa28fbf39b348c136f76e3dd582a9d11bb92a6
Instruction ID: 78853da9a5804ea00e1102e5fb19b861ec96d9db21652d666548e80b56feef24
Opcode Fuzzy Hash: 41bb7235804e3c1568b1e17df3aa28fbf39b348c136f76e3dd582a9d11bb92a6
Instruction Fuzzy Hash: 72914F38F243248B4E2A2774A06D53D2AABFFC9691354051EF803EB384DF659C0BD796

Function 05C2BC28 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05C2BD4C
(bq, xrefs: 05C2BDA3

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 76e444c9467f225e60cafda3819c19ba2fc209e04fcf8fb56444fdbed46b43cf
Instruction ID: 9e005cf21943d1a76e9e44801f688ce7c3fefefdf18ecb1aafa1e5c0517a121e
Opcode Fuzzy Hash: 76e444c9467f225e60cafda3819c19ba2fc209e04fcf8fb56444fdbed46b43cf
Instruction Fuzzy Hash: 9751BC313046158FCB059F28D854AAE7BB2FF84345F24856AE905CB3A6CF39DD46CBA0

Function 05C29620 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05C297B5
(bq, xrefs: 05C29726

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: b9c1f57709aaba9a04d855e861321961d420b6d8579ecf986e2a39ca0876b24d
Instruction ID: cd305782963df1f99d0bc02206a25d32f8a683e3ebbab234fa33f6e7554812c5
Opcode Fuzzy Hash: b9c1f57709aaba9a04d855e861321961d420b6d8579ecf986e2a39ca0876b24d
Instruction Fuzzy Hash: 2D5167307002158FCB18AF38C89492EBBB6FF99340B24486ED5069B3A0DF35ED46CB95

Function 05C25A78 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05C25BCC
(bq, xrefs: 05C25BA0

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: ac59768baac99c5d652a1447bc5a7ac57dfc0bc8a3923985d71ed0a30d9c7e09
Instruction ID: d291b7c0ec3db8be7701d8217a2abd850893ecf3235ccf115f3ca385a91728a3
Opcode Fuzzy Hash: ac59768baac99c5d652a1447bc5a7ac57dfc0bc8a3923985d71ed0a30d9c7e09
Instruction Fuzzy Hash: B041A7312047518FD724DF2AC49431BBBE2FF85310F108A6ED0468B7A5DAB4E949CBA1

Function 059BF428 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

(bq, xrefs: 059BF477
Hbq, xrefs: 059BF4A3

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: fb610bba38db3dcb1f73f92ec0bb80b798f796aa3f3600327d4f835362e831a3
Instruction ID: a93522a9825c282b59576b445543ccbaa2588aebdd5914a4759cca6afdf139b6
Opcode Fuzzy Hash: fb610bba38db3dcb1f73f92ec0bb80b798f796aa3f3600327d4f835362e831a3
Instruction Fuzzy Hash: 2B212F303082488FC745EBA8DA406AEBBE7FFC5300B1445AAD509DB3A9DF359D06C396

Function 05C2AC20 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05C2AEB0

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 349201cb37ba6cb809a3f75d8972995f3ca15b9b8f689c11faa1dd7a9ca8c572
Instruction ID: 398e215bca71c1096b60c29cd45e697b772bb9b258251f17988f13eb1b5616bc
Opcode Fuzzy Hash: 349201cb37ba6cb809a3f75d8972995f3ca15b9b8f689c11faa1dd7a9ca8c572
Instruction Fuzzy Hash: 35229D75B102149FCB04DFA9D894A6DBBB2FF88300F15885AE905EB3A1DB75ED41CB50

Function 0179CE20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0179CE94

Memory Dump Source

Source File: 0000000F.00000002.1747840309.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_FQDffaysNf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 17238ad96abc697eaf9bc9ca72cf02183890434425ac8bfa3cf02c4bc2a12504
Instruction ID: 1e4a5803042a2a1fce21fcd69899bdf0d7c47be71afce164eb1e9b9e575f4fc1
Opcode Fuzzy Hash: 17238ad96abc697eaf9bc9ca72cf02183890434425ac8bfa3cf02c4bc2a12504
Instruction Fuzzy Hash: F311F4B1D002499FDB10DFAAC444ADEFBF4EF48324F14842AD459A7250C775A944CFA5

Function 059BED00 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

,bq, xrefs: 059BE999

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 95fef76be3d5de70a6fdd60a92a8cc44fd89f5d373f5b4910a0f2abb2e93b6dd
Instruction ID: 603daac3e4ed62330165e559b358c297af948bbfcd32eee3ca0576ce5b9ff5ca
Opcode Fuzzy Hash: 95fef76be3d5de70a6fdd60a92a8cc44fd89f5d373f5b4910a0f2abb2e93b6dd
Instruction Fuzzy Hash: BAE1B175A102288FDB64DF69C980BDDBBF6BF88300F1045EAE549A7351DA709E81CF61

Function 059B90B8 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

Deq, xrefs: 059B9153

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: eea8929a9e1d3bd279fce8cf2c87e1a9af3f6690339363d0df8cddee7ab71344
Instruction ID: ca6ee211768d64e4f7496fca8b34356461cbfb1750978da83fc9029fe8cf77a3
Opcode Fuzzy Hash: eea8929a9e1d3bd279fce8cf2c87e1a9af3f6690339363d0df8cddee7ab71344
Instruction Fuzzy Hash: A4919F34B016059FDB14DF68E588A9DBBF2FF88310F158568E5069B3A5EB70EC41CB94

Function 05C25060 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

pbq, xrefs: 05C25110

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 5aade4fce8632be708546aaa70e38c6928ab663f59ed8fb42e3f1ea00069a416
Instruction ID: 8e086ed95de34e233bb004c8874dccd67bb02525f7d671e30e4118eae6bdb866
Opcode Fuzzy Hash: 5aade4fce8632be708546aaa70e38c6928ab663f59ed8fb42e3f1ea00069a416
Instruction Fuzzy Hash: 99512D76600104AFCB459FA8D914D297BF7FF8C3147168498E2099F376DA32DC22EB51

Function 059BDE10 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059BDE97

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: d6b73011c82025b9bc6cac9dbb577f258902a0d537f91384332397a8c4cd0343
Instruction ID: ea55f386ff5adc3aad1968758efb32d4f7db67a8b7b965b6e20fbba427b9d33a
Opcode Fuzzy Hash: d6b73011c82025b9bc6cac9dbb577f258902a0d537f91384332397a8c4cd0343
Instruction Fuzzy Hash: 5A51AE30B08206CFFB14DB18E158BEE77A7FB88314F658469E5069B795CBB69C81CB41

Function 05C26088 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C2609C

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 963651395af19405c91d91891f32d04167316ab50706471c1d5892b831298455
Instruction ID: 49eab0a2281b81fbe3004302fd4036e4577e9453bda6da031ba6b73f8dc37d38
Opcode Fuzzy Hash: 963651395af19405c91d91891f32d04167316ab50706471c1d5892b831298455
Instruction Fuzzy Hash: 3F418231A05626CFCB00CF59C48496AFBB1FF49320B158695D925AB392DB30F951CBE1

Function 05C29F70 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05C29FBA

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 008b9e8c79f6644e7dca24cb63179b4862a4e481975724d8f41669ec099ab7a8
Instruction ID: 2d6f985776a16418dd7368ba73ffd840beb35e8372619e8fe3490e674818b5c9
Opcode Fuzzy Hash: 008b9e8c79f6644e7dca24cb63179b4862a4e481975724d8f41669ec099ab7a8
Instruction Fuzzy Hash: 8C31923A3081149FCB55CF2AD854A6A7BE6FF89310F194465F916CB371CA35DD81CB10

Function 05C258E8 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C25960

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 18ba5d872d1e341477c1e31f13041cbb2631bcc3d53c9d64b304de8904182c0b
Instruction ID: 2a200124f3b8e70c7ba95882dd3535618cd19779cb257bff3722503aa7cb371f
Opcode Fuzzy Hash: 18ba5d872d1e341477c1e31f13041cbb2631bcc3d53c9d64b304de8904182c0b
Instruction Fuzzy Hash: AA3129353082915FD7065F78D854A6E7F66EF89320B1944BBE905CB3A6CA348C06C7A1

Function 059B17A9 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

TJcq, xrefs: 059B17F1

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: d19fce4c27ddc15fbdf0bc742425f610d9463b9aa1e1312951306e7f4d93ae5a
Instruction ID: 802c6473647dfec0267674a74ce132c89b3bdd692d6d5c3be5156353aef81757
Opcode Fuzzy Hash: d19fce4c27ddc15fbdf0bc742425f610d9463b9aa1e1312951306e7f4d93ae5a
Instruction Fuzzy Hash: 1F3103397042008FE7109B78D5A8B2ABBE6FF89610F0604ADE506CB3A1DE64DC01CB91

Function 059B17B8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

TJcq, xrefs: 059B17F1

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: b35c0eb8baaea2c9ac7d49c734d56b0aceb22b2107e96c96b9848c5a5e8f3cad
Instruction ID: e74b6b84d591862544c69a2dd26daa24a221dfd9a95fc9e1851b0142fd9bb977
Opcode Fuzzy Hash: b35c0eb8baaea2c9ac7d49c734d56b0aceb22b2107e96c96b9848c5a5e8f3cad
Instruction Fuzzy Hash: D631D0357042108FE7249B78D598B2EBBE6FF89610F0644A9E506CB3A1DE64DC01CB92

Function 05C2F3FB Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05C2F441

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d0085cd8b560e6df69cefd3717f688368ab27f468466662407b9c3f77d881b84
Instruction ID: 841904f97f5b301b447362427782522dd5ae2f55db667f0e7edc4783c8ed5efe
Opcode Fuzzy Hash: d0085cd8b560e6df69cefd3717f688368ab27f468466662407b9c3f77d881b84
Instruction Fuzzy Hash: C0319F317101149FCF189FA4D864D69BBB3FF88320B0545A9E6059B3A5CB31DC56CB91

Function 05960AD9 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05961CDE

Memory Dump Source

Source File: 0000000F.00000002.1752530981.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5960000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1d048afe46279493933265d51b37e3d5fe1f65bb094afc91f4cc4ed6d2b19c48
Instruction ID: eb12bbdde4cdc39fd655c936e7487dd7cead04e2c2de9978946efe56c817ee2f
Opcode Fuzzy Hash: 1d048afe46279493933265d51b37e3d5fe1f65bb094afc91f4cc4ed6d2b19c48
Instruction Fuzzy Hash: DD210632A083A58FCB134B34C8647AD7F75BF42714F0A44ABD881AB292D734880AC7A1

Function 059BEFF0 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

,bq, xrefs: 059BE999

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 21d68b6b4d7ce3a010d01cf47d8e5613cb299dc93c9d52235cbc44a76aaa72b5
Instruction ID: 1278da339976e90e573bdc84565dd20a6874e7a273051922761117917459c1c2
Opcode Fuzzy Hash: 21d68b6b4d7ce3a010d01cf47d8e5613cb299dc93c9d52235cbc44a76aaa72b5
Instruction Fuzzy Hash: 69315C71A101288FDB15DB54CA85EEC77BBBB88310F1505D9E609AB361CBB1DC85CFA1

Function 05C29F80 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05C29FBA

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 1905ad8422f9c6b289cc50c5de08d0c83777677cd84d8ce79cd3404bc30f3ecd
Instruction ID: d20f9689d666e8501ef39008cadc29b86bff9ada1db2e132a95013f4a4050394
Opcode Fuzzy Hash: 1905ad8422f9c6b289cc50c5de08d0c83777677cd84d8ce79cd3404bc30f3ecd
Instruction Fuzzy Hash: A02179343082689FCB15CF2AC890EAA7BEABF8E200F044495FC45CB360CA35DD91CB60

Function 0179CFF0 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0179D052

Memory Dump Source

Source File: 0000000F.00000002.1747840309.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_FQDffaysNf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 819950e4b2836619c7363e13b630d3eec481c964e7a2566af9ae75f88eec5630
Instruction ID: f2a64fbf48bc0556a8c0cb6330b99c6666a28423199195c48b6eafc0190265f7
Opcode Fuzzy Hash: 819950e4b2836619c7363e13b630d3eec481c964e7a2566af9ae75f88eec5630
Instruction Fuzzy Hash: 591125B19002498BDB20DFAAC4457DEFBF4EB88324F248429D559A7250CA75A944CFA4

Function 05C2A038 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57cc2a0c6177ba53c8f709e37a0eb3c5c282585d2f36a5422a46a39d285dc1f
Instruction ID: 98cbfc94c4d47dada8989ca2f5481c866a4d8f4352820b0bedcf485ffe59ad89
Opcode Fuzzy Hash: b57cc2a0c6177ba53c8f709e37a0eb3c5c282585d2f36a5422a46a39d285dc1f
Instruction Fuzzy Hash: 56C16F31E11629CFDF15CFA9D884AEEBBB1FF48710F148559E811A7240DB789A42CF61

Function 05C26798 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8348c37ff28b8574c85ffb0f09e71bb582c7de19d687ee82917ecab627325c79
Instruction ID: fd185ba01a173021adcc993c43e5a7f99647f87fa6e07dd026426fce94ac4e95
Opcode Fuzzy Hash: 8348c37ff28b8574c85ffb0f09e71bb582c7de19d687ee82917ecab627325c79
Instruction Fuzzy Hash: 1D915C35B152159FCB05DF65D495AADBBB2FF88301F24886AE402AB391CF35DD42CBA0

Function 05C2C0FC Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7516826507635be00208e6ef01ea9f2e4e75c7f5c83f511c041520ab80c010
Instruction ID: 23344d23b39e819de591adb65fa3a50bba257506dddb0c8de7777f27365b11d1
Opcode Fuzzy Hash: 1e7516826507635be00208e6ef01ea9f2e4e75c7f5c83f511c041520ab80c010
Instruction Fuzzy Hash: 91812875A40628DFCB14DFA8C58499DB7F6FF88710B15886AE816DB360DB30ED42CB90

Function 059B9640 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d7c236a971991df25390815d127a98c322ff16d79e92b7f71c2f090ea3753a
Instruction ID: 81fc399106d8b7d93b490ee9d76c6f0db3d56a9b8b12b11fd139720b40359c37
Opcode Fuzzy Hash: 68d7c236a971991df25390815d127a98c322ff16d79e92b7f71c2f090ea3753a
Instruction Fuzzy Hash: EC511C30B18219CBF715AA599A587BE66EFFBC1350F194439DB06CB384EEB8CC018791

Function 05C26A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0687ee79b6cb835beb2c15294b83f6b71b8144df243bc092915db1bd4f8e5376
Instruction ID: 07ad0b1d38b825ed9570927f9684a25b975bd1cb6c7bd0b09997d212b3ebb87d
Opcode Fuzzy Hash: 0687ee79b6cb835beb2c15294b83f6b71b8144df243bc092915db1bd4f8e5376
Instruction Fuzzy Hash: 7D516135704215DFCB14DB69D885A5ABBF6FB88310F14C92AE519DB390DF71E882CBA0

Function 059B9631 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4cc4b0a4e1e142571871b8af27a69cbfa000566fe2b0440c9fa04f06511564
Instruction ID: b40b8533b497e55b3a2768916f9569382dd6febb9b591050e8dcb38458318089
Opcode Fuzzy Hash: 1c4cc4b0a4e1e142571871b8af27a69cbfa000566fe2b0440c9fa04f06511564
Instruction Fuzzy Hash: C351F930B28115C7FB15AA589A187BE77EBFBC5310F194439DB169B380EEB8DC048791

Function 059BD198 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4394e11118c2c940143446d721e1639b5c0f9187e10fec5a10a5541ca2c9292
Instruction ID: a0d6d588a8a2ba92a947115dcbcde2ffd4c8c1adcbf4217bbd245880724d2eb9
Opcode Fuzzy Hash: b4394e11118c2c940143446d721e1639b5c0f9187e10fec5a10a5541ca2c9292
Instruction Fuzzy Hash: EC519034B09306CBEB04EB68E65876E77A3FB85300F15842DD5029B789DB78AC41CB85

Function 059BD1A8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f18507c35c8f18dd8c6d07e14922e30046748623ea00b4a598c20c16ee40fd9
Instruction ID: 196aa7f434ea91f0f1160d83ac4dff308283226eebf9cedf6515252f70f5df76
Opcode Fuzzy Hash: 7f18507c35c8f18dd8c6d07e14922e30046748623ea00b4a598c20c16ee40fd9
Instruction Fuzzy Hash: 5A518F34B09306CBEB04EB68E65876E77A3FB85300F55842DD5029B789EB78AC45CB85

Function 059BD1EB Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c920ab40fb69651607726ff18ec1b0b896703beeea1bd82d27c07951fcd28fd1
Instruction ID: 6bebf0cb1725723cfb5a2c0cfdbc0f9bf1a9f75f72b7b54badeab7550a6a9d83
Opcode Fuzzy Hash: c920ab40fb69651607726ff18ec1b0b896703beeea1bd82d27c07951fcd28fd1
Instruction Fuzzy Hash: 40518C34709206CBFB09EB18E6587AD77A3FB85300F19852DD8025F789DB78AC41CB86

Function 05C26C38 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59980ddc764bb4ee4d508578a5e219643417f54b6a525073fafdbf7d1939d235
Instruction ID: 44b6e895eca9ec8cd25730f203214b1e07ee32049b5301b045870c6a0a3a560c
Opcode Fuzzy Hash: 59980ddc764bb4ee4d508578a5e219643417f54b6a525073fafdbf7d1939d235
Instruction Fuzzy Hash: BA41A530A00229CFDB14CFA5D8947BEBBB1FF84340F008869D415E7250DB38DA46CBA1

Function 059BF638 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8992f90cb8d3cb619e3193ec65ac156f17f6eb1c6aadafff1ef8b87f71f40ca8
Instruction ID: e14fca78e04794d15004418ca0bd3d146ec4362119216c52655600a264034d50
Opcode Fuzzy Hash: 8992f90cb8d3cb619e3193ec65ac156f17f6eb1c6aadafff1ef8b87f71f40ca8
Instruction Fuzzy Hash: 5A31F536610108DFDB05CF58D998EA9BBB6FF48320F1680A8E9099B372D771ED56CB40

Function 05C25A68 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801bd4e98df6e0de2d47f3673b000e3b9cd2863f0a5f8b49218b8699c07c0c34
Instruction ID: a6f902cb35164ecadf343accdd82b676eda31abebc0d0f0e60cf0837a5510a6f
Opcode Fuzzy Hash: 801bd4e98df6e0de2d47f3673b000e3b9cd2863f0a5f8b49218b8699c07c0c34
Instruction Fuzzy Hash: B1315B71204B11CFD724DF6AD584757BAF2BF84311F108A2DD1A68A6A4DBB0E945CB50

Function 05C24781 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed5493dc9ac0024a0331286e46d3a3198c39b0d7748e65a10fc2933db9b77f9
Instruction ID: 97f2c54e74ad2cbcd719373cb5c5d76ab7f7d7a1cd663b305023a72a9fe9c2e5
Opcode Fuzzy Hash: fed5493dc9ac0024a0331286e46d3a3198c39b0d7748e65a10fc2933db9b77f9
Instruction Fuzzy Hash: 1931CF34B201A9CFDF18CB99E888BAD77F3FBC8310F158469E005ABA94DB345985CB40

Function 05C29613 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1409577d4066c548649514167f167574aa6b6799a39866e82aedd1dea2b00411
Instruction ID: 309e36efa03305343a26f124d1c6a277579d998bb7bc5f696f9bdb21f5d12963
Opcode Fuzzy Hash: 1409577d4066c548649514167f167574aa6b6799a39866e82aedd1dea2b00411
Instruction Fuzzy Hash: A2317134711215CFCB249F35D884A6ABBB6FF95705B10886DE8168B3A0DF31E946CB50

Function 05C24790 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9799447f3cc53f4eed4b3f035051241b8ef2242870cee1eab8de67c0b8a6913d
Instruction ID: 02b344343b8f4ae5f9897759c36e6bed52e9e2918b49fe439bb2acb790ac41da
Opcode Fuzzy Hash: 9799447f3cc53f4eed4b3f035051241b8ef2242870cee1eab8de67c0b8a6913d
Instruction Fuzzy Hash: FD31BC34B20169CFDF18CB59E888BAE77F3FB88710F148469E006ABA94DB345D45CB40

Function 059BDC28 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d762cf3ad084a7062ce998868faaee6d7e1f40047c205076eced0542e6beae4
Instruction ID: 06167094bfa2b43a86c3adabdc96c9697aafff3d8cfd27ec8d917b6e8c2da25d
Opcode Fuzzy Hash: 5d762cf3ad084a7062ce998868faaee6d7e1f40047c205076eced0542e6beae4
Instruction Fuzzy Hash: 95314874A043058FEB18CF69C658BEDBBB2FF88314F148069D406A73A0CBB5AD45CB90

Function 059BF628 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76f49620d3c404c9ad541137da80aac108bff2b9a693230275f2557f0a559fc
Instruction ID: afd78a6cd6f5e5eea0076168c482a7f3955d36025fb80768a8b7a2211ec8b130
Opcode Fuzzy Hash: c76f49620d3c404c9ad541137da80aac108bff2b9a693230275f2557f0a559fc
Instruction Fuzzy Hash: DB213C76A00108DFDB05CFA9D998EA9BBB2FF89320F0640A9E5059B372C771E911DB50

Function 05C24F58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7270e929ba03555d6df2d10509d2af7b4912510e6af45b0d9625877663aca7e3
Instruction ID: 6905cf48a7933e9c4ec920145e5888a5cbe88e00b6b2f4d111a33a02d648e821
Opcode Fuzzy Hash: 7270e929ba03555d6df2d10509d2af7b4912510e6af45b0d9625877663aca7e3
Instruction Fuzzy Hash: C1215B662085548BD7295775881413E6BB6FFD5341B29887FD646CFAC1CE288C02C36A

Function 05C29480 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33b73b88432e28d6e5c7003ddc77cad77579bbf40e7921747a980d134ef52e9
Instruction ID: 044714011704d339633595cfd8b981b3ee6c63c109991b1d711b4b74dfc23bcc
Opcode Fuzzy Hash: e33b73b88432e28d6e5c7003ddc77cad77579bbf40e7921747a980d134ef52e9
Instruction Fuzzy Hash: 2D214831E002299FDB40DEB9D404BAEBBF5EF44244F10847AD91ADB290E734CA81CB91

Function 05C25408 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c685cc2762930cfbb91600d98034a0a55634c5f55670cd2ceb165c799e4628
Instruction ID: d96ead023034fd127f9dfc5d749785d89a051658dfcba92c06768b9a55bfc33a
Opcode Fuzzy Hash: 30c685cc2762930cfbb91600d98034a0a55634c5f55670cd2ceb165c799e4628
Instruction Fuzzy Hash: 83218335A102189FCB159F68C458ADEBFB2EF8C320F14952AE411B7390DE718982CB90

Function 059BE0D0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fadc8cdded9c4b85a5af563d944cb722d3b1aedb799c29d4a44edc8cfb043e
Instruction ID: fe11c63bb72c858edd136ef130cbd56651ac63b8f257da64392ca1972ada3f27
Opcode Fuzzy Hash: b5fadc8cdded9c4b85a5af563d944cb722d3b1aedb799c29d4a44edc8cfb043e
Instruction Fuzzy Hash: B41108317052289FF7219BADFA04AF67BDEEB84760F158066E509CB241EA61EC0187A5

Function 05C2E5A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54cd1fc28affbd1f8f15a4cc449ced5a3adf6dfbcfe8dd4faebc280a2e4f75a
Instruction ID: 4fb62566179d09c21e51ac598b8263183300ab7bcb11ed14416016f6adea2cb9
Opcode Fuzzy Hash: e54cd1fc28affbd1f8f15a4cc449ced5a3adf6dfbcfe8dd4faebc280a2e4f75a
Instruction Fuzzy Hash: F7211731A001198FCB04DF98C585AEDB7F2FF88310F2045A5E405BB365CB72AE45CBA0

Function 05C25418 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa25c7f6bb036c483f98d30682e893010aedcbb46fd5b9a34752c1eaa1a014e3
Instruction ID: 350d6674fbcc7d76496becc2dafc6ca9a87c23b5c54810c2c39f80bc487ba5e2
Opcode Fuzzy Hash: fa25c7f6bb036c483f98d30682e893010aedcbb46fd5b9a34752c1eaa1a014e3
Instruction Fuzzy Hash: AB213035A102189FCB158F69C458ADEBFB6EF8C321F14956AE811A7390DA719942CB90

Function 05C2F288 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6503f6f993a6ae15a802386a998c8cab2935895a4e450b88729c3a7525167be2
Instruction ID: aac63104b08fd7beee68274c40bbb17d78de8d91b8ca49ded62a4589098f3671
Opcode Fuzzy Hash: 6503f6f993a6ae15a802386a998c8cab2935895a4e450b88729c3a7525167be2
Instruction Fuzzy Hash: 1121BB30A00A2AEFCB05DF68C9819A9FBB6FB44300F12C96AD4059B245DB31E995CBC0

Function 05C26C48 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c4d17aac7bff4220a4c5d6cf25340cfa864ce3317b02e7ab2fb98f667d191e
Instruction ID: ea6b3670dbfce52c44f4cda563dc7b2cd9c2bb8413bc0736ac6bf34a3e461c8b
Opcode Fuzzy Hash: 85c4d17aac7bff4220a4c5d6cf25340cfa864ce3317b02e7ab2fb98f667d191e
Instruction Fuzzy Hash: E3215374A00229CFCB14DF65D884AAFB7F1FF88755F004969D909A7350EB35D942CBA1

Function 05C25DF1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d194ae2680c0a515491a1bf2035df65de70d00d4e2d33f9960b5169e2f2a5c24
Instruction ID: 07beb63ca5cd436ad84b7383252d8a347a09df9a8c24e1d147c6d03737eef574
Opcode Fuzzy Hash: d194ae2680c0a515491a1bf2035df65de70d00d4e2d33f9960b5169e2f2a5c24
Instruction Fuzzy Hash: B911A335300354AFDB248F69DC84FAA3BA6EBC8720F15845BF911DB291CA75C911C750

Function 05C24D90 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f349b3f6e01de827d62adecc69ca78ee9a714ebb40fef10ec936ebc5c239b2b
Instruction ID: d463b8f9ef24e8076ddd72915046eafa75b7f244c97cb288e282a35794e18957
Opcode Fuzzy Hash: 2f349b3f6e01de827d62adecc69ca78ee9a714ebb40fef10ec936ebc5c239b2b
Instruction Fuzzy Hash: BE2195306502058FDB14EB68E849B9EBBE6FB88300F40853DD00AD7695DF74A94587A0

Function 05C24051 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41a1bf08c493f60ba57db5c7a9b1d57cf5e987d2f18bda9a1445c8ea2d2a27b
Instruction ID: 4a0945d433776ec12d955969d37bb08b75e2607c7c744895e96416b7fe6aefbd
Opcode Fuzzy Hash: d41a1bf08c493f60ba57db5c7a9b1d57cf5e987d2f18bda9a1445c8ea2d2a27b
Instruction Fuzzy Hash: 7E11A0757403185FD308AB799C99B6B7A9AFFC8610F10442DB10ADB394DD71DC0187A4

Function 05C2E598 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffe7155cc9f5b95eb38779ff56b891ef9a26a71655982b95a6aaa8cb34ee9c5
Instruction ID: 8aab114840c90e25d3be5f4ddf080510e24c36bf4e801976c7c123473dcbb90b
Opcode Fuzzy Hash: 0ffe7155cc9f5b95eb38779ff56b891ef9a26a71655982b95a6aaa8cb34ee9c5
Instruction Fuzzy Hash: 6F21F535A001198FDB14DFA4C695AADB7F2FF88300F2149A5E405BB3A5CB759E45CBA0

Function 05C261C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e42cdaca2b8d8053f7ddd8981414ada8b808ad3a2747aebe745b0e467b2ec56
Instruction ID: 4f82e8956e9689e94200a5cd5e33bfe8651163c18ac23cfb93b629bded153ee8
Opcode Fuzzy Hash: 9e42cdaca2b8d8053f7ddd8981414ada8b808ad3a2747aebe745b0e467b2ec56
Instruction Fuzzy Hash: 4E118F35A142149FCB20DF6998557AE7BF6BB88301F04442AE555EB280DF35C942CBA0

Function 05C261D0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11fe16a15faad7a19852841d1d7066cfbd5e1a031339faeeb86b3d4c2e9be63
Instruction ID: 2b30357ff9877d060e3de2f3abae0b44deb3074c5980ad9f2ae51acec538d59d
Opcode Fuzzy Hash: b11fe16a15faad7a19852841d1d7066cfbd5e1a031339faeeb86b3d4c2e9be63
Instruction Fuzzy Hash: E4115E31B142149FCF24DF699855BAEBBF6AB89701F10442AE505EB380DF71C9428BA0

Function 05C25F41 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83bc3cd6a0ed1b81758e44c21687a2eabea60cd6e4bb0f163a8b4b9dce96e31
Instruction ID: edba75d70176b055f53f9d44fb81e4226737d437f0f12b40166b6c4af0788da5
Opcode Fuzzy Hash: b83bc3cd6a0ed1b81758e44c21687a2eabea60cd6e4bb0f163a8b4b9dce96e31
Instruction Fuzzy Hash: BD215E78A46619AFDB04CFA8D594EADBBF2BF49300F244458F806EB361DB34AD41CB50

Function 059B003F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8796f91ce02cfe0242627392154e3945e30069647459bb788e2f5891da1453d
Instruction ID: f84406ef20467b1f8442f0e6253fe0a76cdba2e82993a6bcbf946f7828dd167e
Opcode Fuzzy Hash: d8796f91ce02cfe0242627392154e3945e30069647459bb788e2f5891da1453d
Instruction Fuzzy Hash: 78216F70E052069FFB24CB68E6887EEBFB2FB85300F1580A9D405A7285DB755D80CF80

Function 05C245A0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4ace99894bfe8a698459df19c714ba04c0cf3491b9abd30a66952f44e53406
Instruction ID: a41176db3daeb13713ab81b36a45b6a3dfc3cda6eb40dc440aa866690cae7fb9
Opcode Fuzzy Hash: 4f4ace99894bfe8a698459df19c714ba04c0cf3491b9abd30a66952f44e53406
Instruction Fuzzy Hash: 98014C313046248BD71DCA96DC8475BB6D7F7C4710F11C83EE24983345CA708C028B94

Function 05C29432 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62afaaae463cac30cbe0e224c6003fe09e9aba71496064cb5ac88b2053e5a46c
Instruction ID: 9e697f4bfe6e314a6690c441d3541398c5a0864e1e56fe2a4d35e2beed4c0d11
Opcode Fuzzy Hash: 62afaaae463cac30cbe0e224c6003fe09e9aba71496064cb5ac88b2053e5a46c
Instruction Fuzzy Hash: 3E0171B6D00256CFDF10CBA989457AABBB0FB54321F588896C119D72D1E3398681CB90

Function 059B3083 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7aed4ca986dbe78cd93e0d08a005321645c70a6eec8ee29e3fccf38b5b623e6
Instruction ID: 45b8f7a94d3ade6e1c459f3e5b45eafb904143ae6d56f022f10a656a62e88b94
Opcode Fuzzy Hash: f7aed4ca986dbe78cd93e0d08a005321645c70a6eec8ee29e3fccf38b5b623e6
Instruction Fuzzy Hash: 6C01B139A0C254CFFF01CB94DA886E9BBB1FF01310F494DA6D84697195DBA0A9068741

Function 059B2A40 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7c825bc4383b54e8eac579cf249b95c64045dae3865fff7cd55711fc51910c
Instruction ID: fa84e05b85b951cb524d84118693d761b8bfe1c9f4152d143c811a355dd64c7c
Opcode Fuzzy Hash: ea7c825bc4383b54e8eac579cf249b95c64045dae3865fff7cd55711fc51910c
Instruction Fuzzy Hash: D801DB7AA0C211DFEF23DBA5DD446EEBBA5EB45210B0941BBD409E3281DB749A018791

Function 059BF400 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c77c3b7c0b72b8f015c03be5761506da2ea951e0011f0e9577856e26ace489
Instruction ID: 7cdd6109ec1af14b42f1f192f71e0d3c5d0f5a5acb99c9f89763a1080724fb56
Opcode Fuzzy Hash: 31c77c3b7c0b72b8f015c03be5761506da2ea951e0011f0e9577856e26ace489
Instruction Fuzzy Hash: 2701D1713001018FD700AB58CE98AA9F7B6FF84364B058475E5088B3AAEB30D985CB50

Function 059B4ACC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adcf0da9e5a12b3da57abb20552e3e8c4b3c89c156ea87e7e89659829f266f1
Instruction ID: 6dd92c93be9767d21507f6adc4ed067c71b76950d6729bacb6fd7002a1131e09
Opcode Fuzzy Hash: 5adcf0da9e5a12b3da57abb20552e3e8c4b3c89c156ea87e7e89659829f266f1
Instruction Fuzzy Hash: F1113930A05219CFFB249F24CA84BA877B7BF94301F150AA9D50A9B382DB709D81EF51

Function 05EEFAE8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1754447808.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ee0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d3e9e7d34646195d129570368d81d8a1f799253561ee5957f44d280fb649ff
Instruction ID: 35184cddca5a52001ebcac2019396ec4ab0d15c7006b9c6c7fd6512a3eb52911
Opcode Fuzzy Hash: 05d3e9e7d34646195d129570368d81d8a1f799253561ee5957f44d280fb649ff
Instruction Fuzzy Hash: A40181353405149FC7089B28D468A2EBBA6FBCD721B108228E90A87394CF36EC43CB91

Function 059B9400 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485446afa9b9cb78927701774c8c33123ab1e4d929fafb681fa38f510eb1fe30
Instruction ID: ef789af8ef0c8843c6766e733514cc2c22a96a609d9bf9a567b3022dac5b5d30
Opcode Fuzzy Hash: 485446afa9b9cb78927701774c8c33123ab1e4d929fafb681fa38f510eb1fe30
Instruction Fuzzy Hash: EDF065617002186FD30865BE5D59B7BA98FEBD5650F14843EB20DDB395CC62DC4A43E4

Function 05C246FD Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01d2c8f5c949d697cf866dd2839733a2cba1b7966ed7b6e51a55fb3699e2fa7
Instruction ID: 4434e607d4309f491aef908e62f980ee7ff0d85210c6d75eb69ab2c2e7c6ac17
Opcode Fuzzy Hash: c01d2c8f5c949d697cf866dd2839733a2cba1b7966ed7b6e51a55fb3699e2fa7
Instruction Fuzzy Hash: 29F0C238700565CBDF1CDBAAA49473926A3BBC1612F15C8A8E61587A44DF748C41C704

Function 05C252A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7c16b1fe362d81f1c30b5bce0f4f9967a57f8aff0f6bd40173edc3c259fd3a
Instruction ID: 7a9ca081802bf67cadef418ba2f639ce82d7550e9d6c79ad27537c59c6816427
Opcode Fuzzy Hash: 4b7c16b1fe362d81f1c30b5bce0f4f9967a57f8aff0f6bd40173edc3c259fd3a
Instruction Fuzzy Hash: CBF02472B0E2A11FE3161778686432A6FA29BC6204F1808DAC0828F2E6DA56DC03C350

Function 05C25238 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35816337c446a542c536fe7caad89db76eafae774b8fc040877060777642cf8
Instruction ID: 6134c8622c11b2029c26991b5f1be5c7bddbf5f5008649ea021a031ad90a58f2
Opcode Fuzzy Hash: e35816337c446a542c536fe7caad89db76eafae774b8fc040877060777642cf8
Instruction Fuzzy Hash: 10F04632B091215FE3148698981472FB7A9EFCC310F08446AD449AF3D5CA71EC418BC0

Function 05C23FF0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645d1e3fa3973a317c5a8a60ff55d01e7702f7e0787dd3afa6bf631141d6ed24
Instruction ID: b20545ea8bfeb32f998eb5506b364bb184ee89d2de1a45805362cd0f28284ab1
Opcode Fuzzy Hash: 645d1e3fa3973a317c5a8a60ff55d01e7702f7e0787dd3afa6bf631141d6ed24
Instruction Fuzzy Hash: CDF067AA21D7C84FC3024B789C163407FB68B0B515F4E48D7F0C8CB2A3C618A919832A

Function 059B2A50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854f97784bc573630b4280f96afcd9532a39b1ab4497fa84ca278135f965a94f
Instruction ID: 254b8d3e4740733fd311f98886227d45255812032af585cf50707a43053b6079
Opcode Fuzzy Hash: 854f97784bc573630b4280f96afcd9532a39b1ab4497fa84ca278135f965a94f
Instruction Fuzzy Hash: EDF0FC76E08115DBFF22DF99D9045DFF79AEB84620B09817BD509E3180EB704A018791

Function 05C2F33F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e58999c71c175ff245e9326a0081912518f23c35016afdf0e17f1ae1869a4de
Instruction ID: a0f3c313bc985863956d0432b3ecbc26d7cc94cb8a17031ae8f6b87aae307b84
Opcode Fuzzy Hash: 1e58999c71c175ff245e9326a0081912518f23c35016afdf0e17f1ae1869a4de
Instruction Fuzzy Hash: F9F0241120E2AD8FDB2106693C9179D9BB1FB85350F1A107FE452D7386D9188846C3A2

Function 059BFDF0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a55721f2a1be01c1971d5dbb14def289bebd99101b14b0d09c495698da0a5d4
Instruction ID: 5470af248d89325bee9edf0aa569d1e7bfa9e4ea85fcf824a7c4f5906861c06d
Opcode Fuzzy Hash: 8a55721f2a1be01c1971d5dbb14def289bebd99101b14b0d09c495698da0a5d4
Instruction Fuzzy Hash: 34F062353502009FC7049B55D858E2A7BAAEFC9721F144169F906CB3A0CA31EC43CB90

Function 059BE0C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43dc1ace5f30b7ba364a9fd29d6d6f2ffb614cf5857437d6414f77a365bb60e
Instruction ID: 212cdf8725e4534bad6e9f75b70f6cdd450a23a8f9e4bfb3c62ca83fbe275487
Opcode Fuzzy Hash: a43dc1ace5f30b7ba364a9fd29d6d6f2ffb614cf5857437d6414f77a365bb60e
Instruction Fuzzy Hash: D3F0F631A043159FFB308B98EB04BF13B9EEB887A4F568015E4059B240D660E8428B95

Function 059B302A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457c96fdeccbeddf26b866bc2faaadcc502fcc83441fd15a41b70ca22bd7fb5e
Instruction ID: 5f3764e0077c09c9a7de5075810b8393657898d25419260e1cca05ae0af87341
Opcode Fuzzy Hash: 457c96fdeccbeddf26b866bc2faaadcc502fcc83441fd15a41b70ca22bd7fb5e
Instruction Fuzzy Hash: DEF0493AE08224DFFF04CB84D988BADB372FB44321F464DA6E90567395C7B4AD458B81

Function 059BC042 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb402acd54a1213c4613445c0932d3c98941dc5117cc8bd61e30a7ab2fc1b00
Instruction ID: 7787de234d8e82d9c9209aab77e72124588cde1674b3ee924e4c39b296b3ba7b
Opcode Fuzzy Hash: 5bb402acd54a1213c4613445c0932d3c98941dc5117cc8bd61e30a7ab2fc1b00
Instruction Fuzzy Hash: 27F0A77290930DAFC701E6E4DD4269DB7FBCB45208F4480E7D508DB251FA31D9058781

Function 059BFE00 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277f51e96ea2bdd97be708f2acba93fec59cdc97f4c8672c4743023e844c476f
Instruction ID: 33d6c6e625f60aa3122dc017d2f171a1b6e0c0a6985af30bb3476a3a325b3983
Opcode Fuzzy Hash: 277f51e96ea2bdd97be708f2acba93fec59cdc97f4c8672c4743023e844c476f
Instruction Fuzzy Hash: DBF0FE393606109FC714DB29D458D2ABBAAFFC9761B154169F946CB3A0CA71EC42CB90

Function 059B9410 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1791583df129a68da71ef37a74e97d4b6c4b11be8405644537e9df706a3552ac
Instruction ID: 16f47e4a2b72c4213ad0013640b99cb236818591de8062884ae86fcc15a5d835
Opcode Fuzzy Hash: 1791583df129a68da71ef37a74e97d4b6c4b11be8405644537e9df706a3552ac
Instruction Fuzzy Hash: 3AE048217002185BD71C667F5C58B3BA98FEBC5A50F14843EA10DDB395CC62CC4543E4

Function 05C27E21 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6155a9ad20b13b8c2620ab655208bd8704bcbbecbae0eea7e3504625d37952
Instruction ID: b461fb6eb73b477fd4d3b12a8895b9b43e9fa264165e302e558d399e9bfdfb84
Opcode Fuzzy Hash: 8b6155a9ad20b13b8c2620ab655208bd8704bcbbecbae0eea7e3504625d37952
Instruction Fuzzy Hash: EBF08231A04218DFDB19DB94E48839C7FF6EFC4711F05C4A6E006A6280DF740B82C780

Function 05C2F3AB Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9fc960e46946f89a7b64eeeedaee81a539459088df5b439a8c2369820e2075
Instruction ID: 427546f015d022f6f2c8ecc8f04f9e6a374d24066d31975aff4cf0463c96f91c
Opcode Fuzzy Hash: 8e9fc960e46946f89a7b64eeeedaee81a539459088df5b439a8c2369820e2075
Instruction Fuzzy Hash: 40E065312102059FC7109A3AED9894FFB96DFC0360B04963AE01987625CE70DD8A8791

Function 05EE6FDE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1754447808.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ee0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe88b59284dbb0e518a10525c21c5d5024dbed748778a44cbaaac2f294f27ec
Instruction ID: 49c9f0d1713aa7e5d9af4b24c8ff1169099a4000c42f85cf46c3d0354a0c331c
Opcode Fuzzy Hash: 5fe88b59284dbb0e518a10525c21c5d5024dbed748778a44cbaaac2f294f27ec
Instruction Fuzzy Hash: 2901B278E15218CFDB69DF28D894B9DB7F2FB88310F1042EA9509A3355DA345E80CF51

Function 05C24F48 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231a96b61eb4b8caf52a1353017d90584eef2f053a75350bf107e698ac6f6223
Instruction ID: 809040d3dc009168fa0902d134205cdc44f0d67225540cf1e1dd4334168e5d3f
Opcode Fuzzy Hash: 231a96b61eb4b8caf52a1353017d90584eef2f053a75350bf107e698ac6f6223
Instruction Fuzzy Hash: 36E0203721C26417C72602599C56527BBFDDBC6751704005BF586CB250CD58880483B5

Function 05C27E30 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362c26a15fb1a73c9c054acc14ddaa9a2ae01d6d450a588201053226812ee617
Instruction ID: f16638c77c5da174fc9a9636e6e24582fa786b265e20ef28b60984c6d293a11c
Opcode Fuzzy Hash: 362c26a15fb1a73c9c054acc14ddaa9a2ae01d6d450a588201053226812ee617
Instruction Fuzzy Hash: 23F06531A08218AFCB09CB94D4896DDBFFAEB44710F04C496E00693240DB701B81C784

Function 05EE5F1B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1754447808.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ee0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06444aec828908ad7cda9be40e6bfe21b7a3d754762d315f6367114d29489d72
Instruction ID: 5cb77cc5b6d7a81d26c0d6f899e0dc7f7b82e556575087b9e3bbbde6ecdb920f
Opcode Fuzzy Hash: 06444aec828908ad7cda9be40e6bfe21b7a3d754762d315f6367114d29489d72
Instruction Fuzzy Hash: 65F0C434A05219CFD756DF68D848B89B7B6FB88305F1051E9A50DA7385DB346E808F51

Function 05C2F3B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc2ae0933497e281a3a9d8d9cf11dab9c65fe2d5cde826b2b74048a8ec930c1
Instruction ID: ce1bceb9c2c9f8447913865c076a0663e254f7751cadf7d0233b7d64782e7b87
Opcode Fuzzy Hash: ecc2ae0933497e281a3a9d8d9cf11dab9c65fe2d5cde826b2b74048a8ec930c1
Instruction Fuzzy Hash: D5E012313103055FC7109A2AE994C4FFB9ADEC03647109639A11A87625DE70ED4A8690

Function 05C29820 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdfd4e36bd636eb338e4d1fb1158b81412cba41a94c2e9abff760f1f3bdded4
Instruction ID: 79d7f2a586a13554498d2eb8d81328a1006a98c2a28782edb734552bab9b5612
Opcode Fuzzy Hash: acdfd4e36bd636eb338e4d1fb1158b81412cba41a94c2e9abff760f1f3bdded4
Instruction Fuzzy Hash: 00E0CD317443389FCE20A5649800BA673DE9F45714F254C6AD6059F7C4DD71E8818761

Function 059B95F9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc793586cdbece41fa3af022fec3691c86f89c88fe91f6fd0c7b6a2ebef602de
Instruction ID: 33d40a25726656f03c3ea8c6169a8facab9e42104be74461219f453b15bc9f7c
Opcode Fuzzy Hash: bc793586cdbece41fa3af022fec3691c86f89c88fe91f6fd0c7b6a2ebef602de
Instruction Fuzzy Hash: C6E08C762041586FC300CA99CC52FA6BBEDCB8D520B08C05AB994C6242C466EA1287A0

Function 05C248D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d047ca6ee45f40413edeb4ff56ec680fbaf79835d18fb0289437ae9518631be
Instruction ID: 46cdb489de4f08e1bcd83296356385a0f339811521fdb857ba67300b7f93c4b8
Opcode Fuzzy Hash: 0d047ca6ee45f40413edeb4ff56ec680fbaf79835d18fb0289437ae9518631be
Instruction Fuzzy Hash: 35E04F71A00109EFCB40EBA8FA5575DB7FAEB88301F50856AD808A3341EA716F049791

Function 05C24D20 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b6cfa5cc037f1df6e4ffc3123f7c1932a90e762a07c5bebf3c71245ccddefc
Instruction ID: 60235126effd2cfa6e38a439dce1e58cf510db4f38c6094ce5faa7e7876fb5bd
Opcode Fuzzy Hash: 72b6cfa5cc037f1df6e4ffc3123f7c1932a90e762a07c5bebf3c71245ccddefc
Instruction Fuzzy Hash: A6E0D834605285DFCB01DFB4A990BAD7FB2EF55204F0650EDD5489B2C2D6301E01DB65

Function 059BDDD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18457407872415c5eccc9aa16ada58d3a2cc8bea9a9fc5c0185e33e36f4a9eb9
Instruction ID: aeacd02f0b004596f5b4cc4186a637961c0cd553b76b81ebff8982f42d105ff6
Opcode Fuzzy Hash: 18457407872415c5eccc9aa16ada58d3a2cc8bea9a9fc5c0185e33e36f4a9eb9
Instruction Fuzzy Hash: 94E08671801304EFC711CF7099046DABBB89F15205F1040FDC809C7202DA328A02DB51

Function 059BDDE0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155984bd3a17adfe5f9d3be12f8a064be1621a1570a6f53d6124af3d7fa45d8f
Instruction ID: 7ff702f53448cd32f251ec0ea23afba1b1efc08f6a45152177e71be0c18237c0
Opcode Fuzzy Hash: 155984bd3a17adfe5f9d3be12f8a064be1621a1570a6f53d6124af3d7fa45d8f
Instruction Fuzzy Hash: 47D01772A0530DEBCB20DEB099015AAB7ACEB05515B1005E9DD0DC3240EE32DA11DB91

Function 059BBFE2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ff477ed7e8d46dab9df486292934ee14273e1e64f6130720698bd59f7ffab0
Instruction ID: 7e2b3820fdad7132f24240d9743b17682fa3ad41cedf82cef9563e11d58a47f0
Opcode Fuzzy Hash: 19ff477ed7e8d46dab9df486292934ee14273e1e64f6130720698bd59f7ffab0
Instruction Fuzzy Hash: 98D05E366041189BD200A694F9427A8B3A7D78862CF14C05AF50C8B741EB32980289C4

Function 05C24D30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930867a47b5212d3f78102818855333ce92598d0b3c5d45346e037dcd2572f46
Instruction ID: 8c6b6dbc840c5b39e172ddf1e56792fe0e24bf18f06e39da2d582d54c7d06e99
Opcode Fuzzy Hash: 930867a47b5212d3f78102818855333ce92598d0b3c5d45346e037dcd2572f46
Instruction Fuzzy Hash: 1BE01230A11209EFCB00EFB4E955B6EB7F6EB94300F5155ADD5049B380EA717E01D791

Function 059B9DF0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7025dccd102ab4063b01cea38d378ef20b4dcb16cff2bb51d9cbc98069360d7a
Instruction ID: c785d1c83afddbd53b6b2c5560ba8d74c9198e1bffb024b4ce3841ec9925dd93
Opcode Fuzzy Hash: 7025dccd102ab4063b01cea38d378ef20b4dcb16cff2bb51d9cbc98069360d7a
Instruction Fuzzy Hash: E3D0A97634020A1BD700C5A9DC83B61B3AACB8CB10F18C03DB908E3346C936EA1791A8

Function 059BBF62 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22f214b30e3064df9a211773c1addcc0555d24331048741f4157f3a3dc31ac1
Instruction ID: 3d860b8a090b0fbaeb359ff3672ec23a1380abf33ca00f160037e2a8d726bef1
Opcode Fuzzy Hash: a22f214b30e3064df9a211773c1addcc0555d24331048741f4157f3a3dc31ac1
Instruction Fuzzy Hash: 4DD0A93270A22887C3002598EC0378AB3DBD38A265F19802AF60493382CD649C0242DE

Function 059B9078 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef7f5f0ee0dbb5cf1d8925e406b41799d5eb4dec8dbecbd1eea3246711cf62e
Instruction ID: e15c19205dc8c4155fbc5298f44967800c7317ff6cfc5cf2877d290a332bc815
Opcode Fuzzy Hash: 9ef7f5f0ee0dbb5cf1d8925e406b41799d5eb4dec8dbecbd1eea3246711cf62e
Instruction Fuzzy Hash: 76D0237250D21497C7011354DC1134BF14FEB45214F054039F709C73C6DD65590083DF

Function 05C248E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253b43843e8f44047e3e9e946c5b2e62f010c60d485a49977e66de8ee6c0d64b
Instruction ID: bb7db961b705e25a438e907eacc9caeb4f783ac3b11e1bbe1258c934d6a81430
Opcode Fuzzy Hash: 253b43843e8f44047e3e9e946c5b2e62f010c60d485a49977e66de8ee6c0d64b
Instruction Fuzzy Hash: DEE01231A0510DEFCB00DFA8EA4165DB7F9EB48300F1045ADD808E3301EA716F109791

Function 059B9608 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction ID: bb559cd9e63285f842ffa59cec69cfb130f4eb354ed15726ef19bdad66fad4c8
Opcode Fuzzy Hash: 61cb6eb0c2bb6e897218618b6b5390077a8f722db0d7936c049c9ac793e91f32
Instruction Fuzzy Hash: 63D05E322041686F8300CA89C810CB6BBEC9A8D120708C05BB958C7241C976ED0287A0

Function 059BE1D7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93cb29fa26621107a1ad62a8a674512986e1bcf79ac520468290e3b9233c178
Instruction ID: 172906b29d971b48c0681d809cf47d85b884d2dc93edf4286e2b1be0a914bb8e
Opcode Fuzzy Hash: c93cb29fa26621107a1ad62a8a674512986e1bcf79ac520468290e3b9233c178
Instruction Fuzzy Hash: C3D02B317087428FDB22A729BE2418B3BE55FC8700725457AD045D7346EE10DC0787A2

Function 059B9049 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cd8490b3cf8301cb356245edeeb4361d78df99dcd6237ea8d4476f780b6606
Instruction ID: ea0641fd425cb40a2836c0f7d21ca8a76693e055b6a75ec995a97c3502979873
Opcode Fuzzy Hash: f9cd8490b3cf8301cb356245edeeb4361d78df99dcd6237ea8d4476f780b6606
Instruction Fuzzy Hash: 96C08C8320A20E03EA0331E8BC0635AF28EA384A29F598035B70C4278BDC11E52901AE

Function 059BB238 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfb22c1422db5607a2548baebd4682f848a21842053ed10761b27f1ea983d1d
Instruction ID: a1299bcff2aa8dff20277e5569d97029f8e9f10444941a38256bf0981513cc2b
Opcode Fuzzy Hash: 4bfb22c1422db5607a2548baebd4682f848a21842053ed10761b27f1ea983d1d
Instruction Fuzzy Hash: C1D0C7B2144204BFE7318D55CC03F517B58EB16770F250251F7109E6F1D5B2F4104658

Function 059B1BA3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb540fa5dad39ac490593954ffa1a1601f3fc9bb56ffdf74187c9baee4931c
Instruction ID: 5fd526fc005d6f6d9a215b17344b3d0b0880819636ad20e5aedcc5f747c0c562
Opcode Fuzzy Hash: 46eb540fa5dad39ac490593954ffa1a1601f3fc9bb56ffdf74187c9baee4931c
Instruction Fuzzy Hash: C9E08C35B06313CBFB11AB28E52876D33A2FB86221F114028C90253344DB749C01CB86

Function 05C2372D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b984526177beb31c85a92038aaa3b34cce02672633445d62c95970f2d2a1be
Instruction ID: 18317d07d422174d858d90ae4bf19a28b1a43648582d6ff744e7b88d39273d6f
Opcode Fuzzy Hash: 93b984526177beb31c85a92038aaa3b34cce02672633445d62c95970f2d2a1be
Instruction Fuzzy Hash: 53D012B4B2566ACFCF14AA15E6485352677B7C4F10B248D6AC0011B109EA799D454E45

Function 05C29450 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450371d3da23f87f1abf4eb874e5045f774478bf12b517632888fbf6f6c1d35f
Instruction ID: d62dddda856a84a3a037cc78f6bdee80bbdf88a0824dcd3ae4be39e5a269540b
Opcode Fuzzy Hash: 450371d3da23f87f1abf4eb874e5045f774478bf12b517632888fbf6f6c1d35f
Instruction Fuzzy Hash: F4D0A7734181488FFF01C364CC99B552B70EBA1740F458496D049DB1D1D63198C2C610

Function 05C22ED7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa0db98cca614cef92bb57de8d992eec6012b696da3999b04c4dc17b4487125
Instruction ID: 2433ae0c3915afc84af83978806a4b3ab8ced5cd00036d8718fbdcc9c6266dd0
Opcode Fuzzy Hash: 3fa0db98cca614cef92bb57de8d992eec6012b696da3999b04c4dc17b4487125
Instruction Fuzzy Hash: C7D05E31D19762EFE7018A5058586B5B7A2BF06340B480C6BEC8296045F3288E15C647

Function 059BFDC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4242d2d9c07551b047ec7c85c35c4f1fe86417bcdd95ec1b322c77c596af32
Instruction ID: ae33a6a88946d173ebc28cd2f92ac84f4463ca9da671f7255e18319dcfc51c5a
Opcode Fuzzy Hash: cc4242d2d9c07551b047ec7c85c35c4f1fe86417bcdd95ec1b322c77c596af32
Instruction Fuzzy Hash: BFD012B7150214AFC7809B14EC45F91776DDB15320F255651F504CB332E237ED109564

Function 059BA121 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ef022c1d00aa1b869dd58dd04222802cc1cbcca772923b4beab1a034c740c1
Instruction ID: 274f52a5907d46cf4b3d0c8c385e69b49824930a77032c55e6c8c116a3140852
Opcode Fuzzy Hash: c3ef022c1d00aa1b869dd58dd04222802cc1cbcca772923b4beab1a034c740c1
Instruction Fuzzy Hash: 3FD05E30E24214CBFF10EBA0DA046EDB3B5BB85211F110C39CA456B140D7B1BC028F92

Function 059B2B30 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2875e4c04fd3367e4b565430b0feb44120db59a98f3227ab713a173eb481df87
Instruction ID: 2fec3029967938871f17f3cba852f13b0ca326e39a9ce1d0554adc0ea326f109
Opcode Fuzzy Hash: 2875e4c04fd3367e4b565430b0feb44120db59a98f3227ab713a173eb481df87
Instruction Fuzzy Hash: 00D0A7750482C05FC302CB94CEA38957F606E4229470E40DBC4C48F5A3C7159221E701

Function 05C2466F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e6bad5d3eb958fa7072a4169354ba7ec180f80e0962fca62df6abd1bb7f6c
Instruction ID: 06931d3ec54aef61490a3c3af71851d88c158e464cd672a8b057ddd1d5564f46
Opcode Fuzzy Hash: 610e6bad5d3eb958fa7072a4169354ba7ec180f80e0962fca62df6abd1bb7f6c
Instruction Fuzzy Hash: 16D06C35100208AFCB859E65D849FC6BBA9AF19328F5180A8F9088E222C633D8169A41

Function 059BBD42 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69655274a27eeb467d9c53be6b71ed0ff3aeb391aac50e869970f33b6ce8799c
Instruction ID: 565f6280d5b54231162ea1fc3090a1951fb4ae034b1e6437bfe33d496e5ab7cf
Opcode Fuzzy Hash: 69655274a27eeb467d9c53be6b71ed0ff3aeb391aac50e869970f33b6ce8799c
Instruction Fuzzy Hash: ADC04C7A2041085BD344D5E4D853B19B39AD788618F58C069E95CCB341CA27EA178598

Function 059B1FB0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3403269b033d232e1db16ddf67d2cf2f3d1d376fe350c7e8fbb17fcda04f2789
Instruction ID: ffd8e9c6f22956e30225927a6b9c92b06088495bb9a942bcddf3a15a0425b455
Opcode Fuzzy Hash: 3403269b033d232e1db16ddf67d2cf2f3d1d376fe350c7e8fbb17fcda04f2789
Instruction Fuzzy Hash: 77D0C971A082408FC346C794D865659FFE29F96314F1984EF9449CB262D6629812CB05

Function 059BBF70 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af3b326014333070a987df03343d45c3b0033d826d6e0e0790a47c46d649b76
Instruction ID: aba751f23f2500425680a2e2467484bf6e11cc181e1237fddacffabc5102e83e
Opcode Fuzzy Hash: 0af3b326014333070a987df03343d45c3b0033d826d6e0e0790a47c46d649b76
Instruction Fuzzy Hash: F3C0123170A228C786052688B804A9EB6DAE78A669B11402AEA0993786DE645C0147DA

Function 059B3950 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de047b08e623d29cf1d0d4163c9e3f3786d03f5da60697f2e9b2f9f8767446d
Instruction ID: cbe1feeb6e482d098b1d438741b335d4a8d9259bbd5f8b0ad64ac2c5c812a0a5
Opcode Fuzzy Hash: 7de047b08e623d29cf1d0d4163c9e3f3786d03f5da60697f2e9b2f9f8767446d
Instruction Fuzzy Hash: 79D0A77910C2C45FC301C798DDA25467F505E8225470E45DED0858F053C3148621EB62

Function 059B8B41 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6af8f3c108862ae55d36f3b61003c5f8b209559eb5b070a8bd883ea1396315
Instruction ID: 67204d66b72bc63708c6447178ae5b53d6e91aeaf0e2f57d4c3399aca90dfb3b
Opcode Fuzzy Hash: 1e6af8f3c108862ae55d36f3b61003c5f8b209559eb5b070a8bd883ea1396315
Instruction Fuzzy Hash: 43C08C3110D2084FC200C2A8DC82B05B7ADDB84204F88C0ADE90CCB306CB67F807C295

Function 059B2A21 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497e7601ee31c39d42caf913b05981fcf3e73825def25ca687e0111b7fd458ae
Instruction ID: c6020bd94b3a0a716af6524f873666880d1b02a7ac27258fee9d966027f225d8
Opcode Fuzzy Hash: 497e7601ee31c39d42caf913b05981fcf3e73825def25ca687e0111b7fd458ae
Instruction Fuzzy Hash: A2D0123450E1448FC342CBA8DD52C44BFA1DF861143188AEB900CCB676CA26E916C751

Function 059B9E00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 059B6990 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa552ca9ceeabb40b2255afb12c57deda3286d61b2171f3dd182edf441c3ba5
Instruction ID: 9ee8ddf882c9f27e9575fa720e774089587e6929afd4352ee5c8924215a2d6a4
Opcode Fuzzy Hash: 0aa552ca9ceeabb40b2255afb12c57deda3286d61b2171f3dd182edf441c3ba5
Instruction Fuzzy Hash: 83D012FE0501555BC300CA90D5D6B57BF11AB64354F19809DD4894F152C3268662EA64

Function 059B30A9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144635b8fdd003b93c0045f21c2ff814f342f908ffd0ed0881e49ceca3ebdeac
Instruction ID: 9fd0b025d6a37092243de554a0fc9a41da6c9e03540c1e6d1631f526acff4ab2
Opcode Fuzzy Hash: 144635b8fdd003b93c0045f21c2ff814f342f908ffd0ed0881e49ceca3ebdeac
Instruction Fuzzy Hash: 0BD0C934709105CBEB01EB98ED5876EBBABFF90200B0884A96206D7298DFA09C008B61

Function 05EEF880 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1754447808.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5ee0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 059B5D22 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9958520028a2202cf51bfc897bdab8a16d2d41838eaa9bc240e4ae626a4f7996
Instruction ID: a244f205c08dfb21b6aeafcf39f1a317c6bed9386a9357f0fad5a8e47bfbda75
Opcode Fuzzy Hash: 9958520028a2202cf51bfc897bdab8a16d2d41838eaa9bc240e4ae626a4f7996
Instruction Fuzzy Hash: 91C08C353080040FC746C6F5E802788BB22DB88214FA8C0BEE08CC7322CA338A178A00

Function 059B69A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 059B3960 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 059BB248 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 05C236FB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650af61d9c06b5722cea3bb502f050a436e3b2b51e0d392c2166fdd88fc8644d
Instruction ID: bbf422dc633f068cd8b7f2b19a524217df899ca3aa36bc526e3f82a02b8dcd28
Opcode Fuzzy Hash: 650af61d9c06b5722cea3bb502f050a436e3b2b51e0d392c2166fdd88fc8644d
Instruction Fuzzy Hash: B2D09238A24128CBDB54DB21E85E7987BB2BB48201F2084A7A80AE3341EF304D85CF24

Function 059BD51A Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ab7ea1a103b21515a0a641865a3a9b62beb7024a6586162f08bcbcb55c852
Instruction ID: 498f46347b01f00a5c3fbbfb4edd06600980af5f851a1d97df471d4758f689e1
Opcode Fuzzy Hash: 1a9ab7ea1a103b21515a0a641865a3a9b62beb7024a6586162f08bcbcb55c852
Instruction Fuzzy Hash: 27C092312082085B8244D6E8EC83E14B3A9DB88A18398C0AEA91CCB306CA33FD138588

Function 05C24680 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 05C2F320 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9bf39c8659dc99ac4dca4a0bd628787c48de3f86e88ce5b8712afba6ea5dd2
Instruction ID: 44958f1b2fe5f6bd856e8820f48e8b847ae95800fde3a0d835efd791711d23dc
Opcode Fuzzy Hash: 7a9bf39c8659dc99ac4dca4a0bd628787c48de3f86e88ce5b8712afba6ea5dd2
Instruction Fuzzy Hash: 1AC02B22040941C3F22413D04E9538DF332EB40310F0D4001D11856349C9145183C041

Function 05C261A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb03020b22f8cf50e5ad0cc9b84b27509535f8fcab95bdf74489c285b19ffd28
Instruction ID: c40eea535a5b5016fa8fe3248053280dd2f5580d1009e30001fa42c779f598a9
Opcode Fuzzy Hash: bb03020b22f8cf50e5ad0cc9b84b27509535f8fcab95bdf74489c285b19ffd28
Instruction Fuzzy Hash: 9FB09BE451C185CEDE5197B109193187E31DFC5305B1FD6C65C7F282C35D184013C541

Function 059BFDD8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 059B5D30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 059BBD50 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 059B19EC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d970786aae38a9166e2f7cfd749d3d94313124ace62e1ea0028b50622ac89d9
Instruction ID: b943270abcdd55f4f8db016c84506d9012b44dcab15d75f091f62b8d7f4aa01e
Opcode Fuzzy Hash: 9d970786aae38a9166e2f7cfd749d3d94313124ace62e1ea0028b50622ac89d9
Instruction Fuzzy Hash: 8EB092322554068FD288DA84E982814F3A6EBC432C318C5DAA40CCBA09CB37A9538A80

Function 059BBBD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 059B8B50 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 059B2A30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 059BDD8C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e20a0165479a3014f7a72663e53cdfc9d879362912034b35415b4e388bab9dc
Instruction ID: e3035e1df7ffdbc822d593d919369507016f68dfc9301ef73b291b06a96b9eaf
Opcode Fuzzy Hash: 8e20a0165479a3014f7a72663e53cdfc9d879362912034b35415b4e388bab9dc
Instruction Fuzzy Hash: 27B0123BB400199ACB00D6C8F4504ECFB30EBD4332F004033C300620008B31157AC760

Function 059B9F91 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e54db66fc442a03c8f6729fd72c804d041743c6ce8689abbec04f3d68040b7
Instruction ID: 72ba1b22cd5606709c8f3daf78751f81abe6d8bf6e8ac89cd6509ca02a9daa64
Opcode Fuzzy Hash: c0e54db66fc442a03c8f6729fd72c804d041743c6ce8689abbec04f3d68040b7
Instruction Fuzzy Hash: AEC04C74D04104CBEB118F54C44469DFF72BB48310F208676C909A7354CA315841CB41

Function 05C2344C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3ab1480b898b71db9a744f7dee4f64751d9a3a0d4b69a3f52145afe5fc8e90
Instruction ID: 0feaa61fc5e34349302fe4d854f4da00daccbd12110aecb1f283568390aabf50
Opcode Fuzzy Hash: 8a3ab1480b898b71db9a744f7dee4f64751d9a3a0d4b69a3f52145afe5fc8e90
Instruction Fuzzy Hash: 62C0923025621ACFDB10EB28EA49F6A7B22EB80300F008577A00656164EF345D8DCB46

Function 05C24000 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338a56d00ebccd83b8cadcf91fad25db00f23508977a1918cfcc1e24ce94a07f
Instruction ID: 7f041774427ad110105b316100d0562f60aef813c9e939cd1001b46fa09d8d90
Opcode Fuzzy Hash: 338a56d00ebccd83b8cadcf91fad25db00f23508977a1918cfcc1e24ce94a07f
Instruction Fuzzy Hash: 77A02230082B0C838F023AB03800020B38C0820208BC000B8820C08E280833F0B0C2CC

Function 059BE1C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1752823260.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_59b0000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4021f53d2b905e18e06ec4c02aadd3fa6f8975932a46673b11722a0a8cc640
Instruction ID: 48627893c764ae9bd3e61028a65feea7900cd219387c669552cd6cc77bce490e
Opcode Fuzzy Hash: 0e4021f53d2b905e18e06ec4c02aadd3fa6f8975932a46673b11722a0a8cc640
Instruction Fuzzy Hash: 50A011028A08B388FC203AE0288838882A08B8830AFCA0AA2008030380BE38800022A2

Function 05C24590 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9550efdb7faad063725c2c0b24828b01dea26d3835fe4d40f5484abbe87bf6b
Instruction ID: 0e353135b13ff838cb8e4d4ac0e5b36bed3107c17f8ff40817124e3b141e5fca
Opcode Fuzzy Hash: e9550efdb7faad063725c2c0b24828b01dea26d3835fe4d40f5484abbe87bf6b
Instruction Fuzzy Hash: 9290023104470CCB49A127997409555F79C9544529780A055A74D4154B5E6564104A95

Function 05C24020 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8cfa0aba85630526715ff37f2a5c62e9eb2319d14abb7f7f18e0fe5353868c
Instruction ID: 2a7d3242d48d8a6a47410d8449192f230a319536c20308ee36c4432e1e3c1a55
Opcode Fuzzy Hash: 8c8cfa0aba85630526715ff37f2a5c62e9eb2319d14abb7f7f18e0fe5353868c
Instruction Fuzzy Hash: 9390023105870C8F49402795750A5557B5D99545197810052B50D415025E557510459D

Non-executed Functions

Function 05C24BC8 Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

l^c, xrefs: 05C24BEA
l^Z, xrefs: 05C24BE2
l^H, xrefs: 05C24BD2
l^Q, xrefs: 05C24BDA
l^u, xrefs: 05C24BFA

Memory Dump Source

Source File: 0000000F.00000002.1753974816.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5c20000_FQDffaysNf.jbxd

Similarity

API ID:
String ID: l^H$l^Q$l^Z$l^c$l^u
API String ID: 0-2880685442
Opcode ID: 68988b7176e374b13e8ab313f673dc69ebfda952ed707981337c56198e6e1093
Instruction ID: 5356b850046ccbee9f61506733dce7dde1b422f6f63dbb76134e4bca168753f0
Opcode Fuzzy Hash: 68988b7176e374b13e8ab313f673dc69ebfda952ed707981337c56198e6e1093
Instruction Fuzzy Hash: ADF022276908798BD2057E1C99540E4B7E2FB8839075A053EC18C8F228AB31ECCBC6C6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DOC-20241029-WA0005_pdf .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOC-20241029-WA0005_pdf .exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FQDffaysNf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_calgutd0.kdh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_klitpytl.nh1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmaedbwr.5wf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyqppxrr.u1z.psm1

C:\Users\user\AppData\Local\Temp\tmpC1F8.tmp

C:\Users\user\AppData\Local\Temp\tmpD215.tmp

C:\Users\user\AppData\Roaming\FQDffaysNf.exe

C:\Users\user\AppData\Roaming\FQDffaysNf.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
DOC-20241029-WA0005_pdf .exe

Function 00CED5D0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON