Edit tour

Windows Analysis Report
ypauPrrA08.exe

Overview

General Information

Sample name:	ypauPrrA08.exe renamed because original name is a hash value
Original sample name:	2f8021e35e775898244a0be54c5eb37ca6b65ea7.exe
Analysis ID:	1552936
MD5:	4788afa2fd8b4d90e6fd1d18bbb88f48
SHA1:	2f8021e35e775898244a0be54c5eb37ca6b65ea7
SHA256:	d5b0f260bc71c5d65d075add4186c15ac68d676191ad4cf207f95a8c0bcfb6bf
Tags:	exesharpilratuser-NDA0E
Infos:

Detection

Ades Stealer, BlackGuard, VEGA Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Ades Stealer

Yara detected BlackGuard

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected VEGA Stealer

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ypauPrrA08.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\ypauPrrA08.exe" MD5: 4788AFA2FD8B4D90E6FD1D18BBB88F48)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackGuard	According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.	No Attribution	https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer https://cyberint.com/blog/research/blackguard-stealer/ https://ke-la.com/information-stealers-a-new-landscape/ https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ypauPrrA08.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
ypauPrrA08.exe	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
ypauPrrA08.exe	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
ypauPrrA08.exe	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
ypauPrrA08.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
ypauPrrA08.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
ypauPrrA08.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x51c41:$f1: FileZilla\recentservers.xml 0x52742:$b1: Chrome\User Data\ 0x52828:$b1: Chrome\User Data\ 0x56417:$b1: Chrome\User Data\ 0x56459:$b1: Chrome\User Data\ 0x56525:$b1: Chrome\User Data\ 0x58486:$b1: Chrome\User Data\ 0x58504:$b1: Chrome\User Data\ 0x5856a:$b1: Chrome\User Data\ 0x59604:$b1: Chrome\User Data\ 0x5968c:$b1: Chrome\User Data\ 0x596fc:$b1: Chrome\User Data\ 0x5940e:$b2: Mozilla\Firefox\Profiles 0x59863:$b4: Opera Software\Opera Stable\Login Data 0x52bb6:$b5: YandexBrowser\User Data\ 0x52c26:$b5: YandexBrowser\User Data\ 0x56359:$b5: YandexBrowser\User Data\ 0x5639b:$b5: YandexBrowser\User Data\ 0x59f92:$b5: YandexBrowser\User Data\ 0x5a01e:$b5: YandexBrowser\User Data\ 0x5a093:$b5: YandexBrowser\User Data\
ypauPrrA08.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x51a0b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
ypauPrrA08.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x5594f:$s1: \VPN\NordVPN 0x559f3:$s1: \VPN\NordVPN 0x55a89:$s2: \VPN\OpenVPN 0x55af7:$s3: \VPN\ProtonVPN
ypauPrrA08.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x5175e:$s6: Content-Disposition: form-data; name="document"; filename=" 0x574d5:$s11: \Ethereum\keystore 0x51449:$v1_5: sharedSecret 0x56331:$v1_6: ":"([^"]+)" 0x48a83:$v1_8: WritePasswords 0x49468:$v1_9: sGeckoBrowserPaths 0x434ea:$v1_10: get_sPassword
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x121cc:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5180b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: ypauPrrA08.exe PID: 7012	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
Process Memory Space: ypauPrrA08.exe PID: 7012	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
Process Memory Space: ypauPrrA08.exe PID: 7012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ypauPrrA08.exe PID: 7012	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ypauPrrA08.exe PID: 7012	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3b1dd:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x4d029:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x51c41:$f1: FileZilla\recentservers.xml 0x52742:$b1: Chrome\User Data\ 0x52828:$b1: Chrome\User Data\ 0x56417:$b1: Chrome\User Data\ 0x56459:$b1: Chrome\User Data\ 0x56525:$b1: Chrome\User Data\ 0x58486:$b1: Chrome\User Data\ 0x58504:$b1: Chrome\User Data\ 0x5856a:$b1: Chrome\User Data\ 0x59604:$b1: Chrome\User Data\ 0x5968c:$b1: Chrome\User Data\ 0x596fc:$b1: Chrome\User Data\ 0x5940e:$b2: Mozilla\Firefox\Profiles 0x59863:$b4: Opera Software\Opera Stable\Login Data 0x52bb6:$b5: YandexBrowser\User Data\ 0x52c26:$b5: YandexBrowser\User Data\ 0x56359:$b5: YandexBrowser\User Data\ 0x5639b:$b5: YandexBrowser\User Data\ 0x59f92:$b5: YandexBrowser\User Data\ 0x5a01e:$b5: YandexBrowser\User Data\ 0x5a093:$b5: YandexBrowser\User Data\
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x51a0b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x5594f:$s1: \VPN\NordVPN 0x559f3:$s1: \VPN\NordVPN 0x55a89:$s2: \VPN\OpenVPN 0x55af7:$s3: \VPN\ProtonVPN
0.0.ypauPrrA08.exe.22f4a690000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x5175e:$s6: Content-Disposition: form-data; name="document"; filename=" 0x574d5:$s11: \Ethereum\keystore 0x51449:$v1_5: sharedSecret 0x56331:$v1_6: ":"([^"]+)" 0x48a83:$v1_8: WritePasswords 0x49468:$v1_9: sGeckoBrowserPaths 0x434ea:$v1_10: get_sPassword
Click to see the 4 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T22:53:07.350976+0100	2803305	3	Unknown Traffic	192.168.2.4	49734	208.95.112.1	80	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 09 Nov 2024 21:53:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 29893Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01JC9EN73CRHCG264XCPT0QT79cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ecHvyQ4ug2UQ9yMUF4PhMUu1jSEsTY3038%2FMttEB8vjk3b%2Fv3ehCh08yrhFocNXqip2SA78FI2ISLC74EOIZZRdu4o3AWUuPPLgkfBc6rcys1L43FOAyiCEkv94u"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e010899e86fddaf-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1026&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=678&delivery_rate=2763358&cwnd=32&unsent_bytes=0&cid=d7cf7e7f630a016c&ts=221&x=0"

Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C4E7000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C509000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C4D4000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: ypauPrrA08.exe	String found in binary or memory: http://ip-api.com/json/
Source: ypauPrrA08.exe	String found in binary or memory: http://ip-api.com/xml
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipbase.com
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cert9.db.0.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C5DC000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C368000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: ypauPrrA08.exe	String found in binary or memory: https://api.ipify.org/1------------------------
Source: ypauPrrA08.exe	String found in binary or memory: https://api.telegram.org/bot
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: ypauPrrA08.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ypauPrrA08.exe	String found in binary or memory: https://discord.com/api/v10/users/
Source: ypauPrrA08.exe	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C5DC000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C38B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C3A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C36C000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C3A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com/xml/
Source: ypauPrrA08.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr, History.txt.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C420000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr, History.txt.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ypauPrrA08.exe, Information.txt.0.dr	String found in binary or memory: https://t.me/VegaStealer_shop_bot
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C940000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C440000.00000004.00000800.00020000.00000000.sdmp, tmp8AC1.tmp.tmpdb.0.dr, tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C940000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C440000.00000004.00000800.00020000.00000000.sdmp, tmp8AC1.tmp.tmpdb.0.dr, tmpB348.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.4:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: ypauPrrA08.exe, Screen.cs

.Net Code: GetScreen

E-Banking Fraud

Yara detected BlackGuard

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B8411	0_2_00007FFD9B8B8411
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8C5300	0_2_00007FFD9B8C5300
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B6B26	0_2_00007FFD9B8B6B26
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8C6998	0_2_00007FFD9B8C6998
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B78D2	0_2_00007FFD9B8B78D2
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B1E11	0_2_00007FFD9B8B1E11
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8C6D98	0_2_00007FFD9B8C6D98
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B1465	0_2_00007FFD9B8B1465
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8BC9D8	0_2_00007FFD9B8BC9D8
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8CD148	0_2_00007FFD9B8CD148
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8C480D	0_2_00007FFD9B8C480D
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B8D44	0_2_00007FFD9B8B8D44

Source: ypauPrrA08.exe, 00000000.00000000.1696285024.0000022F4A6F6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesharp_build.exe0 vs ypauPrrA08.exe
Source: ypauPrrA08.exe	Binary or memory string: OriginalFilenamesharp_build.exe0 vs ypauPrrA08.exe

Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: ypauPrrA08.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: ypauPrrA08.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/36@4/4

Source: C:\Users\user\Desktop\ypauPrrA08.exe

File created: C:\Users\Public\fqs92o4p.default-release

Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ypauPrrA08.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8AC1.tmp

Jump to behavior

Source: ypauPrrA08.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ypauPrrA08.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp8B51.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ypauPrrA08.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\ypauPrrA08.exe

File read: C:\Users\user\Desktop\ypauPrrA08.exe

Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ypauPrrA08.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ypauPrrA08.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ypauPrrA08.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C5DC000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1767580158.0000022F64DCA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 2024\SHARP\obj\Release\sharp_build.pdb source: ypauPrrA08.exe
Source:	Binary string: System.pdb source: ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C5DC000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1767580158.0000022F64DCA000.00000004.00000020.00020000.00000000.sdmp

Source: ypauPrrA08.exe

Static PE information: 0xCB342F8F [Wed Jan 12 06:34:55 2078 UTC]

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B021D push E95DB898h; ret	0_2_00007FFD9B8B0259
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B00BD pushad ; iretd	0_2_00007FFD9B8B00C1
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B0DE8 push ebx; ret	0_2_00007FFD9B8B0E0A
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Code function: 0_2_00007FFD9B8B0DCF push ebx; ret	0_2_00007FFD9B8B0E0A

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ypauPrrA08.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\ypauPrrA08.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ypauPrrA08.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Memory allocated: 22F4AA40000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Memory allocated: 22F64310000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599705	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599579	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599454	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599329	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597732	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597502	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Window / User API: threadDelayed 1703			Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Window / User API: threadDelayed 5448			Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599705s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597502s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 1508	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 7152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe TID: 7084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\ypauPrrA08.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\ypauPrrA08.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599705	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599579	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599454	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599329	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597732	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597502	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ypauPrrA08.exe, 00000000.00000002.1760225821.0000022F4A9A1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: ypauPrrA08.exe, type: SAMPLE

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe	Queries volume information: C:\Users\user\Desktop\ypauPrrA08.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ypauPrrA08.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Ades Stealer

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Yara detected BlackGuard

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Yara detected VEGA Stealer

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: ypauPrrA08.exe, 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ypauPrrA08.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Remote Access Functionality

Yara detected Ades Stealer

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Yara detected BlackGuard

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Yara detected VEGA Stealer

Source: Yara match	File source: ypauPrrA08.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ypauPrrA08.exe.22f4a690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ypauPrrA08.exe PID: 7012, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	43 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ypauPrrA08.exe	68%	ReversingLabs	ByteCode-MSIL.Infostealer.Stealgen
ypauPrrA08.exe	100%	Avira	TR/AD.GenSteal.apiqi
ypauPrrA08.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
ipbase.com	104.21.85.189	true	false	high
freegeoip.app	188.114.97.3	true	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.ipify.org/	false	high
https://freegeoip.app/xml/	false	high
http://ip-api.com/xml	false	high
https://ipbase.com/xml/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmpB348.tmp.tmpdb.0.dr	false		high
https://discord.com/api/v10/users/	ypauPrrA08.exe	false		high
https://duckduckgo.com/ac/?q=	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://api.telegram.org/bot	ypauPrrA08.exe	false		high
https://steamcommunity.com/profiles/ASOFTWARE	ypauPrrA08.exe	false		high
https://discordapp.com/api/v9/users/	ypauPrrA08.exe	false		high
https://freegeoip.app	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C38B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr, History.txt.0.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C420000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr, History.txt.0.dr	false		high
https://www.ecosia.org/newtab/	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://api.ipify.org/1------------------------	ypauPrrA08.exe	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpB348.tmp.tmpdb.0.dr	false		high
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C5DC000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C368000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C40C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://api.ipify.org	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipbase.com	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	cert9.db.0.dr	false		high
http://x1.i.lencr.org/0	cert9.db.0.dr	false		high
http://ip-api.com/json/	ypauPrrA08.exe	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.0.dr	false		high
http://ip-api.com	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C4E7000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C509000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C4D4000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/VegaStealer_shop_bot	ypauPrrA08.exe, Information.txt.0.dr	false		high
https://api.vimeworld.ru/user/name/	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	ypauPrrA08.exe	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpB348.tmp.tmpdb.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmpB2D5.tmp.dat.0.dr, tmp8B62.tmp.dat.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C311000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	ypauPrrA08.exe, 00000000.00000002.1764906869.0000022F5C33B000.00000004.00000800.00020000.00000000.sdmp, tmp8B02.tmp.dat.0.dr, tmpB2F6.tmp.dat.0.dr	false		high
https://ipbase.com	ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C536000.00000004.00000800.00020000.00000000.sdmp, ypauPrrA08.exe, 00000000.00000002.1760612465.0000022F4C3A7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
188.114.97.3	freegeoip.app	European Union	13335	CLOUDFLARENETUS	false
104.21.85.189	ipbase.com	United States	13335	CLOUDFLARENETUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552936
Start date and time:	2024-11-09 22:52:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ypauPrrA08.exe renamed because original name is a hash value
Original Sample Name:	2f8021e35e775898244a0be54c5eb37ca6b65ea7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/36@4/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 76% Number of executed functions: 153 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target ypauPrrA08.exe, PID 7012 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: ypauPrrA08.exe

Simulations

Behavior and APIs

Time	Type	Description
16:53:03	API Interceptor	33x Sleep call for process: ypauPrrA08.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv
	2N7MHjWNns.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	202411070105F02558.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RFQ500005576.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	T4tTl6dxyD.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	m08H8HhpXN.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	4QnTBz8fN3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	0YlXBRHual.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	1CPM0LpwQB.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
188.114.97.3	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	paste.ee/d/qImtr
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/oV9U9W0U/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/21zJLAjt/download
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.dodsrprolev.shop/42jb/
	Hesap.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/74ri/
	file.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar	Browse	sosipisos.cc/SXQNMYTM.exe
	7RAK4mZ6nc.exe	Get hash	malicious	Metasploit	Browse	downsexv.com:8080/pptFudI4N_bZd9h2vlE2HgX6nJupnvnNvPpodtqLmxX2OC5MJtjR8Cw2hx7Jj0FM_ofkLnmJ
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.bzxs.info/v58i/
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	www.figa1digital.services/zjtq/
	xBA TM06-Q6-11-24.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/Sv5Cw

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	188.114.97.3
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.96.3
	Insidious_protected.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	nyen2eabmfb.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Cheat.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	B5U2ccQ8H1.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	188.114.96.3
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.73.97
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.160.84
ip-api.com	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	2N7MHjWNns.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	202411070105F02558.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ500005576.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	T4tTl6dxyD.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	m08H8HhpXN.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	4QnTBz8fN3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	0YlXBRHual.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	1CPM0LpwQB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
api.ipify.org	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	6G1YhrEmQu.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://thrifty-wombat-mjszmd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.canva.com/design/DAGVsvWsNbI/iZzU0BNPZvRGZSXgumDARw/view?utm_content=DAGVsvWsNbI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	TtyCIqbov8.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Play-Audio_Vmail_Ach Statement Credi....html	Get hash	malicious	HtmlDropper	Browse	172.67.74.152
	XyXm15NU2A.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PO#150003191.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
ipbase.com	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	104.21.85.189
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	172.67.209.71
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.209.71
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.85.189
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.209.71
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	New Fax Notification.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	file.exe	Get hash	malicious	LummaC Stealer, Stealc	Browse	188.114.97.3
	https://qrco.de/bfYBpc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	x8AH98H0eQ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	New Fax Notification.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	x8AH98H0eQ.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	file.exe	Get hash	malicious	LummaC Stealer, Stealc	Browse	188.114.97.3
	https://qrco.de/bfYBpc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	zGHItMC5Zc.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
TUT-ASUS	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	2N7MHjWNns.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	202411070105F02558.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ500005576.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	T4tTl6dxyD.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	m08H8HhpXN.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	4QnTBz8fN3.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	0YlXBRHual.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	1CPM0LpwQB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	seethebestthingswithentirelifetaggreatwithmebestofthem.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	creatbesthingswithbettersytelgivenmebestthingstobe.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe	Get hash	malicious	DarkCloud	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	Purchase_order08112024_pdf.vbs	Get hash	malicious	Unknown	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	WMdKM7E5Yg.exe	Get hash	malicious	Quasar	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	IsVcdKSMbE.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	IsVcdKSMbE.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 104.26.13.205 188.114.97.3
	RFQ500005576.js	Get hash	malicious	AgentTesla	Browse	104.21.85.189 104.26.13.205 188.114.97.3

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1537
Entropy (8bit):	5.443234616109441
Encrypted:	false
SSDEEP:	48:LxsmpFfq6w+smpFfqtVcDKJosmpFfqtVuDKJosmpFJ4DpFfqKp4DpFfqtVVpboDh:LempFfzwXmpFf4aDKBmpFf4EDKBmpFJx
MD5:	06EA6E7701ACC7806FC2BC00BA27DDEF
SHA1:	29A5E3519E9984E2B8856F3E51BD21BAFFCDA328
SHA-256:	CACFC6E62CB39615BE83D6B0CE86997F56986C77BF87A4B4FD9F4930ECA7124C
SHA-512:	733B6F198873DC1B22D99290BAF390C50FFE66196D7F4F57E00090B92E2DF207B0EC2B747DCDC6ACE9850A0E2966046D2EA50B2BD658EA8607051EB4F47499C1
Malicious:	false
Reputation:	low
Preview:	URL: https://go.microsoft.com/fwlink/?linkid=851546.SEARCH: ( Examples of Office product keys - Microsoft Support ) COUNTER: 3...URL: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.SEARCH: ( Examples of Office product keys - Microsoft Support ) COUNTER: 3...URL: https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us.SEARCH: ( Examples of Office product keys - Microsoft Support ) COUNTER: 3...URL: https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us.SEARCH: ( Examples of Office product keys - Microsoft Support ) COUNTER: 1...URL: https://go.microsoft.com/fwlink/?LinkId=2106243.SEARCH: ( Install the English Language Pack for 32-bit Office - Microsoft Support ) COUNTER: 3...URL: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17.SEARCH: ( Install the E

C:\????? ?????\Files\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\????? ?????\Files\HTAGVDFUIE\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\????? ?????\Files\HTAGVDFUIE\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\????? ?????\Files\HTAGVDFUIE\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\????? ?????\Files\KATAXZVCPS\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\????? ?????\Files\KATAXZVCPS\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\????? ?????\Files\KATAXZVCPS\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\????? ?????\Files\KZWFNRXYKI.jpg

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\????? ?????\Files\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\????? ?????\Files\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\????? ?????\Files\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.688284131239007
Encrypted:	false
SSDEEP:	24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:	E8ACCA0F46CBA97FE289855535184C72
SHA1:	059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:	CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:	185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:	false
Preview:	WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI

C:\????? ?????\Files\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\????? ?????\Information.txt

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1649
Entropy (8bit):	4.598557755156445
Encrypted:	false
SSDEEP:	48:uMMOEMshMp11IATMphEQlpkayohCo6iuI7tlzYz:u4E+1IATpQUREuI7tY
MD5:	8D846B073EDF027C12D12888C6DD093E
SHA1:	D531B8BCBD3EA1F1BE0D3E6941328FEBD54110B9
SHA-256:	D63C385536706000FF7CE903D517D9E8D42D019A1E828EEA7B2EE3F54F0503D1
SHA-512:	775C1B9B95E4359272C4AB7EE9D011FC26C5AEB3D1CFB352D3CDAF81205FA38D62E24B901A75BEDF853219E8FB2832DFA6A0D92FDE70A51241EB4B7344F35766
Malicious:	false
Preview:	. * *****************************************. .................................. . .................................. . .................................. . .................................. . .................................. . .................................. . https://t.me/VegaStealer_shop_bot . . ******************************************. ==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 621365/user. Cl

C:\????? ?????\Process.txt

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3606
Entropy (8bit):	4.742038225264574
Encrypted:	false
SSDEEP:	24:1qmYMmmmx85wzqHImqmumVEQUmqqqIpmqmQUmqpIqqmnqmmqmXsmmQUqQUpxjqqh:tjFcInA8ervZt/vsP9
MD5:	E6981B550190764E7AE31D23DD7339CD
SHA1:	D5AE8DB49B6EB800CC027F4255C8B670C57B39B3
SHA-256:	214A1303A235432DD0CEA93972772B860F975B397D0EA2F4EB8ACABD05F4A5C8
SHA-512:	9064BB49F542CDA9B82CB8A67CAE894A75E9C989BAB7EB2C0377E71A20195D9024E60AB4E78ED1150A1889AA5F462E9249E4E9B20C266D99DB446D1C2581095E
Malicious:	false
Preview:	NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: ImpFVuIAFqqdYarg..NAME: explorer..NAME: ImpFVuIAFqqdYarg..NAME: ImpFVuIAFqqdYarg..NAME: ImpFVuIAFqqdYarg..NAME: fontdrvhost..NAME: smartscreen..NAME: WmiPrvSE..NAME: svchost..NAME: csrss..NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: ImpFVuIAFqqdYarg..NAME: sihost..NAME: ImpFVuIAFqqdYarg..NAME: OfficeClickToRun..NAME: RuntimeBroker..NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: svchost..NAME: svchost..NAME: dasHost..NAME: ctfmon..NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: ImpFVuIAFqqdYarg..NAME: RuntimeBroker..NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: WinStore.App..NAME: svchost..NAME: svchost..NAME: upfc..NAME: svchost..NAME: ImpFVuIAFqqdYarg..NAME: ImpFVuIAFqqdYarg..NAME: svchost..NAME: ImpFVuIAFqqdYarg..NAME: dllhost..NAME: ImpFVuIAFqqdYarg..NAME: ImpFVuIAFqqdYarg..NAME: RuntimeBroker..NAME: svchost..NAME: RuntimeBroker..NAME: StartMenuExperienceHost..NAME: fontdrvhost..NAME: TextInputHost..NAME: svchost..NAME: svchost..NAME: ImpFVuIAF

C:\????? ?????\Screen.png

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	676408
Entropy (8bit):	7.925373684019346
Encrypted:	false
SSDEEP:	12288:8VGzM/G1pO82zoPybAoOhFQJkY9uDZ6gqT6TKdT9j53w/jSiw+lNiyTXhyCtEE:BCG/LKAThFrrDZ6gm1N53+zki
MD5:	DD6F06CE1613957C7D6729CD37F718BF
SHA1:	AAE2D70842EF389FA3AED5F8EF7C57484F11D2D6
SHA-256:	23E2386672A2000F3F091202F261C05EF3EEA7804DC48FAC067789B6B237D905
SHA-512:	6E615CAC6BF4AC06D3B9A1E2B31EDF7E3CD510E5B9A3DCD5BE324DC7BE2299FB2DEBDF655F3088CAC250C394816E9B27CAB879EB5A1B89BDA514317EE6E7D079
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g..W......EuLw....3.]3..........0B.@.$P.M..+.....#...M......7..A ...........~...:;.9.'..+!R.O..Z{..yU...k..ht....r..n.B.UF......,.e.0zs..[l..7.....;...I..,7,..H....7......_~...."..yYz.....{.b.59K..u....WF{oY..g.3Yze9w...8K/.eM._......[4..\|g],.x.,...c.7.....)....}.s..P....s.....6...7.....g...g.0..gH....^....v...~m~...............1...K3...g_.....-a.OJ.&Xz...l{.l.?.\|.2.?..3......~...1=.....?......v.K...x.Z.z[`...Y......YE.G.N.t7z.5.?.L...kW...,?.:..sk8.......k.X:.S..a...v..%....\..N..~Z..v<..5..<,=...^=..~...S........+*.eg..1...jl.C..v<..R.gqr....O..[:..n........Vb..z...\...5...X.c.I]......Xo+.,=..:..r.<......w;N(.......;...../..v.\|u..rn..Z.....T.}.%..q..q....9...../....1.a....8:...n./.l.P..B..H.....,?...^\G..?...l9.OVX....+.cK..\|..W......9.m.\Ti.-.].=.\|.....x..<.\|...../..c.9.8.....Y.e.ut.sT..Y.....#J.a.v../.[.......c...b=...

C:\Users\Public\fqs92o4p.default-release\cert9.db

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.64343788909108
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67dNlIMMz333JGN8j/LKXYj5kuv:AUUMXCyIr
MD5:	B6787B79D64948AAC1D6359AC18AB268
SHA1:	0831EB15AB2B330BE95975A24F8945ED284D0BA4
SHA-256:	9D6FD3B8AB8AA7934C75EDE36CEB9CF4DDAD06C5031E89872B4E814D7DB674E2
SHA-512:	9296866380EF966F1CB6E69B7B84D1A86CD5AE8D9A7332C57543875FAA4FC7F1387A4CF83B7D662E4BAB0381E4AFC9CB9999075EBB497C6756DF770454F3530E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\fqs92o4p.default-release\key4.db

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08436842005578409
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
MD5:	2CD2840E30F477F23438B7C9D031FC08
SHA1:	03D5410A814B298B068D62ACDF493B2A49370518
SHA-256:	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
SHA-512:	DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ypauPrrA08.exe.log

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1896
Entropy (8bit):	5.381327525579728
Encrypted:	false
SSDEEP:	48:MxHKQEAHKKkKYHKGSI6oPtHTH0HNp51qHGIsVHSLH5HQHKD:iqaqKkKYqGSI6oPtzH0tp5wmjVyLZwqD
MD5:	7DBF9D352DD9592C8E9A7FBEB02535A0
SHA1:	950EA51F835C96A9F91CFAF78E7F3208F51ED2F2
SHA-256:	7BE11C46BC365459C0B0A6A7CFCC7D0D5AC73DA0E10EE377A95E482C2EEDA2D6
SHA-512:	797E07C368CA6CD523B60AA0D3F5A19EE44B1815B30C83D26F1C23BC7A02151A41C7CF6EFA8B74C5FCF42241D51AD3DD1154720AE26A5AB5D893284E564BBEA7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Managemen

C:\Users\user\AppData\Local\Temp\tmp8AC1.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8AD2.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8B02.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8B51.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8B52.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8B62.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB2D5.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB2D6.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB2F6.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB307.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB327.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB348.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA2E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA4E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA5F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA60.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA70.tmp.dat

Download File

Process:	C:\Users\user\Desktop\ypauPrrA08.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.920786434212345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ypauPrrA08.exe
File size:	405'504 bytes
MD5:	4788afa2fd8b4d90e6fd1d18bbb88f48
SHA1:	2f8021e35e775898244a0be54c5eb37ca6b65ea7
SHA256:	d5b0f260bc71c5d65d075add4186c15ac68d676191ad4cf207f95a8c0bcfb6bf
SHA512:	be06e5ceec0fbdb07025a6275a6af5a865a1d47d87dadafaf39230b6187caa0621f127297d1daed1298462ceb546a2012ee61c1a51f0f755d3be8e019faaba18
SSDEEP:	6144:rbODqpwPEuxGH6OrwX3pwzZwEq7EtE6xBpgwSOm92BUz7BJwaPEqrPlTux0:ryPPDLOrwX3pwzZwGB7k2uvfwARI0
TLSH:	5C846D4067FC8646F1FF6BB5D0B2182883F2B013B97AE78E5D84B4DE19637419845BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../4..........."...0..$............... ...`....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x461cf2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCB342F8F [Wed Jan 12 06:34:55 2078 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc byte ptr [ecx], dl
adc al, byte ptr [eax]
or byte ptr [edi], al
or dword ptr [esi], eax
or al, byte ptr [030C040Bh]
or eax, 0F010E02h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], cl
or byte ptr [eax], al
mov word ptr [eax], es
or byte ptr [eax], al
dec esp
add byte ptr [eax], cl
add ah, cl
add byte ptr [eax], cl
add byte ptr [eax+eax], ch
or byte ptr [eax], al
lodsb
add byte ptr [eax], cl
add byte ptr [eax+eax+08h], ch
add ah, ch
add byte ptr [eax], cl
add byte ptr [eax+eax], bl
or byte ptr [eax], al
pushfd
add byte ptr [eax], cl
add byte ptr [eax+eax+08h], bl
add ah, bl
add byte ptr [eax], cl
add byte ptr [eax+eax], bh
or byte ptr [eax], al
mov esp, 7C000800h
add byte ptr [eax], cl
add ah, bh
add byte ptr [eax], cl
add byte ptr [edx], al
add byte ptr [eax], cl
add byte ptr [edx+42000800h], al
add byte ptr [eax], cl
add dl, al
add byte ptr [eax], cl
add byte ptr [edx], ah
add byte ptr [eax], cl
add byte ptr [edx+62000800h], ah
add byte ptr [eax], cl
add dl, ah
add byte ptr [eax], cl
add byte ptr [edx], dl
add byte ptr [eax], cl
add byte ptr [edx+52000800h], dl
add byte ptr [eax], cl
add dl, dl
add byte ptr [eax], cl
add byte ptr [edx], dh
add byte ptr [eax], cl
add byte ptr [edx+72000800h], dh
add byte ptr [eax], cl
add dl, dh
add byte ptr [eax], cl
add byte ptr [edx], cl
add byte ptr [eax], cl
add byte ptr [edx+4A000800h], cl
add byte ptr [eax], cl
add dl, cl
add byte ptr [eax], cl
add byte ptr [edx], ch
add byte ptr [eax], cl
add byte ptr [edx+6A000800h], ch
add byte ptr [eax], cl
add dl, ch
add byte ptr [eax], cl
add byte ptr [edx], bl
add byte ptr [eax], cl
add byte ptr [edx+5A000800h], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61c9e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x68000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x61c00	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x622f8	0x62400	64c052da7a96173695360c0f4149abef	False	0.3853123012086514	data	5.9366485448731305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0x610	0x800	5ee37639e4d2619c205aa19dbbbb02ab	False	0.33642578125	data	3.4762999537127315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x68000	0xc	0x200	4d4656b75a5aabafe7df411b1e01bea1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x66090	0x380	data			0.4252232142857143
RT_MANIFEST	0x66420	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-09T22:53:07.350976+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49734	208.95.112.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2024 22:53:02.253992081 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.254048109 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:02.254143953 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.277939081 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.277966976 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:02.882905006 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:02.883064032 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.893115997 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.893145084 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:02.893376112 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:02.944703102 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.948013067 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:02.995327950 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:03.120372057 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:03.120425940 CET	443	49730	104.26.13.205	192.168.2.4
Nov 9, 2024 22:53:03.120475054 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:03.138659000 CET	49730	443	192.168.2.4	104.26.13.205
Nov 9, 2024 22:53:04.107492924 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.107536077 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.107562065 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:04.107604027 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.107939959 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.107956886 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.112368107 CET	80	49732	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:04.112447977 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:04.112554073 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:04.117567062 CET	80	49732	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:04.713777065 CET	80	49732	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:04.723992109 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.724088907 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.726875067 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.726885080 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.727253914 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.728169918 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.757245064 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:04.771343946 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.871010065 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.871067047 CET	443	49731	188.114.97.3	192.168.2.4
Nov 9, 2024 22:53:04.871155024 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.871613026 CET	49731	443	192.168.2.4	188.114.97.3
Nov 9, 2024 22:53:04.882837057 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:04.882890940 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:04.882962942 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:04.883229017 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:04.883244991 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.515908003 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.516057014 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.517921925 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.517937899 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.518173933 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.519251108 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.563328028 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727552891 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727602005 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727636099 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727677107 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.727695942 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727727890 CET	443	49733	104.21.85.189	192.168.2.4
Nov 9, 2024 22:53:05.727746010 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.727966070 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:05.735696077 CET	49733	443	192.168.2.4	104.21.85.189
Nov 9, 2024 22:53:06.695662022 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:06.696424007 CET	49734	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:06.701248884 CET	80	49734	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:06.701323986 CET	80	49732	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:06.701328993 CET	49734	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:06.701370955 CET	49732	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:06.701524973 CET	49734	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:06.706276894 CET	80	49734	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:07.302335978 CET	80	49734	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:07.350975990 CET	49734	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:07.395617962 CET	49735	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:07.400470018 CET	80	49735	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:07.400562048 CET	49735	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:07.400624037 CET	49735	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:07.405457020 CET	80	49735	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:07.985193968 CET	80	49735	208.95.112.1	192.168.2.4
Nov 9, 2024 22:53:07.996123075 CET	49735	80	192.168.2.4	208.95.112.1
Nov 9, 2024 22:53:07.996181011 CET	49734	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2024 22:53:02.240518093 CET	60038	53	192.168.2.4	1.1.1.1
Nov 9, 2024 22:53:02.247495890 CET	53	60038	1.1.1.1	192.168.2.4
Nov 9, 2024 22:53:04.099710941 CET	56557	53	192.168.2.4	1.1.1.1
Nov 9, 2024 22:53:04.099888086 CET	58259	53	192.168.2.4	1.1.1.1
Nov 9, 2024 22:53:04.106791973 CET	53	56557	1.1.1.1	192.168.2.4
Nov 9, 2024 22:53:04.106810093 CET	53	58259	1.1.1.1	192.168.2.4
Nov 9, 2024 22:53:04.873083115 CET	63187	53	192.168.2.4	1.1.1.1
Nov 9, 2024 22:53:04.882208109 CET	53	63187	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 9, 2024 22:53:02.240518093 CET	192.168.2.4	1.1.1.1	0x202f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.099710941 CET	192.168.2.4	1.1.1.1	0x54ed	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.099888086 CET	192.168.2.4	1.1.1.1	0x2804	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.873083115 CET	192.168.2.4	1.1.1.1	0x89c6	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 9, 2024 22:53:02.247495890 CET	1.1.1.1	192.168.2.4	0x202f	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:02.247495890 CET	1.1.1.1	192.168.2.4	0x202f	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:02.247495890 CET	1.1.1.1	192.168.2.4	0x202f	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.106791973 CET	1.1.1.1	192.168.2.4	0x54ed	No error (0)	freegeoip.app	188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.106791973 CET	1.1.1.1	192.168.2.4	0x54ed	No error (0)	freegeoip.app	188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.106810093 CET	1.1.1.1	192.168.2.4	0x2804	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.882208109 CET	1.1.1.1	192.168.2.4	0x89c6	No error (0)	ipbase.com	104.21.85.189	A (IP address)	IN (0x0001)	false
Nov 9, 2024 22:53:04.882208109 CET	1.1.1.1	192.168.2.4	0x89c6	No error (0)	ipbase.com	172.67.209.71	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

freegeoip.app

ipbase.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	208.95.112.1	80	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 22:53:04.112554073 CET	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 9, 2024 22:53:04.713777065 CET	627	IN	HTTP/1.1 200 OK Date: Sat, 09 Nov 2024 21:53:03 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 451 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 54 58 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 37 36 35 34 39 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 33 31 2e 30 30 36 35 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 39 37 2e 38 34 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 51 75 61 64 72 61 4e 65 74 3c 2f [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>TX</region> <regionName>Texas</regionName> <city>Killeen</city> <zip>76549</zip> <lat>31.0065</lat> <lon>-97.8406</lon> <timezone>America/Chicago</timezone> <isp>QuadraNet</isp> <org>OMGITSFAST</org> <as>AS8100 QuadraNet Enterprises LLC</as> <query>173.254.250.72</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	208.95.112.1	80	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 22:53:06.701524973 CET	39	OUT	GET /xml HTTP/1.1 Host: ip-api.com
Nov 9, 2024 22:53:07.302335978 CET	627	IN	HTTP/1.1 200 OK Date: Sat, 09 Nov 2024 21:53:06 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 451 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 54 58 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 37 36 35 34 39 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 33 31 2e 30 30 36 35 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 39 37 2e 38 34 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 51 75 61 64 72 61 4e 65 74 3c 2f [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>TX</region> <regionName>Texas</regionName> <city>Killeen</city> <zip>76549</zip> <lat>31.0065</lat> <lon>-97.8406</lon> <timezone>America/Chicago</timezone> <isp>QuadraNet</isp> <org>OMGITSFAST</org> <as>AS8100 QuadraNet Enterprises LLC</as> <query>173.254.250.72</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	208.95.112.1	80	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 22:53:07.400624037 CET	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 9, 2024 22:53:07.985193968 CET	627	IN	HTTP/1.1 200 OK Date: Sat, 09 Nov 2024 21:53:07 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 451 Access-Control-Allow-Origin: * X-Ttl: 56 X-Rl: 43 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 54 58 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 37 36 35 34 39 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 33 31 2e 30 30 36 35 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 39 37 2e 38 34 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 51 75 61 64 72 61 4e 65 74 3c 2f [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>TX</region> <regionName>Texas</regionName> <city>Killeen</city> <zip>76549</zip> <lat>31.0065</lat> <lon>-97.8406</lon> <timezone>America/Chicago</timezone> <isp>QuadraNet</isp> <org>OMGITSFAST</org> <as>AS8100 QuadraNet Enterprises LLC</as> <query>173.254.250.72</query></query>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.13.205	443	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-09 21:53:02 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-11-09 21:53:03 UTC	399	IN	HTTP/1.1 200 OK Date: Sat, 09 Nov 2024 21:53:03 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e010889ca27e84f-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2118&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=677&delivery_rate=1345724&cwnd=236&unsent_bytes=0&cid=7a3e6492f662c964&ts=247&x=0"
2024-11-09 21:53:03 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 Data Ascii: 173.254.250.72

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.97.3	443	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-09 21:53:04 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-11-09 21:53:04 UTC	823	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 09 Nov 2024 21:53:04 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 09 Nov 2024 22:53:04 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A6hGQbCQLQPb8xHprHOW8Ah7SZsspefDC6%2Fo91m0yvE9x6YXJJ7FewXSfBCClksEbmqP3FsIChCzQqJa5AKtqkr5qWiPCFZgB7kvllmRrexlGKXscd4Ur8bdNCjGDK5T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e010894ec26a921-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3245&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=681&delivery_rate=1100722&cwnd=128&unsent_bytes=0&cid=8c51ba9af0c7c355&ts=157&x=0"
2024-11-09 21:53:04 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.85.189	443	7012	C:\Users\user\Desktop\ypauPrrA08.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-09 21:53:05 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-11-09 21:53:05 UTC	920	IN	HTTP/1.1 404 Not Found Date: Sat, 09 Nov 2024 21:53:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 29893 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01JC9EN73CRHCG264XCPT0QT79 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ecHvyQ4ug2UQ9yMUF4PhMUu1jSEsTY3038%2FMttEB8vjk3b%2Fv3ehCh08yrhFocNXqip2SA78FI2ISLC74EOIZZRdu4o3AWUuPPLgkfBc6rcys1L43FOAyiCEkv94u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e010899e86fddaf-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1026&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=678&delivery_rate=2763358&cwnd=32&unsent_bytes=0&cid=d7cf7e7f630a016c&ts=221&x=0"
2024-11-09 21:53:05 UTC	449	IN	Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-11-09 21:53:05 UTC	1369	IN	Data Raw: 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 72 67 62 28 35 32 2c 20 35 36 2c 20 36 30 29 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e Data Ascii: rial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; background: rgb(52, 56, 60); color: white; overflow: hidden; margin: 0; padding: 0; } h1 { margin: 0; font-size: 22px; lin
2024-11-09 21:53:05 UTC	1271	IN	Data Raw: 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 69 64 3d 22 62 61 63 6b 2d 6c 69 6e 6b 22 20 68 72 65 66 3d 22 2f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 36 22 20 68 65 69 67 68 74 3d 22 31 36 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 36 20 31 36 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 Data Ascii: on this site.</p> <p> <a id="back-link" href="/"> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"> <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.4329495
2024-11-09 21:53:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:53:00
Start date:	09/11/2024
Path:	C:\Users\user\Desktop\ypauPrrA08.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ypauPrrA08.exe"
Imagebase:	0x22f4a690000
File size:	405'504 bytes
MD5 hash:	4788AFA2FD8B4D90E6FD1D18BBB88F48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1760612465.0000022F4C370000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1696244643.0000022F4A692000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD9B8B8411 Relevance: 23.5, Strings: 18, Instructions: 953COMMON

Download Yara Rule

Strings

P71\, xrefs: 00007FFD9B8B8BF7
`]1\, xrefs: 00007FFD9B8B845C
a1\, xrefs: 00007FFD9B8B86E7
8a1\, xrefs: 00007FFD9B8B88A0
@a1\, xrefs: 00007FFD9B8B8933
Ha1\, xrefs: 00007FFD9B8B89C6
H71\, xrefs: 00007FFD9B8B8B99
`]1\, xrefs: 00007FFD9B8B8C50
7L_L, xrefs: 00007FFD9B8B8880
(a1\, xrefs: 00007FFD9B8B877A
0a1\, xrefs: 00007FFD9B8B880D
p]1\, xrefs: 00007FFD9B8B8C11
X71\, xrefs: 00007FFD9B8B8CA9
`81\, xrefs: 00007FFD9B8BA08F
X71\, xrefs: 00007FFD9B8B8C69
h81\, xrefs: 00007FFD9B8BA0B3
61\, xrefs: 00007FFD9B8B8C2B
H71\, xrefs: 00007FFD9B8B8BC8

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: a1\$(a1\$0a1\$7L_L$8a1\$@a1\$H71\$H71\$Ha1\$P71\$X71\$X71\$`81\$`]1\$`]1\$h81\$p]1\$61\
API String ID: 0-810305495
Opcode ID: 4046faa67c7f4874265ba1249d9050daab2a1666ace9bf54e79e44169ee0bd98
Instruction ID: 1bbb59c1154457c529577ccaa691c56a8ff26be07dfdda3666395a28edd209ee
Opcode Fuzzy Hash: 4046faa67c7f4874265ba1249d9050daab2a1666ace9bf54e79e44169ee0bd98
Instruction Fuzzy Hash: 16529C61B0E9DA0FD369A7B808765B97FD1EF4A70070845FED0898B1E7DD196807C782

Function 00007FFD9B8C6D98 Relevance: 17.4, Strings: 13, Instructions: 1127COMMON

Download Yara Rule

Strings

8!2\, xrefs: 00007FFD9B8C6F62
0"2\, xrefs: 00007FFD9B8C7548
0!2\, xrefs: 00007FFD9B8C6F25
("2\, xrefs: 00007FFD9B8C7526
H!2\, xrefs: 00007FFD9B8C6F9F
!2\/, xrefs: 00007FFD9B8C731D
8"2\, xrefs: 00007FFD9B8C7592
!2\/, xrefs: 00007FFD9B8C72C6
h!2\, xrefs: 00007FFD9B8C707D
`!2\, xrefs: 00007FFD9B8C7033
!2\, xrefs: 00007FFD9B8C73A2
x!2\, xrefs: 00007FFD9B8C7111
p!2\, xrefs: 00007FFD9B8C70C7

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: !2\/$!2\/$("2\$0!2\$0"2\$8!2\$8"2\$H!2\$`!2\$h!2\$p!2\$x!2\$!2\
API String ID: 0-4066887631
Opcode ID: 24af946e6a4aa42eeff31daf95c9c0feea75177265aa341c5fad4705ecf9f9ae
Instruction ID: b530762f9d0825c74a3d1198f8d0c0e05c1db45629498ef7e3bc3738b853d6fe
Opcode Fuzzy Hash: 24af946e6a4aa42eeff31daf95c9c0feea75177265aa341c5fad4705ecf9f9ae
Instruction Fuzzy Hash: 7B82097060E9D94FD756E7B888B69F97FF0DF4A310B4844EED089CB1A7C9196802C742

Function 00007FFD9B8B1465 Relevance: 16.6, Strings: 13, Instructions: 398COMMON

Download Yara Rule

Strings

P]1\, xrefs: 00007FFD9B8B1691
@]1\, xrefs: 00007FFD9B8B15B5
(]1\, xrefs: 00007FFD9B8B1636
]1\, xrefs: 00007FFD9B8B1603
X]1\, xrefs: 00007FFD9B8B16CC
8]1\, xrefs: 00007FFD9B8B1588
P]1\, xrefs: 00007FFD9B8B1651
P]1\, xrefs: 00007FFD9B8B1677
]1\, xrefs: 00007FFD9B8B1534
(]1\, xrefs: 00007FFD9B8B1550
p]1\, xrefs: 00007FFD9B8B1747
h]1\, xrefs: 00007FFD9B8B1716
@]1\, xrefs: 00007FFD9B8B15C7

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$ ]1\$(]1\$(]1\$8]1\$@]1\$@]1\$P]1\$P]1\$P]1\$X]1\$h]1\$p]1\
API String ID: 0-3484246864
Opcode ID: fbd2fc02df2724d2c16bfb8283286de732e1554e0f40af66322a1915b7e81d2c
Instruction ID: d17aeac3ce61f4fe3b60826b0f9c27cd66eba05c38ac1280376c19a38e0a2429
Opcode Fuzzy Hash: fbd2fc02df2724d2c16bfb8283286de732e1554e0f40af66322a1915b7e81d2c
Instruction Fuzzy Hash: 5ED12520A1EADA5FD756E7BC48A65E9BFE0DF0730070849EED089CF0A7C919A417D741

Function 00007FFD9B8C5300 Relevance: 6.7, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

X 2\, xrefs: 00007FFD9B8C545C
2\, xrefs: 00007FFD9B8C56B3
H 2\, xrefs: 00007FFD9B8C541D
h 2\, xrefs: 00007FFD9B8C549B
x 2\, xrefs: 00007FFD9B8C54DA

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H 2\$X 2\$h 2\$x 2\$ 2\
API String ID: 0-226773014
Opcode ID: ed1a870c67a54b711ae2af72c71e4a7559686e274139c90829ad9682cbdb9cfc
Instruction ID: 9690f975487e9a2d905d7a3d2cf65ac0dd9d8b82b609a97705ac9d631c413931
Opcode Fuzzy Hash: ed1a870c67a54b711ae2af72c71e4a7559686e274139c90829ad9682cbdb9cfc
Instruction Fuzzy Hash: 21E1DF5460F6EA5FD752E7B848B65FA7FE09F0B25070888EBC4C48F1A7C519A84BC742

Function 00007FFD9B8B1E11 Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

@\1\, xrefs: 00007FFD9B8B1FD3
\1\, xrefs: 00007FFD9B8B1EDF
(\1\, xrefs: 00007FFD9B8B1EFB
H\1\, xrefs: 00007FFD9B8B2005

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: \1\$(\1\$@\1\$H\1\
API String ID: 0-1943667601
Opcode ID: 3565a94c86dcae4898a024738a6f66d9e892e540ad4ce9cf5e18f9ae0f6842ea
Instruction ID: d0fce2978c051a0ca3a3da34816728a431f5cfd13942d7717f6656c03f2e70dd
Opcode Fuzzy Hash: 3565a94c86dcae4898a024738a6f66d9e892e540ad4ce9cf5e18f9ae0f6842ea
Instruction Fuzzy Hash: 96611550A1EAD95FD756B7BC48B25F9BFE0DF4B300B4848EAC0998B0E7C949A407D741

Function 00007FFD9B8CD148 Relevance: 3.5, Strings: 2, Instructions: 965COMMON

Download Yara Rule

Strings

a1\/, xrefs: 00007FFD9B8CD431
#2\, xrefs: 00007FFD9B8CD9B7

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: #2\$a1\/
API String ID: 0-2015114827
Opcode ID: e07aa82c85303c71d6fe977dceef7136ef456a2ef804d4d38794ee99cc70d380
Instruction ID: 53c8d94308498a58ebc8a20f7faabf0805e3fff762fcd571652532ef1b8c2ef4
Opcode Fuzzy Hash: e07aa82c85303c71d6fe977dceef7136ef456a2ef804d4d38794ee99cc70d380
Instruction Fuzzy Hash: 0362B471B19A4E8FDB98FF58C4A5AB977E1FF58300B1145AAD41EC72A6DE34E802C740

Function 00007FFD9B8C6998 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

P"2\, xrefs: 00007FFD9B8C98D5
X"2\, xrefs: 00007FFD9B8C9A06

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: P"2\$X"2\
API String ID: 0-3844356525
Opcode ID: 90b6b7cd92fb82f66d1e9a14c64d9f32db7481df0220be19872c956d1ef86500
Instruction ID: 2d14121c1dbbd56994fdf667e9441436c7ce3f213cdd4c044b56504bbec49c46
Opcode Fuzzy Hash: 90b6b7cd92fb82f66d1e9a14c64d9f32db7481df0220be19872c956d1ef86500
Instruction Fuzzy Hash: 1CD15870B1DA0D4FE72AEB6894659B5B3D2FF89300B1145BEE09EC32D7DE25B8028741

Function 00007FFD9B8B6B26 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c1a6a39e975d7aa3cee86cace466190c4f04a95e0230b51015b62e831903a9
Instruction ID: 726e1b5b7c918e81633c9db4c46ebf2efa05b66f4abdd144cbcaa49c15643f74
Opcode Fuzzy Hash: 01c1a6a39e975d7aa3cee86cace466190c4f04a95e0230b51015b62e831903a9
Instruction Fuzzy Hash: 3CF1D670A09A4D4FEBA8DF28C8657E977D1FF58310F04426EE84DC72A5CB34E9458B82

Function 00007FFD9B8B78D2 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf06efa28ec33d655c3440353dd3dc86593ad1ea076c0904926ed6d28f78646
Instruction ID: ad78dde7af3285443b1ad37c10aee756fd61eef18234dce29e4892e497ea6a6f
Opcode Fuzzy Hash: 3bf06efa28ec33d655c3440353dd3dc86593ad1ea076c0904926ed6d28f78646
Instruction Fuzzy Hash: 35E1C430A09A4E4FEBA8DF28C8657E977D1FF58310F04426ED84DC72A5DE74A9458BC1

Function 00007FFD9B8B8B1F Relevance: 10.2, Strings: 8, Instructions: 181COMMON

Download Yara Rule

Strings

P71\, xrefs: 00007FFD9B8B8BF7
p]1\, xrefs: 00007FFD9B8B8C11
X71\, xrefs: 00007FFD9B8B8C69
61\, xrefs: 00007FFD9B8B8C2B
H, xrefs: 00007FFD9B8B8B6C
H71\, xrefs: 00007FFD9B8B8B99
`]1\, xrefs: 00007FFD9B8B8C50
H71\, xrefs: 00007FFD9B8B8BC8

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H$H71\$H71\$P71\$X71\$`]1\$p]1\$61\
API String ID: 0-2827942810
Opcode ID: 1a0e2e69fc4efe8c3b71c684dda81debadf8c202f3981cf84fcdc6a6353207e4
Instruction ID: 3e7bbc5d2ded8b83fe520bad26b2970738f1933c284e3414ec16303cdb709495
Opcode Fuzzy Hash: 1a0e2e69fc4efe8c3b71c684dda81debadf8c202f3981cf84fcdc6a6353207e4
Instruction Fuzzy Hash: 3D51E760B1E99E4FE7A9A7B818766B97BD1EF09300F1406F9D05DC36D3CC1898038B41

Function 00007FFD9B8B2019 Relevance: 9.1, Strings: 7, Instructions: 304COMMON

Download Yara Rule

Strings

@\1\, xrefs: 00007FFD9B8B2060
H\1\, xrefs: 00007FFD9B8B212C
X\1\, xrefs: 00007FFD9B8B209B
h\1\, xrefs: 00007FFD9B8B2177
P\1\, xrefs: 00007FFD9B8B2024
@\1\, xrefs: 00007FFD9B8B2046
X\1\, xrefs: 00007FFD9B8B20DE

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: @\1\$@\1\$H\1\$P\1\$X\1\$X\1\$h\1\
API String ID: 0-1224438595
Opcode ID: 9862bb161a062d4510b9e8a6b5a4ea6c9cf28ff43ca1fd77bc46413d97863185
Instruction ID: 887cdd9b2b2b50b6de9d9da522a0cd3e3dbb3221b42928c2d5c839049b83df11
Opcode Fuzzy Hash: 9862bb161a062d4510b9e8a6b5a4ea6c9cf28ff43ca1fd77bc46413d97863185
Instruction Fuzzy Hash: 9CA12A11A0FADA4FE7169BF858665ADBFA0EF46310B1904FFD099CB0E7C5187906C742

Function 00007FFD9B8BC545 Relevance: 7.7, Strings: 6, Instructions: 205COMMON

Download Yara Rule

Strings

8:1\, xrefs: 00007FFD9B8BC5D2
]1\, xrefs: 00007FFD9B8BC63F
8:1\, xrefs: 00007FFD9B8BC5F0
H:1\, xrefs: 00007FFD9B8BC6A3
]1\, xrefs: 00007FFD9B8BC58C
H:1\, xrefs: 00007FFD9B8BC685

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$ ]1\$8:1\$8:1\$H:1\$H:1\
API String ID: 0-2406345350
Opcode ID: f1781ca4f363af1fcaada30a97171eeb8b8619b627d7785f1fe77d43c030a777
Instruction ID: 3b47c7cb5f2037a6e493f05ca0eb18e4f562f7b066ab353d754dde8d79347647
Opcode Fuzzy Hash: f1781ca4f363af1fcaada30a97171eeb8b8619b627d7785f1fe77d43c030a777
Instruction Fuzzy Hash: A7511A20B0EA994FD796EBB8486A5F97FD1EF8A31070504FED449C71A7CD18A812CB41

Function 00007FFD9B8B8B16 Relevance: 7.6, Strings: 6, Instructions: 115COMMON

Download Yara Rule

Strings

P71\, xrefs: 00007FFD9B8B8BF7
p]1\, xrefs: 00007FFD9B8B8C11
X71\, xrefs: 00007FFD9B8B8C69
61\, xrefs: 00007FFD9B8B8C2B
`]1\, xrefs: 00007FFD9B8B8C50
H71\, xrefs: 00007FFD9B8B8BC8

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H71\$P71\$X71\$`]1\$p]1\$61\
API String ID: 0-3508991169
Opcode ID: 144ef7fcc3b951ed60de32551b0818b4dccc2da5fccbc4a96b76e49cfdbf8db6
Instruction ID: 6acc59d24577f5f855d4ffbc7e5a89ae77b04a2a8403cfdb521286d6e15fe41c
Opcode Fuzzy Hash: 144ef7fcc3b951ed60de32551b0818b4dccc2da5fccbc4a96b76e49cfdbf8db6
Instruction Fuzzy Hash: 0D31D450B1E8995FE39AA3BC18766F96FD1DF4A700F1806FAD459C36E7DC1898038741

Function 00007FFD9B8CE44D Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

@#2\, xrefs: 00007FFD9B8CE486
P#2\, xrefs: 00007FFD9B8CE52A
8#2\, xrefs: 00007FFD9B8CE46E
H#2\, xrefs: 00007FFD9B8CE50E

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 8#2\$@#2\$H#2\$P#2\
API String ID: 0-1313315971
Opcode ID: 161f3e1da7d4bc0778c30fcc19d80dd896caec5dc9731d166083029e07e802ed
Instruction ID: 332d1d4a8094cc787cb134a8f74d00c3a84b4d820a6e3031c481180afc5ed875
Opcode Fuzzy Hash: 161f3e1da7d4bc0778c30fcc19d80dd896caec5dc9731d166083029e07e802ed
Instruction Fuzzy Hash: 7A412D21A1DEDE0FD769E77844655B6BBD1EF89214B0444FEC09AC35A7DD29E8038341

Function 00007FFD9B8BB564 Relevance: 5.1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BB56D
P91\, xrefs: 00007FFD9B8BB5B9
X91\, xrefs: 00007FFD9B8BB5E3
`91\, xrefs: 00007FFD9B8BB5FB

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$P91\$X91\$`91\
API String ID: 0-4075532770
Opcode ID: 735b5455b87e9ffa5c65559539d0cdb753f645dab9ee56f4c4aad0f2967387d4
Instruction ID: 7b7575370615b820d108900c58224924502e2be381cea2eae43a1aa86a2e6fe5
Opcode Fuzzy Hash: 735b5455b87e9ffa5c65559539d0cdb753f645dab9ee56f4c4aad0f2967387d4
Instruction Fuzzy Hash: B021093171E9AA4FE75ABBB818A61F87BD2EF8A31170904FDC08AC71A3DD1964138741

Function 00007FFD9B8BFCD8 Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

x61\, xrefs: 00007FFD9B8BFCF1
^1\, xrefs: 00007FFD9B8BFD81
^1\, xrefs: 00007FFD9B8BFD6F

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: x61\$^1\$^1\
API String ID: 0-2205120738
Opcode ID: c13755c5052088dc6b3248d5a6cd521fb2e5b46bb1b63450e4704f7808f4be32
Instruction ID: a6436edb33fe1c0610fc8696ff6bfdd2e98fc27af3da7f1625c3e0981be9ab58
Opcode Fuzzy Hash: c13755c5052088dc6b3248d5a6cd521fb2e5b46bb1b63450e4704f7808f4be32
Instruction Fuzzy Hash: 10512921B0EADD0FEB92E37C58B51B97FE0DF4A210B4845EBC489CB1E7D91958478781

Function 00007FFD9B8BC355 Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BC39D
0^1\, xrefs: 00007FFD9B8BC402
0^1\, xrefs: 00007FFD9B8BC3E5

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$0^1\$0^1\
API String ID: 0-4109037516
Opcode ID: 5361c87a26073924ea301388bf07e108d173c5a24520a49caba8921358cea6ff
Instruction ID: b5e24e3749a52ddd2db40b6b1f66f3bfd40e1e622eb856f14e9e42b551774844
Opcode Fuzzy Hash: 5361c87a26073924ea301388bf07e108d173c5a24520a49caba8921358cea6ff
Instruction Fuzzy Hash: 01411631A0E99D4FD769EBBC586A4F97BD1EF8A310B4500FAD05DC71A3DD1868138B82

Function 00007FFD9B8BC2A5 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BC39D
0^1\, xrefs: 00007FFD9B8BC402
0^1\, xrefs: 00007FFD9B8BC3E5

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$0^1\$0^1\
API String ID: 0-4109037516
Opcode ID: f11b0bc5a2a085b88b8cb8342e76b5fa1cd7bcfc95ca90c34423c30354eb12d5
Instruction ID: 126e5136fe6c2d898f288d11b6fb97eac246b6a9f21d704092540fc4f7982661
Opcode Fuzzy Hash: f11b0bc5a2a085b88b8cb8342e76b5fa1cd7bcfc95ca90c34423c30354eb12d5
Instruction Fuzzy Hash: C9417831A0D99E4FD395EBBC586A1F97FE1EF4A310B4400FAC059C71E7CE2864128B82

Function 00007FFD9B8C2C79 Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C2CD9
`]1\, xrefs: 00007FFD9B8C2D8C
]1\, xrefs: 00007FFD9B8C2CA6

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$`]1\$`]1\
API String ID: 0-3246135458
Opcode ID: 31a1954bbc3bbc36ce68e81e0b54620189d540aab674ea6e041bff1f5188d08b
Instruction ID: 88abcd7742118cac7cf55c5fe24f57d7effc3f197fd6085a7ca42fbb6643913e
Opcode Fuzzy Hash: 31a1954bbc3bbc36ce68e81e0b54620189d540aab674ea6e041bff1f5188d08b
Instruction Fuzzy Hash: 82412A31A0E9DD0FD756EB7888A69F57FE1EF8A31470804E9D489C72E7CD186802C741

Function 00007FFD9B8BA55D Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

0]1\, xrefs: 00007FFD9B8BA631
`]1\, xrefs: 00007FFD9B8BA5C0
8]1\, xrefs: 00007FFD9B8BA65D

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 0]1\$8]1\$`]1\
API String ID: 0-1850001312
Opcode ID: 02cc73efdd73a0909c5cf449e4b42758404a36ef49b007e619d901dbd79e57e0
Instruction ID: 8b5d9dcd6ebb1fc8a74546ea677d3f70b1ba907aaeacc96e4729e8a5a67ca4f8
Opcode Fuzzy Hash: 02cc73efdd73a0909c5cf449e4b42758404a36ef49b007e619d901dbd79e57e0
Instruction Fuzzy Hash: 4641E22091F6EE5FD767E7B408764A93FE0CF07244B0844EED4C98B0E3C919964ACB52

Function 00007FFD9B8BB9D5 Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

^1\, xrefs: 00007FFD9B8BBA65
^1\, xrefs: 00007FFD9B8BBA82
]1\, xrefs: 00007FFD9B8BBA1D

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$ ^1\$ ^1\
API String ID: 0-137624098
Opcode ID: 8bcb0955342c8b811648ed3b5c4cc9e0a128d3ee26854e206bdc1bfdef9042e4
Instruction ID: 112cdead18e644cf06bbed1a79e53d1b45fe45b9593aa5f2b026f6de80758716
Opcode Fuzzy Hash: 8bcb0955342c8b811648ed3b5c4cc9e0a128d3ee26854e206bdc1bfdef9042e4
Instruction Fuzzy Hash: 6C31F931B0EA9D1FE765ABB818665F97FD2DF8A22070500FED09DC71A3DD1868138792

Function 00007FFD9B8C53D9 Relevance: 3.9, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

X 2\, xrefs: 00007FFD9B8C545C
H 2\, xrefs: 00007FFD9B8C541D
h 2\, xrefs: 00007FFD9B8C549B

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H 2\$X 2\$h 2\
API String ID: 0-3579460494
Opcode ID: 05dd07643c58f15c76630ea0aca221b719648329b3d36c9465111b4125389814
Instruction ID: 39605867139a620cdff2c7c0aa9b50d8896c7e0693e0fef7bc948f24670bc52f
Opcode Fuzzy Hash: 05dd07643c58f15c76630ea0aca221b719648329b3d36c9465111b4125389814
Instruction Fuzzy Hash: 9E31075501F6E66FD753D7B818B65E6BFE19E0B25034C88CBC5C08F0A7C049589BC746

Function 00007FFD9B8BB681 Relevance: 3.8, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

x91\, xrefs: 00007FFD9B8BB726
h91\, xrefs: 00007FFD9B8BB6F8
091\, xrefs: 00007FFD9B8BB743

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 091\$h91\$x91\
API String ID: 0-1552843987
Opcode ID: 0cd7adc76a3862de7bf3aab2af870df729c692920a44db0500ab5b2d3bff660f
Instruction ID: e27f19baeb9335f822fe023df6809c1b9e208954ed7e328f68cc8171902ef63c
Opcode Fuzzy Hash: 0cd7adc76a3862de7bf3aab2af870df729c692920a44db0500ab5b2d3bff660f
Instruction Fuzzy Hash: 3621A07091E6D86FD357E774486AADA7FF1EF4720070945DED4C58B0B3C62A440ACB42

Function 00007FFD9B8BBF64 Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BBF6D
(^1\, xrefs: 00007FFD9B8BBFB5
(^1\, xrefs: 00007FFD9B8BBFD2

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$(^1\$(^1\
API String ID: 0-1985966293
Opcode ID: a34ee6a65fada27799d2ea11eeda906eb447ef36136e8adec31d0ed01a1c7f9c
Instruction ID: 3d2cec3fa9ecf5f11457d74ed83676b3b6c7d62fd5edc4ac6ebf08b338c43a8c
Opcode Fuzzy Hash: a34ee6a65fada27799d2ea11eeda906eb447ef36136e8adec31d0ed01a1c7f9c
Instruction Fuzzy Hash: 74214931B1D96A4FD729BBB818A24F87BD2EF8A31130504FDD08EC71A3CD1864138742

Function 00007FFD9B8BC104 Relevance: 3.8, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BC10D
@^1\, xrefs: 00007FFD9B8BC172
@^1\, xrefs: 00007FFD9B8BC155

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\$@^1\$@^1\
API String ID: 0-1870040197
Opcode ID: 8a0366daac0d939c17b439a1107813d0a44c4d136bfe8bbbe9395698ff251a35
Instruction ID: 3989364c683c5e4d14d197a845533225cba1b8ad908c92ef759c5940a8bcc04a
Opcode Fuzzy Hash: 8a0366daac0d939c17b439a1107813d0a44c4d136bfe8bbbe9395698ff251a35
Instruction Fuzzy Hash: 05212530B1D95A4FE359BBB814665B87BD2EF8A21070500F9D05DC71A7CD18A8138742

Function 00007FFD9B8B8030 Relevance: 3.8, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

(71\, xrefs: 00007FFD9B8B80A3
x61\, xrefs: 00007FFD9B8B8061
871\, xrefs: 00007FFD9B8B80D8

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: (71\$871\$x61\
API String ID: 0-2668084800
Opcode ID: b4426c09fcf765e076066be696de7881b5d765ef2bbf91ae8dfc1a1eb5571724
Instruction ID: ac7fb79254174d4767a13964212ae0e3f4ac263c65bcf3f8d28ffa96717e462a
Opcode Fuzzy Hash: b4426c09fcf765e076066be696de7881b5d765ef2bbf91ae8dfc1a1eb5571724
Instruction Fuzzy Hash: 15213B71A0E6DE1FE357E77804661A97FE0DF46240B0841FAD485C71E3CD2C58078741

Function 00007FFD9B8C7FC5 Relevance: 3.2, Strings: 2, Instructions: 740COMMON

Download Yara Rule

Strings

H"2\, xrefs: 00007FFD9B8C81C5
@"2\, xrefs: 00007FFD9B8C7FEE

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: @"2\$H"2\
API String ID: 0-436022339
Opcode ID: 7b816f71f6ebc3140d869bd29f49ba4a0e6ac1ef2b970cc69927825d2e9557f7
Instruction ID: 50c95c35b2f7beaad79d5da695eed018a0ca3453cf34a59fadeefc3f27c715d1
Opcode Fuzzy Hash: 7b816f71f6ebc3140d869bd29f49ba4a0e6ac1ef2b970cc69927825d2e9557f7
Instruction Fuzzy Hash: BE429470A1994E8FDB98EF18C8A5AB977E2FF58300F5045A9E41DC7296DA35EC43CB40

Function 00007FFD9B8CC7FB Relevance: 3.0, Strings: 2, Instructions: 535COMMON

Download Yara Rule

Strings

|J_^, xrefs: 00007FFD9B8CC801
{J_^, xrefs: 00007FFD9B8CC901

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: {J_^$|J_^
API String ID: 0-384746692
Opcode ID: 165d76055aa5fb665caec61e2295baa707bd44325b8938e2a82a19d9ca28a3b9
Instruction ID: 0852e3502379d613a5d1b768d664123912b0ff38052a7566a4d89faceb3b7630
Opcode Fuzzy Hash: 165d76055aa5fb665caec61e2295baa707bd44325b8938e2a82a19d9ca28a3b9
Instruction Fuzzy Hash: 82F13AB2F0E55E4AE775B7A8A8695F93790EF49320F0502B7C04DCB1E3DD2869468BD0

Function 00007FFD9B8C0279 Relevance: 2.9, Strings: 2, Instructions: 371COMMON

Download Yara Rule

Strings

x61\, xrefs: 00007FFD9B8C03D2
`]1\, xrefs: 00007FFD9B8C0536

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\$x61\
API String ID: 0-532518799
Opcode ID: 25cb3e7657162745e88c78e31cec03b39f98d68f527d87efd6145e654741d6f5
Instruction ID: bcd48a1b677b55272549e36e332ddd2f83ae284826178f56ea46ac6bdfccefe7
Opcode Fuzzy Hash: 25cb3e7657162745e88c78e31cec03b39f98d68f527d87efd6145e654741d6f5
Instruction Fuzzy Hash: 71B17A61B1DA8D4FE769E7B858626F97BE0EF4A310F0401FAE09DC71D7DC1869068742

Function 00007FFD9B8BEAC0 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BED4C
]1\, xrefs: 00007FFD9B8BEB5D

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\$]1\
API String ID: 0-770769632
Opcode ID: 8c26e7a6320d1ceb7882fad030462d0c40a72fb9a414b418777a46fb18f2eb42
Instruction ID: ca36f7a5cb8c33e87d1408a7fd6912b360142b687406af4b8467e49217c98105
Opcode Fuzzy Hash: 8c26e7a6320d1ceb7882fad030462d0c40a72fb9a414b418777a46fb18f2eb42
Instruction Fuzzy Hash: ABA12360A1E9A91FE391F7B8447B9FABBD1DF49201B0408F9D0DAC71A7DC19A8438742

Function 00007FFD9B8BEAF8 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BED4C
]1\, xrefs: 00007FFD9B8BEB5D

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\$]1\
API String ID: 0-770769632
Opcode ID: 5c06b713713d00d2895f8b6aab022b609c4f15a84043d1656a75447cc949c732
Instruction ID: e6fbbc2acfff7e48e271ec0afbfe98d91cd2bafa6c5d9a5c7d5546f18386458b
Opcode Fuzzy Hash: 5c06b713713d00d2895f8b6aab022b609c4f15a84043d1656a75447cc949c732
Instruction Fuzzy Hash: 66A10560A1E9E91FE395B7B8447B5BABFD1DF4A201B0408FDD0DAC71A7DC19A8438742

Function 00007FFD9B8BDA68 Relevance: 2.8, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C5181
0 2\, xrefs: 00007FFD9B8C516C

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 0 2\$`]1\
API String ID: 0-3128759188
Opcode ID: 507d1f8f59b4a9b30dbc74184faeed45e17889c1e694fbf4430abb626add3182
Instruction ID: 04e6d3fb40db3b2eb12487a4c3ad9005321623d71510ac977fdb218b12be5503
Opcode Fuzzy Hash: 507d1f8f59b4a9b30dbc74184faeed45e17889c1e694fbf4430abb626add3182
Instruction Fuzzy Hash: 01A15671B0D94D0FEB68FBA898625F97BD0EF49310F0501BED44AC71E7DE2968028782

Function 00007FFD9B8D000D Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D01ED
`]1\, xrefs: 00007FFD9B8D0184

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\$`]1\
API String ID: 0-3465727038
Opcode ID: 6e28d62a8fbc563e3be9510f29c79933da59cb012dfc12142c692d697387c133
Instruction ID: 5170b980d182d9d9572888e024461840ffac7314c0e468b8eda64b96763da47b
Opcode Fuzzy Hash: 6e28d62a8fbc563e3be9510f29c79933da59cb012dfc12142c692d697387c133
Instruction Fuzzy Hash: 09615A31A1EA495FD766D77894366F9BBE1EF89310B0502FBD049C72E2C9286902C742

Function 00007FFD9B8B30FA Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

x61\, xrefs: 00007FFD9B8B31E6
71\, xrefs: 00007FFD9B8B3272

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 71\$x61\
API String ID: 0-2147756283
Opcode ID: 2abbb3416cbfefc99dab0872075761db14d569ee78e17adce9986633f23b31d4
Instruction ID: 3346a7ba04e45bf3002585e24af7b5defdc9ad52dfcb3ae3c9e1aa710f67c248
Opcode Fuzzy Hash: 2abbb3416cbfefc99dab0872075761db14d569ee78e17adce9986633f23b31d4
Instruction Fuzzy Hash: 69613B25B0FAAB5FE762DBBC58A50F53FA0EF4631174500BBD049C71A3EE1469068BD1

Function 00007FFD9B8CFAE0 Relevance: 2.7, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

IJ_^, xrefs: 00007FFD9B8CFB01
`]1\, xrefs: 00007FFD9B8CFC64

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: IJ_^$`]1\
API String ID: 0-16733767
Opcode ID: 50b1b6b9fb3e6c67fce7b75a013e395f8d331ce9584114d2d2a066ffecaf0869
Instruction ID: 8b796daa4d7735e868d968c35783ae6b2d243810b51e7d22af43fb4cfc0f562d
Opcode Fuzzy Hash: 50b1b6b9fb3e6c67fce7b75a013e395f8d331ce9584114d2d2a066ffecaf0869
Instruction Fuzzy Hash: C0513471B0EA594FE795EBAC94756F9B7E1EFA8310B0841BBD04DC32E2DE1468068341

Function 00007FFD9B8BFBB1 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

x\1\, xrefs: 00007FFD9B8BFCA7
p\1\, xrefs: 00007FFD9B8BFC2E

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: p\1\$x\1\
API String ID: 0-983014294
Opcode ID: ad88d146d27ffc51cd0dd72f667d14196a22173ff3bcdc862709be9d60fcb4ab
Instruction ID: 38a192ab9e65da7a3c277bf2edb7a67680a30aeef83f0db9c75cf16027a1a4de
Opcode Fuzzy Hash: ad88d146d27ffc51cd0dd72f667d14196a22173ff3bcdc862709be9d60fcb4ab
Instruction Fuzzy Hash: 1031F85090E5D95FD31AE3B85876AF97FE0EF46340F0845EAD4A98B0E3D9581506C702

Function 00007FFD9B8C0965 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

h^1\, xrefs: 00007FFD9B8C0A70

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: h^1\
API String ID: 0-494147879
Opcode ID: 094e9faf267dd180a20d8ac9588385c356404a912351916e2bccfda490a45803
Instruction ID: a63468bbd6830e0b27af06b034f881ce27ed48ba46e5d93ad162659fdf9016a5
Opcode Fuzzy Hash: 094e9faf267dd180a20d8ac9588385c356404a912351916e2bccfda490a45803
Instruction Fuzzy Hash: 51C1B871B2D95D4FEB98FB6894B56B877D2EF9C744B0500BAD01DC32E7DE28A8028741

Function 00007FFD9B8D052D Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D072B

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 3b62fc5a789b5f6c3ed9a5a0275e4028a5b494196423d99058b61d31e21643ff
Instruction ID: 6b27ccbc7a3399d37e979309251ca3ebfe507b88d33163db39633569f07f42e2
Opcode Fuzzy Hash: 3b62fc5a789b5f6c3ed9a5a0275e4028a5b494196423d99058b61d31e21643ff
Instruction Fuzzy Hash: 76817831E1EA8D4FE764DB6894764F97BE0EF98310B1503BBD449C71A3DD28A942C781

Function 00007FFD9B8C3489 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C36A4

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 358f72d5e938413f2e377453fad77fd5bd6d0cd4eb0671e1ee0610840c727ea8
Instruction ID: 34207659fabfa666f155e4eabd196fae5d7c69a80ed77eaa18ae7e34eafa71d0
Opcode Fuzzy Hash: 358f72d5e938413f2e377453fad77fd5bd6d0cd4eb0671e1ee0610840c727ea8
Instruction Fuzzy Hash: 5E814A61F0EA4A4FE765E77898666B9BBE1EF59300F0501FBD049C72E7DD28AC068341

Function 00007FFD9B8CDE58 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CE038

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 76f212e0ee4ffa1cc3328bdb70a3fdcec2af241fedea15b6e9c59be833146666
Instruction ID: 5fba96e145a1f3d6fe217e8ea57a851b8b53ec4d36744788631486618cf9e534
Opcode Fuzzy Hash: 76f212e0ee4ffa1cc3328bdb70a3fdcec2af241fedea15b6e9c59be833146666
Instruction Fuzzy Hash: 8091E57190E7CA4FD71BAB7498615A57FA0EF17350B1E02EBC084CB1F7DA286846C762

Function 00007FFD9B8BAE60 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CC0F4

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: df6d00ec022f10a92b139d0caa650348f4eacf7bbc06cbb2658a9515eb3f6a42
Instruction ID: e84d17eed8a962c60ac2d0c6b266ad6f3a8a02888a257b5af36c72932f26ccb2
Opcode Fuzzy Hash: df6d00ec022f10a92b139d0caa650348f4eacf7bbc06cbb2658a9515eb3f6a42
Instruction Fuzzy Hash: 5E71FA71B19D1D4FDBA8EB5C98656B9B7D2EF9C310F0441BBD44DC32E6DE24A8028781

Function 00007FFD9B8CD9C6 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

#2\, xrefs: 00007FFD9B8CD9B7

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: #2\
API String ID: 0-886096181
Opcode ID: be8280f07387e1dc4bf2d9496a4ed621833ff425718fc19bc62368e97c6281f9
Instruction ID: c0125a99e0f31e9cd436f6af04801ffdab2931dd2a62a50fdcf697baa1f7f91b
Opcode Fuzzy Hash: be8280f07387e1dc4bf2d9496a4ed621833ff425718fc19bc62368e97c6281f9
Instruction Fuzzy Hash: B2717070B0994D8FDBA8FF688461AB973E2FF98304B1545B9D41DC72AACE35E802C741

Function 00007FFD9B8D02D5 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D0454

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 8508ed99cb83ce0e597305c42d732b242d4cce14207cc28b6b2004dded9fa243
Instruction ID: 8ffd8c867241d639fdf6454944656160af0206dce3efb10fdef6fcceccd3a15e
Opcode Fuzzy Hash: 8508ed99cb83ce0e597305c42d732b242d4cce14207cc28b6b2004dded9fa243
Instruction Fuzzy Hash: 95615931A1EA494FDB69DBA858326FA7BE1EF99710F0542BBD049C72E2CD186902C741

Function 00007FFD9B8CC5E0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CF584

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 9c72589071d576ee69a7603aed437d9c13587e0c5d64a9250d7b30603257f5b2
Instruction ID: 8e9bed7609812d055e07abed83afa9da4dcec61b155d61894e83d84036b584a8
Opcode Fuzzy Hash: 9c72589071d576ee69a7603aed437d9c13587e0c5d64a9250d7b30603257f5b2
Instruction Fuzzy Hash: 9D513971F09A4D4FEBA5EB6894666F9B7E1EF9C310F0401BBD049C32E2DE14A8068741

Function 00007FFD9B8CFDB5 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CFF34

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: e1d18ba37f4bb6d42623c694cb0978d420f53adedbb2223d1dc62b17582884dc
Instruction ID: c9ec5db0c4cd8b66565b141d6769c4256f4288d873f1f63a435847d4379563db
Opcode Fuzzy Hash: e1d18ba37f4bb6d42623c694cb0978d420f53adedbb2223d1dc62b17582884dc
Instruction Fuzzy Hash: E2517971F0DA894FEB65EB6858266F9BBE1EF59310B0501BBD04DC72E3CE186906C741

Function 00007FFD9B8C3235 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C327A

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 5480a0b852f59d28cc7218549fc3b1f5f6efabbb4f7cb8a2c74c213ef0dcaacf
Instruction ID: 17d551f47fab725a6669864f719c914e0955bb0a9a36c8b662ffb25d8c8937f2
Opcode Fuzzy Hash: 5480a0b852f59d28cc7218549fc3b1f5f6efabbb4f7cb8a2c74c213ef0dcaacf
Instruction Fuzzy Hash: C1512761B0E95E0FE765B7B858671F97BD1DF8A310B0501BAD45EC71E3DD1868038382

Function 00007FFD9B8C3056 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C31AB

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 6e122647580f536a3a4eb18ca8ceb214efa037577ac3228cc89f4f4f470d0cba
Instruction ID: 92b9e737d0ecfd4516b7513261a33baf301b963e5a66974df5295c5389eed61b
Opcode Fuzzy Hash: 6e122647580f536a3a4eb18ca8ceb214efa037577ac3228cc89f4f4f470d0cba
Instruction Fuzzy Hash: AB51587190EBC90FD793DBB894655E57FE1EF5A310B0941EBD488CB1A3C9198847C742

Function 00007FFD9B8CBFA5 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CC0F4

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: c25580baab71dfc3728987cdb0605bf7a09fc48921eb23d9a6a1c5fc4e4a26b6
Instruction ID: 729387971fcaade8b260b790bf56395c66773bdcf6d71d36a8e4698107ce0765
Opcode Fuzzy Hash: c25580baab71dfc3728987cdb0605bf7a09fc48921eb23d9a6a1c5fc4e4a26b6
Instruction Fuzzy Hash: E151EA71F19A1D4FEBA5EB6C94656F9B7E1EF9C300F0541BBD00DC32A6DD24A8028781

Function 00007FFD9B8CF448 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8CF584

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: d6955bc02497ef5d0a36ece5d42dfaab7cf3356549d14027bafdd0add481143a
Instruction ID: a0c55b14e06a3ea44efe3fec1644aac223d2656c522e288be5bc65f751dab5bf
Opcode Fuzzy Hash: d6955bc02497ef5d0a36ece5d42dfaab7cf3356549d14027bafdd0add481143a
Instruction Fuzzy Hash: A8513971F09A0D4FEB95EB6C94656B9B7E1EF9C310F0441BBD049C32E2DE24A8068741

Function 00007FFD9B8D0922 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D0A6B

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 2ac6eb06d6ee53f4b283ec6cca9a72b80bc999e5677940b4e32ab771aeefd1b2
Instruction ID: 45d5f7e94a6291bc802a19f813cc543960e4c5339d31ecae2b27dcc94c29c464
Opcode Fuzzy Hash: 2ac6eb06d6ee53f4b283ec6cca9a72b80bc999e5677940b4e32ab771aeefd1b2
Instruction Fuzzy Hash: 16518B31E1EA9E0FD765DBBC94615E9BBE0EF99710B0846FFC048CB1A3C9109946C382

Function 00007FFD9B8D1499 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

)J_H, xrefs: 00007FFD9B8D1543

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: )J_H
API String ID: 0-3294084999
Opcode ID: f62aa25b01573123e4789d38ba69c5838b64c67d10f08edd866d8389ed34f2ff
Instruction ID: 23dfd2aa47743a9787cab8bab35794e6f3eae7780c0fe7580f205202379d9709
Opcode Fuzzy Hash: f62aa25b01573123e4789d38ba69c5838b64c67d10f08edd866d8389ed34f2ff
Instruction Fuzzy Hash: E151095160FBC65FD356D7BC08A60A57FE1EF8B25030986FBD089CB1B3D919680AC341

Function 00007FFD9B8D0AF5 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D0C0B

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 985b09ef405601663e772e3061291167a197c0e0b663eefbc5c7f17d7c8d17a3
Instruction ID: c4b07bec9348875c34cae3ae2a0313e6266f7dd50718146f399c0a54aa9bedff
Opcode Fuzzy Hash: 985b09ef405601663e772e3061291167a197c0e0b663eefbc5c7f17d7c8d17a3
Instruction Fuzzy Hash: A6517B31E1EA8D4FD765DBA894654E9BBE1EF9D310B0943FFC048C71A3C9249946C782

Function 00007FFD9B8D0C95 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D0DAB

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 4083dc21ea4a17de290f25f86dd51f05196007f4b49aaf1f2b432f1611f73a30
Instruction ID: 9de653d13b906bf88355e3f643889f06f78a518ac4ac85f628f401d08205903a
Opcode Fuzzy Hash: 4083dc21ea4a17de290f25f86dd51f05196007f4b49aaf1f2b432f1611f73a30
Instruction Fuzzy Hash: F1517732A0EA8D4FD7A5DB7884614E9BBE0EF59300B0842FFD049C71A3CD24A946C782

Function 00007FFD9B8D0955 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D0A6B

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: f99d63a745cfa1ec8920d5e6f0d4d59d2db1aaec963b83be05a8a25f907c0f42
Instruction ID: b37614c4728f283639451c382f7ee1daef90398c6de305aa9b89752500c09248
Opcode Fuzzy Hash: f99d63a745cfa1ec8920d5e6f0d4d59d2db1aaec963b83be05a8a25f907c0f42
Instruction Fuzzy Hash: 63516931E0EACE4FE765DB7854725E97FE0EF99710B0942EBC048CB1A3C9249986C781

Function 00007FFD9B8D07B5 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8D08CB

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 080a1815cb35881120e5e92aa5d81b34514fa36aade7eb0c5f1d0eb5950d5c94
Instruction ID: 1845b692bdcb7095a43d8cd62f67875391dce623870d565cce31750484b673a9
Opcode Fuzzy Hash: 080a1815cb35881120e5e92aa5d81b34514fa36aade7eb0c5f1d0eb5950d5c94
Instruction Fuzzy Hash: F8515931A1EA8D4FD765DB7888664E97FE0EF89710B0542FBD049CB1A3C9249986C781

Function 00007FFD9B8BAAD3 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BAB70

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 1687c75aed9c2504b4279824b248be5289fa756128abf96b0813c6282b4c68e4
Instruction ID: eb267ed0cbb7df004023d023690fa6c49fdb5a464bdf8c0bd9e94c854df0fdc9
Opcode Fuzzy Hash: 1687c75aed9c2504b4279824b248be5289fa756128abf96b0813c6282b4c68e4
Instruction Fuzzy Hash: 1341587270EA6E6FE666B7BCA8611EC7B60EF8532070501F7D058CB193DD2816478BD1

Function 00007FFD9B8BA1FB Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BA323

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 852224adf157e467f98547125fc9b0060342097ca49af0f949678dcdb150b3a2
Instruction ID: d7e1da38c0edd95ca1e78a0b930a0458d78fb1a2f0970d78f9f9ab10b43eab79
Opcode Fuzzy Hash: 852224adf157e467f98547125fc9b0060342097ca49af0f949678dcdb150b3a2
Instruction Fuzzy Hash: F641F37190F7CA1FE32797748C6A5A57FA0DF03260B0902EAD095CB0F3E9696816C752

Function 00007FFD9B8BF5F0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C4252

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 6f287c14d53562143bd37948f952207f287abc0efde0362f5e83aca2b74b8d3e
Instruction ID: 9b347d7b5427a651fa9f10b53f417e01099a2bcc6fcd1dae7df55adffbb1f6c4
Opcode Fuzzy Hash: 6f287c14d53562143bd37948f952207f287abc0efde0362f5e83aca2b74b8d3e
Instruction Fuzzy Hash: DD515E30A0E55A4FE7A5FBB8C4A65B47BA0EF09310B1905FBD498CB0F7CA18B945C791

Function 00007FFD9B8C6835 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

`"2\, xrefs: 00007FFD9B8CAD15

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `"2\
API String ID: 0-2919691071
Opcode ID: f8bbff6923d0977ca7a270cd4a20ad31ca09e535832911e6688c9eb2e23b8884
Instruction ID: 02425dc433cabfd9024030141a2a1886b2683f63925efe277d0c0b3ecaecedc7
Opcode Fuzzy Hash: f8bbff6923d0977ca7a270cd4a20ad31ca09e535832911e6688c9eb2e23b8884
Instruction Fuzzy Hash: 2941F896A0F7D65FE316A7B868B54E43FA0DF56268B0A41F7C0C88B0E3DD18154A8352

Function 00007FFD9B8BB835 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BB87D

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\
API String ID: 0-1100142508
Opcode ID: 73b36d034b0149790d30ed865f8bbe150baccee6a9dd0e49cb91c60edd8e1aad
Instruction ID: 53a11ac69b7dc6b8ef7a2228e4944537cff2bd19cd78c993162769e0b41ff4ee
Opcode Fuzzy Hash: 73b36d034b0149790d30ed865f8bbe150baccee6a9dd0e49cb91c60edd8e1aad
Instruction Fuzzy Hash: E0316D31B0EA9D5FD765EBB818660F97BD1DF8A31070500FED089C71A3CC1868138782

Function 00007FFD9B8C179D Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C17AF

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 4799e746bd94702266f0333db1d1c187b5667948f9dfc116a65ccef7d47c8d13
Instruction ID: 5940846849c7a07dc728843f377069e5de804b6aef65edfb76463cc445b822aa
Opcode Fuzzy Hash: 4799e746bd94702266f0333db1d1c187b5667948f9dfc116a65ccef7d47c8d13
Instruction Fuzzy Hash: 72411360B0E98D4FE749FB7844AA5B9BBE1DF5930071444FED48ACB2A7CD29A803C705

Function 00007FFD9B8BB291 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BB2DD

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\
API String ID: 0-1100142508
Opcode ID: bc86135ea29d9f4118a9e1f9d29e153632c63e43179cb61b87394e5dda290390
Instruction ID: 7682d9c53583971809a557ae3e99073c3a6fb71bdc4488d95610419413e94b4d
Opcode Fuzzy Hash: bc86135ea29d9f4118a9e1f9d29e153632c63e43179cb61b87394e5dda290390
Instruction Fuzzy Hash: BE314E31B1EA994FD766AB7818674B97FD1EF4A31070500FED049C71A3DD1868138782

Function 00007FFD9B8BAC95 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

]1\, xrefs: 00007FFD9B8BACDD

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ]1\
API String ID: 0-1100142508
Opcode ID: 4a3f6aa85f43570ca68f6725682e5c8009fc7765b3b27f4177aecca7ef75735d
Instruction ID: ed5854cd8f5ca321475ab529289e222bc075ee396c5a28cab8301078ae2fce8a
Opcode Fuzzy Hash: 4a3f6aa85f43570ca68f6725682e5c8009fc7765b3b27f4177aecca7ef75735d
Instruction Fuzzy Hash: 5C315B31B0ED9D5FE369E7B818660F97BD1DF8A32070500EED089C31A3DD1868138782

Function 00007FFD9B8C812A Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

H"2\, xrefs: 00007FFD9B8C81C5

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H"2\
API String ID: 0-3414193390
Opcode ID: c9b2e9008f8f577e095579eeacd15343ac3d1a1f61cab5ba4c8be5ebb3258b67
Instruction ID: edefe9ccda4c640750504abca49153e75067e71ec4e96bd7696b66f68b0963e7
Opcode Fuzzy Hash: c9b2e9008f8f577e095579eeacd15343ac3d1a1f61cab5ba4c8be5ebb3258b67
Instruction Fuzzy Hash: 6741B674618A4E8FDB88EF18C4A0AB577E2FF9C310B5446A9D41DC729ADA31EC43CB40

Function 00007FFD9B8BFAA9 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BFAD8

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 89b038ddee82b9ce887b7ab710b90d875a0b9cba36b5c9516d4d3817ea378ee4
Instruction ID: 522c72bd6543e8a4e225842c8ba5cc4078afd87f813681502fe1381e3dd6745e
Opcode Fuzzy Hash: 89b038ddee82b9ce887b7ab710b90d875a0b9cba36b5c9516d4d3817ea378ee4
Instruction Fuzzy Hash: 9F21263190E6EA1FE322A7B848A64FABFE0DE4721070804EAD485C7063D5196817C792

Function 00007FFD9B8BC1F1 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BC236

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 2b37efaae71fd025492dd175e8a8067682ac5c37ab317926898e351fc31c8d2f
Instruction ID: f97f4ca9e69e7dd049c29564c35d925ca5427dd48085b57fa3f911855ee741d8
Opcode Fuzzy Hash: 2b37efaae71fd025492dd175e8a8067682ac5c37ab317926898e351fc31c8d2f
Instruction Fuzzy Hash: BA11082050F6DD1FE31AA3B8A86A9F67FA4EF87220B0501EFE0D9C60B3D5591556CB81

Function 00007FFD9B8BC25D Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8BC236

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 3d5171b8580f2ab0c9045ea89af8457feae746f40eb936bd725bc6a65e7735e7
Instruction ID: 9c74694732c8bce614f6b93b44524cb42652f9cac3fb942d1b6350e68ab25da0
Opcode Fuzzy Hash: 3d5171b8580f2ab0c9045ea89af8457feae746f40eb936bd725bc6a65e7735e7
Instruction Fuzzy Hash: 5011B21094F7E90FE76693B858BA5E93FE0AF4B210B0A44EBD0C5CB0B3D5495547CB82

Function 00007FFD9B8C6815 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

`"2\, xrefs: 00007FFD9B8CAD15

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `"2\
API String ID: 0-2919691071
Opcode ID: 29745bba1201a14fa83f6dbe99581aac2eab92d9c39e53ecb1623fd1ac845a43
Instruction ID: ef243ac3f9d6b7ce0a8af081b2a3b433ee5d97ddd5eb40f81220a92e1b57ef0a
Opcode Fuzzy Hash: 29745bba1201a14fa83f6dbe99581aac2eab92d9c39e53ecb1623fd1ac845a43
Instruction Fuzzy Hash: 4E01D26051F7C81FD757A77848755A47FF0EF57244B0A04EBD0C8CB0A3D9284649C312

Function 00007FFD9B8BEFFA Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

TK_^, xrefs: 00007FFD9B8BF001

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: TK_^
API String ID: 0-2819889312
Opcode ID: 8ac4fb32a7de1f9a3939c6242cd86a29d7b8c69cb554b8de694435fb342c617d
Instruction ID: e4e900b2902141e17e1d885f717e9dbc725cac41d8b2d9704102641382238dca
Opcode Fuzzy Hash: 8ac4fb32a7de1f9a3939c6242cd86a29d7b8c69cb554b8de694435fb342c617d
Instruction Fuzzy Hash: B6F0CD21A5F2AD4FE75137F418720E97764FF56201B062973F04DC64E3DD18260546E3

Function 00007FFD9B8C4DE4 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

x61\, xrefs: 00007FFD9B8C4E09

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: x61\
API String ID: 0-195679264
Opcode ID: f47cf02e16506689127afabbf5c25e2cbdb10e5b027dde63f9d55474ee49c8e4
Instruction ID: 8a7c11710337aba66a13f5a7dac161bd15d6e0a2aac42ffbbb20ba843df13331
Opcode Fuzzy Hash: f47cf02e16506689127afabbf5c25e2cbdb10e5b027dde63f9d55474ee49c8e4
Instruction Fuzzy Hash: EDF09A32A0D6198FDF04EB88E8929E8B7B0FF59320B090096C049AB112C621F982CBC0

Function 00007FFD9B8BDAE8 Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb7256db108d6217561049624d8c82846f8bba6d6c618d43c79d67184cb5a4c
Instruction ID: 0318db3d749d3a9ff5090ac3e75e75299d587a0b1d6cf53ac8253985b305afca
Opcode Fuzzy Hash: dfb7256db108d6217561049624d8c82846f8bba6d6c618d43c79d67184cb5a4c
Instruction Fuzzy Hash: C7427570B18A1D8FDB58EF58C895AB9B3E2FF98300F104579D44ED7299DA34B942CB81

Function 00007FFD9B8C8899 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8207561c19a502734601d012dccb68b9a8285e5ac54a3cb8715cd4955d3a286a
Instruction ID: 11663e8f52ac7458440c3556c67fd121cd7689c33edce6a36679c4c4fcbe8fcf
Opcode Fuzzy Hash: 8207561c19a502734601d012dccb68b9a8285e5ac54a3cb8715cd4955d3a286a
Instruction Fuzzy Hash: E6D17B51B0EACA0FE75AA77C58626B57BD1EF9A250B0941FFD08DC71D7ED1868078302

Function 00007FFD9B8C9E01 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b4aaa6fadd25f45a51147dfb0b31920e063b691c4c36c4c4c56367d47cbec9
Instruction ID: dffa4572f0baf496bff79f6b63b4a40e5f7bb03efb3a65b58df10f45ec3f683c
Opcode Fuzzy Hash: 77b4aaa6fadd25f45a51147dfb0b31920e063b691c4c36c4c4c56367d47cbec9
Instruction Fuzzy Hash: FFD1B870A19A1D8FDB58EF58C8956B9B3E1FB98300F10457AC44EC725ADE35A982CB81

Function 00007FFD9B8B6629 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd82b019d936d4b2cb0d5f82c281700404cbc8d41043d2c1241a2ea8c6d550ce
Instruction ID: b219641ff57942f7e925eb6d24f264dece048f91ab8b44a3c9c80207edddf1c1
Opcode Fuzzy Hash: cd82b019d936d4b2cb0d5f82c281700404cbc8d41043d2c1241a2ea8c6d550ce
Instruction Fuzzy Hash: 31D1D470A08A8D8FEBA8DF28C8557E977D1FF59310F04426EE85DC7295CB34E9458B82

Function 00007FFD9B8B74E6 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6b9fcdcee7e524819ba91423fc7536e590c340eee15c7b2da4a536c1be532b
Instruction ID: be88bb808b1049107e0a496f595f70ab3ae66345c0f3be45c4545459ff7eb996
Opcode Fuzzy Hash: cd6b9fcdcee7e524819ba91423fc7536e590c340eee15c7b2da4a536c1be532b
Instruction Fuzzy Hash: 72B1B230609B4D4FEB69DF28C8557E93BD1EF59310F14426EE84DC7296CA34A9458B82

Function 00007FFD9B8C3CF8 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332c07c920d2253621f50a36d132f1b04f7257a5e9d13e39ac742b378cf2502c
Instruction ID: 0d13d9d808aae96e08f749389caea95a9b9653a4ef592cfbc10ef888e2b0a8f9
Opcode Fuzzy Hash: 332c07c920d2253621f50a36d132f1b04f7257a5e9d13e39ac742b378cf2502c
Instruction Fuzzy Hash: 2CA13671A0E58D4FEB75EB68D4665F97BA0EF4A310F0501FBD049CB1A2DB24AA06C781

Function 00007FFD9B8BDC88 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e759f7dce0711113577fa77395904091fec56a99dd2d90f79f621586bf68b8
Instruction ID: b48c3ab6b5442be202db521678f0895afe4763d435dc155dfa9a8a518d1f364e
Opcode Fuzzy Hash: 57e759f7dce0711113577fa77395904091fec56a99dd2d90f79f621586bf68b8
Instruction Fuzzy Hash: 07615A71A0E69D4EE326A7B498215F97BF0EF86320F1502B7D0DCCB0E7DD28560A4792

Function 00007FFD9B8BA348 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f663ef45e4f87f1dfa3bbf18d7c84b9df4cee98675f3d2491df55a7aa099c111
Instruction ID: bbdec658cbcf0f6fec7178ce953955f079fda924a087481d4e7b7fa0ddeb9da7
Opcode Fuzzy Hash: f663ef45e4f87f1dfa3bbf18d7c84b9df4cee98675f3d2491df55a7aa099c111
Instruction Fuzzy Hash: BD514471F0E99E1FEB68DB7864649B97BD2EF5874070401FEE049872EBDD34A8068780

Function 00007FFD9B8C69D2 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a002d4d5e3c68ba5d532bc60ad0d50985e830c6869c84636c0e4efd5e152e94
Instruction ID: 107e855d03513d8b789e91cb929c24b306c4b20e67fcde1eb8d0c050b8edab7d
Opcode Fuzzy Hash: 0a002d4d5e3c68ba5d532bc60ad0d50985e830c6869c84636c0e4efd5e152e94
Instruction Fuzzy Hash: 525107D3F0F69A5EF76677A868751F43BA0EFA9724B0A41B3C09C8B0E3EC14290A4551

Function 00007FFD9B8C1125 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da881c1fb8072b187b33b854b842f1ecb00ad13233ab8ba63746adf1d56771e3
Instruction ID: 80c8cc66ef4b3023fe59de957cdf1f35c419ceb271941157e1ed2c9f0f7b026f
Opcode Fuzzy Hash: da881c1fb8072b187b33b854b842f1ecb00ad13233ab8ba63746adf1d56771e3
Instruction Fuzzy Hash: 6951EA71A0EA8E4FDF95FF6858B65B83FE1EF99340F0601ABE09CC32B2D95555018741

Function 00007FFD9B8B400C Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00601e0e7a529ba0b81bdd79cf43560c16a2c9206cdc62b52ac9f3f1b4a50af
Instruction ID: c6708d95b570d8eaa4fe5c6975e84fad6ebf1e9e932f33d6339a3f7b884fa332
Opcode Fuzzy Hash: c00601e0e7a529ba0b81bdd79cf43560c16a2c9206cdc62b52ac9f3f1b4a50af
Instruction Fuzzy Hash: E8519331D08A1C8FDB68DB58D855BE9BBF1FF59310F0482AAD00DD3292DE34A9858F81

Function 00007FFD9B8C0F70 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8936494741442daefc3402fb9f16edd1227de0e4abfd19932384c1ada4b28cf8
Instruction ID: d2f36c7f8069173dfb0f444abb5ecaa52838faf9616a9d4820b2276ddc4c209e
Opcode Fuzzy Hash: 8936494741442daefc3402fb9f16edd1227de0e4abfd19932384c1ada4b28cf8
Instruction Fuzzy Hash: C3511871B1DA5D4FE765B7A898666F9B7E1EF89320F0501BBD04DC31A3DD146C028781

Function 00007FFD9B8CD062 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a323c78e49f864355745acf1531e53d3c839f90d3695a4884fd335387d03ce15
Instruction ID: e707a7d228a4d99db716f936e819008b9266fbf7b0eef548c2ae47fa54f16e78
Opcode Fuzzy Hash: a323c78e49f864355745acf1531e53d3c839f90d3695a4884fd335387d03ce15
Instruction Fuzzy Hash: CB51B93460898E8FDB48EF58C4A1AFA77E1FF99310F1445AAD459C729ACA35E853CB40

Function 00007FFD9B8C9ADA Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c77190945fef46c54e44695aa66c812e36104743565c818d639233097ee6a24
Instruction ID: 9895c7bea21d816fe6c215b0588e74e7faaf4322d31b66175a0b8617b4611038
Opcode Fuzzy Hash: 0c77190945fef46c54e44695aa66c812e36104743565c818d639233097ee6a24
Instruction Fuzzy Hash: C9416D71E0DE4D4FEB69EB68981A6B977E0EF5A320F0402BFD44DD31A6DD24684283C1

Function 00007FFD9B8C0E9D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b14b444752fa114bc3efd72040b3c6ef61b2dacac916081d978a1879a172436
Instruction ID: 757c1b58067f821acacf3b3c269d1345c6f4c52d7422b0ae093479beda36723e
Opcode Fuzzy Hash: 1b14b444752fa114bc3efd72040b3c6ef61b2dacac916081d978a1879a172436
Instruction Fuzzy Hash: 1251D3A956F2CA6FD76367B41C709B37FB8CE47265B1900EBE0D4CA0A3D5481916C363

Function 00007FFD9B8C6A70 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b415bfaeab89352b75157cc3bd3bb16c3ce48bcd9fda1b68e0055771fc797e
Instruction ID: a4db7b985a1703f0c6d20c121b4401d0769d11a5f5e7f6f64d7545363dbc9199
Opcode Fuzzy Hash: e3b415bfaeab89352b75157cc3bd3bb16c3ce48bcd9fda1b68e0055771fc797e
Instruction Fuzzy Hash: D05108A2A0F6D94FE72667B458751F47BA0EF5A324F0A41F7D09CCB0E3D8195A0A8351

Function 00007FFD9B8C2E05 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67a6dfaa4eec8ccf4a7993378daf1edd85e03ebd0565031f19c6281fcc0c9d2
Instruction ID: 7f7369dd49320a5013d7363a6f23c90a02c19a84edca32d61c592eea0ec6b9b4
Opcode Fuzzy Hash: e67a6dfaa4eec8ccf4a7993378daf1edd85e03ebd0565031f19c6281fcc0c9d2
Instruction Fuzzy Hash: 6B51C6B0B1AA8E8FD7A6EBF884656B87BE0EF59310F4541FBD009D71E2CE585901C741

Function 00007FFD9B8C4F8E Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5c3bcf17d148c885f05d3c5efcc19d7c739265e46c1055fac1fc2048adb92b
Instruction ID: d1f3dc8ae2e7693ad8e9b73b49e065ed51695f5ddaacc376b813f4d8a05c97fd
Opcode Fuzzy Hash: 2e5c3bcf17d148c885f05d3c5efcc19d7c739265e46c1055fac1fc2048adb92b
Instruction Fuzzy Hash: E3512C71E0E64D4FEBB4EBA488625F87BE0EF09310F0501BED44DD71E2DE2869068781

Function 00007FFD9B8BFFAD Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a570ca2739b9aa271178debffa0908a7e9c5279fad7dd551a5e3853d8b1ea2b
Instruction ID: c5fc3793ac51acb92400a8b3e4424a8805f8c8fd87dde1c96e735b69c0c6bea9
Opcode Fuzzy Hash: 3a570ca2739b9aa271178debffa0908a7e9c5279fad7dd551a5e3853d8b1ea2b
Instruction Fuzzy Hash: 0B414330B1C92D8FEB5CEBACE4519B8B3E1EB98310F114179E00DD7297DD24A8828BC4

Function 00007FFD9B8C1195 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9875254c79743ea8285e65cbed5452c0322ef871f7574ac7295cd196b974b7
Instruction ID: 52936136cb6039eee126e1c94392175a261f9ef589e960e07c0cfe1fa08ef3fd
Opcode Fuzzy Hash: 8d9875254c79743ea8285e65cbed5452c0322ef871f7574ac7295cd196b974b7
Instruction Fuzzy Hash: DF41CB72B0DA4E4FEF95FF6858B65B83BE1EF9D300B06006AE49CC32A2DE6559018741

Function 00007FFD9B8BE231 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dd352080fc5311685bcba4a2d7ae37b50349487c1dd4cd8c99407db5251359
Instruction ID: a535c8c03ef0267aa399fb06e3c5713a19857150fed9f5afcb0567c6c0d01254
Opcode Fuzzy Hash: 00dd352080fc5311685bcba4a2d7ae37b50349487c1dd4cd8c99407db5251359
Instruction Fuzzy Hash: DE415B21A0E6EE0FEBA2A7B808765EA7FD1DF4E315F0409FAD48CC35D7D90958168781

Function 00007FFD9B8C6810 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81eced5ab8de46755486b23676a3af129949ede2e7aaf2d0c846ae15a4e652af
Instruction ID: dab32d56e39e3ec05251148f625a018c19d3b247dd11aaea5f05a3a9e6b91483
Opcode Fuzzy Hash: 81eced5ab8de46755486b23676a3af129949ede2e7aaf2d0c846ae15a4e652af
Instruction Fuzzy Hash: 8441D475A0E59D0FE765ABA858216F57BE0EF4A320F0601B7D49CC71E3DD1D6B0A8382

Function 00007FFD9B8C157D Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252d5449cddfa749bcd6205d104505efd2bedb359543fb3479754373ef21eb45
Instruction ID: 7857abd80dc193be8d5c4db8d0c67d236ec4a5b96ab36a6b18c8ed71c8b17528
Opcode Fuzzy Hash: 252d5449cddfa749bcd6205d104505efd2bedb359543fb3479754373ef21eb45
Instruction Fuzzy Hash: 9B41697160D6CD5FD756EB6888615F63FE1EF8B320B0400ABD08AC71A7CA296806C341

Function 00007FFD9B8BDA48 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0690f1d4bc327c4c5c07515f6396738e90a0771f740ec674bab71928ba07945
Instruction ID: 97f56c8c2307dec9528da13718f811f21d541bd7dd2ebb0509c92df5950e5042
Opcode Fuzzy Hash: e0690f1d4bc327c4c5c07515f6396738e90a0771f740ec674bab71928ba07945
Instruction Fuzzy Hash: 2841F630A0968E4ADB25EBB894525FDBBE0EF4A324F0502FED45A971E2DA14660A8741

Function 00007FFD9B8C580D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2679984c40a039e46a4e173191cd025a3af9639b0b792f714ee69305221119ac
Instruction ID: 3a8566b6eb26487de7af3de4c3bac2dbdde05fec3f1d068e5aecd9bfe2e5fc63
Opcode Fuzzy Hash: 2679984c40a039e46a4e173191cd025a3af9639b0b792f714ee69305221119ac
Instruction Fuzzy Hash: 15410870A0E6CD4EEF21E7B494225FDBBE0EF4A324F0902FFD489D71A2D915560A8741

Function 00007FFD9B8C583D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53832dea9f58eb7f71b00768b5d9cdf1a29522d053ce2dc200ae8e989b67ac08
Instruction ID: 9dab4ed433b3ff8722d281c7fd344de6d1f5ffa828473c2b5d726af7cf485327
Opcode Fuzzy Hash: 53832dea9f58eb7f71b00768b5d9cdf1a29522d053ce2dc200ae8e989b67ac08
Instruction Fuzzy Hash: A541F670A0E6CE4EEB21E7B498625FD7FE0DF4A324F0901FFD489970A3D919560A8741

Function 00007FFD9B8C6A60 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076782f40282f3b503349835af6bbe2cf6a9c6c61d4d35aa35c656f110c7a329
Instruction ID: 654c8f09f1d4756d35a4e92c705686a144ea47c8cd968d95817c7a4bc595d319
Opcode Fuzzy Hash: 076782f40282f3b503349835af6bbe2cf6a9c6c61d4d35aa35c656f110c7a329
Instruction Fuzzy Hash: 4731E4E2F0F69E5AE775B7A828311F83790EFA9324F0A41B7D05C870E3EC196A0A4141

Function 00007FFD9B8CB94A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3241afe66efdef606ebea8e79715c1b24900eab28af358398d9b3fe3ceaa640d
Instruction ID: 44d304a17806847c8ba5c544e9d3c4dd764d29dd133441aca515677089f51755
Opcode Fuzzy Hash: 3241afe66efdef606ebea8e79715c1b24900eab28af358398d9b3fe3ceaa640d
Instruction Fuzzy Hash: DA31153190E6CD5FE36AA7688829AB57FA4EF47360F0440EFE089CB0A3D9551856C751

Function 00007FFD9B8BE8F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f3206210b551c277b119b1c55eddf09567aeddabb7cfcd6f72d856d90d0582
Instruction ID: 6eacb531e9572dea8c5918497ebbbb77d9224b9d59e9fda7e5e1a42ae8ca2a81
Opcode Fuzzy Hash: b4f3206210b551c277b119b1c55eddf09567aeddabb7cfcd6f72d856d90d0582
Instruction Fuzzy Hash: DA312671B1A95D8FEB60F7AC94A56F9BBE1EF9C321F054177D00DC3162DE24A8428780

Function 00007FFD9B8BDC80 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a560325c40a22547e673e6c6f7f90ca30569898fe1758b2a6b2b962feba4e5
Instruction ID: 9e816d968e76ce97896cb95828b04fcabf5d132e6b5c74b237bfbb61f6029a77
Opcode Fuzzy Hash: b2a560325c40a22547e673e6c6f7f90ca30569898fe1758b2a6b2b962feba4e5
Instruction Fuzzy Hash: D231487AF0A94E4AF774BB6458216F972D1EF88320F01067BD06DC31E1ED2D6B0D0682

Function 00007FFD9B8CBDAD Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893c0136d6fbaae73af877766dada58130b0cc1ee769c54882dd0ddba1ede3cf
Instruction ID: 4a9a1f2a9a98f44e9200e6e9e1883c32b37b48a59190b75101acaef2db585871
Opcode Fuzzy Hash: 893c0136d6fbaae73af877766dada58130b0cc1ee769c54882dd0ddba1ede3cf
Instruction Fuzzy Hash: 2131273060E58A4FD756DFB8C4E59B17BA0EF4631071982FAD048CB1A7D62CE886C780

Function 00007FFD9B8C797A Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2135fb1e5e3ba019fb3e23c4be8ce506ac97928a2cd47060302bc92164f5b09b
Instruction ID: 107ba04fafbbd2ab67e30ecf9cbf04396d9cf07bcce1d91ae8bbb0ef03733f35
Opcode Fuzzy Hash: 2135fb1e5e3ba019fb3e23c4be8ce506ac97928a2cd47060302bc92164f5b09b
Instruction Fuzzy Hash: 7C21277AF0A95E4AF774BFA458216F976D0EF89320F020177D41CC30E2ED282B1A4681

Function 00007FFD9B8BA16B Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef45d488e15210547b3499d3efd12fd823e4baefde46fb88dae7bdd27021e7c
Instruction ID: f961ec094f20826ae151f33a10e660e5f07cb5ae6d830a71a9114b93fd5397ea
Opcode Fuzzy Hash: 3ef45d488e15210547b3499d3efd12fd823e4baefde46fb88dae7bdd27021e7c
Instruction Fuzzy Hash: FA21F37364D61C5EF758AA48EC475F973D4E782334F00026BD48EC2062F62266238B84

Function 00007FFD9B8CA66A Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bf32bf03876909449dd7212d744fa2e690283df4f5a0cdabb60e41f7e39242
Instruction ID: 892b88013331bd0f78a9e63ebe815659bdb03ea8b3b0652d993d3bd3eac4f04d
Opcode Fuzzy Hash: 62bf32bf03876909449dd7212d744fa2e690283df4f5a0cdabb60e41f7e39242
Instruction Fuzzy Hash: 01213575E0A55E9AE774B7A448216F977E0FF49310F220177D49CC30E6DD286B1A4A81

Function 00007FFD9B8C2E40 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28f80fc37030ba82fcadb32edcd935fa4c194a0a5dced38f525d6eb0b07ae1d
Instruction ID: 8b421ddd65665e5352cc231618a92b4a2ae9db7058ed250688c2e022b4d86908
Opcode Fuzzy Hash: c28f80fc37030ba82fcadb32edcd935fa4c194a0a5dced38f525d6eb0b07ae1d
Instruction Fuzzy Hash: 8E3191B1E1AE5D8FD7B9FBE884666B9BBE0EF49310F8501BED009D31E1CE6914418741

Function 00007FFD9B8BE2A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333da7579b5c9128e6eb43fc508d4adf8a3d7d1774e9beef9b9784e4a1e6438a
Instruction ID: 9392c6134c06692d4d25aaf1be2a09c79cbada2b143af5b04a119e7f11fc8217
Opcode Fuzzy Hash: 333da7579b5c9128e6eb43fc508d4adf8a3d7d1774e9beef9b9784e4a1e6438a
Instruction Fuzzy Hash: 30212621B1D9A90FEB91F7B808A6AFB7BD1DF4D209F1408F8D49DC3197D919A8028781

Function 00007FFD9B8C1940 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3dcc31da5e98b87360dd0e6489186d220001ed917f30c17bf383c005762724
Instruction ID: c4cee460379966c569b2280d0c7ff2ef7f1df6b95e18c61b805b8a3b4d6d6d4d
Opcode Fuzzy Hash: fa3dcc31da5e98b87360dd0e6489186d220001ed917f30c17bf383c005762724
Instruction Fuzzy Hash: E321096190FACA5FE762B3B418662F97FE0DF1B260F0902F7D488C70B3D95818068352

Function 00007FFD9B8B5BF0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f897bf22c9cfc91d9972c89da05556e5ee1d33ef368854957fe9c872ea38ea4
Instruction ID: bea230290e678a3389b7d4f34a93261447738c5bb6a18a351829613a0bf2ad1f
Opcode Fuzzy Hash: 5f897bf22c9cfc91d9972c89da05556e5ee1d33ef368854957fe9c872ea38ea4
Instruction Fuzzy Hash: 9521B971B0DA4E4BDF94FF6858B66B93BE1EF98304F06006BE49DC32B1DD6555018741

Function 00007FFD9B8BE16A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fc93c81c73b35cd57337d8537891c7d73e18b4316715d0b4b750b872bc8b76
Instruction ID: f763fb38ebc2d18acf4ec1a2dee39212c3f6f611bb2065329520c903469701d9
Opcode Fuzzy Hash: 37fc93c81c73b35cd57337d8537891c7d73e18b4316715d0b4b750b872bc8b76
Instruction Fuzzy Hash: B421073171DA6D0FE7A0ABBC64652B5B7D1DF4D321F0505BEE04DC32A2DD19AC428781

Function 00007FFD9B8C0600 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b768d43db2410c6a80f8631b0ced8aaefcad45d65beb1de2892d126da3ccafe7
Instruction ID: c40885ee43ecb3138c8a2a476b5a643ed39fe42a0b1fbd55788f25d1d5846298
Opcode Fuzzy Hash: b768d43db2410c6a80f8631b0ced8aaefcad45d65beb1de2892d126da3ccafe7
Instruction Fuzzy Hash: AD21B6A190FBD82FE766977888696A53FA1DF87751F0942EBE0C9C7073C9551802C741

Function 00007FFD9B8D0E35 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faae90f4999b2527f9a0dd94664f52ae71d18cec9a6acb7930ef8005b2644c57
Instruction ID: 42c103b8917a95e2131d959b60b1188f0feecb33a0ee060d7f31c514bf6ca6f8
Opcode Fuzzy Hash: faae90f4999b2527f9a0dd94664f52ae71d18cec9a6acb7930ef8005b2644c57
Instruction Fuzzy Hash: BD212772E1EA9D0FE7A1DB6848251EA7BE1DF9CB10B0642BFD048D71A2D9185A468381

Function 00007FFD9B8BE0AD Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60109a5e5c36547d7b6925a8ca37ed6f493c6975351c62d25640bfac53c7dfc0
Instruction ID: 8eb99f2c23c536565be7a794046f961b87d890a48d87461db499239c74987ced
Opcode Fuzzy Hash: 60109a5e5c36547d7b6925a8ca37ed6f493c6975351c62d25640bfac53c7dfc0
Instruction Fuzzy Hash: 7D21C06260FAD91FE791E3B808AA6F53FE0DF9A25070C45EFD488C7273D80948578742

Function 00007FFD9B8C26A1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db076113157ec2126adc560445b8486ea590fe6050945767ce63b6e9fbeccc09
Instruction ID: 335e817aa25043433a37d1cb50761321811a1d2cd06b90e04e8a7bad6f07be73
Opcode Fuzzy Hash: db076113157ec2126adc560445b8486ea590fe6050945767ce63b6e9fbeccc09
Instruction Fuzzy Hash: EE21D12450FAC96FD707E77888AA9EABFE0DF0B210B0844DAD4D4CB167C5685817C711

Function 00007FFD9B8BDAC0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13a37b76ab2781fea13d27c039e0e5d77c9bd3a0deec3d5b184e90a568c6c36
Instruction ID: 54d67afdf869fe561543f866cf9d5a642cf9a840d8ae77144280434f32a429c3
Opcode Fuzzy Hash: e13a37b76ab2781fea13d27c039e0e5d77c9bd3a0deec3d5b184e90a568c6c36
Instruction Fuzzy Hash: 0221F5A1B19E8A0FE75CFB7C44257B5B6D1EF58300F1484FAD04EC32E6ED68A8068341

Function 00007FFD9B8C01D0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1c3c0191952bdb45eb65ea95cb5d54990b86a71a0b095dac52653d83fcbc5e
Instruction ID: deb8f05bd2cb5cf0f66ae0dfef7c2b286d961d4b12d79d191ffe664b319eddbc
Opcode Fuzzy Hash: cb1c3c0191952bdb45eb65ea95cb5d54990b86a71a0b095dac52653d83fcbc5e
Instruction Fuzzy Hash: 56112721B1981D0FFBA4B6BC68A92B967D1CF9C261F0400BBD45DC32ABDC198C824380

Function 00007FFD9B8CA6A0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677914f6cf1735b9d5a9347d2a237cb378a25cad4cc7a7cac2d5082382ded8de
Instruction ID: 7d41aad4a59a04d41e835e3ae06268569c5b3ff9a2ca0b907b6b0ac4128f6066
Opcode Fuzzy Hash: 677914f6cf1735b9d5a9347d2a237cb378a25cad4cc7a7cac2d5082382ded8de
Instruction Fuzzy Hash: 9711D4A5E0A94E99F77473A448312F976F0FF49310F660177D49CC34DADD2C6E1A0681

Function 00007FFD9B8CCC09 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d05015282b89d0d70a79dd453689133d821e954a83e5f53b8f3d263c6fa9d88
Instruction ID: ba0bc6042c092948f1047c1419d6d6e45a9e9ff66ee7559559af033216529bee
Opcode Fuzzy Hash: 9d05015282b89d0d70a79dd453689133d821e954a83e5f53b8f3d263c6fa9d88
Instruction Fuzzy Hash: 1E2129B2E0EF8D0FE7A5E76854242B97BE2EF5D310F0542B7D049D32A2DE145D054781

Function 00007FFD9B8C5BC5 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ebf859578e85cacd6dcb9163cd7d8e44765930f75c09477ff30786ef1684b8
Instruction ID: c425320f3162fc7cc8d53558f22a9819d701432f0032ffc75ced1107597db4f0
Opcode Fuzzy Hash: d3ebf859578e85cacd6dcb9163cd7d8e44765930f75c09477ff30786ef1684b8
Instruction Fuzzy Hash: 7711E271A1E5C95FC712A37858279F67FB4DF47301B0A05EBE088C7173CA196916CB91

Function 00007FFD9B8C69F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4a6517e655e94328572f3f038020a9156bc02dd9a5f1fbeea47d02c9a86379
Instruction ID: 7fb38476e81aafb57c442c44e9756910f3074323f56df5607819d079e4205452
Opcode Fuzzy Hash: ad4a6517e655e94328572f3f038020a9156bc02dd9a5f1fbeea47d02c9a86379
Instruction Fuzzy Hash: 0D11DFB5F0A80EA9F7B4B3A458216B972E0FF8C310F620136D49CC34DADD286A1A0981

Function 00007FFD9B8BB3C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b752010c15a84e98fae3a810075c6eae47dce30b1ac618238a7a553f0ea365
Instruction ID: 6fb62a8831bbdb6d88523e9d7eab287499d0964fe27e9ee00950f9805d42532a
Opcode Fuzzy Hash: 15b752010c15a84e98fae3a810075c6eae47dce30b1ac618238a7a553f0ea365
Instruction Fuzzy Hash: 3C218C3050E6D99FE317E7B498669957FF0AF47300B0984EEE4C58B0B3C66A554ACB82

Function 00007FFD9B8CACDD Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3018a6e5f8fca2d058c25c5837aa31fa4a0e8687fbfeb912cd086f376e85efc1
Instruction ID: bd6b75f0e681f438ceef8bf9cffc2201052b0ec9ebf47586c5d889002f56c4c9
Opcode Fuzzy Hash: 3018a6e5f8fca2d058c25c5837aa31fa4a0e8687fbfeb912cd086f376e85efc1
Instruction Fuzzy Hash: 0B11A99441F3C96FE353A7B418784A5BFB09E07225B0E04EBD0C88B0A3D9180609C323

Function 00007FFD9B8BE01D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1cabd6ac22e3b2b3ef22958c7aef03b031a4f6d23ceaf3e7786a3ab302952c
Instruction ID: ed918e8e783baccc017b5ea44b091e0c562c308ba484dcebcca287a818d2128d
Opcode Fuzzy Hash: db1cabd6ac22e3b2b3ef22958c7aef03b031a4f6d23ceaf3e7786a3ab302952c
Instruction Fuzzy Hash: FA11023150EBC81FD35393349864A997FE1EF86324F0907EAF489CA0F3CE9855468782

Function 00007FFD9B8C0640 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79de6f51be8392027ef37b265049e306c835125ae4ce9ac0ee1a42925053296c
Instruction ID: bfb7d8bee67c54ae2393209f3880d9542eb88c942fa3964004aea9f5f531aa14
Opcode Fuzzy Hash: 79de6f51be8392027ef37b265049e306c835125ae4ce9ac0ee1a42925053296c
Instruction Fuzzy Hash: EE01D6A150AA9C2FEB6596788C6A7FA7FE1DF8B720F0442EAD089C7166D9545C028381

Function 00007FFD9B8B1BC5 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e4595b9cc46a459629cf59b43e603877850e0e58c443a103f9aa5e2c6d4a8c
Instruction ID: 4ab50f6a168f0914ac1ad876f18d010a093e5c881f24ea4e9cc084882ba73131
Opcode Fuzzy Hash: 43e4595b9cc46a459629cf59b43e603877850e0e58c443a103f9aa5e2c6d4a8c
Instruction Fuzzy Hash: E1112B62E1EACD5FE76567B448750A87FF0EF1A600B0905FBC464CB0E3E81419198741

Function 00007FFD9B8BBB09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a6ff4b0dc0396e6c9faff8edb81c698f7c853ca7d6ba1719d2fb8fed612ae7
Instruction ID: 3e96f6dac57f882580ddfd3e7b2e8764393d8aaae991679c17a797f7f8337e8c
Opcode Fuzzy Hash: 83a6ff4b0dc0396e6c9faff8edb81c698f7c853ca7d6ba1719d2fb8fed612ae7
Instruction Fuzzy Hash: FB11CE30A0F6D85FE35BD734486699A3FA0AF47300B0941EEE4C5CB0B3C669484ACB42

Function 00007FFD9B8BBCB5 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a63b708c175411fedba6914a9fb8e2b68ce95dd96c20a1de66904f45fff9d5
Instruction ID: ed56c3e1cbf6733d5e4e19ca66b631b2e193ad8d8a0b700d4ec22815f8c4d910
Opcode Fuzzy Hash: 17a63b708c175411fedba6914a9fb8e2b68ce95dd96c20a1de66904f45fff9d5
Instruction Fuzzy Hash: 8801A23050F7D95FD35ADB7548668D67FB0EE4721070844EFD485CB1A2C958580AC7A2

Function 00007FFD9B8CB9D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806fc36aff062449dfb4d49fd0987476cce078cd4df8c7d9288667ca83e8f200
Instruction ID: 1825936808d0d9d0ab91103c18d69c695c93e031776f0f2ee5cd8f854bbb49fb
Opcode Fuzzy Hash: 806fc36aff062449dfb4d49fd0987476cce078cd4df8c7d9288667ca83e8f200
Instruction Fuzzy Hash: 9D01457250EA9D0FE7B8A268483A7B67BE5DF8A350F0580BB908CC30A3DD101C158341

Function 00007FFD9B8CA5ED Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f84a4c004abf7e8549a2113cf88a86446132504cad38cf2febd13f7aaa69e4
Instruction ID: 6e105f27db9458cbf91cda198b358928e2a12b0f392a10b5a3fb5d89de30b038
Opcode Fuzzy Hash: 73f84a4c004abf7e8549a2113cf88a86446132504cad38cf2febd13f7aaa69e4
Instruction Fuzzy Hash: 850145B290EB8D0AF321A33088248E57FD0EB91260F09077FD0A1870F6ED68964A4383

Function 00007FFD9B8C78FD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef681b22cf9ffe81d2452edbf7b98c6a52e6470d5d6322c125c9f2db792fa10
Instruction ID: 2e22486b76315d7fdf6aaada9b9355a1c86d0b9e81310d8bee6e078f00f9ee06
Opcode Fuzzy Hash: 9ef681b22cf9ffe81d2452edbf7b98c6a52e6470d5d6322c125c9f2db792fa10
Instruction Fuzzy Hash: 6E0128B290EB890BF735AA3098255E57BA1EB95220F05077BD0958B1F2ED5C660D4383

Function 00007FFD9B8C66B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f3520ca0d9e33491329b781fa077c2ae15766552917d3fbd5e5768f3f2d2c3
Instruction ID: 15bf97b28010845d6adc8af68c2904033ac50193373ab14cf942c7ba44f9dafe
Opcode Fuzzy Hash: a2f3520ca0d9e33491329b781fa077c2ae15766552917d3fbd5e5768f3f2d2c3
Instruction Fuzzy Hash: C601C062A0E3D54FD303A768A8719E53FB09F43218B4E01F7D0988B0E7DD4C69499352

Function 00007FFD9B8BFB47 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414a38ed90849f0c0f85a4b0289247eb6ae5d08e6f00f2a8fbb22b2374c7db25
Instruction ID: da1c286197ff935fe97f395c5a29ce3759eb6fca04fc1cbcae3cc9253219cd38
Opcode Fuzzy Hash: 414a38ed90849f0c0f85a4b0289247eb6ae5d08e6f00f2a8fbb22b2374c7db25
Instruction Fuzzy Hash: B0F08135B1D9A50FE705B37828674FD7BC0DF4A22171404F9D58683197DD0A781347C2

Function 00007FFD9B8C5C58 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12d09e67cf518e559e59c0bd9ec6d36defbf737f468bf1ce27dd1b21d95ce7
Instruction ID: 23a083ec73a948948778e27a5fe5926d709528d8565f39a45e2ab91175ffa1ab
Opcode Fuzzy Hash: 5c12d09e67cf518e559e59c0bd9ec6d36defbf737f468bf1ce27dd1b21d95ce7
Instruction Fuzzy Hash: 70F0463471888D8FCB44FBA89425AFA7BE0FF9A314B0401FBD44DCB1A2EA29D5148701

Function 00007FFD9B8BE3FD Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495095708c26bf03099ddba127e8ad7a6b89d40052a9ad3a2392cacb9663de3c
Instruction ID: 7f640dca5889b90ee38d76f9d1ad3d3d08eff4508f16b8daa3e30c93877d25a9
Opcode Fuzzy Hash: 495095708c26bf03099ddba127e8ad7a6b89d40052a9ad3a2392cacb9663de3c
Instruction Fuzzy Hash: 8501AF5845F2D9AEC76367B45C204E67F789E47229B0A04E7E0D8C60A3D9081A28CBA3

Function 00007FFD9B8BEE34 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158f8e053375d75c630f64b5e7ab84fa5c1527aedc2fce9a74885b0f1cf12b76
Instruction ID: 70bec394dac551fa44ce479ef4e20ba8abee0418bfcda6784e6aa0ae0b3841de
Opcode Fuzzy Hash: 158f8e053375d75c630f64b5e7ab84fa5c1527aedc2fce9a74885b0f1cf12b76
Instruction Fuzzy Hash: 5FF09620D0E2AD4EF3F177F454221E87B509F5A211F060DB6F05D864B3DD28261D8AE2

Function 00007FFD9B8C7AE9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a56dcdb9c6bbb4c47a91da604de30bc5eb38027aabec0a3579b5427de7471b
Instruction ID: e5de4324f965cd066acbe4cff29f8e3dd33f1ba076c808cac5fb480ca2c4fa68
Opcode Fuzzy Hash: 38a56dcdb9c6bbb4c47a91da604de30bc5eb38027aabec0a3579b5427de7471b
Instruction Fuzzy Hash: 41F0EC55B0F58A4FD768EB9864302B8A6C0EF9A710F1841BFD14CC71D7D85C5B454782

Function 00007FFD9B8C404D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed1b02701b4b7ffb1d803c652edb933eddf7c72c1077886ca4e31e61db93408
Instruction ID: 68ba18b20aad8f873e16e483ad472d8d099b3866a8856493b96384f15fbc54c8
Opcode Fuzzy Hash: 2ed1b02701b4b7ffb1d803c652edb933eddf7c72c1077886ca4e31e61db93408
Instruction Fuzzy Hash: 7DF0F679F4E60E45DBF0AB8484211F87790AF48310F1E013FC49D57191DD15265A8682

Function 00007FFD9B8BDEF4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b011968e212ef90812af8114464e5d2da169061f785cc2a29301f046f7183bf9
Instruction ID: 75d03143afdaed0f68296bf45ef8e0e237331df5292b383a1eb50d537954f2a6
Opcode Fuzzy Hash: b011968e212ef90812af8114464e5d2da169061f785cc2a29301f046f7183bf9
Instruction Fuzzy Hash: F6E0E511B2ACBD2AF666B7B8443A1BC76D19F5EA1174500F9D84EC32B3DD086A4287C6

Function 00007FFD9B8C65B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c69f2f4f1eef27d4461c84237bd016e8a23010c3f18065fa09260aea2ca5d14
Instruction ID: 76d825482671f3badbba0e450cf7eec1643264317c3d6e1140e4c1dd5b161762
Opcode Fuzzy Hash: 8c69f2f4f1eef27d4461c84237bd016e8a23010c3f18065fa09260aea2ca5d14
Instruction Fuzzy Hash: 04E08671251A4D8FCB44CE589C551E53391FB596217104115E82AC32E0CA35A812CB41

Function 00007FFD9B8C4CAD Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2442ea5175222ecd2f2e5a5c8f4349751312d4a83df9b11d9d78403e90b147e4
Instruction ID: 945e9582ae129914f735f431bd51af0739f1f99c091f9da767353e334aea8125
Opcode Fuzzy Hash: 2442ea5175222ecd2f2e5a5c8f4349751312d4a83df9b11d9d78403e90b147e4
Instruction Fuzzy Hash: 53D0C23160895C1ECB10BA659C449D63BACE784338F000237E81CC2095D5319265C391

Function 00007FFD9B8C645D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8132cd41f34f44fbe70d0bd6145887663cdcbbc8503c391f8db862febe769a9
Instruction ID: 14bc6269bb58ce877783b02aeab3b7ebec32f41ac2b6a66b0dabbf2cde7b0999
Opcode Fuzzy Hash: f8132cd41f34f44fbe70d0bd6145887663cdcbbc8503c391f8db862febe769a9
Instruction Fuzzy Hash: CAD01761F4581E49EB58B7B878369FDB2A5EF88214B810476E42DC308ADD2A2A164682

Function 00007FFD9B8BF638 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d5c53b2b987f667785592cb8d8f9ffd8fc5a8627ad3b56a5538b9159a88004
Instruction ID: 81daadaea20fdd52cd6f049eb2b7c8b3aae41c172896642317533f3ea75f9689
Opcode Fuzzy Hash: 67d5c53b2b987f667785592cb8d8f9ffd8fc5a8627ad3b56a5538b9159a88004
Instruction Fuzzy Hash: 36E0BF41E0F57EDDF5A077FC05620A866186F6D282B165870E44AD64F3DC08260846A2

Function 00007FFD9B8C63C7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841dcb71fe97f1f523a2f97dca68cf0936ed385353c2886eaaa0b47af69f0166
Instruction ID: f61d4f6b397265c44e58067ab02f83355024d6584898b1e43d3d0a6006b33f7b
Opcode Fuzzy Hash: 841dcb71fe97f1f523a2f97dca68cf0936ed385353c2886eaaa0b47af69f0166
Instruction Fuzzy Hash: DAC080A377E50A07F750E29C70530F57382E765660F455533F05DC2166EC5D69438281

Function 00007FFD9B8C6687 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f7c3ad2b2679eadf5dc24609be7f4d02a16374865658ffc46c8f9e81884182
Instruction ID: e336b8c64dd5d477c8dcfd1b26d18affcaecbe8e18a1b833828bb40dc7443bfe
Opcode Fuzzy Hash: c7f7c3ad2b2679eadf5dc24609be7f4d02a16374865658ffc46c8f9e81884182
Instruction Fuzzy Hash: 08D05B7142C7095BC348EF14D4518DA77A0FF84324F440B3DF06E821D5DE7492818683

Function 00007FFD9B8BFA7E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f39f518425b34f58b1767a4d0ef7024208c7c267e3d8830ff20b9e067dbde1
Instruction ID: e377b34ab840b1799a2353e3398f9a9198e37c594f665d3869ee7439b8affa8a
Opcode Fuzzy Hash: f2f39f518425b34f58b1767a4d0ef7024208c7c267e3d8830ff20b9e067dbde1
Instruction Fuzzy Hash: E0D09296E1F57F4AE564BBFC00320F867015F0D784F568475E04D960B3DC08260C49A2

Function 00007FFD9B8C171C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0397328a5a41c063c4bc80734d11a43c3c404a0fecce86fbda943a49d0e93a2a
Instruction ID: 0425afa085982ad93769e623e085cb20446e3d4b12ab2ef9aec7f3d0ff1cd2a8
Opcode Fuzzy Hash: 0397328a5a41c063c4bc80734d11a43c3c404a0fecce86fbda943a49d0e93a2a
Instruction Fuzzy Hash: 12D0A900E1D9E82FD740E7B400AA4AD6FE09F8910070404B9C088C31A3CE1984028B01

Function 00007FFD9B8C169A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d81140877b5d8612e3cbbc915b2d36584cc39dc4e4f622a5bcdd42a785ad9f4
Instruction ID: 6fa5646cbb4f1d660086c5ffd732d5b6b21f81d1791e5bcf0485ce13b48d5a7f
Opcode Fuzzy Hash: 4d81140877b5d8612e3cbbc915b2d36584cc39dc4e4f622a5bcdd42a785ad9f4
Instruction Fuzzy Hash: FBC01204A2D9D51FD741F379047F4BD7FD14F8E105B0444F8D895C71A7DC0D98118682

Function 00007FFD9B8C16BA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ec2dd07e163bc3aaf0a94c8289c713be669bc7e91e1682a8d24ee4bcefaf0e
Instruction ID: 9408b3f8720a695b6fb730c7f8185ab8611f633c9045fecf3a9d1ddaf7d6ea9d
Opcode Fuzzy Hash: b2ec2dd07e163bc3aaf0a94c8289c713be669bc7e91e1682a8d24ee4bcefaf0e
Instruction Fuzzy Hash: DCC01204A1D9E91FD741B3B8047E5BD7BD14F4A104B4444F89495C71A7DC5D98128741

Function 00007FFD9B8C16DA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2736170e8ee386ff4b9d402d2b5e6471fe0a3b07032c65154bed420d9039e128
Instruction ID: 7f14e3fbb9fe8feddd4e7756a223475b40d9d95ae8ccf92e66bd5507069834dd
Opcode Fuzzy Hash: 2736170e8ee386ff4b9d402d2b5e6471fe0a3b07032c65154bed420d9039e128
Instruction Fuzzy Hash: E2D0A910E1D9EC0FD741A7B800AE4ADBBE29F8910470404E88098C71A3CA1D88018700

Function 00007FFD9B8C6256 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6178e5945a4f30183d25f0cd0b6b151c28702c860e6515c36b62a6c462f181f2
Instruction ID: aaa9f9d17970c458628c5428de4901c804cd79122428720e8e576e8cf5a15469
Opcode Fuzzy Hash: 6178e5945a4f30183d25f0cd0b6b151c28702c860e6515c36b62a6c462f181f2
Instruction Fuzzy Hash: 03C04CC7B2AC2E16EAE5A66811761B94182EBA8A457510075A06EC31E6ED1C69024284

Function 00007FFD9B8BA51A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729aa7e87c5bc281e295f8645d71c5e405a9ec1e56e366fc986c8b096e05c031
Instruction ID: 689e7a9606de13bf8df25a7edf19158781da115d7d805462f1ea8d0fd9f0c6f6
Opcode Fuzzy Hash: 729aa7e87c5bc281e295f8645d71c5e405a9ec1e56e366fc986c8b096e05c031
Instruction Fuzzy Hash: 65B01233B4E03C48AF5161D878230ECF310E749175B411137D20DE10025907313107C0

Function 00007FFD9B8BBD20 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7385d92b5f10c5b7157a98c864f549000c6421b7d1cab043e6573e125f7f6e
Instruction ID: db999182f86452bb67100d9c780a414885af2ff53dac2cfbdac831c4b9afe042
Opcode Fuzzy Hash: 2b7385d92b5f10c5b7157a98c864f549000c6421b7d1cab043e6573e125f7f6e
Instruction Fuzzy Hash: 6DC0924631D9EC6FE28AE2781D6A3B57FE24E9B00131C88EE80CACB163C40A840A8700

Function 00007FFD9B8BBB8B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6e0f7a4b7f8d076c6c66fb4b4749ba2fa58756f5de865227c61e12bf91c28a
Instruction ID: ebfade8e5dd800a2d01628d6e1d4ec86d2c40667d204b1c396ea584cbf8838f4
Opcode Fuzzy Hash: 7d6e0f7a4b7f8d076c6c66fb4b4749ba2fa58756f5de865227c61e12bf91c28a
Instruction Fuzzy Hash: 48C0921531E8E85FE28AD27818696A97FE28E8B00131C48EE80C5CB266D91A841B9700

Function 00007FFD9B8BDAE2 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002930b62f4cf3ae27f5b835f9247b90c379dd427812ffd006af8fa89a99a7e4
Instruction ID: 8db2e43ece9fd2f1a3b32eb9bd18b0eac276a299941a98462c495f54dab1a6f8
Opcode Fuzzy Hash: 002930b62f4cf3ae27f5b835f9247b90c379dd427812ffd006af8fa89a99a7e4
Instruction Fuzzy Hash: 98B012153692D0CEC70E8A258CF10963F304D4311032414EFC8C44E463C0086149E255

Non-executed Functions

Function 00007FFD9B8B8D44 Relevance: 57.2, Strings: 45, Instructions: 977COMMON

Download Yara Rule

Strings

x61\, xrefs: 00007FFD9B8B91E8
H71\, xrefs: 00007FFD9B8B8E82
x61\, xrefs: 00007FFD9B8B9342
H81\, xrefs: 00007FFD9B8B9778
x61\, xrefs: 00007FFD9B8B9373
X^1\, xrefs: 00007FFD9B8B8E34
881\, xrefs: 00007FFD9B8B974E
71\, xrefs: 00007FFD9B8B9648
x61\, xrefs: 00007FFD9B8B9406
`81\, xrefs: 00007FFD9B8B97CC
71\, xrefs: 00007FFD9B8B965D
`\1\, xrefs: 00007FFD9B8B8DE9
p81\, xrefs: 00007FFD9B8B982B
x61\, xrefs: 00007FFD9B8B94D5
h71\, xrefs: 00007FFD9B8B8E1A
x61\, xrefs: 00007FFD9B8B9499
x61\, xrefs: 00007FFD9B8B93D5
8\1\, xrefs: 00007FFD9B8B8E9C
x61\, xrefs: 00007FFD9B8B9219
x81\, xrefs: 00007FFD9B8B9862
x61\, xrefs: 00007FFD9B8B93A4
x61\, xrefs: 00007FFD9B8B9468
x61\, xrefs: 00007FFD9B8B92DD
081\, xrefs: 00007FFD9B8B9739
`]1\, xrefs: 00007FFD9B8B9506
x61\, xrefs: 00007FFD9B8B924A
@81\, xrefs: 00007FFD9B8B9763
x61\, xrefs: 00007FFD9B8B92AC
x61\, xrefs: 00007FFD9B8B930E
x61\, xrefs: 00007FFD9B8B8D50
x61\, xrefs: 00007FFD9B8B918C
p71\, xrefs: 00007FFD9B8B8E4E
x61\, xrefs: 00007FFD9B8B927B
P81\, xrefs: 00007FFD9B8B978D
x61\, xrefs: 00007FFD9B8B9165
(81\, xrefs: 00007FFD9B8B9724
x71\, xrefs: 00007FFD9B8B8F14
x61\, xrefs: 00007FFD9B8B9437
x61\, xrefs: 00007FFD9B8B91BA
H71\, xrefs: 00007FFD9B8B8EE5
h81\, xrefs: 00007FFD9B8B97F4
81\, xrefs: 00007FFD9B8B970F
X81\, xrefs: 00007FFD9B8B97A2
P^1\, xrefs: 00007FFD9B8B8E00
H71\, xrefs: 00007FFD9B8B8EB6

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: 81\$(81\$081\$881\$8\1\$@81\$H71\$H71\$H71\$H81\$P81\$P^1\$X81\$X^1\$`81\$`\1\$`]1\$h71\$h81\$p71\$p81\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x61\$x71\$x81\$71\$71\
API String ID: 0-3051810372
Opcode ID: c07f0cda2b4ec5ae9ffce6731ce1c068c7c08b7fe2fb2f6f81013fa7a3c1416f
Instruction ID: ded3b4069b3699762107cda57465421fde926b0b1e08877b6b02a09fa38fd439
Opcode Fuzzy Hash: c07f0cda2b4ec5ae9ffce6731ce1c068c7c08b7fe2fb2f6f81013fa7a3c1416f
Instruction Fuzzy Hash: 2462B120B1C9A99FD719A7B868677F97BE1DF4A700F1484FEE058832D7CD689806CB41

Function 00007FFD9B8BC9D8 Relevance: 12.5, Strings: 9, Instructions: 1251COMMON

Download Yara Rule

Strings

p:1\, xrefs: 00007FFD9B8BD096
]1\, xrefs: 00007FFD9B8BD57D
X:1\, xrefs: 00007FFD9B8BD045
h:1\, xrefs: 00007FFD9B8BD07B
_, xrefs: 00007FFD9B8BCC3C
]1\, xrefs: 00007FFD9B8BD47D
P:1\, xrefs: 00007FFD9B8BD02D
`:1\, xrefs: 00007FFD9B8BD060
"#w, xrefs: 00007FFD9B8BCD96

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: "#w$P:1\$X:1\$_$`:1\$h:1\$p:1\$]1\$]1\
API String ID: 0-55744925
Opcode ID: 7f6226a7412fa6bbf2439a2c0504e5dde05d45464bc246039697162ef2a59fb9
Instruction ID: b14727c1da739c0d8ea937e4482b0bce5d21de1c4941f86a1bd9de5ac447a813
Opcode Fuzzy Hash: 7f6226a7412fa6bbf2439a2c0504e5dde05d45464bc246039697162ef2a59fb9
Instruction Fuzzy Hash: 99827802B0E9E95FE32AA3FC78369ED7F90DF45350F1845FBD0A98B0E7984865078A51

Function 00007FFD9B8C480D Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

`]1\, xrefs: 00007FFD9B8C4852

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: `]1\
API String ID: 0-3666251665
Opcode ID: 0a27a61c7c7a19f07ae0c7b14837065a8194006ae6f6f9fd20dbb1162a0ced3f
Instruction ID: dee2d9b9d9f2f859b7d28268543b01a6faf4bd8c2a8272a2ca0e0a4b1ac48313
Opcode Fuzzy Hash: 0a27a61c7c7a19f07ae0c7b14837065a8194006ae6f6f9fd20dbb1162a0ced3f
Instruction Fuzzy Hash: B1E13970A0A99D5FD755EBF8C4656FDBBE1EF49300F1844EEC489C72A7CA28A842C741

Function 00007FFD9B8B1C68 Relevance: 5.2, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

61\, xrefs: 00007FFD9B8B1D9A
H^1\, xrefs: 00007FFD9B8B1C98
h^1\, xrefs: 00007FFD9B8B1DEB
61\, xrefs: 00007FFD9B8B1DB5

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: H^1\$h^1\$61\$61\
API String ID: 0-2384248811
Opcode ID: 273ab21f1fbcaf3c86d833db263cebd016930370f966273a40791f0f44ddb1c1
Instruction ID: 91669afffbf510a16da0c10a1793ad14086cc0f8ce93caaafa8adcc646b8054d
Opcode Fuzzy Hash: 273ab21f1fbcaf3c86d833db263cebd016930370f966273a40791f0f44ddb1c1
Instruction Fuzzy Hash: 1151FB60A1E9D96FD30AD7B85873AD9BFE0EF06210F1889DED0A98B1D7C46C5416C712

Function 00007FFD9B8CF1FA Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

RJ_^, xrefs: 00007FFD9B8CF201
!CR, xrefs: 00007FFD9B8CF276
;R, xrefs: 00007FFD9B8CF27E
"KR, xrefs: 00007FFD9B8CF26E

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: ;R$!CR$"KR$RJ_^
API String ID: 0-1828030820
Opcode ID: c7dad635c7377b3e791e156a2a0dc5b186c271833541df2907d500099758047a
Instruction ID: f73f2540ddb9ff939b11d419c959a4e5d6afd1bde006d85d970ef6802d6ba52c
Opcode Fuzzy Hash: c7dad635c7377b3e791e156a2a0dc5b186c271833541df2907d500099758047a
Instruction Fuzzy Hash: 9411866F7188328DA609B67EB9184F853C8DFE8736744C977D205CF187A580688F42F4

Function 00007FFD9B8B0B58 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

#C9, xrefs: 00007FFD9B8B0B76
";9, xrefs: 00007FFD9B8B0B7E
$K9, xrefs: 00007FFD9B8B0B6E
!39, xrefs: 00007FFD9B8B0B86

Memory Dump Source

Source File: 00000000.00000002.1768368018.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8b0000_ypauPrrA08.jbxd

Similarity

API ID:
String ID: !39$";9$#C9$$K9
API String ID: 0-1489306562
Opcode ID: 2f72aa73383dee65c1fdbffe70cf212bc40dfb2c3fabc2e86efa3251cb1d219e
Instruction ID: 0d4f07d9b71f24c24dce4eb494e00881dd3671dc0efe0e90b8d04965eccad063
Opcode Fuzzy Hash: 2f72aa73383dee65c1fdbffe70cf212bc40dfb2c3fabc2e86efa3251cb1d219e
Instruction Fuzzy Hash: 9EE0864BB3583142950D32EDF8124E82348DBDB17A34542B7E569CF1D764817847C2F6

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ipbase.com

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ypauPrrA08.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\????? ?????\Browsers\Google\History.txt

C:\????? ?????\Files\DVWHKMNFNN.pdf

C:\????? ?????\Files\HTAGVDFUIE\KZWFNRXYKI.jpg

C:\????? ?????\Files\HTAGVDFUIE\WUTJSCBCFX.pdf

C:\????? ?????\Files\HTAGVDFUIE\ZBEDCJPBEY.png

C:\????? ?????\Files\KATAXZVCPS\DVWHKMNFNN.pdf

C:\????? ?????\Files\KATAXZVCPS\LTKMYBSEYZ.jpg

C:\????? ?????\Files\KATAXZVCPS\NWTVCDUMOB.png

C:\????? ?????\Files\KZWFNRXYKI.jpg

C:\????? ?????\Files\LTKMYBSEYZ.jpg

C:\????? ?????\Files\NWTVCDUMOB.png

C:\????? ?????\Files\WUTJSCBCFX.pdf

C:\????? ?????\Files\ZBEDCJPBEY.png

C:\????? ?????\Information.txt

C:\????? ?????\Process.txt

C:\????? ?????\Screen.png

Windows Analysis Report
ypauPrrA08.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre