Edit tour

Windows Analysis Report
RFQ List and airflight 2024.pif.exe

Overview

General Information

Sample name:	RFQ List and airflight 2024.pif.exe
Analysis ID:	1555605
MD5:	fc3b92bd1d5c64c55cc2eba9cdd51ea1
SHA1:	1bb9df21e4dadb8231f940625f1dfd27871792a7
SHA256:	8e0820ff70c60d33f688098a454e4cbcaf04bafd4c2489be8bd91132b963ee63
Tags:	exepifuser-abuse_ch
Infos:

Detection

PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ List and airflight 2024.pif.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe" MD5: FC3B92BD1D5C64C55CC2EBA9CDD51EA1)

powershell.exe (PID: 7492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7932 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7568 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

gaZNjdzDI.exe (PID: 7792 cmdline: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe MD5: FC3B92BD1D5C64C55CC2EBA9CDD51EA1)

schtasks.exe (PID: 8060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 8112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.1799584646.0000000009A70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RFQ List and airflight 2024.pif.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 7744	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vbc.exe PID: 7744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: gaZNjdzDI.exe PID: 7792	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 8112	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vbc.exe PID: 8112	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.vbc.exe.843f250.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.vbc.exe.9a70000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.vbc.exe.87b5610.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.9720000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.84355b0.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.895f250.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.vbc.exe.83d5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.9720000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.84355b0.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.83f5590.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.87b5610.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.2.vbc.exe.87b5610.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.83f5590.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.vbc.exe.83d5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ParentImage: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe, ParentProcessId: 7276, ParentProcessName: RFQ List and airflight 2024.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ProcessId: 7492, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe, ParentImage: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe, ParentProcessId: 7792, ParentProcessName: gaZNjdzDI.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp", ProcessId: 8060, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ParentImage: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe, ParentProcessId: 7276, ParentProcessName: RFQ List and airflight 2024.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", ProcessId: 7568, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ParentImage: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe, ParentProcessId: 7276, ParentProcessName: RFQ List and airflight 2024.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ProcessId: 7492, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe", ParentImage: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe, ParentProcessId: 7276, ParentProcessName: RFQ List and airflight 2024.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp", ProcessId: 7568, ProcessName: schtasks.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T07:52:18.879660+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49715	TCP
2024-11-14T07:52:56.560462+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49721	TCP

ETPRO MALWARE Win32/zgRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T07:52:18.061675+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49714	45.137.22.174	16057	TCP
2024-11-14T07:52:26.561657+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49717	45.137.22.174	16057	TCP
2024-11-14T07:52:35.061424+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49718	45.137.22.174	16057	TCP
2024-11-14T07:52:43.705551+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49719	45.137.22.174	16057	TCP
2024-11-14T07:52:52.189703+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49720	45.137.22.174	16057	TCP
2024-11-14T07:53:00.514982+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49722	45.137.22.174	16057	TCP
2024-11-14T07:53:09.014564+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49723	45.137.22.174	16057	TCP
2024-11-14T07:53:17.499653+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49724	45.137.22.174	16057	TCP
2024-11-14T07:53:26.014674+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49725	45.137.22.174	16057	TCP
2024-11-14T07:53:34.637807+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49726	45.137.22.174	16057	TCP
2024-11-14T07:53:43.452037+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49727	45.137.22.174	16057	TCP
2024-11-14T07:53:52.173409+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49728	45.137.22.174	16057	TCP
2024-11-14T07:54:00.436255+0100	2857938	1	Malware Command and Control Activity Detected	192.168.2.8	49729	45.137.22.174	16057	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RFQ List and airflight 2024.pif.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Avira: detection malicious, Label: TR/AD.Nekark.nctpk

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: RFQ List and airflight 2024.pif.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ List and airflight 2024.pif.exe

Joe Sandbox ML: detected

Source: RFQ List and airflight 2024.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ List and airflight 2024.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressedt- source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Vkxyjasbrw.pdb source: vbc.exe, 0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q@costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7c805118-99b4-441d-b2f8-0440debefdd4<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedVkxyjasbrw.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resourcesoC source: vbc.exe, 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 4x nop then jmp 031EA93Fh	0_2_031EABA3
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 4x nop then jmp 031EA93Fh	0_2_031EAC6B
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 4x nop then jmp 031EA93Fh	0_2_031EABEE
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 4x nop then jmp 031EA93Fh	0_2_031EAF21
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 4x nop then jmp 01A69C27h	10_2_01A69F53
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 4x nop then jmp 01A69C27h	10_2_01A69E8B
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 4x nop then jmp 01A69C27h	10_2_01A6A209
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 4x nop then jmp 01A69C27h	10_2_01A6A503
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 4x nop then jmp 01A69C27h	10_2_01A69ED6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49718 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49717 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49726 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49719 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49723 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49722 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49714 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49720 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49728 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49724 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49729 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49725 -> 45.137.22.174:16057
Source: Network traffic	Suricata IDS: 2857938 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.8:49727 -> 45.137.22.174:16057

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 45.137.22.174 ports 16057,0,1,5,6,7

Source: global traffic

TCP traffic: 192.168.2.8:49711 -> 45.137.22.174:16057

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49715
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49721

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.174

Source: RFQ List and airflight 2024.pif.exe, 00000000.00000002.1451915115.00000000075E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODA
Source: RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ List and airflight 2024.pif.exe, 00000000.00000002.1445817217.00000000035A4000.00000004.00000800.00020000.00000000.sdmp, gaZNjdzDI.exe, 0000000A.00000002.1495774843.0000000003614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	String found in binary or memory: http://tempuri.org/myDatabaseDataSet.xsd
Source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: vbc.exe, 00000009.00000002.2646655557.0000000008596000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

.NET source code contains very large array initializations

Source: 0.2.RFQ List and airflight 2024.pif.exe.9f95a78.7.raw.unpack, Program.cs	Large array initialization: Main: array initializer size 851872
Source: 0.2.RFQ List and airflight 2024.pif.exe.77d0000.4.raw.unpack, -Module-.cs	Large array initialization: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E: array initializer size 2976
Source: 0.2.RFQ List and airflight 2024.pif.exe.9ec4258.8.raw.unpack, Program.cs	Large array initialization: Main: array initializer size 851872

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ List and airflight 2024.pif.exe

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031EE0D0	0_2_031EE0D0
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031EC679	0_2_031EC679
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E4530	0_2_031E4530
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E6448	0_2_031E6448
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E4968	0_2_031E4968
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E6880	0_2_031E6880
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E4DA0	0_2_031E4DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_069E9368	9_2_069E9368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_069E1010	9_2_069E1010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_069E1020	9_2_069E1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09367B08	9_2_09367B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09364690	9_2_09364690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_093649B7	9_2_093649B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09365728	9_2_09365728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09565418	9_2_09565418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0956ACD8	9_2_0956ACD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0956A188	9_2_0956A188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0956ACC8	9_2_0956ACC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_09775D70	9_2_09775D70
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A6B961	10_2_01A6B961
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A64968	10_2_01A64968
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A66880	10_2_01A66880
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A6D3B8	10_2_01A6D3B8
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A64DA0	10_2_01A64DA0
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A64510	10_2_01A64510
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A66448	10_2_01A66448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_06F29368	14_2_06F29368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_06F21020	14_2_06F21020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_06F21010	14_2_06F21010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09967B08	14_2_09967B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09964690	14_2_09964690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_099649B7	14_2_099649B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09965728	14_2_09965728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09B65658	14_2_09B65658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09D75D70	14_2_09D75D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09D7B218	14_2_09D7B218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09D7A548	14_2_09D7A548

Source: RFQ List and airflight 2024.pif.exe

Static PE information: invalid certificate

Source: RFQ List and airflight 2024.pif.exe, 00000000.00000002.1445817217.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJzfsagi.exe" vs RFQ List and airflight 2024.pif.exe
Source: RFQ List and airflight 2024.pif.exe, 00000000.00000002.1444191791.000000000170E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ List and airflight 2024.pif.exe
Source: RFQ List and airflight 2024.pif.exe, 00000000.00000002.1457580346.000000000F100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ List and airflight 2024.pif.exe
Source: RFQ List and airflight 2024.pif.exe	Binary or memory string: OriginalFilenamefrJp.exe8 vs RFQ List and airflight 2024.pif.exe

Source: RFQ List and airflight 2024.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ List and airflight 2024.pif.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gaZNjdzDI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, EAMRcfkS0Ve3ROFv7q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, FPyq1432EqidaMglWk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, EAMRcfkS0Ve3ROFv7q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/16@0/1

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File created: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Mutant created: \Sessions\1\BaseNamedObjects\erJNewGHVCQvQRcBdguOJLBt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\e287a57c70834e29
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2051.tmp

Jump to behavior

Source: RFQ List and airflight 2024.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RFQ List and airflight 2024.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ List and airflight 2024.pif.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File read: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe C:\Users\user\AppData\Roaming\gaZNjdzDI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ List and airflight 2024.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ List and airflight 2024.pif.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RFQ List and airflight 2024.pif.exe

Static file information: File size 1373704 > 1048576

Source: RFQ List and airflight 2024.pif.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x148000

Source: RFQ List and airflight 2024.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressedt- source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Vkxyjasbrw.pdb source: vbc.exe, 0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q@costura.dotnetzip.pdb.compressed source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7c805118-99b4-441d-b2f8-0440debefdd4<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedVkxyjasbrw.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resourcesoC source: vbc.exe, 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: RFQ List and airflight 2024.pif.exe, Form1.cs	.Net Code: InitializeComponent
Source: gaZNjdzDI.exe.0.dr, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, FPyq1432EqidaMglWk.cs	.Net Code: vck9mfaFK9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, FPyq1432EqidaMglWk.cs	.Net Code: vck9mfaFK9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ List and airflight 2024.pif.exe.9f95a78.7.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ List and airflight 2024.pif.exe.77d0000.4.raw.unpack, -Module-.cs	.Net Code: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ List and airflight 2024.pif.exe.77d0000.4.raw.unpack, Dill.cs	.Net Code: Justy
Source: 0.2.RFQ List and airflight 2024.pif.exe.77d0000.4.raw.unpack, Dill.cs	.Net Code: _200C_202B_202A_200B_200F_202E_202D_202A_206F_202A_202A_206D_202D_200F_202E_206C_206C_200B_202B_200E_202B_200E_200C_200C_206F_202E_202D_200F_202E_202B_200E_206C_202A_202D_202A_206E_202B_206A_200C_200F_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ List and airflight 2024.pif.exe.9ec4258.8.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 9.2.vbc.exe.843f250.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.9a70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.895f250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.87b5610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1799584646.0000000009A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 8112, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E1781 push FC031A4Ah; iretd	0_2_031E178D
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_031E04EB push ecx; ret	0_2_031E04EC
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Code function: 0_2_095AA690 push eax; mov dword ptr [esp], ecx	0_2_095AA694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_069E4B6B push esp; retf	9_2_069E4B71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0936ADF0 push edx; retf	9_2_0936AE29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 9_2_0976289C push esi; retn 0000h	9_2_0976289D
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A6DA99 push ds; ret	10_2_01A6DAA6
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_01A604EB push ecx; ret	10_2_01A604EC
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Code function: 10_2_0922A690 push eax; mov dword ptr [esp], ecx	10_2_0922A694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_06F24B6B push esp; retf	14_2_06F24B71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_0996BCFC push 8B53D08Bh; iretd	14_2_0996BCC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 14_2_09D6289C push esi; retn 0000h	14_2_09D6289D

Source: RFQ List and airflight 2024.pif.exe	Static PE information: section name: .text entropy: 7.969044230360198
Source: gaZNjdzDI.exe.0.dr	Static PE information: section name: .text entropy: 7.969044230360198

Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, xMhtT3bElkcZ7frZEc.cs	High entropy of concatenated method names: 'hqLDlGUukJ', 'qt5DA0Xpre', 'ToString', 'rAXDG2Zji3', 'eXVDIAoVQY', 's93DuxIIQx', 'HZxDobSbqo', 'pHrDCIO5PP', 'jZ2DpiZaNZ', 'YfbD3I6HIf'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, EAMRcfkS0Ve3ROFv7q.cs	High entropy of concatenated method names: 'zaMIRToucu', 'Dc9Ixvg0QO', 'gh6IPGu9CR', 'rE3IblHYuk', 'LDOIjMFek9', 'EaVIYevRW4', 'jEHIyyVZWf', 'fVuIKUHxKF', 'Iy9ILJguDC', 'SJKI7hHmSX'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, MEuWA1P0dpZq5wuiFp.cs	High entropy of concatenated method names: 'ToString', 'oTAf82mIOA', 'ojMf4Fwma2', 'A7Hfia254f', 'KMsfnaHuJY', 'qadfh4HBGY', 'wT3fVUlnGE', 'egLfF8E1rs', 'a52fw7FnjR', 'gV4fM2h90S'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, jN5tT303EhoIGeKiZP.cs	High entropy of concatenated method names: 'JCQm2dQGS', 'yfrqscPRn', 'F872Cr8q9', 'n9LvavGeH', 'kfJXoF6bN', 'NoFcmTrx7', 'iVy1IgFUSKpRa2YY30', 'OQ0Ulpr1QUb6GZ52Aw', 'eaLBOAbQq', 'X3DrmOGo6'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, WJu3cFRnhU2mMf94ZK.cs	High entropy of concatenated method names: 'mYwUSsWx8c', 'ch6UZYcbXf', 'av0UR52HWS', 'IYNUxTlAOj', 'R5bU4UYjim', 'GctUiEAdnD', 'F0gUnOLQEm', 'qoqUhFLlwK', 'IsnUVjhVT0', 'DFaUFBG6dj'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, In0x7DdRcEbFn7NuZr.cs	High entropy of concatenated method names: 'SZgHk1qIsm', 'MDxHXv4vM3', 'CgmH6d9TNL', 'wjBH4AU0NQ', 'kvmHndqRTF', 'sY6HhW1si8', 'IhcHFYrNWc', 'gtQHwl4cnK', 'XyFHSgXZjS', 'YkUH8yGZfL'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, AeMXZkYXZxoiZnJwVH.cs	High entropy of concatenated method names: 'wajDK7ExQE', 'r5TD7GAABi', 'hkbBJZL4AF', 'yeqBOK6tW9', 'U8rD8FUHRO', 'nlNDZGZxHD', 'XdhDdqmPQS', 'nrLDROpBou', 'JLyDxJx7wV', 'IjjDP5k1Eo'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, lLZCoSF4EvbUFbGcKk.cs	High entropy of concatenated method names: 'angpGNMwQM', 'BYUpuFvilX', 'JFDpC17RGM', 'i04C7LU9NY', 'PinCzJsW7F', 'UJppJH5p2T', 'GqqpO4goCK', 'Xp3p0hq16Z', 'GEapsehwVr', 'xdpp9wPN5Y'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, TDcSTNMIidgNCZqVTm.cs	High entropy of concatenated method names: 'C2apEIPLoL', 'MZLpTN4Whs', 'OyfpmOcBMP', 'pZ8pqacPQ8', 'vYBpQwv8LV', 'Ynqp25DHw7', 'SIhpvSci1V', 'fHnpkUjulN', 'z1vpX6xmgy', 'BCspcbiKXv'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, KXFLRp9Q7UotfPuBps.cs	High entropy of concatenated method names: 'KJXOpAMRcf', 'N0VO3e3ROF', 'ulcOly7rKo', 'JxcOAYBRET', 'OObOUI8S1e', 'T6sOfMnwek', 'npkrl0BrY0nu2gu3F3', 'jV5dQPIqYZRp52ZPV3', 'Gt9OOnCOLL', 'nFYOsj2rVK'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, FPyq1432EqidaMglWk.cs	High entropy of concatenated method names: 'mths5Tl3F2', 'wVEsGGvb7C', 'TxWsIhceve', 'oI9suo3Jnk', 'XfYsohUMlX', 'WjtsCP6RUE', 'dZOspBroeg', 'O1is3nqRh1', 'DmcseU0A2R', 'rvuslqZaAR'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, O1eb6s6MnwekgZ5Y5C.cs	High entropy of concatenated method names: 'xqsC5YH4u8', 'jvkCI8i4NK', 'EutCo6XFJs', 'GoPCp0flY4', 'IyKC3OJf0R', 'bgDojQCroq', 'HQOoY2Fw5T', 'DEToyvi1on', 'eIQoKafIH2', 'ONFoLDBNNb'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, BWH2Ul7qmafDVg5ZAx.cs	High entropy of concatenated method names: 'NextOWhmnQ', 'B0Otsl4GRo', 'Krst9Xn6EO', 'P84tGbBesd', 'rPKtIc2scH', 'tfStoAuMEd', 'LVWtCXq6a0', 'PjeByl6QGy', 'R1MBKdLxLe', 'w7RBLmKB6K'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, YVrM3nOsbrghWclksdr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qlMrRqU0Hj', 'q3trxwApXT', 'oVnrP12OcG', 'uX0rb2CYDl', 'LoarjFEPtV', 'RqtrYEsmC5', 'A3Ary6tKXm'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, wxxUsTOJDqqwqoMB0Wv.cs	High entropy of concatenated method names: 'es3tEBKnpd', 'YvHtT0J1fx', 'hqstmYBeQh', 'xpAtqNL9kq', 'SdjtQhbWWk', 'Yc8t21Pn20', 'gSktvAoVoy', 'zBHtk2eE6b', 'A41tXRA3K0', 'pDftc0snVQ'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, qRET7Wcc4EjFm8ObI8.cs	High entropy of concatenated method names: 'IkGoQuHqAc', 'EaTov60CZE', 'f0yuiFD5Xm', 'ooIunMiCHV', 'VcwuhUvV5y', 'J3auV2jjfU', 'EIhuFbGPsJ', 'UL1uwXPRbc', 'fevuMJ9rXe', 'II4uSS1WGY'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, AYOBMaXlcy7rKohxcY.cs	High entropy of concatenated method names: 'PwxuqNOI28', 'O1tu2Y2P5Y', 'Iq6ukCh84Y', 'urBuXra8uy', 'vtWuUtAHUc', 'kwDufMCjwy', 'hNQuDhZVag', 'CqVuB4ANAH', 'prcutkE7EA', 'oMqurqS5q3'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, hjFLkTLlUT1XtX1AKk.cs	High entropy of concatenated method names: 'E3KB6euIXv', 'NudB4TIyVy', 'nQuBi209Nk', 'no7BnsyHWG', 'qmSBRqrtVl', 'Ol2Bh3IqNp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, lSvUYTI8FEAbM8yb4L.cs	High entropy of concatenated method names: 'Dispose', 'AfwOLWo0jk', 'BRJ0418mnG', 'GhW11ERr3S', 'oCrO7F8lwU', 'g2uOz6owxD', 'ProcessDialogKey', 'B9o0JjFLkT', 'mUT0O1XtX1', 'nKk00QWH2U'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, rk7SDnuObWBIIGViaI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vXC0L8hi9w', 'JtK07hsanm', 'gv70zTgHhN', 'TubsJmZG81', 'MODsOkCH1K', 'bp8s0XDDqG', 'kqNsswWeTs', 'j6nXStoCUpFHNy9GAUF'
Source: 0.2.RFQ List and airflight 2024.pif.exe.52593f0.3.raw.unpack, irF8lwKUI2u6owxD29.cs	High entropy of concatenated method names: 'WnhBGOdvdP', 'NMeBIEWf7k', 'LF1BumkNTW', 'aooBocdp0P', 'FkKBClakKN', 'rsqBp02j98', 'LjuB3YJPp6', 'gXgBe3VpbP', 'mb9Blc1ZtH', 'uqSBAJvGY1'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, xMhtT3bElkcZ7frZEc.cs	High entropy of concatenated method names: 'hqLDlGUukJ', 'qt5DA0Xpre', 'ToString', 'rAXDG2Zji3', 'eXVDIAoVQY', 's93DuxIIQx', 'HZxDobSbqo', 'pHrDCIO5PP', 'jZ2DpiZaNZ', 'YfbD3I6HIf'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, EAMRcfkS0Ve3ROFv7q.cs	High entropy of concatenated method names: 'zaMIRToucu', 'Dc9Ixvg0QO', 'gh6IPGu9CR', 'rE3IblHYuk', 'LDOIjMFek9', 'EaVIYevRW4', 'jEHIyyVZWf', 'fVuIKUHxKF', 'Iy9ILJguDC', 'SJKI7hHmSX'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, MEuWA1P0dpZq5wuiFp.cs	High entropy of concatenated method names: 'ToString', 'oTAf82mIOA', 'ojMf4Fwma2', 'A7Hfia254f', 'KMsfnaHuJY', 'qadfh4HBGY', 'wT3fVUlnGE', 'egLfF8E1rs', 'a52fw7FnjR', 'gV4fM2h90S'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, jN5tT303EhoIGeKiZP.cs	High entropy of concatenated method names: 'JCQm2dQGS', 'yfrqscPRn', 'F872Cr8q9', 'n9LvavGeH', 'kfJXoF6bN', 'NoFcmTrx7', 'iVy1IgFUSKpRa2YY30', 'OQ0Ulpr1QUb6GZ52Aw', 'eaLBOAbQq', 'X3DrmOGo6'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, WJu3cFRnhU2mMf94ZK.cs	High entropy of concatenated method names: 'mYwUSsWx8c', 'ch6UZYcbXf', 'av0UR52HWS', 'IYNUxTlAOj', 'R5bU4UYjim', 'GctUiEAdnD', 'F0gUnOLQEm', 'qoqUhFLlwK', 'IsnUVjhVT0', 'DFaUFBG6dj'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, In0x7DdRcEbFn7NuZr.cs	High entropy of concatenated method names: 'SZgHk1qIsm', 'MDxHXv4vM3', 'CgmH6d9TNL', 'wjBH4AU0NQ', 'kvmHndqRTF', 'sY6HhW1si8', 'IhcHFYrNWc', 'gtQHwl4cnK', 'XyFHSgXZjS', 'YkUH8yGZfL'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, AeMXZkYXZxoiZnJwVH.cs	High entropy of concatenated method names: 'wajDK7ExQE', 'r5TD7GAABi', 'hkbBJZL4AF', 'yeqBOK6tW9', 'U8rD8FUHRO', 'nlNDZGZxHD', 'XdhDdqmPQS', 'nrLDROpBou', 'JLyDxJx7wV', 'IjjDP5k1Eo'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, lLZCoSF4EvbUFbGcKk.cs	High entropy of concatenated method names: 'angpGNMwQM', 'BYUpuFvilX', 'JFDpC17RGM', 'i04C7LU9NY', 'PinCzJsW7F', 'UJppJH5p2T', 'GqqpO4goCK', 'Xp3p0hq16Z', 'GEapsehwVr', 'xdpp9wPN5Y'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, TDcSTNMIidgNCZqVTm.cs	High entropy of concatenated method names: 'C2apEIPLoL', 'MZLpTN4Whs', 'OyfpmOcBMP', 'pZ8pqacPQ8', 'vYBpQwv8LV', 'Ynqp25DHw7', 'SIhpvSci1V', 'fHnpkUjulN', 'z1vpX6xmgy', 'BCspcbiKXv'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, KXFLRp9Q7UotfPuBps.cs	High entropy of concatenated method names: 'KJXOpAMRcf', 'N0VO3e3ROF', 'ulcOly7rKo', 'JxcOAYBRET', 'OObOUI8S1e', 'T6sOfMnwek', 'npkrl0BrY0nu2gu3F3', 'jV5dQPIqYZRp52ZPV3', 'Gt9OOnCOLL', 'nFYOsj2rVK'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, FPyq1432EqidaMglWk.cs	High entropy of concatenated method names: 'mths5Tl3F2', 'wVEsGGvb7C', 'TxWsIhceve', 'oI9suo3Jnk', 'XfYsohUMlX', 'WjtsCP6RUE', 'dZOspBroeg', 'O1is3nqRh1', 'DmcseU0A2R', 'rvuslqZaAR'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, O1eb6s6MnwekgZ5Y5C.cs	High entropy of concatenated method names: 'xqsC5YH4u8', 'jvkCI8i4NK', 'EutCo6XFJs', 'GoPCp0flY4', 'IyKC3OJf0R', 'bgDojQCroq', 'HQOoY2Fw5T', 'DEToyvi1on', 'eIQoKafIH2', 'ONFoLDBNNb'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, BWH2Ul7qmafDVg5ZAx.cs	High entropy of concatenated method names: 'NextOWhmnQ', 'B0Otsl4GRo', 'Krst9Xn6EO', 'P84tGbBesd', 'rPKtIc2scH', 'tfStoAuMEd', 'LVWtCXq6a0', 'PjeByl6QGy', 'R1MBKdLxLe', 'w7RBLmKB6K'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, YVrM3nOsbrghWclksdr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qlMrRqU0Hj', 'q3trxwApXT', 'oVnrP12OcG', 'uX0rb2CYDl', 'LoarjFEPtV', 'RqtrYEsmC5', 'A3Ary6tKXm'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, wxxUsTOJDqqwqoMB0Wv.cs	High entropy of concatenated method names: 'es3tEBKnpd', 'YvHtT0J1fx', 'hqstmYBeQh', 'xpAtqNL9kq', 'SdjtQhbWWk', 'Yc8t21Pn20', 'gSktvAoVoy', 'zBHtk2eE6b', 'A41tXRA3K0', 'pDftc0snVQ'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, qRET7Wcc4EjFm8ObI8.cs	High entropy of concatenated method names: 'IkGoQuHqAc', 'EaTov60CZE', 'f0yuiFD5Xm', 'ooIunMiCHV', 'VcwuhUvV5y', 'J3auV2jjfU', 'EIhuFbGPsJ', 'UL1uwXPRbc', 'fevuMJ9rXe', 'II4uSS1WGY'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, AYOBMaXlcy7rKohxcY.cs	High entropy of concatenated method names: 'PwxuqNOI28', 'O1tu2Y2P5Y', 'Iq6ukCh84Y', 'urBuXra8uy', 'vtWuUtAHUc', 'kwDufMCjwy', 'hNQuDhZVag', 'CqVuB4ANAH', 'prcutkE7EA', 'oMqurqS5q3'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, hjFLkTLlUT1XtX1AKk.cs	High entropy of concatenated method names: 'E3KB6euIXv', 'NudB4TIyVy', 'nQuBi209Nk', 'no7BnsyHWG', 'qmSBRqrtVl', 'Ol2Bh3IqNp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, lSvUYTI8FEAbM8yb4L.cs	High entropy of concatenated method names: 'Dispose', 'AfwOLWo0jk', 'BRJ0418mnG', 'GhW11ERr3S', 'oCrO7F8lwU', 'g2uOz6owxD', 'ProcessDialogKey', 'B9o0JjFLkT', 'mUT0O1XtX1', 'nKk00QWH2U'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, rk7SDnuObWBIIGViaI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vXC0L8hi9w', 'JtK07hsanm', 'gv70zTgHhN', 'TubsJmZG81', 'MODsOkCH1K', 'bp8s0XDDqG', 'kqNsswWeTs', 'j6nXStoCUpFHNy9GAUF'
Source: 0.2.RFQ List and airflight 2024.pif.exe.f100000.9.raw.unpack, irF8lwKUI2u6owxD29.cs	High entropy of concatenated method names: 'WnhBGOdvdP', 'NMeBIEWf7k', 'LF1BumkNTW', 'aooBocdp0P', 'FkKBClakKN', 'rsqBp02j98', 'LjuB3YJPp6', 'gXgBe3VpbP', 'mb9Blc1ZtH', 'uqSBAJvGY1'

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

File created: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RFQ List and airflight 2024.pif.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaZNjdzDI.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 8112, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 95B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: A7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: B7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: BBB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: CBB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: DBB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: F220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 10220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 11220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: 12220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 1A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 3480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 1A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 9230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 7C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: A230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: B230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: B610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: C610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: D610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: EDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: FDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 10DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: 11DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6F20000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 70E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 90E0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6557	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7675	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 582	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 3396	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 6536	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep count: 6557 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7828	Thread sleep count: 3396 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7828	Thread sleep count: 6536 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe TID: 7856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 8140	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477

Source: vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: gaZNjdzDI.exe, 0000000A.00000002.1503090139.000000000916F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: vbc.exe, 00000009.00000002.2638860913.0000000005156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcKey

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D4000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D6000	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 76A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D4000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D6000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5013008	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation

Source: C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.vbc.exe.87b5610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.9720000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.84355b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.9720000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.84355b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83f5590.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.87b5610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83f5590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.vbc.exe.87b5610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.9720000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.84355b0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.9720000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.84355b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83f5590.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.87b5610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83f5590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.vbc.exe.83d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
RFQ List and airflight 2024.pif.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
RFQ List and airflight 2024.pif.exe	100%	Avira	TR/AD.Nekark.nctpk
RFQ List and airflight 2024.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	100%	Avira	TR/AD.Nekark.nctpk
C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gaZNjdzDI.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	vbc.exe, 00000009.00000002.2646655557.0000000008596000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ List and airflight 2024.pif.exe, 00000000.00000002.1445817217.00000000035A4000.00000004.00000800.00020000.00000000.sdmp, gaZNjdzDI.exe, 0000000A.00000002.1495774843.0000000003614000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	false	high
https://stackoverflow.com/q/11564914/23354;	vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	vbc.exe, 0000000E.00000002.1800276763.0000000009B10000.00000004.08000000.00040000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.0000000008A70000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/myDatabaseDataSet.xsd	RFQ List and airflight 2024.pif.exe, gaZNjdzDI.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.174	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555605
Start date and time:	2024-11-14 07:51:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ List and airflight 2024.pif.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/16@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 393 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: RFQ List and airflight 2024.pif.exe

Simulations

Behavior and APIs

Time	Type	Description
01:52:00	API Interceptor	2x Sleep call for process: RFQ List and airflight 2024.pif.exe modified
01:52:02	API Interceptor	36x Sleep call for process: powershell.exe modified
01:52:06	API Interceptor	2x Sleep call for process: gaZNjdzDI.exe modified
07:52:02	Task Scheduler	Run new task: gaZNjdzDI path: C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.137.22.174	Due Invoice 38129337.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.174/11.jpg
45.137.22.174	SEPTEMBER ORDER067022.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.174/10.png

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80
	ZxS8mP8uE6.exe	Get hash	malicious	RedLine	Browse	45.137.22.123
	nu28HwzQwC.exe	Get hash	malicious	RedLine	Browse	185.222.58.52
	DKO6uy1Tia.exe	Get hash	malicious	RedLine	Browse	45.137.22.70
	3BOCQ22aUs.ps1	Get hash	malicious	Unknown	Browse	45.137.20.45
	Order Proposal.exe	Get hash	malicious	RedLine	Browse	45.137.22.121

Process:	C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1730
Entropy (8bit):	5.35299682261553
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMRbHKnHKU57Uivj:Pq5qHwCYqh3oPtI6eqzxqqMRbqnqU57n
MD5:	B0DF99A47CF8612EF42E4C30907F5CAD
SHA1:	9C53411244A7810D704C743BA3E13DCA77839074
SHA-256:	97B250764E2328216E67001A7C6B207A74BDD90782669639C6469634DAB5DE58
SHA-512:	8A9A273E145414FC578426B6BF7D1A52DAF9842FB81C8886D2200674E4ED8CCDADA5A7259A915A1685BAB5BDACDE2DF2DF0E06B105D60D7A7E5B85305C2E7FC7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gaZNjdzDI.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gaZNjdzDI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1730
Entropy (8bit):	5.35299682261553
Encrypted:	false
SSDEEP:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMRbHKnHKU57Uivj:Pq5qHwCYqh3oPtI6eqzxqqMRbqnqU57n
MD5:	B0DF99A47CF8612EF42E4C30907F5CAD
SHA1:	9C53411244A7810D704C743BA3E13DCA77839074
SHA-256:	97B250764E2328216E67001A7C6B207A74BDD90782669639C6469634DAB5DE58
SHA-512:	8A9A273E145414FC578426B6BF7D1A52DAF9842FB81C8886D2200674E4ED8CCDADA5A7259A915A1685BAB5BDACDE2DF2DF0E06B105D60D7A7E5B85305C2E7FC7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	621
Entropy (8bit):	5.345265452111628
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhayoDLI4MWuPrePEniv:ML9E4KlKDE4KhKiKhRAE4KzeR
MD5:	9A0010B54E25DD22EC1D9FA3EA1AE6C2
SHA1:	830D8D4D0BD0544B1F25ECF4303C40479CF677C0
SHA-256:	B3D9F4BEFE0FF83AEC0AA7CCFB542E0B9CED36756FBA1BA863606969F3360F56
SHA-512:	6DEBC5BFC689C19AD8B72264FDD3710C93A2C2E5344E8024502B2D3E7554BC80381CE2A7BB4D560EB8F3E5E0C73195D07839651FE8CEA6E27F9A2674ABFF6691
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCZfIfSKRHmOugw1s
MD5:	236CE6553B5DB20FA0B07F9FEA88F4A4
SHA1:	AEB5B156162EC5CD4E0BC3A0BA0F0D4739D40DBD
SHA-256:	3849E9437770B9804D942D293FFAB3C6449B82BA23C0CD3D48DE2C318938FCAD
SHA-512:	90B07AFD72EE353BEA8E2C7ECBB8CDAFB965C91E1B32C5FFE971F60C69004FDEBF5BA429B4DD455210772D2494A8AD60930A8F01C289D0199998A7CC36050FD6
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wftb5qv.20p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f24ifi4h.xta.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hptrfy3z.4r1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfcrcbg3.y10.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msc5cg1n.thl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n5d3jwdl.stt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xj3msuqt.gzw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqmfcae1.yvc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2051.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.11648667287189
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjoxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTjIv
MD5:	407942018A9ECF8C77A15A81AFF49809
SHA1:	27F15F65E1A9A862CC56994FEEEE4EA45B1BA71A
SHA-256:	124C9430AF885198C25AD205F0553AE1579DBBCCF03BBE7D219CA67137B1A314
SHA-512:	AB62B2DE4166AAEAE18DFDCDFF320F53C29A1AC9C4B14E149C72ECE17B04068C69463732A323C20CE47DE23E214BA482D766A24D5FFA3FFCD1F5C2D7D9D74B9A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp33B9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\gaZNjdzDI.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.11648667287189
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjoxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTjIv
MD5:	407942018A9ECF8C77A15A81AFF49809
SHA1:	27F15F65E1A9A862CC56994FEEEE4EA45B1BA71A
SHA-256:	124C9430AF885198C25AD205F0553AE1579DBBCCF03BBE7D219CA67137B1A314
SHA-512:	AB62B2DE4166AAEAE18DFDCDFF320F53C29A1AC9C4B14E149C72ECE17B04068C69463732A323C20CE47DE23E214BA482D766A24D5FFA3FFCD1F5C2D7D9D74B9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

Download File

Process:	C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1373704
Entropy (8bit):	7.951821153016928
Encrypted:	false
SSDEEP:	24576:7Dmswxjm+q7EtoDNyoRUIDpGZoi6a8pU7bX24kX8O4+v94NJeeds:QKnEtoR1RUIDpAh18pUDksO4uaNJe2s
MD5:	FC3B92BD1D5C64C55CC2EBA9CDD51EA1
SHA1:	1BB9DF21E4DADB8231F940625F1DFD27871792A7
SHA-256:	8E0820FF70C60D33F688098A454E4CBCAF04BAFD4C2489BE8BD91132B963EE63
SHA-512:	594D0BC5AADB993E97D05C4ABFE45A28EF2F802A0FAA3DD4FF10E12E71D3AE0D94549712A50EB8EFAD738CCED25D626A9E4F76627D61D09024053D771797F951
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......0........... ........@.. ....................................@.................................\...O........................6........................................................... ............... ..H............text....x... ...................... ..`.rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\gaZNjdzDI.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.951821153016928
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RFQ List and airflight 2024.pif.exe
File size:	1'373'704 bytes
MD5:	fc3b92bd1d5c64c55cc2eba9cdd51ea1
SHA1:	1bb9df21e4dadb8231f940625f1dfd27871792a7
SHA256:	8e0820ff70c60d33f688098a454e4cbcaf04bafd4c2489be8bd91132b963ee63
SHA512:	594d0bc5aadb993e97d05c4abfe45a28ef2f802a0faa3dd4ff10e12e71d3ae0d94549712a50eb8efad738cced25d626a9e4f76627d61d09024053d771797f951
SSDEEP:	24576:7Dmswxjm+q7EtoDNyoRUIDpGZoi6a8pU7bX24kX8O4+v94NJeeds:QKnEtoR1RUIDpAh18pUDksO4uaNJe2s
TLSH:	5955222976B49503C0AE96F001D885918BF52C6B7EA2E6EEDCC031CE55F37860686F77
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......0........... ........@.. ....................................@................................

File Icon


Icon Hash:	114d090767596931

Static PE Info

General

Entrypoint:	0x5498ae
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x661715B3 [Wed Apr 10 22:41:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ecx
push eax
cmp byte ptr [ecx+56h], al
aaa
inc ecx
inc ecx
inc edi
xor al, 35h
push esi
push ecx
xor al, 47h
inc esi
cmp byte ptr [edi], dh
cmp byte ptr [eax], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14985c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14a000	0x1710	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x14c000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1478cc	0x148000	9d9381763d2e0bb29f5f3eb4ee0578cb	False	0.9626755132907774	data	7.969044230360198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14a000	0x1710	0x2000	0dd665ba9e797714f0e27baf8973b812	False	0.245849609375	data	4.927157738136378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14c000	0xc	0x1000	6bc456560a9c9293a251b8557e2ad940	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x14a160	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.2929174484052533
RT_GROUP_ICON	0x14b208	0x14	data	1.1
RT_GROUP_ICON	0x14b21c	0x14	data	1.05
RT_VERSION	0x14b230	0x2f4	data	0.43253968253968256
RT_MANIFEST	0x14b524	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-14T07:52:18.061675+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49714	45.137.22.174	16057	TCP
2024-11-14T07:52:18.879660+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49715	TCP
2024-11-14T07:52:26.561657+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49717	45.137.22.174	16057	TCP
2024-11-14T07:52:35.061424+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49718	45.137.22.174	16057	TCP
2024-11-14T07:52:43.705551+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49719	45.137.22.174	16057	TCP
2024-11-14T07:52:52.189703+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49720	45.137.22.174	16057	TCP
2024-11-14T07:52:56.560462+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49721	TCP
2024-11-14T07:53:00.514982+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49722	45.137.22.174	16057	TCP
2024-11-14T07:53:09.014564+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49723	45.137.22.174	16057	TCP
2024-11-14T07:53:17.499653+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49724	45.137.22.174	16057	TCP
2024-11-14T07:53:26.014674+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49725	45.137.22.174	16057	TCP
2024-11-14T07:53:34.637807+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49726	45.137.22.174	16057	TCP
2024-11-14T07:53:43.452037+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49727	45.137.22.174	16057	TCP
2024-11-14T07:53:52.173409+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49728	45.137.22.174	16057	TCP
2024-11-14T07:54:00.436255+0100	2857938	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.8	49729	45.137.22.174	16057	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 07:52:04.531722069 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:04.536711931 CET	16057	49711	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:04.536777020 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:09.576643944 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:09.930212021 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:10.155893087 CET	16057	49711	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:10.155905008 CET	16057	49711	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:13.041413069 CET	16057	49711	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:13.041482925 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:13.045654058 CET	49711	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:13.047220945 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:13.051470041 CET	16057	49711	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:13.053353071 CET	16057	49714	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:13.053426981 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:18.056448936 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:18.061614990 CET	16057	49714	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:18.061675072 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:18.066560030 CET	16057	49714	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:21.537146091 CET	16057	49714	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:21.537229061 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:21.537379980 CET	49714	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:21.538467884 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:21.542201996 CET	16057	49714	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:21.543390036 CET	16057	49717	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:21.543464899 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:26.556370020 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:26.561563969 CET	16057	49717	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:26.561656952 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:26.566572905 CET	16057	49717	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:30.036760092 CET	16057	49717	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:30.036925077 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:30.037295103 CET	49717	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:30.037786007 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:30.042165995 CET	16057	49717	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:30.042604923 CET	16057	49718	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:30.042678118 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:35.056282997 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:35.061368942 CET	16057	49718	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:35.061424017 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:35.066257000 CET	16057	49718	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:38.518285036 CET	16057	49718	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:38.519123077 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:38.519325018 CET	49718	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:38.519953966 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:38.524158001 CET	16057	49718	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:38.524804115 CET	16057	49719	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:38.525612116 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:43.540514946 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:43.705370903 CET	16057	49719	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:43.705550909 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:43.710365057 CET	16057	49719	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:47.007535934 CET	16057	49719	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:47.007680893 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:47.008147001 CET	49719	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:47.008630991 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:47.012856960 CET	16057	49719	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:47.013483047 CET	16057	49720	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:47.013609886 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:52.025024891 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:52.189609051 CET	16057	49720	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:52.189702988 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:52.194571972 CET	16057	49720	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:55.496037960 CET	16057	49720	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:55.496136904 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:55.496351004 CET	49720	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:55.496984959 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:52:55.501173973 CET	16057	49720	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:55.501856089 CET	16057	49722	45.137.22.174	192.168.2.8
Nov 14, 2024 07:52:55.501930952 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:00.509318113 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:00.514676094 CET	16057	49722	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:00.514981985 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:00.519865036 CET	16057	49722	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:03.991662979 CET	16057	49722	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:03.991744995 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:03.992084980 CET	49722	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:03.992479086 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:03.996957064 CET	16057	49722	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:03.997502089 CET	16057	49723	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:03.997580051 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:09.009305000 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:09.014486074 CET	16057	49723	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:09.014564037 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:09.019464970 CET	16057	49723	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:12.481103897 CET	16057	49723	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:12.481316090 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:12.482273102 CET	49723	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:12.482274055 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:12.487144947 CET	16057	49723	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:12.487163067 CET	16057	49724	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:12.487340927 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:17.494726896 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:17.499507904 CET	16057	49724	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:17.499653101 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:17.504404068 CET	16057	49724	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:20.993196964 CET	16057	49724	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:20.993277073 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:20.993794918 CET	49724	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:20.994335890 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:20.998513937 CET	16057	49724	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:20.999085903 CET	16057	49725	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:20.999429941 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:26.009665966 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:26.014523983 CET	16057	49725	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:26.014673948 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:26.019653082 CET	16057	49725	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:29.489051104 CET	16057	49725	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:29.489137888 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:29.489409924 CET	49725	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:29.489789963 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:29.494198084 CET	16057	49725	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:29.494545937 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:29.494688988 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:34.510271072 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:34.637574911 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:34.637806892 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:34.642654896 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.427917004 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.428160906 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:38.428544998 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:38.429389954 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:38.431045055 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.431066036 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.431137085 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:38.431137085 CET	49726	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:38.433445930 CET	16057	49726	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.434381008 CET	16057	49727	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:38.434499979 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:43.447109938 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:43.451941967 CET	16057	49727	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:43.452037096 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:43.456849098 CET	16057	49727	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:46.928539991 CET	16057	49727	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:46.929971933 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:46.929971933 CET	49727	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:46.929971933 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:46.935143948 CET	16057	49727	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:46.935157061 CET	16057	49728	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:46.935333967 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:51.947145939 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:52.172846079 CET	16057	49728	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:52.173408985 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:52.178296089 CET	16057	49728	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:55.415030003 CET	16057	49728	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:55.415137053 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:55.415705919 CET	49728	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:55.415765047 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:53:55.420576096 CET	16057	49728	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:55.420591116 CET	16057	49729	45.137.22.174	192.168.2.8
Nov 14, 2024 07:53:55.420691967 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:00.431298018 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:00.436111927 CET	16057	49729	45.137.22.174	192.168.2.8
Nov 14, 2024 07:54:00.436254978 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:00.441025972 CET	16057	49729	45.137.22.174	192.168.2.8
Nov 14, 2024 07:54:03.896728992 CET	16057	49729	45.137.22.174	192.168.2.8
Nov 14, 2024 07:54:03.896805048 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:03.896979094 CET	49729	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:03.897795916 CET	49730	16057	192.168.2.8	45.137.22.174
Nov 14, 2024 07:54:03.902015924 CET	16057	49729	45.137.22.174	192.168.2.8
Nov 14, 2024 07:54:03.903153896 CET	16057	49730	45.137.22.174	192.168.2.8
Nov 14, 2024 07:54:03.903337955 CET	49730	16057	192.168.2.8	45.137.22.174

Target ID:	0
Start time:	01:51:59
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"
Imagebase:	0xef0000
File size:	1'373'704 bytes
MD5 hash:	FC3B92BD1D5C64C55CC2EBA9CDD51EA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:52:01
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ List and airflight 2024.pif.exe"
Imagebase:	0x5d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:52:01
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaZNjdzDI.exe"
Imagebase:	0x5d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp2051.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xc60000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2646655557.000000000843F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.2640691641.0000000006C63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	01:52:02
Start date:	14/11/2024
Path:	C:\Users\user\AppData\Roaming\gaZNjdzDI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gaZNjdzDI.exe
Imagebase:	0xf50000
File size:	1'373'704 bytes
MD5 hash:	FC3B92BD1D5C64C55CC2EBA9CDD51EA1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:52:05
Start date:	14/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	01:52:07
Start date:	14/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaZNjdzDI" /XML "C:\Users\user\AppData\Local\Temp\tmp33B9.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:52:07
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:52:08
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xc60000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.1799584646.0000000009A70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.1796765181.0000000009720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.1786719606.00000000087B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.1782939079.0000000007164000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.1786719606.00000000080E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.2%
Total number of Nodes:	152
Total number of Limit Nodes:	10

Executed Functions

Function 031EAC6B Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e29ddbe1a98670fb53c349e8a387ca1e52d9d8cb1d0d82db5019afbc0a6d233
Instruction ID: 9b81ff1955b006ce740873183484b7ec791485aba6a2b9f0076cc26d278395b6
Opcode Fuzzy Hash: 8e29ddbe1a98670fb53c349e8a387ca1e52d9d8cb1d0d82db5019afbc0a6d233
Instruction Fuzzy Hash: A031E638819228CFCB68CF64D9447E8BBB5AF4D305F1590DA980EA3291DB369EC5CF00

Function 031EABEE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99689a7fff7e766edf83fd41eb2c1623bf2e1d1628b6e4f9219fa465bc5f6b13
Instruction ID: f013b2888351f46e3cc362d1d26ba49f54010900c398ae96cf55b44402d8c73c
Opcode Fuzzy Hash: 99689a7fff7e766edf83fd41eb2c1623bf2e1d1628b6e4f9219fa465bc5f6b13
Instruction Fuzzy Hash: D221D638859628CFCB68CF65D4447E8BBB8AF0E315F15A496D45EA3291DB325AC5CF00

Function 031EABA3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdc8479c8737224397626fbdf5d54beb8ee03c6a131c14b17cb7b186b5afd49
Instruction ID: 1babde81cd1428e5a6c238e4d2c19398b931ae0914f87f2da4289722180e9d7a
Opcode Fuzzy Hash: bfdc8479c8737224397626fbdf5d54beb8ee03c6a131c14b17cb7b186b5afd49
Instruction Fuzzy Hash: 8F110438819218CFCB68CF65D8447E8BBB4AB4D305F15A596D41EA3291DF31AAC4CF00

Function 031EAF21 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbe2e99977a991e41a895044252ab41ab29122abb38a5d721c559e3dc8d91b4
Instruction ID: 07baaa35aa0ca1ae3449030f0ecab2782ef639ce2fe67cda42f6ef6450e23dcd
Opcode Fuzzy Hash: 6dbe2e99977a991e41a895044252ab41ab29122abb38a5d721c559e3dc8d91b4
Instruction Fuzzy Hash: 60D05E78C0D614CFC744EF7494851F4BAF8AF0F205F5A70E6945ADB242EB219A808B18

Function 0168DF18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0168DF96
GetCurrentThread.KERNEL32 ref: 0168DFD3
GetCurrentProcess.KERNEL32 ref: 0168E010
GetCurrentThreadId.KERNEL32 ref: 0168E069

Memory Dump Source

Source File: 00000000.00000002.1444004949.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_RFQ List and airflight 2024.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0f46f8d9f1ed30617d71d00990ffad5e896144f73582a54e6e7c5cf9e71ef459
Instruction ID: 6ddb279bfe4691dad50ce3dfdfe63d1046e2bd1001e0b1eed8232fff06504256
Opcode Fuzzy Hash: 0f46f8d9f1ed30617d71d00990ffad5e896144f73582a54e6e7c5cf9e71ef459
Instruction Fuzzy Hash: 805138B09003098FDB14EFA9D948B9EBBF1BF88314F208559D419A73A0DB355984CF65

Function 031E756C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 031E77AE

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 22dd96e5d71b1884a6830eb882873c8fa057b0d94c57114e030c825da31b0b63
Instruction ID: cf166e77e9c5cdcc247ccda2fca3a94174460365634e2f1f5e8ce706d41c8460
Opcode Fuzzy Hash: 22dd96e5d71b1884a6830eb882873c8fa057b0d94c57114e030c825da31b0b63
Instruction Fuzzy Hash: DFA15A71D0061ACFEF24DF69C841BEEBBB2BF48314F1485A9D818A7280DB759985CF91

Function 031E7578 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 031E77AE

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c3cb1e5f306b222405863afb46dc6e01df9e9d9c1fb02effeceec4a9efa8ccc7
Instruction ID: 90f9c44c214a3f58696ea6ca597bc349ef89390721e9dd86ef4d2c6b2b41acd9
Opcode Fuzzy Hash: c3cb1e5f306b222405863afb46dc6e01df9e9d9c1fb02effeceec4a9efa8ccc7
Instruction Fuzzy Hash: DD915B71D0071ACFEB14DF69C841BEEBBB2BF48314F1481A9D818A7280DB759985CF91

Function 01684514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016859A9

Memory Dump Source

Source File: 00000000.00000002.1444004949.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_RFQ List and airflight 2024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 908e97ca0889588e03f29cc8e8d631728f0ba5bd3bae442aca6ca9b9a16299bf
Instruction ID: 2b55b2f2fda65bf7b2e65647d80022d0dc0ee17d0360c929667e5cc87838d77f
Opcode Fuzzy Hash: 908e97ca0889588e03f29cc8e8d631728f0ba5bd3bae442aca6ca9b9a16299bf
Instruction Fuzzy Hash: 0341F2B0C0071DCFDB24DFA9C884B8EBBB1BF89704F20816AD409AB251DB716985CF90

Function 016858EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016859A9

Memory Dump Source

Source File: 00000000.00000002.1444004949.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_RFQ List and airflight 2024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 547551ccb198d00796315994fb7d840d59e196fba60c2c62fc43ac77a8a5b1b4
Instruction ID: a9a5845e91cf5264ca6b981481a4df1d7debc2ce1609973f09ba3d901afe521a
Opcode Fuzzy Hash: 547551ccb198d00796315994fb7d840d59e196fba60c2c62fc43ac77a8a5b1b4
Instruction Fuzzy Hash: 4841F1B1C00719CFDB24DFAAC8847DEBBB1BF89704F20816AD419AB251DB756985CF90

Function 031E72E8 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031E7380

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0a40af59b0c99d617445a3b7d2f5ac4ac5b4e5f4a11e0d8c8690e1b602e3e52e
Instruction ID: 5cd6d05cd2ec804e44db3247ca8d198b45d8881772fd256239de371e433fa446
Opcode Fuzzy Hash: 0a40af59b0c99d617445a3b7d2f5ac4ac5b4e5f4a11e0d8c8690e1b602e3e52e
Instruction Fuzzy Hash: 542135759007099FDB10DFAAC881BDEBBF5FF48310F14882AE918A7280C7799954CFA0

Function 031E72F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 031E7380

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e68a018b81b3d778595609ff84ffc6cc3fedc94aea38f98cef89b04279e86864
Instruction ID: b39d3712719035d7eb7970fc47b653d828df43173ea2461825ec6c6af91cb7d0
Opcode Fuzzy Hash: e68a018b81b3d778595609ff84ffc6cc3fedc94aea38f98cef89b04279e86864
Instruction Fuzzy Hash: 8B2125759003499FDB10DFAAC885BDEBBF5FF88310F14842AE918A7280C7799954CBA4

Function 031E7151 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031E71D6

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 81bdc1e473325348586562ebc4d8f015bdea58120c62b45044f239a1cccca2fc
Instruction ID: bc76bcb848c664dcba6f1f0e456a739e03c1a831b4603b11d2a9fe04c312a39b
Opcode Fuzzy Hash: 81bdc1e473325348586562ebc4d8f015bdea58120c62b45044f239a1cccca2fc
Instruction Fuzzy Hash: F02139759003098FDB10DFAAC8857AEBBF4EF89320F14842AD559A7281C7789544CFA4

Function 031E73D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031E7460

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b173e25e99977da305e4cc8f7dfaaea0ba7ab89de1c62c2449fb16d86bed933d
Instruction ID: ed1aca9acc5ce191903c905b9831a266c51c0510526e51f68aa2baec31b51131
Opcode Fuzzy Hash: b173e25e99977da305e4cc8f7dfaaea0ba7ab89de1c62c2449fb16d86bed933d
Instruction Fuzzy Hash: CC2116718003499FDB10DFAAC881BEEFBF5FF88320F108429E958A7240C7799504DBA0

Function 031E73E0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031E7460

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2406e50a429745337b013f0ec5596896cf22e9742849c0824ff21f5d5e96db35
Instruction ID: b3abe154b9017bfe1ef231441e50c4b0800063d3b7739eee2a5e2dce742eb60d
Opcode Fuzzy Hash: 2406e50a429745337b013f0ec5596896cf22e9742849c0824ff21f5d5e96db35
Instruction Fuzzy Hash: 842116718003499FDB10DFAAC881BDEFBF5FF48310F508429E558A7240C7799504DBA4

Function 031E7158 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031E71D6

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 39e363c7c6d86b88c0ed945cedab348f660e1a2166cca6226a1759cf8b6745a5
Instruction ID: c2e549597dfbdd8eebb445b327dc1312c819afa9a594bab6724404449e602699
Opcode Fuzzy Hash: 39e363c7c6d86b88c0ed945cedab348f660e1a2166cca6226a1759cf8b6745a5
Instruction Fuzzy Hash: 3C213875D003098FDB10DFAAC8857AEFBF4EF88320F148429D519A7280CB789944CFA4

Function 0168E160 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168E1E7

Memory Dump Source

Source File: 00000000.00000002.1444004949.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_RFQ List and airflight 2024.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e50ebf54700a01030f95f70b00ac4fa52b32b08c26d5941d3f3a1a441744722d
Instruction ID: 61689534d363d65f5b6d3c77068dcd023a00ded77873bba04e51f1195135557f
Opcode Fuzzy Hash: e50ebf54700a01030f95f70b00ac4fa52b32b08c26d5941d3f3a1a441744722d
Instruction Fuzzy Hash: 5821E4B59002099FDB10DFAAD884ADEFBF9FB48320F14841AE954A3350C379A954CFA4

Function 031E7228 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 031E729E

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2f4cf1557601eb7c0910b0c04bf46aaf9e2e99d7c6ce66e03e69ed93bef1305b
Instruction ID: 184ed56c07f71c1fdbbf3c6fb54eabdb22fcb3830a2469ed4fb5c57bf5f8722b
Opcode Fuzzy Hash: 2f4cf1557601eb7c0910b0c04bf46aaf9e2e99d7c6ce66e03e69ed93bef1305b
Instruction Fuzzy Hash: 452147718003499FDF10DFAAC885BDEBBF5EF88320F148819E515A7250C775A514DFA0

Function 031E7230 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 031E729E

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 351bc5af306a5a829d562466fca5d21fbac0713a4a247c48efb8158fab7c1f72
Instruction ID: ffdd14c3a2369e33307b568c52a8cb9f4ffe745e0c1fba3addf25a0928727369
Opcode Fuzzy Hash: 351bc5af306a5a829d562466fca5d21fbac0713a4a247c48efb8158fab7c1f72
Instruction Fuzzy Hash: 1D11267180034A9FDB10DFAAC845BDEBBF5AF88320F148819E515A7250C7759554CFA0

Function 031E70A1 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031E710A

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 03021a4cb324797236051de9a1f488c5bb0c6b4c9746aa3c32c389fa7c378f60
Instruction ID: 1663d256b8fef8ef4db2c63afc9ee9642766c8a65326a3996bc9201d1f3383a2
Opcode Fuzzy Hash: 03021a4cb324797236051de9a1f488c5bb0c6b4c9746aa3c32c389fa7c378f60
Instruction Fuzzy Hash: 831149719007498FDB20DFAAC4857EEFBF5AF88714F248819D415A7240CB355504CF94

Function 031E70A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031E710A

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b604d37755e54d1e2ae2b0e5dc842f947669d687b945d0086c86f7ec64b047c2
Instruction ID: 8cc7fa36263a4dfa6582210a038327e18b06deea46062f37f76e8fda6eac5394
Opcode Fuzzy Hash: b604d37755e54d1e2ae2b0e5dc842f947669d687b945d0086c86f7ec64b047c2
Instruction Fuzzy Hash: D11158719003498FDB10DFAAC84579EFBF4AB88620F148419D419A7240CB796504CFA4

Function 0168BD58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0168BDBE

Memory Dump Source

Source File: 00000000.00000002.1444004949.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_RFQ List and airflight 2024.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a291d00dba540024b87cddf2f761111c034cd19209c23cddb9e62d63138f47d
Instruction ID: dc8a6c68a71309234505bbeed03b842c90237b3494b0cd02a3b213eec96e7cca
Opcode Fuzzy Hash: 0a291d00dba540024b87cddf2f761111c034cd19209c23cddb9e62d63138f47d
Instruction Fuzzy Hash: 04110FB6C002498FDB10DF9AC844A9EFBF4AB88224F10851AD418A7710C379A545CFA1

Function 031E8398 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031EB9BD

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: af22fd41515699d44740df4caf5cb4d2e9e17aec1a397f9ff6af0d082bb04792
Instruction ID: d31e5efcc3ff21a8a6399f47aa2b7ba260fa01ee3296bc2890801dcef98268b6
Opcode Fuzzy Hash: af22fd41515699d44740df4caf5cb4d2e9e17aec1a397f9ff6af0d082bb04792
Instruction Fuzzy Hash: 5E11F2B580474D9FDB10DF9AC885BDEFBF8EB48320F10841AE958A7600C375A984CFA5

Function 031EB958 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031EB9BD

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d84eef93cd855013c4e3e5dd06b502111dea33c32883a555c9ca7cf7b9912fa8
Instruction ID: 0d62e64c9e4e78c859c27bd76dce05e246e90d5240a424b1df965bd6b3f14661
Opcode Fuzzy Hash: d84eef93cd855013c4e3e5dd06b502111dea33c32883a555c9ca7cf7b9912fa8
Instruction Fuzzy Hash: 0F11F2B58043499FDB20DF9AD885BDEFBF4FB48320F14881AE958A7640C379A544CFA1

Function 0162D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442913663.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a05ebabfe7ca1c811d0ae5506e2f3fd06a8c47182d56bc90f66793dee23ea51
Instruction ID: 90cbde50b276272898944e3032786785a802fc0f1f79bb3156abe9475e0ef9a2
Opcode Fuzzy Hash: 5a05ebabfe7ca1c811d0ae5506e2f3fd06a8c47182d56bc90f66793dee23ea51
Instruction Fuzzy Hash: CC21F1B1505604EFDB05DF94D9C0B66BB66FB94320F20C669E9090B346C336E456CAA2

Function 0163D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443128627.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b79505ac040d774f3503f15e8ec9120679622400b7b93c552aa6c5b78e586d5
Instruction ID: 347b34670f870c6658d26cffbc2203c808d72466a64f7a0e57df0bb383bc176f
Opcode Fuzzy Hash: 4b79505ac040d774f3503f15e8ec9120679622400b7b93c552aa6c5b78e586d5
Instruction Fuzzy Hash: 37210075604204DFEB01DFA4D9C0B26BBA1FBC4624F60C56DD94A0B342C33AD806CA61

Function 0163D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443128627.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb000c975277ce5399626412bd1402ca8be44a9be6caa406108fbb10b8d0060a
Instruction ID: c2663d576aea282ccca12630d5ccd25cf44e9921884a75abe6808103442680b3
Opcode Fuzzy Hash: fb000c975277ce5399626412bd1402ca8be44a9be6caa406108fbb10b8d0060a
Instruction Fuzzy Hash: 6C2100B5604300DFDB15DF64D884B16FBA5FBC4A14F60C56DE84A0B386C33AD447CA62

Function 0162D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442913663.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 54e3e2e52dca55f5b471f2570f31c602c7d513795f42f0c0c62c1135c2702a82
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 1F11DF76504240CFCB02CF44D9C0B56BF62FB84320F24C6A9D8090B657C33AE45ACFA2

Function 0163D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443128627.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: e76cf247041743d8cd256038cfc2e03049e3af88e4bc4d46ed55a05f812ce580
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 5A11BB79508280CFDB02CF54D9C0B19BFB2FB85224F24C6A9D8494B393C33AD80ACB61

Function 0163D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443128627.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 1465a6b4782be26002a57f007e80a73d5f0131b09c3cd38c4d433fb1ea1d55ff
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: EF11BE75504280CFCB12CF54D9C4B15FBA2FB84714F24C6A9D8494B796C33AD40ACB61

Function 0162D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442913663.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e221b3913f9bb4637c6d652cefa06f92ea23c93a8e216abb47b7bd3c9a0023f
Instruction ID: a3e0c5ec42f6c90bdcb04be8b892a79f6bc5a3c019881997ecccca061ddf7876
Opcode Fuzzy Hash: 0e221b3913f9bb4637c6d652cefa06f92ea23c93a8e216abb47b7bd3c9a0023f
Instruction Fuzzy Hash: 8501F7710047949AF7105E95CC84B76BF98DF81665F14C51AED084A282C37D9401CFB2

Function 0162D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442913663.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2581f7882ef58f045377059f8cc7cf171b6d930ce1639e6787c3717a5233117
Instruction ID: 7af20e2815253249b854b0774974c0a930c2d9ac799bff474bb540ebabfa72ac
Opcode Fuzzy Hash: a2581f7882ef58f045377059f8cc7cf171b6d930ce1639e6787c3717a5233117
Instruction Fuzzy Hash: 27F062714047949EE7109E59CC84B66FF98EB81735F18C45AED485A386C3799844CFB1

Non-executed Functions

Function 031EC679 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d68bc11fad30f55e772275f3d36159bcaf1bd22bc7cf22624caf3f9b7cc3a4c
Instruction ID: 4fe8f97619d8cbe568cdcce7df89525c95887d01b28caa3a77697658a05b7dc8
Opcode Fuzzy Hash: 0d68bc11fad30f55e772275f3d36159bcaf1bd22bc7cf22624caf3f9b7cc3a4c
Instruction Fuzzy Hash: 0CD1AC71A00B058FDB19EF75C950BAEB7F6AF8D700F18446ED1469B2A1DB36E801CB91

Function 031E4968 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55ff2e57f41e24ec2d0ea1f4f300c33e8ce4103a0c8ca0f3781559c10cce3f1
Instruction ID: 7bfe9fbddf1b826b6e45e4732185bdd20638baa6f205eb7869382a64027b33d3
Opcode Fuzzy Hash: d55ff2e57f41e24ec2d0ea1f4f300c33e8ce4103a0c8ca0f3781559c10cce3f1
Instruction Fuzzy Hash: 43E10A74E006198FDB14DFA9C580AAEFBB2FF89305F248169D419AB355DB31AD42CF60

Function 031E6880 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0007a5f9e292c73fbe8868df4118dc379f2187092e2939908989a4abb3913c88
Instruction ID: aec94528a42fd2421375d2bf5309ff5863344644c5f083f9648fda87961b901a
Opcode Fuzzy Hash: 0007a5f9e292c73fbe8868df4118dc379f2187092e2939908989a4abb3913c88
Instruction Fuzzy Hash: 61E10874E006198FDB14DFA9C580AAEFBB2FF89305F248169D419AB355D731AD42CF60

Function 031E4530 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b24090a72efa52d60700a2e2106e3baeaa6759d98c53d60493856c3ae804580
Instruction ID: d70ae6c3f8c47fbaef44618e5fea8ddc7837f98446acdcef9978da646585f19b
Opcode Fuzzy Hash: 8b24090a72efa52d60700a2e2106e3baeaa6759d98c53d60493856c3ae804580
Instruction Fuzzy Hash: BDE12B74E006198FDB14DF99C580AAEFBB2FF89304F248169D419AB355DB31AD42CFA0

Function 031E4DA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dc82431cac9a5566aa5462b6fac3c4e1c181a43d152677ef00cce622000dfa
Instruction ID: 4f5cf38a236318072a6543dfb958af8db094bb2ed3705f531916d2b74369a2d8
Opcode Fuzzy Hash: d3dc82431cac9a5566aa5462b6fac3c4e1c181a43d152677ef00cce622000dfa
Instruction Fuzzy Hash: 7FE12C74E006198FDB14DF99C580AAEFBB2FF89305F248159E419AB355DB31AD42CF60

Function 031E6448 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dbbab1b25061a9f0a48dff4ad71d72ccf89b1b2316b3d39e02a98a1ea15b43
Instruction ID: f701315821ea8a4838901b781e7fb109402697a6315bb995cedff5c3fc026704
Opcode Fuzzy Hash: 07dbbab1b25061a9f0a48dff4ad71d72ccf89b1b2316b3d39e02a98a1ea15b43
Instruction Fuzzy Hash: E0E11974E006198FDB14DFA9C580AAEFBB2FF89305F248169D419AB355DB31AD42CF60

Function 031EE0D0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1445077154.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31e0000_RFQ List and airflight 2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03e26bac3a3d486ce084474ece5e6a72e73f9ab1a7dcac2c69217a355d2f364
Instruction ID: a0ea62d66c76616f70f196b9e49496389b50072f036925ea4882b4c7fa59ea85
Opcode Fuzzy Hash: a03e26bac3a3d486ce084474ece5e6a72e73f9ab1a7dcac2c69217a355d2f364
Instruction Fuzzy Hash: CDD19535A00605CFDB18DF69C598AA9B7F2BF4D701F2980A9E505EB361DB32AD41CF60

Analysis Process: vbc.exePID: 7744, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 09364690 Relevance: 7.3, Strings: 5, Instructions: 1098COMMON

Download Yara Rule

Strings

jJ), xrefs: 09365468
,D(, xrefs: 09364B23
4, xrefs: 09365065
,D(, xrefs: 09365024
,D(, xrefs: 09364AAF

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: ,D($,D($,D($4$jJ)
API String ID: 0-1002410534
Opcode ID: cefd95254b917564e6ac07f98ef7e39e94afa7dcb42530f67647e3bfed7bc7d9
Instruction ID: 875fb7cffaa2bc050f928b3075323df769999c2c030bde837754c4a1d244eac4
Opcode Fuzzy Hash: cefd95254b917564e6ac07f98ef7e39e94afa7dcb42530f67647e3bfed7bc7d9
Instruction Fuzzy Hash: E7B2E834A00218DFDB14CF94D898BADB7B6FF88701F1581A9E905AB3A9DB709D85CF50

Function 093649B7 Relevance: 6.7, Strings: 5, Instructions: 495COMMON

Download Yara Rule

Strings

jJ), xrefs: 09365468
,D(, xrefs: 09364B23
4, xrefs: 09365065
,D(, xrefs: 09365024
,D(, xrefs: 09364AAF

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: ,D($,D($,D($4$jJ)
API String ID: 0-1002410534
Opcode ID: fd38e0a5a0a568489f01d6a13e167fba71680b678a6e3d92129b6fc4ec6cb56e
Instruction ID: e7b862673ff038c73c982e06f94de1dc194c4655e478c722ee928aa719231729
Opcode Fuzzy Hash: fd38e0a5a0a568489f01d6a13e167fba71680b678a6e3d92129b6fc4ec6cb56e
Instruction Fuzzy Hash: 0722EC34A00214CFDB14DFA4D998BADB7B6FF88301F1481A5E909AB2A9DB719D81CF50

Function 09775D70 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b%?, xrefs: 09775F95
;|G, xrefs: 09775E80

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID: ;|G$b%?
API String ID: 0-93144283
Opcode ID: bcdf43dffae7138e77d2e6194d5cc850905debe0c5398dd365708bc5d520cae9
Instruction ID: 686bbb2c4f7ac2adc138a8d26f440f9c4cef2dffccd2de17b7ad5ab9df680538
Opcode Fuzzy Hash: bcdf43dffae7138e77d2e6194d5cc850905debe0c5398dd365708bc5d520cae9
Instruction Fuzzy Hash: 16811971A10249EFCB44CFA8E4A9AAEBBF2FB4D301F108469E416EB350DB759941CF41

Function 09367B08 Relevance: 1.9, Strings: 1, Instructions: 641
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,D(, xrefs: 09367E31

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: ,D(
API String ID: 0-2561866888
Opcode ID: 30f0d2feecc82390c9b5254a4a27ef33955788b51c1be3383b62f3919739934d
Instruction ID: 4e421fe137ace6914c08569b0c4be9352568aa9c71e5c89910d996e39d24911f
Opcode Fuzzy Hash: 30f0d2feecc82390c9b5254a4a27ef33955788b51c1be3383b62f3919739934d
Instruction Fuzzy Hash: 61421430B002088FDB18DF29C498A6A77F6BF89755B6584A9E906CB379DB31EC41CF51

Function 09565418 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dccdaf06731ed2f4a0540f5819b73c4da37f00f1485c25a99fda9d4b3f9ac7e
Instruction ID: 349e836e3993bdcc81af7fb14cf86b9618db6c1b220565193d49ce515c61d47a
Opcode Fuzzy Hash: 8dccdaf06731ed2f4a0540f5819b73c4da37f00f1485c25a99fda9d4b3f9ac7e
Instruction Fuzzy Hash: EE226C70B013158FDB19DF6AC49866EBBF2FF89300F248529E556D7391DB34A902CB91

Function 0956ACC8 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0195c6c5d158a3649d4eecf9ff5b68182624a29e6388ca95cc2f13fb766a3288
Instruction ID: 51495eb876bbc9da770b9f8a2c9aff85a84c9fd59ec979bf49a49929cd445c4c
Opcode Fuzzy Hash: 0195c6c5d158a3649d4eecf9ff5b68182624a29e6388ca95cc2f13fb766a3288
Instruction Fuzzy Hash: DAD14970A01248CFDB24CF99D694B9AB7F2FB88302F21D5A5E405AB365C778ED85CB41

Function 0956ACD8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a133d57a6a9d748cf93ed242ac4bd44adbe8f1d98f6017e58300f2955d691a8e
Instruction ID: 8e83d697e3e735cfe9e715cbd22fa42f5ed8591be6d4709d206651a6a937033c
Opcode Fuzzy Hash: a133d57a6a9d748cf93ed242ac4bd44adbe8f1d98f6017e58300f2955d691a8e
Instruction Fuzzy Hash: F1D12870A01248CFDB24CF99D694B9AB7F2FB88302F21D5A5E405AB365C778ED85CB41

Function 0956A188 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d139e7aae2d7bd4002f796e10f6bf4dba240677cde80033a6a2514ff815155
Instruction ID: e1788849b6b1fd933f76b6cd6140adee6b13f3cca4e5d92d2e39f47ec6650334
Opcode Fuzzy Hash: e5d139e7aae2d7bd4002f796e10f6bf4dba240677cde80033a6a2514ff815155
Instruction Fuzzy Hash: D561AF30B00158CFDB14CF56E895BAE77B2FB88301F64C069E402FB6A4CB75A985CB51

Function 0936736F Relevance: 6.8, Strings: 5, Instructions: 547
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 093673B3
to(, xrefs: 09367A0D
to(, xrefs: 093679BA
to(, xrefs: 093679C5
to(, xrefs: 09367A02

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: _$to($to($to($to(
API String ID: 0-1076848572
Opcode ID: fa45ad71facd7829edccacaa1291649b21a31307f595f375ad23637871a136e6
Instruction ID: 7851ea68c5fe8e32176609a34b161a86ddd3c2c5b5b08fc471a040f7f31d4461
Opcode Fuzzy Hash: fa45ad71facd7829edccacaa1291649b21a31307f595f375ad23637871a136e6
Instruction Fuzzy Hash: A0227D31A102049FDB14DF68D494AAEBBB6BF88304F54C169E906DB3A9CB71ED40CF91

Function 0936A4F0 Relevance: 6.6, Strings: 5, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0936A751
h.), xrefs: 0936A54D
8x(, xrefs: 0936A87D
8x(, xrefs: 0936A871
x.), xrefs: 0936A5DD

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x($8x($d$h.)$x.)
API String ID: 0-207234385
Opcode ID: 5cbea17c51a95e863eca6df52de6ffd627865c3ccd1667c886c40211b9622996
Instruction ID: 373949a313aacb8a6ad5266edc582c90a0ea177d60f5662d9481fa8c763dc7b3
Opcode Fuzzy Hash: 5cbea17c51a95e863eca6df52de6ffd627865c3ccd1667c886c40211b9622996
Instruction Fuzzy Hash: 82D134346006028FCB14DF68C484A6ABBF6FF88310B65C969E55ADB265DB30FC46CF94

Function 0936D9E0 Relevance: 5.7, Strings: 4, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Th(, xrefs: 0936DCBA
Th(, xrefs: 0936DCD9
\{(, xrefs: 0936DD3A
Th(, xrefs: 0936DC98

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: Th($Th($Th($\{(
API String ID: 0-4244768014
Opcode ID: a2e682ef94abe08484cd4e5f29f136255fec6475cace55ddebc41f1958b21c3b
Instruction ID: 37ba5598cb96df55ff776f362320556b53f280b6a2874e4b7236bf780f037596
Opcode Fuzzy Hash: a2e682ef94abe08484cd4e5f29f136255fec6475cace55ddebc41f1958b21c3b
Instruction Fuzzy Hash: 02521B75A002288FDB64DF68C954BDDBBF6BF88300F1581D9E509AB3A5DA309D81CF61

Function 09362EF8 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8x(, xrefs: 093630A0
8x(, xrefs: 09362F4D
8x(, xrefs: 09362F59

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x($8x($8x(
API String ID: 0-3300459573
Opcode ID: dbd6f8ff3b2515fce238801da4f11431a7be2d6c80f6c46d99372f6f2f738181
Instruction ID: e1356866eb42bba19fa74927a7d87b4667bb2143a1258c80d7fa6676bec4c20a
Opcode Fuzzy Hash: dbd6f8ff3b2515fce238801da4f11431a7be2d6c80f6c46d99372f6f2f738181
Instruction Fuzzy Hash: 25816035A022449FDB05DFA4E458AAEBBF6EF88711F248069E811DB3A4CB35D945CF50

Function 0936AE40 Relevance: 3.0, Strings: 2, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,D(, xrefs: 0936B248
LE(, xrefs: 0936B428

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: ,D($LE(
API String ID: 0-1125496921
Opcode ID: f02e18def2bf4d636388dba16b6679da773d9694738cf25770bb0c00a09e3a79
Instruction ID: 788d1baaa618246b5b3ca450f650572118bba729c223e749d1f4694491d9cbd9
Opcode Fuzzy Hash: f02e18def2bf4d636388dba16b6679da773d9694738cf25770bb0c00a09e3a79
Instruction Fuzzy Hash: A5126C31A002049FDB15EFA5D4946AEB7F6FF88300F24C529E4069B3A8DB31AC46CF91

Function 09560CD0 Relevance: 2.9, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\{(, xrefs: 095610E3
\{(, xrefs: 09560FD2

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: \{($\{(
API String ID: 0-2444731736
Opcode ID: 3b37b6e2cb4a56bcb077c8f588b98fbc1cf2f0a8540fc847420f9a348e8774ea
Instruction ID: 0cca1e60bacd97f3cde821ea6ebc97ef68c58963def74a83d7c953647e57b01a
Opcode Fuzzy Hash: 3b37b6e2cb4a56bcb077c8f588b98fbc1cf2f0a8540fc847420f9a348e8774ea
Instruction Fuzzy Hash: A612EB34A006198FCB14EF65C894BADB7B2BF89300F5195A8E54AAB365DF30ED85CF50

Function 095613AF Relevance: 2.9, Strings: 2, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,D(, xrefs: 09561466
,D(, xrefs: 095613EF

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: ,D($,D(
API String ID: 0-2045846893
Opcode ID: c0d12498d1f0fb33c0af7959f2cec6fab3142f110f15c8938be02a6af7f29ad7
Instruction ID: 3bcbac316205224b94e9de488a865b41e463d945de572e451c1bb79774f257f8
Opcode Fuzzy Hash: c0d12498d1f0fb33c0af7959f2cec6fab3142f110f15c8938be02a6af7f29ad7
Instruction Fuzzy Hash: 7DF13F34A016099FCB14EFA5D4949AEBBB2FF89300F10C569E446AB364DB34AC46CF91

Function 09362788 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h.), xrefs: 0936283F
x.), xrefs: 093628AA

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: h.)$x.)
API String ID: 0-99035107
Opcode ID: 403f4a0b3b145b50f0bee6dbfede734be990ba80f972b44c4869fb27fab47747
Instruction ID: 24a949546294941ca52b8c4c0d38b90afb742751755e2ec626eaca2d9d515f15
Opcode Fuzzy Hash: 403f4a0b3b145b50f0bee6dbfede734be990ba80f972b44c4869fb27fab47747
Instruction Fuzzy Hash: E3510331A012468FCB01CF68D884AAAFBB1FF86320B16869AE565DB255D730FC51CBD1

Function 093655F8 Relevance: 2.6, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8x(, xrefs: 09365633
8x(, xrefs: 09365627

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x($8x(
API String ID: 0-2830478366
Opcode ID: 8ced3d78f09035b823cac9b5d7914ce3837a2fdba8904fa77f7df799481efaf2
Instruction ID: d9842ddc1f754e7c7452bc3c81ceaf2939070cc970150cb666b47f5a98a977be
Opcode Fuzzy Hash: 8ced3d78f09035b823cac9b5d7914ce3837a2fdba8904fa77f7df799481efaf2
Instruction Fuzzy Hash: 0221A232B012158F8B109EB9E8854AEBBF9FBC4361B149476F419D7268EB30DC11CBA1

Function 09361104 Relevance: 2.6, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,D(, xrefs: 0936114C
,D(, xrefs: 0936112B

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: ,D($,D(
API String ID: 0-2045846893
Opcode ID: 022590272f9fa657f776360d42e0544d5a235d9336f7a193ff77ad9b4f4aa5f4
Instruction ID: b3c7d9beb3662b6f6c40ecf381174e4c24ffa39f9022908547287ba785597dfe
Opcode Fuzzy Hash: 022590272f9fa657f776360d42e0544d5a235d9336f7a193ff77ad9b4f4aa5f4
Instruction Fuzzy Hash: D121CF307113059FE714EBA8E8187AF7BEAFFC8700F008528D40ACB698DF7199068B91

Function 09362930 Relevance: 2.6, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8x(, xrefs: 09362979
8x(, xrefs: 09362985

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x($8x(
API String ID: 0-2830478366
Opcode ID: 2802236416408cdf03978fee439abb86477a1c9211171f4f8a760442824f8969
Instruction ID: 8bbd902023c75488d039746b57276c564d18c052672477e78d95e03e3d39772c
Opcode Fuzzy Hash: 2802236416408cdf03978fee439abb86477a1c9211171f4f8a760442824f8969
Instruction Fuzzy Hash: 3B11AC31B002059FCB24EF689854BBB7BF6ABC9701F158029E955DB398EA74C801CBA1

Function 09365F80 Relevance: 2.5, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8x(, xrefs: 09365FAE
8x(, xrefs: 09365FA2

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x($8x(
API String ID: 0-2830478366
Opcode ID: f473bbb1662dbedc87e97b067ab204c8abe80b3e7459b8ea539e62622fa92675
Instruction ID: 2d07323d9599aaf9dd16531e81588ac7652a0974061a4b626bc829741eda856d
Opcode Fuzzy Hash: f473bbb1662dbedc87e97b067ab204c8abe80b3e7459b8ea539e62622fa92675
Instruction Fuzzy Hash: 7FE08631301304D7D610B56C4801756729DDB85751F64C475B6059F2E4DA61D841CBE1

Function 0936D580 Relevance: 2.5, Strings: 2, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)ls, xrefs: 0936D589
), xrefs: 0936D580

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: )$)ls
API String ID: 0-111715371
Opcode ID: f45bea26a0c20063dba888963bb982171b03b6b8561c72e17e2fb5ce65731f41
Instruction ID: 75fad0786ceafc1ab446c7f11a5532719c851d40bbc9000973e18f3ce7a166ef
Opcode Fuzzy Hash: f45bea26a0c20063dba888963bb982171b03b6b8561c72e17e2fb5ce65731f41
Instruction Fuzzy Hash: 02B01246C0A3C42FEA13373014073907F801B03D00FB590C78C50868A37018981DC6A3

Function 0936CB08 Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

@;(, xrefs: 0936CEB9

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: @;(
API String ID: 0-3069156190
Opcode ID: c1dceda50a145550cd3d74d4ae36cbc15d8294f517a1fb2265de5d5757947469
Instruction ID: a54148071fc9ef4a40cd19f0b4adb9d57a748a1e97d69eeec90cabfec419b74a
Opcode Fuzzy Hash: c1dceda50a145550cd3d74d4ae36cbc15d8294f517a1fb2265de5d5757947469
Instruction Fuzzy Hash: E5F1F934A10218CFDB18DFA4D998A9DBBB2FF89300F119159E545AB3A5DB70EC46CF41

Function 069E8F20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 069E8F94

Memory Dump Source

Source File: 00000009.00000002.2640112892.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69e0000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: abd1077bf25ab54263c0f78bbb649b6c07b2e0ce07bd82bde97135e726ad6e0e
Instruction ID: 228d025350f986e59d9552811f85fa94a6bb8c3f94d4df37aa0c836d9d293f0f
Opcode Fuzzy Hash: abd1077bf25ab54263c0f78bbb649b6c07b2e0ce07bd82bde97135e726ad6e0e
Instruction Fuzzy Hash: 9D11F771D003499FDB10DFAAC844B9EFBF5BF48220F148829D519A7250C7799544CFA1

Function 09568BC0 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

8x(, xrefs: 09568EFC

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: 8x(
API String ID: 0-1790451892
Opcode ID: bb92264e882a0816842f27f00c1ef77b69e5e2d705644e5273a1f31e40562d3a
Instruction ID: 51f92dfb8fa6d140046314dd7cfbb58939d8e688af022be815f69bb51e6eedb3
Opcode Fuzzy Hash: bb92264e882a0816842f27f00c1ef77b69e5e2d705644e5273a1f31e40562d3a
Instruction Fuzzy Hash: 4AA124317053004FDB1AAB79A86066F7BA6EFC6710B1485AAD506CF3E1DE359C02C7A2

Function 09567360 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

tJ2, xrefs: 095673A4

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: tJ2
API String ID: 0-750259220
Opcode ID: 282c5d43290c5f800dcff0873d0f5d79c660cbc3c890a5435d81f30187861571
Instruction ID: d9f74cf256316d695dbcf69cb2f2743f362a485c7f0cc4f02902a640666fbfa6
Opcode Fuzzy Hash: 282c5d43290c5f800dcff0873d0f5d79c660cbc3c890a5435d81f30187861571
Instruction Fuzzy Hash: 2951AF307002508FD711DF29E45ABAE7BA6FB8D309F61C669C8058B394CB749A068B86

Function 09561948 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

@;(, xrefs: 095619FA

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: @;(
API String ID: 0-3069156190
Opcode ID: e997ea697d56d8c363663fe4c9ee3179aecf150399b53c0248d242bfd5352225
Instruction ID: ec29155b0c1cfe466266f7aba47433736fd5ae1c708cfde6b3950e7133515385
Opcode Fuzzy Hash: e997ea697d56d8c363663fe4c9ee3179aecf150399b53c0248d242bfd5352225
Instruction Fuzzy Hash: 93419C303057408FD7299F75C594B3A7BA2BF8A700F24856DE1468B7A5CB36EC82CB81

Function 09567350 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

tJ2, xrefs: 095673A4

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: tJ2
API String ID: 0-750259220
Opcode ID: 7430db95d0af0fd756d9efb1dcbb376a59b4858524a867108b5fd70aebffd722
Instruction ID: 5ea199b74f17bc445429d7ffd22a674e2f6f685fefc3bd3d1f5d09ef7b68b7b6
Opcode Fuzzy Hash: 7430db95d0af0fd756d9efb1dcbb376a59b4858524a867108b5fd70aebffd722
Instruction Fuzzy Hash: 0E51BE317003508FD711DF29E45A7AE3BA6FB8E309F15C569C8059B3A4DB349A068B86

Function 0956758B Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

tJ2, xrefs: 095673A4

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: tJ2
API String ID: 0-750259220
Opcode ID: 9ba575357838f4dc5884b6bfcaceb99aac33bb986e015b06adf57e037895fdbc
Instruction ID: 82cb5893e72623b00ab31d77b6bc336e6b1c88ef6937bda9546ac40cead4f2db
Opcode Fuzzy Hash: 9ba575357838f4dc5884b6bfcaceb99aac33bb986e015b06adf57e037895fdbc
Instruction Fuzzy Hash: 5751C3307002508FD315DF29E46A7AE77A6FBCD309F55D669C8058B3A4CB749E068BC6

Function 0956B934 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

c8, xrefs: 0956B958

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: c8
API String ID: 0-2195919974
Opcode ID: bde377053d63573f30e11052a10f657eeabe7e637d744bc06ba0b4a56a2c9b73
Instruction ID: de8aacfc9181abaf484b27e27d0fdf31555f1ffbf053c1469fa6fc75a2026e67
Opcode Fuzzy Hash: bde377053d63573f30e11052a10f657eeabe7e637d744bc06ba0b4a56a2c9b73
Instruction Fuzzy Hash: 7B418830A09214CFEB20DB56D055BAD73B2FB89316F22C5B4E405DB2A5C378AE85CB81

Function 093633A8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

dG6, xrefs: 093633BF

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: dG6
API String ID: 0-269815260
Opcode ID: 1a8e2e26453d361330420446819179db2f429b268241025747f2ce9bf4d07d9c
Instruction ID: 7759f2cfce7828b2d22cfc256f65e8910fec2dcf77c5082a660b0c4033a61beb
Opcode Fuzzy Hash: 1a8e2e26453d361330420446819179db2f429b268241025747f2ce9bf4d07d9c
Instruction Fuzzy Hash: CC419832A012158FDF12CFA5D845AAFBBB5FF88311F10802AE916E72A4D734D905CB91

Function 09568218 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

C:, xrefs: 09568292

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: C:
API String ID: 0-4184429032
Opcode ID: c3e0d7e0a54bb43f596307caba5cf23e00d167936156d9b4eb6b0d8c81e92504
Instruction ID: 6dcea08bdff3fca57b86e59f6e6f05757e8f8f1d9b3263151bd3446b53cff742
Opcode Fuzzy Hash: c3e0d7e0a54bb43f596307caba5cf23e00d167936156d9b4eb6b0d8c81e92504
Instruction Fuzzy Hash: CD316F30A00608DFDB54CFA9D855BAEBBF5FB8D301F148469E606E7690C734A844CF52

Function 09568228 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

C:, xrefs: 09568292

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: C:
API String ID: 0-4184429032
Opcode ID: 968df7f11106997d86c58b7316d83febd65b50e0073f57ded90017574d3d3ed3
Instruction ID: 57a7d7668bd348cc38f7f80185959a97b3fd7e8314a034f26f417419581709d6
Opcode Fuzzy Hash: 968df7f11106997d86c58b7316d83febd65b50e0073f57ded90017574d3d3ed3
Instruction Fuzzy Hash: C9315E30A00608DFDB54CFA9D855BAEBBF6FB8D301F108429E605E7790D734A944CB56

Function 09361F7B Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@)(, xrefs: 09362033

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: @)(
API String ID: 0-2840456256
Opcode ID: ead49812a763521477a1208453ef781ea79f77b61e7f0b0b403ca0220e410efe
Instruction ID: fe9b00fe349398b08571ee371b4e8c2e6de324d58a1d2044d567439f9dfc21fc
Opcode Fuzzy Hash: ead49812a763521477a1208453ef781ea79f77b61e7f0b0b403ca0220e410efe
Instruction Fuzzy Hash: 57219235A01248DFDB058FA8D4489DE7BF6FF8C320F149529E411A73A4DB759845CF91

Function 09362EDC Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

8x(, xrefs: 09362F4D

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: 8x(
API String ID: 0-1790451892
Opcode ID: 108ed16fe81016ec28ec737fbab927b4084ed5ab17e4579d1f62df9cfd302e49
Instruction ID: a35bdd0705e7a55c0a597e813f6c8b612d8811b998f5b33e0f01e2a8a6ce5287
Opcode Fuzzy Hash: 108ed16fe81016ec28ec737fbab927b4084ed5ab17e4579d1f62df9cfd302e49
Instruction Fuzzy Hash: 7611B1356023459FC715CF68E58498ABBF5FF49300B1180A9E411DB364C731DD41CB60

Function 069E90F0 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 069E9152

Memory Dump Source

Source File: 00000009.00000002.2640112892.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_69e0000_vbc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c976c7c4ee93ff225c2930683abd713691b7258e878dd6d87ddcf6debb1ff21d
Instruction ID: 00965f4ec2c1e9b9270ff362ff22d9d77878ae33e987e126a5153f230c64e517
Opcode Fuzzy Hash: c976c7c4ee93ff225c2930683abd713691b7258e878dd6d87ddcf6debb1ff21d
Instruction Fuzzy Hash: C6112571D003498FDB20DFAAC8457DEFBF9AB88620F248819D519A7240CB79A944CBA4

Function 0936D599 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

), xrefs: 0936D599

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2084779440
Opcode ID: 7245decb7f60a24455a479140ef3098568de6d391ab2d00c7746f760353b0980
Instruction ID: 6c9baa86b97454dee2c2ecb585288eca8679bc1f5bc2acb4187f06b18eaad4b6
Opcode Fuzzy Hash: 7245decb7f60a24455a479140ef3098568de6d391ab2d00c7746f760353b0980
Instruction Fuzzy Hash: 46F0A7307007404FD7259B35E46916E7BD2ABC5304B14406DD54AC76A9EF24DD038B83

Function 09361090 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

LE(, xrefs: 093610A9

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: LE(
API String ID: 0-2723570108
Opcode ID: b2da89c3e025d6142589550e69eb95c1ac259ecffd50d2f2d803ab4243915a1e
Instruction ID: 61f00224825e83c54f2ce7925b9c103fe6f6f371f0511e52f980872be2b73e31
Opcode Fuzzy Hash: b2da89c3e025d6142589550e69eb95c1ac259ecffd50d2f2d803ab4243915a1e
Instruction Fuzzy Hash: F0F02B30A06348AFD706DBB0E81179D7F75DF42200F1081DFD804CF292D9351E058782

Function 09360C41 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

D@(, xrefs: 09360C59

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: D@(
API String ID: 0-1630112696
Opcode ID: 1eaeb03771b261f01d98efb609e723c2c82a76995ad5f08b933918a79eefd407
Instruction ID: dc0be84a048a04e693d05f697286e9fc48b6a7b23cdff306470e7a57c11b945b
Opcode Fuzzy Hash: 1eaeb03771b261f01d98efb609e723c2c82a76995ad5f08b933918a79eefd407
Instruction Fuzzy Hash: C7F06530516389DFD702EB74D91569E7FB4EF46304F1055D9C445CB292E6351E01CB92

Function 09566D80 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

862, xrefs: 09566D9E

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: 862
API String ID: 0-2693888677
Opcode ID: ad504f2b99d5d5635c552c3610f765a70359bdc466f3babcd64b5f7153bf0650
Instruction ID: f5c35868aeca3d4e7debba9ef6f58793977dfd4958673483790fd107edd70d2c
Opcode Fuzzy Hash: ad504f2b99d5d5635c552c3610f765a70359bdc466f3babcd64b5f7153bf0650
Instruction Fuzzy Hash: A7E0863180A358EFC746DFB0881049EBFFCAF87604B1004EEC185DB662D932AA04DB91

Function 095683B0 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

13, xrefs: 095683B0

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: 13
API String ID: 0-1465879329
Opcode ID: 3d2bdcb2cc8d39c3ccd6f9c350159ba2b65cf80c54bd3c8f4e834a3756f6d28a
Instruction ID: 1711242a5e4ebc7906c709aa2c051f032dd6f1b138deea6fd53a1d624d031278
Opcode Fuzzy Hash: 3d2bdcb2cc8d39c3ccd6f9c350159ba2b65cf80c54bd3c8f4e834a3756f6d28a
Instruction Fuzzy Hash: 15E012325042586FDF029F94DC11CAA7F65EF49314714C09AFD5486212D673DD22EF91

Function 093610A0 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

LE(, xrefs: 093610A9

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: LE(
API String ID: 0-2723570108
Opcode ID: 9b0319e9e197cc7601d054692fcea37633fbde35a9b1244e65bfd1679c1886a7
Instruction ID: c2a4317e89b759aa529bb8c5f1ff3fb56952ab30fb76e736c820788323f723fb
Opcode Fuzzy Hash: 9b0319e9e197cc7601d054692fcea37633fbde35a9b1244e65bfd1679c1886a7
Instruction Fuzzy Hash: 18E01270B02209EFDB00EFB4E9557AEB7B9EB94200F50D599D804DB294DA316E159B81

Function 09360C50 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

D@(, xrefs: 09360C59

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: D@(
API String ID: 0-1630112696
Opcode ID: 8de04c7fc79da2b7f5592ecf2a70bd6e7d7edaeeacd370b6abf8dbb8e5887322
Instruction ID: c091274faadfd69ce253575fbfd2bf3a1fa727191b456a7d4c074d33977c7c70
Opcode Fuzzy Hash: 8de04c7fc79da2b7f5592ecf2a70bd6e7d7edaeeacd370b6abf8dbb8e5887322
Instruction Fuzzy Hash: 57E01230A12209EFDB00EFA4E90569F77F9EB44205F109598D808D7385DA316E009B91

Function 09566D90 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

862, xrefs: 09566D9E

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID: 862
API String ID: 0-2693888677
Opcode ID: aebe5eef2dbf8af6d06db6069f1c23ffe227320f0a80846ee873b070828a05a0
Instruction ID: 02ed6d2457d96d463e347fa0f06f372905eb50e41537b39ba228ba5708b61927
Opcode Fuzzy Hash: aebe5eef2dbf8af6d06db6069f1c23ffe227320f0a80846ee873b070828a05a0
Instruction Fuzzy Hash: 8BD0C971D0220CEF8B85EFF489004DEBBFDEFCA901B5045E69518A7610EE319A149BD2

Function 06BA1468 Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2640629076.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ba0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7e3458ae9f3f19d3a7924c14ddf85b4ed58b178e5d09e7636d34618859eef8
Instruction ID: 9f9becb37d59885ddaab154efa08a8a6d0ccc0bbdf596580b7fc8c9bee085562
Opcode Fuzzy Hash: 1f7e3458ae9f3f19d3a7924c14ddf85b4ed58b178e5d09e7636d34618859eef8
Instruction Fuzzy Hash: 3382DAB4F2A3248F9BF46A7D581823F65DADBD4A41F5855AAC903D73C8DE308C4187D2

Function 093667A8 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e14656fa4a8235cea13937881957e9a33d86eeab726628ad997cbcde253c56
Instruction ID: 2566fc75efb48e5cfd0abcdf7aa473edc846dd6004a75e5acf9f0dbaa7771574
Opcode Fuzzy Hash: f3e14656fa4a8235cea13937881957e9a33d86eeab726628ad997cbcde253c56
Instruction Fuzzy Hash: 17227035A002198FCB15CFA4D856AEEBBB2FF48744F14C015E851AB2A8DB78AD45CF91

Function 09369A6B Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5b6a0443a0229fff7e91fb0f72f36b202713cec6822aa7e90b37f063752ba0
Instruction ID: c73b649a7fc8866006f78cfce9edba69f997a4cc6ea0ab65b8dba4bc7e5a1d4b
Opcode Fuzzy Hash: da5b6a0443a0229fff7e91fb0f72f36b202713cec6822aa7e90b37f063752ba0
Instruction Fuzzy Hash: EB12FF347106058FDB04DF29C884AAA77F6BF89751B2184A8E906DB3B5DB31EC41CFA0

Function 09368C80 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bf5a67a605f2fdcc81fd56f346cce835e8f33d21261e084778b1d3cdac9678
Instruction ID: 9ceb12f1bb909df4c019be68e9d334b7d3c79bdeaca9d180d148593511767b03
Opcode Fuzzy Hash: a0bf5a67a605f2fdcc81fd56f346cce835e8f33d21261e084778b1d3cdac9678
Instruction Fuzzy Hash: 37F1C231711202CFDB159F29D4187AFBAE6EF99300F24D569E582DB3E9CA34C840CBA1

Function 09561AD0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1025c8287ee9b1cc2b458c17b7dec66feab72a648dfbc4cfa67256c956d43f3
Instruction ID: 40629b83c17cccd80cd739ea4aed8bce2881328c585182f8711540971b2d9d4f
Opcode Fuzzy Hash: b1025c8287ee9b1cc2b458c17b7dec66feab72a648dfbc4cfa67256c956d43f3
Instruction Fuzzy Hash: 90E18B35B146049FCB19DF69D858AADBBB6FF89710B1580A9E506DB3B1CB34DC02CB90

Function 06BA2D50 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2640629076.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ba0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457fd22de3d7e6de5dda0a9ab145a7af87aefdbe6a54c91805868d1636f85a0b
Instruction ID: b1ddbaab0dfba5f7348354fef3e4d34c3385c762c53c36ca13439630084e87c8
Opcode Fuzzy Hash: 457fd22de3d7e6de5dda0a9ab145a7af87aefdbe6a54c91805868d1636f85a0b
Instruction Fuzzy Hash: 98C153707193818BE7586BA9849872BE6EFABD4701F10447DA217C72D4CFA19C49CBA2

Function 09569C78 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8750443591252a6265d2dcee4f1413b0a55ee383f663ef3f3e94bd4a0e61bbb
Instruction ID: 842a5b4c78970a3f7681242e5ced8bffbd945340e84fab31ef07fd8b84436b3f
Opcode Fuzzy Hash: e8750443591252a6265d2dcee4f1413b0a55ee383f663ef3f3e94bd4a0e61bbb
Instruction Fuzzy Hash: EAC10E307052198FE705DF65C865BAEBBB2FF89300F11C5A9E506DB6A0CB389D40CB91

Function 09369318 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182eb3038112b39ef6bafc5109e993f84790f6c1101c51b4465c7e545d0be788
Instruction ID: 4d7132a159fae1d5102a975e46dabd2283a73f6122cb919d1a6db81adc00c198
Opcode Fuzzy Hash: 182eb3038112b39ef6bafc5109e993f84790f6c1101c51b4465c7e545d0be788
Instruction Fuzzy Hash: 66C1F1327043518FDB19DF69E8547AE7BA6EFC5710B2484AAE805CB3A5CB35DC02CB91

Function 09562DA0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d265763208115b5ebc5128fe6b3457b9afbfc58eabfd94649da558d6430ff2b8
Instruction ID: ce44d43867521571cffc08a69051003306c76f2060ca0273cafcfa8cbcf79b48
Opcode Fuzzy Hash: d265763208115b5ebc5128fe6b3457b9afbfc58eabfd94649da558d6430ff2b8
Instruction Fuzzy Hash: 73C1C674A00218CFCB08DFA5D994AADB7B6FF89300F509168E505AB3A5DB31EC42CF90

Function 06BA2460 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2640629076.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ba0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c338150e824c2f8444c47a3e9383606a5a02bc6876b04ca009118ecd0e71e21b
Instruction ID: 22e6bdbd66a6b65a417e911f3979fc1d16f4ada03154d395a43f9f87a26800d7
Opcode Fuzzy Hash: c338150e824c2f8444c47a3e9383606a5a02bc6876b04ca009118ecd0e71e21b
Instruction Fuzzy Hash: A4915B78F2A2A08B8B6A2764702C17F2597DBC8651748A55AD803D77CDDF388E0287D7

Function 09562D9C Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1e895ec4f3a338d5e4fe08c0f6e5c27b3a73f3798f96486c125fbe762fe10d
Instruction ID: 0e42f1e8df22c66b6e149ef21db848f95605ba9d8283d97a8ef944e4f64375fa
Opcode Fuzzy Hash: 2d1e895ec4f3a338d5e4fe08c0f6e5c27b3a73f3798f96486c125fbe762fe10d
Instruction Fuzzy Hash: F6B1B874A00218DFCB08DFA5D994A9DB7B6FF89300F509168E505AB3A5DB31EC46CF90

Function 09563D38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bdd58c397e15b139df699dcd427bf16dd199f09eb87a65f1b614d1a085d5cb8
Instruction ID: 130ac76d5c1ffceed9555915547edd44ee675751f9a909d28e41aa02facbfdfe
Opcode Fuzzy Hash: 1bdd58c397e15b139df699dcd427bf16dd199f09eb87a65f1b614d1a085d5cb8
Instruction Fuzzy Hash: 66A14B34B006188FCB09EF64D454AAE7BB2EF89700F109658E5469B3A8DF35AD46CF91

Function 09562D91 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b72a1ceffde9c0a97ae01ce5e4cf6ca829b58689291bb7eec6d3918346b082
Instruction ID: 450d77de751bbda858c7a3d0ad774178f9b6da2ddb1708c41b78acfada64ed76
Opcode Fuzzy Hash: 51b72a1ceffde9c0a97ae01ce5e4cf6ca829b58689291bb7eec6d3918346b082
Instruction Fuzzy Hash: 82B19674B00218DFDB08DFA5D994AADB7B2BF89300F519568E506AB3A5DB31EC42CF50

Function 09776100 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76fe8fb640acc5f6b93bab2aaa4208ca25f46854b8f25e4b0aadc8f7e33f435
Instruction ID: 057f436c05d84e5f2df0a281a82680d4b4802cf4005612f5d3176fa86b85bc86
Opcode Fuzzy Hash: c76fe8fb640acc5f6b93bab2aaa4208ca25f46854b8f25e4b0aadc8f7e33f435
Instruction Fuzzy Hash: E5A18731B006048FDB14EF68D595A9EBBF2FF89310F1585A9E405EB3A5CB31AC01CB91

Function 09560CC0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fa22e7cf84d2a3225a7ee8f3ee0965add5044c4f075c5501dee980e40f31b6
Instruction ID: ea9e014ee7cbb46011a23135695d2ce3a7bd697a0ec8037252941a34511a831a
Opcode Fuzzy Hash: 55fa22e7cf84d2a3225a7ee8f3ee0965add5044c4f075c5501dee980e40f31b6
Instruction Fuzzy Hash: 3CA1F834B002158FDB14DF65C894BADBBB2BF89300F5195A8E54AAB3A5DF31AD85CF40

Function 0977BD60 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7287db7f8f2294f17405602a000f8eafe94cc30852b23daa60e7f5a2d16fb982
Instruction ID: 39c273ebad0aead41ebe5e2476f2edc04b0e7c00cd17e9630fb17e545d777bf8
Opcode Fuzzy Hash: 7287db7f8f2294f17405602a000f8eafe94cc30852b23daa60e7f5a2d16fb982
Instruction Fuzzy Hash: 27719833A043D29FFF219B25CA0469DFBA1FF01BE1F498265E4258B191D731E41687EA

Function 0936CAF8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b20f3927d68ddd8478153247a8a450545662ad3ad828aaa558a0bf8e876a3f
Instruction ID: 216a9bc4b82680d0d60160959737adc1bb2e34bf0c71db44d467be3f46ec85dd
Opcode Fuzzy Hash: 57b20f3927d68ddd8478153247a8a450545662ad3ad828aaa558a0bf8e876a3f
Instruction Fuzzy Hash: 02A1DA34A10218DFCB18DFA4D898A9DBBB2FF89300F15D159E585AB365DB70AC46CF41

Function 093697E8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1c3c77176306ec116ea21ce382cc28405dbd5da3ef4ab1890a14f450a7e566
Instruction ID: 46b19098d9d74a2b0587692b55a9e7c018ac94eded42daac0e880ed53f967bad
Opcode Fuzzy Hash: 1d1c3c77176306ec116ea21ce382cc28405dbd5da3ef4ab1890a14f450a7e566
Instruction Fuzzy Hash: C6810335A00618CFCB14DF68C484A9EB7F9BF88711B1585A9E856AB374DB30ED42CF91

Function 09565150 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e80bcc7df1f90bfe51d8aeeac4faf933d0906956be318700b04c1d1692fa8ba
Instruction ID: e56284d634c62a7619840cb878df381a820e7d8c9a6974eb88b9c525120356bd
Opcode Fuzzy Hash: 9e80bcc7df1f90bfe51d8aeeac4faf933d0906956be318700b04c1d1692fa8ba
Instruction Fuzzy Hash: 9F7192317453418FDB298F39D06862A7BA2FB85710F29865DF087CB2A2DA74DC43D745

Function 09563A50 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a108e547430a0c649b9f9db8b96afa46dcaae8d4b1bd4e6e09c45618e678bbc
Instruction ID: aab1d5afb43cb598c2adaae15a386275f24ac9f4e03a4ac1c8e7ba67e6c53056
Opcode Fuzzy Hash: 1a108e547430a0c649b9f9db8b96afa46dcaae8d4b1bd4e6e09c45618e678bbc
Instruction Fuzzy Hash: 2B813934B006098FCB14EF69C454BADBBB6BF89700F109569E4429B3B5CB75AD86CF81

Function 09367B00 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3605960f4ad3bf60be74bc14331356c71337263aa74046a5b3d2945de82bc1
Instruction ID: 12a2f625c00c784fae3740842042b50f41ab97831030ab0e4d22b8daf6422bd5
Opcode Fuzzy Hash: 7c3605960f4ad3bf60be74bc14331356c71337263aa74046a5b3d2945de82bc1
Instruction Fuzzy Hash: 7471E034B002148FDB14DF28C484AAA7BF6BF89714F6185A5E516CB2B9DB70EC41CFA1

Function 095679FF Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaad120925d356371256c5777c28a565d063edc05c76b989518a2686ffb388e
Instruction ID: 1793abce5a2b9413aa8e9fb3c27d1588c7fe18bc23ae3c3125c5a4179d9811dc
Opcode Fuzzy Hash: 2aaad120925d356371256c5777c28a565d063edc05c76b989518a2686ffb388e
Instruction Fuzzy Hash: 6F618930704254CFE7158FA5E459BAE77B2FB88315F50C469E802DB7A4CB78AD85CB82

Function 09567A10 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1e864b022a227644deaa0d46fe445cdd26a0db244ad422b910d8e68240c4cb
Instruction ID: 67c4a1201664913f7098710e93cac296970a4751ffa4ed331340ef5524474418
Opcode Fuzzy Hash: 5b1e864b022a227644deaa0d46fe445cdd26a0db244ad422b910d8e68240c4cb
Instruction Fuzzy Hash: 48618A30700204CFE7118F99E459BAE73B6FB8C315F51C465E802DB7A4CB78AE858B82

Function 09563A43 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a008964c01f4a04153222e0f79ba785b312d6ca133ec97ce4309aa18bc590e
Instruction ID: a2350eef1a255bebb339c95e2f1bf4fcdae62c62ca56383cabf9bb0c4de9242a
Opcode Fuzzy Hash: 15a008964c01f4a04153222e0f79ba785b312d6ca133ec97ce4309aa18bc590e
Instruction Fuzzy Hash: 07618C34B006098FCB14EF69C058BADBBB2BF89300F109569E442977B4DB75AD86CF81

Function 0956A198 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da8f7c4b6257a1d5f57e1d3b7932f010429da60bbf57fce5e752860bbbf64ee
Instruction ID: 2590329ebf58f7b90bb35093612d9b0b50feb89f25ddc5a3609f9e0574b60792
Opcode Fuzzy Hash: 1da8f7c4b6257a1d5f57e1d3b7932f010429da60bbf57fce5e752860bbbf64ee
Instruction Fuzzy Hash: 00619C30B00158CFDB14CF96E855BAE77B2FB88301F64C068E402FB6A4DB78A985CB51

Function 0977AD90 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9a6b41ab98a2a24ead277728b07ef1c2e1dc16c21a27cc6e8b6b84f5e32d49
Instruction ID: ff770617c6155e0d1f60c36b31e2ccc10d07ec64530701f56bf0dd33620a226d
Opcode Fuzzy Hash: db9a6b41ab98a2a24ead277728b07ef1c2e1dc16c21a27cc6e8b6b84f5e32d49
Instruction Fuzzy Hash: 3D51B2317052548FEB59DB64E06A7AFB7B2EBC9341F50D165C8028F78DCB789D068B82

Function 09567C0F Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93be35dc936a996f3450551d1828e986373f686f975407cfb0ad2f0ddce14c01
Instruction ID: 4ad4fee502896ccbf36ef653172230169d1fe84cd88a56028534e20afdf7fce3
Opcode Fuzzy Hash: 93be35dc936a996f3450551d1828e986373f686f975407cfb0ad2f0ddce14c01
Instruction Fuzzy Hash: E3516A30744204CFE7158F95E459BAE73B2FB8C315F51C465E802DB7A4CB78AE858B82

Function 093613D0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f8c89b548b0522e3a055fea7e01ad13ce7bf1736455d57a187b105a3cfde2c
Instruction ID: d33bfae32a32aa842d4bd43b59a85b3a9ea905f425ea66d6ac92bb71e57a2212
Opcode Fuzzy Hash: 04f8c89b548b0522e3a055fea7e01ad13ce7bf1736455d57a187b105a3cfde2c
Instruction Fuzzy Hash: 6A515F76600104EFDB4A9FA8D815D697BF3FF8D3147198099E2099B272CB32DC21EB51

Function 0936C110 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba563ec2804ae508a28e8bcfd21e161001753c26fcd9fe253b654de676e7b92
Instruction ID: 4398c14d37294e63ad0759c8619c28ae0b8a15d1164ad5d447d1815a0b74d5d8
Opcode Fuzzy Hash: fba563ec2804ae508a28e8bcfd21e161001753c26fcd9fe253b654de676e7b92
Instruction Fuzzy Hash: D8519130B003058FDB49DBA9D4507AFBBE6BFC8600F148968C54A9B295DF35AD059BE1

Function 0936C6D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd4ec748704de28d3093f44d6a2d2e9e80d9ef986debd92541733c650876ec1
Instruction ID: 270d4d49e9b460fd5a7df5f9c67a3bbb5ec19d827e0415780a8865761a59dcc3
Opcode Fuzzy Hash: 3cd4ec748704de28d3093f44d6a2d2e9e80d9ef986debd92541733c650876ec1
Instruction Fuzzy Hash: A2514F34B00609DFDB18DF64E498AADBBBAFF89701F108119E5129B364DF34A946CF91

Function 09560A90 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a29b787da0d31437e9b4ac45c16f127ee3bf7ee5f28787730e3a4bc01cf930
Instruction ID: 7e37b8b1c462926bc86c792ac53def199739d7e61586ca8ce06bd417c33c2af8
Opcode Fuzzy Hash: 81a29b787da0d31437e9b4ac45c16f127ee3bf7ee5f28787730e3a4bc01cf930
Instruction Fuzzy Hash: 32419530B102148FCB14EB65D894AAEB7B7AFC9700F10E41ED546AB3A4DF749C468F91

Function 0956B770 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971a63aaaf998693fd9783ffcde0cbaf4bf82c0755414fdb34c5687211be544c
Instruction ID: 3449404474eee03254b3dafcefb921257c1ad084bb1745de1d808c090784d3a6
Opcode Fuzzy Hash: 971a63aaaf998693fd9783ffcde0cbaf4bf82c0755414fdb34c5687211be544c
Instruction Fuzzy Hash: 5651BB30A0A144CFE720DB5AE445BA977B2FB88352F22C5B4E405DB6A5C778AD85CB41

Function 0956BA98 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2896266c05b08fc048b40c123efc52555be579625f14041133a72f05519e84
Instruction ID: d51d4516e908b0789d71d3cf60895c2af0b1d9d0569e94e1b92ee7086bec4c49
Opcode Fuzzy Hash: be2896266c05b08fc048b40c123efc52555be579625f14041133a72f05519e84
Instruction Fuzzy Hash: D9519C30A09154CFEB20CB56D059BA933F3FB88356F26C4B4E805DB6A6C378AD85CB41

Function 0936C100 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1feef54fd34eae20290a5d97d370f2e4ad9ff81e800baa198b0c6602847e8f0
Instruction ID: 869c3496db77599311aea0de3db8952b479da6396081fdb9506488ee8823b77b
Opcode Fuzzy Hash: e1feef54fd34eae20290a5d97d370f2e4ad9ff81e800baa198b0c6602847e8f0
Instruction Fuzzy Hash: A641B0306003059FDB19DBA9C8506AFBBE6BFC8300F14892CC9899B655DB75A9068BA1

Function 0956A35D Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21816bc04d265439285eea1419e0abd7d54e639d5cc785897d0080b0d86e880
Instruction ID: d733e346913a61b585baaafc29141ce646dea2c8906a5280f2268e08f43bc2c3
Opcode Fuzzy Hash: d21816bc04d265439285eea1419e0abd7d54e639d5cc785897d0080b0d86e880
Instruction Fuzzy Hash: 10419F30700245CFE710CF56E995BAE77B2FB88301F64D068E402FB6A4D7B9A985CB42

Function 09561F40 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dad5fda72b5c2ad8887a03195debd5c8e75de3399774cf27a482c996d70aa4
Instruction ID: 8ceda76977c90a9fea2c36882718734cd21919c363677f424c81f2590091998b
Opcode Fuzzy Hash: 11dad5fda72b5c2ad8887a03195debd5c8e75de3399774cf27a482c996d70aa4
Instruction Fuzzy Hash: 76417135A00209DFDB15DF66D859AEEBBB5FF89310F148065E415EB2A0CB355D05CBA0

Function 0936E9F8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e78693b7be0a2652f298392ff19216a9320db3b27ed0e3744e0df8299f3e49
Instruction ID: 99666d8d8b47d501e8460433f8730dc3a93ce85518278456935099f170b4a38d
Opcode Fuzzy Hash: 34e78693b7be0a2652f298392ff19216a9320db3b27ed0e3744e0df8299f3e49
Instruction Fuzzy Hash: 2F31E5366101089FCB15CF58D888E99BBB6FF48320B1680A8F50A9B372C731ED55CF80

Function 0936BB70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5dca20ed7acc0d288e9cdcbab1fa3ffdd529a2125db8849fc4c4bdeb79f9a5
Instruction ID: 23aee9a00642ce7198d31997555e3f8480d18f6edc4dc8f76af27762c3b0fd7f
Opcode Fuzzy Hash: fd5dca20ed7acc0d288e9cdcbab1fa3ffdd529a2125db8849fc4c4bdeb79f9a5
Instruction Fuzzy Hash: 0F319135600214DFDB098FA4D85899EBBBAEF89310F1580A9E9069B371DB31EC56CF91

Function 09565EE0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8628f2cb22ad63f8914e3b03ebd99c1e285eb81bc3a5144fef577a46341a149e
Instruction ID: a291d927e088a86bf1df33d3b3a9348c70db1c18d3988065d41d012f1c312dbb
Opcode Fuzzy Hash: 8628f2cb22ad63f8914e3b03ebd99c1e285eb81bc3a5144fef577a46341a149e
Instruction Fuzzy Hash: 7221BD717047108FC7259B69E8585ABBBFAFFC5720724845EE146C7B90DB35A802CB91

Function 093634E0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac614245fabb0368ee9e8fb6032806d6b457c532457dda4712801dcfaf2c1972
Instruction ID: 137cf4d54d961d254f1be3839ab9b3156a4e519c35ee76d58f739577afe12b26
Opcode Fuzzy Hash: ac614245fabb0368ee9e8fb6032806d6b457c532457dda4712801dcfaf2c1972
Instruction Fuzzy Hash: 96312531B052148FC715DF79D4949AEBFB4EF8A710B1480AAE641DB326DB30DC05CBA1

Function 0936468F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd2c4f993f9687fc607477174f1a1feb904daa0bcad9cb4138b08d5de4879e5
Instruction ID: b2ed0a993bb51db8eb0bc1afadddacc176c9a700bdb34b27c673d619b5773bdb
Opcode Fuzzy Hash: bfd2c4f993f9687fc607477174f1a1feb904daa0bcad9cb4138b08d5de4879e5
Instruction Fuzzy Hash: 9C310734E112288FEB24DF24C895F99B7B1BB49311F1181D9EA09AB3A5CA31ED81CF50

Function 09369308 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a124adcd5503eff7e47fcaec1f3661f3e2abd3ca622e07378cdecd6e22d9a4e
Instruction ID: e0fa47048968594fe90b6a6f6caba1650728646984744cfc4c4682a45433b416
Opcode Fuzzy Hash: 6a124adcd5503eff7e47fcaec1f3661f3e2abd3ca622e07378cdecd6e22d9a4e
Instruction Fuzzy Hash: 34316B312002049FDB15CF65D884BAA7BA6FF88315F2581A9F8098B2B5CB75D891CF91

Function 0936D478 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1133e176e521441953eb398dcfa28518a4a908e3177601bbb300aa531b1d5aa
Instruction ID: efa18c2384cd12ab5e7128f37b148974b81030f3ad7b96b29696c19356e86886
Opcode Fuzzy Hash: c1133e176e521441953eb398dcfa28518a4a908e3177601bbb300aa531b1d5aa
Instruction Fuzzy Hash: 3521A3323053004FD7359A69E884A6BBBE5DFC1325B19C0BEE109CB6A5DB25EC428B51

Function 09364168 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540a311b1a957016f66a65757c6a0ea3bc2d8ed898871712af63320b2c7cd00b
Instruction ID: 7ca9e4c17f9e380160be7ac70b05aa871b13f6ceab563deef80fcc5365cc9804
Opcode Fuzzy Hash: 540a311b1a957016f66a65757c6a0ea3bc2d8ed898871712af63320b2c7cd00b
Instruction Fuzzy Hash: A2311774B04615CFD744DFA5D888A6A77B5BF88754B208468E902CB379EB31EC02CF50

Function 093666CF Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32d23ccbdab376a22ee78ad87ce3eb314a244df2e47c2e3ebbb5036dd27d458
Instruction ID: 2834a8155a2a57baa2b60f0eb837dba7616bd30ef27da2708162766166f7f5a7
Opcode Fuzzy Hash: d32d23ccbdab376a22ee78ad87ce3eb314a244df2e47c2e3ebbb5036dd27d458
Instruction Fuzzy Hash: 89318D742042849FDB06CF29D845AAA7FE5AF8A344F1980AAF845CB2B1D735DC41CF20

Function 0936FAD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49655358c0d9b730dcdebe33d7b4c1107d367474f7f1f2cf8204913f82c9339
Instruction ID: b778add907439c7d7c6259b63391e7f0cb2148e30826d91e1215fadea6cf88b7
Opcode Fuzzy Hash: c49655358c0d9b730dcdebe33d7b4c1107d367474f7f1f2cf8204913f82c9339
Instruction Fuzzy Hash: 0E218734B106098FCB04EF64C55456EB7F5EF8A700B10911AD546A7324EF70AA46CF92

Function 09369788 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83616e142df2f39653df1d76ff2ce8b12bc2ab0bbe248047d53a206c2a0b9399
Instruction ID: c060015ff70c19a6b6ba11680d1d1603eecf002c1169950c41f04fe6f7c21c53
Opcode Fuzzy Hash: 83616e142df2f39653df1d76ff2ce8b12bc2ab0bbe248047d53a206c2a0b9399
Instruction Fuzzy Hash: E421A771905248DFCB1ADFA5D4449CEBFF8EF49310B1480ABE545DB261D630A905CBA1

Function 09365BE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a734b4372cba9ad2173a06e538b2e20ef7ab142e0d85a1da66b1b874f5e1fa1
Instruction ID: a2ec895d1e557b942fd1ef5143dccc1c371237cf0f2da7a3c66a7d2251d3877c
Opcode Fuzzy Hash: 8a734b4372cba9ad2173a06e538b2e20ef7ab142e0d85a1da66b1b874f5e1fa1
Instruction Fuzzy Hash: DF213636A00209DFDB10DEB4C804BAEBBF5AB44380F50C076E519DB2A4E734CA50CF91

Function 0500D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2638358286.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_500d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f491095859306f6dfbda1927540f041ab5356fd582cd73e0f3e4545c5d853b0f
Instruction ID: e2e4a43f8429552d38258085af1b591aba7ff433b9614180dd43ff8c7c2f9897
Opcode Fuzzy Hash: f491095859306f6dfbda1927540f041ab5356fd582cd73e0f3e4545c5d853b0f
Instruction Fuzzy Hash: FB21F472504204DFEB44DF54E9C0B2ABBA6FB84320F20C569ED090F286C336E456C6B2

Function 093697A1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616adf4ab4846ad4189070a95ed8acca12941c123390f345a5a4e8c0e44ccbb4
Instruction ID: 9a1e22696dcc4341c1a8f9f78abb77ad173ebe7cd42ee4b117f3e07b0acd5278
Opcode Fuzzy Hash: 616adf4ab4846ad4189070a95ed8acca12941c123390f345a5a4e8c0e44ccbb4
Instruction Fuzzy Hash: A8218172A05208DFCB1ADFA5D8449DEBBF9FF89310F00856AE545DB360DA30AD05CBA1

Function 09561937 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cf532219208fd9d3252f6b23495be45bcda51893e4ab0cac6c7e035e5c31d9
Instruction ID: c9f95a927322e37e096886a58dff9097b7788c440acd400c5f8d8c8b73868c53
Opcode Fuzzy Hash: c7cf532219208fd9d3252f6b23495be45bcda51893e4ab0cac6c7e035e5c31d9
Instruction Fuzzy Hash: B521D4303046408FD7258F36D580B7A7BA2FFC5700F19816DE1468B2A1DA72EC82CBC0

Function 0936E9F4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531c94c7ad5032d32ad4806bba4ba42a93fca334888403b3bc3c99d3cf3293a
Instruction ID: f897c5c3dca0bfd2619304ca6a900a600dc22fe6bd998d548575d30f9069fb31
Opcode Fuzzy Hash: e531c94c7ad5032d32ad4806bba4ba42a93fca334888403b3bc3c99d3cf3293a
Instruction Fuzzy Hash: 0721DB366001089FCB09CF99D988D99BBB6FF49310B1580A9F6199B372D731ED25DF41

Function 0936FAC0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b780d138da3bf7e7b486241091911e6c435d3d89331abcd96425079d9acb2380
Instruction ID: 654c31055f5c72b50e04c0a2ca97d6a860a1fa75e0ddc2d03bdf2f7a6a182b2d
Opcode Fuzzy Hash: b780d138da3bf7e7b486241091911e6c435d3d89331abcd96425079d9acb2380
Instruction Fuzzy Hash: 96218634A006098FCB05EF74C4509AEBBF5EF8A700B10916AD546E7374EB749A46CFA1

Function 0936A908 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a45bb43d66232f88df08cd7f6668b5689673dbfeff776c0679afcb0bdda3226
Instruction ID: 4860184cf2695dfecf7256721a32d64ae599da0ff5284ecefb35043e63ac0f09
Opcode Fuzzy Hash: 6a45bb43d66232f88df08cd7f6668b5689673dbfeff776c0679afcb0bdda3226
Instruction Fuzzy Hash: 2E211735A002098FDF04DF98D545ADEB7F2BF89301F2181A5E405BB269CB76AD44CFA1

Function 0936E858 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04fee05e456990732228ab808744f76c768c111a55d98c1250496b40c5f3117
Instruction ID: 4db7685b4b9df8d9aaf9ac43fc57ce025f10c682e57bd0aaafaf6106f2115b24
Opcode Fuzzy Hash: a04fee05e456990732228ab808744f76c768c111a55d98c1250496b40c5f3117
Instruction Fuzzy Hash: F5115B307082004FE719ABA9E49456F3BD6EFC6B00B14C469E50ACF3D2CE249C0687E7

Function 09561888 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ffbb0ab7595141a6ca9c1e9050f41955bd7afb8808e3ec6a0a42550a1ab257
Instruction ID: f55c24ed97cc435dae4c7b24a587133dbf080be718fc4b9f2e1d5e4df6c3f638
Opcode Fuzzy Hash: 45ffbb0ab7595141a6ca9c1e9050f41955bd7afb8808e3ec6a0a42550a1ab257
Instruction Fuzzy Hash: 5121A1347006048FC715DF35D854AAABBF2EF8A310B24846AE5859B361DB70AD06CB91

Function 0936BA00 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fb400ee104c88ee4148597212a80ff0d0f832049b5af62d1eaa8f617b4cd9e
Instruction ID: 82a1da572ec3166d19e7a78bfcc8004fad699afb23f8cd6dcac3266b3dcf8bc9
Opcode Fuzzy Hash: b1fb400ee104c88ee4148597212a80ff0d0f832049b5af62d1eaa8f617b4cd9e
Instruction Fuzzy Hash: 53212030A08616DFCB15CF68C8809A9FBB5FF80304F12C16AE405DB62AC735A856CFC2

Function 09568030 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fe61123c6c7dc61824018e8c66379bef96612479d7b5c863536a17f217e545
Instruction ID: 64b76e20c9ffaeb4053580ddbe72d25465bba5964555e33e175780e3e073e353
Opcode Fuzzy Hash: 58fe61123c6c7dc61824018e8c66379bef96612479d7b5c863536a17f217e545
Instruction Fuzzy Hash: A021C330A01209CFDB10DFAAE4157AE77F2FB88311F60C869D619D7394D7789949CB82

Function 06BA144D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2640629076.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ba0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91196dc5eb7459a2d8dd1582339ef90c4b204085ccc95012be179b7c7f792c2
Instruction ID: 816b1633db553c8d6bba4fd7b12860e66cf53050016d642e8ee3ba48a2090334
Opcode Fuzzy Hash: f91196dc5eb7459a2d8dd1582339ef90c4b204085ccc95012be179b7c7f792c2
Instruction Fuzzy Hash: 3D11E270E0E3648FCBA65B689C181BFBB75EB45211F0840ABD851A7281CF385D06CBD1

Function 09567820 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b457937622632b936329d6409b7c29425c77056f1b2b6767522c539a2ff4a57
Instruction ID: d447286729cb84a6db3b37a7d17e80a9a4eed0d02ce01d5027c5522a57fd6c2a
Opcode Fuzzy Hash: 8b457937622632b936329d6409b7c29425c77056f1b2b6767522c539a2ff4a57
Instruction Fuzzy Hash: DE11BF357002508BD3358B66E0597BE33A3E7CD356F65C164D8018B798CB78AC86CBC6

Function 0500D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2638358286.000000000500D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0500D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_500d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 0f281e675fe8b4862967874b5dbed3a051cf32a6ce9a5cf3904b280f74e33135
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: A211DF76504244DFDB41CF40D9C0B2ABFA2FB84320F24C5A9DC090B696C33AE45ACBA2

Function 093626A1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312463daf87d8349fee3ad929f5d2b99bcaa27c7bf77e987dda9565f5b35f69e
Instruction ID: aa148d5f07e3aa03fdaa64e5a34d8076e6f38e396f47a669dd26ed4162e5eab1
Opcode Fuzzy Hash: 312463daf87d8349fee3ad929f5d2b99bcaa27c7bf77e987dda9565f5b35f69e
Instruction Fuzzy Hash: F2218E78A02259AFDB04CFA8E594EAEB7B2BF49700F214158E901EB365CB70AD01CF50

Function 0956C0A8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271239840416c618eb81b00a6b3345a2913f3c5b649cdb17fa2c78950c39a591
Instruction ID: d2641d68d63782ce3d4e484eb5a03c7a0da79ee252cf4015cedc6fd999da27dc
Opcode Fuzzy Hash: 271239840416c618eb81b00a6b3345a2913f3c5b649cdb17fa2c78950c39a591
Instruction Fuzzy Hash: 2F1156758002498FDB10CFAAC845BEEBBF5FF88320F14882EE559A7650CB399554CFA0

Function 09363EF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71292623ab00a73a02c0e4b9d49f01008d38336a25eb8e67f7b44a2bc06c87a
Instruction ID: 566141b118379d99a08bddfb795fc3ed78508ea7a1b22ea134ffe3c979f8258d
Opcode Fuzzy Hash: f71292623ab00a73a02c0e4b9d49f01008d38336a25eb8e67f7b44a2bc06c87a
Instruction Fuzzy Hash: EC01B5326042586FD754DE9CE840BDABFF4EB55220F14C0ABF484CB2A4D631D990CB50

Function 0956C0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904f484aeb84df6f282a2a3110d16c9cb10f35f3d8b697f6231ec3a4cc5ba267
Instruction ID: 318474f8837b770bd8b8cdcf7bf4ce5b609e04d9fd384fba7a0f0e8a41110f2a
Opcode Fuzzy Hash: 904f484aeb84df6f282a2a3110d16c9cb10f35f3d8b697f6231ec3a4cc5ba267
Instruction Fuzzy Hash: 191179718003098FDB10DFAAC845BEEBBF5FF88320F148819D559A7250D7399540CFA0

Function 09362580 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1fefafa47fedb102ebcc6f6078f7459334e908801467562487d5d697f0735e
Instruction ID: e43b8c98356745922f1bb611ffcb8674fb6fdba859bc6f015c9b652622903ec3
Opcode Fuzzy Hash: cd1fefafa47fedb102ebcc6f6078f7459334e908801467562487d5d697f0735e
Instruction Fuzzy Hash: D001AC36340214AFD7108F59EC94FABB7A9FFC9B20F10802AFA14CB390D671D8048B50

Function 09568B18 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf8e616f418ce3fc6474354232f0492c5c5216a0a5f8bbd92364a111e40ca2c
Instruction ID: 263aa25b82b3a0232383ec8442c5d91f4cc2c1de4e5ff21d4ca9e5b3571a6266
Opcode Fuzzy Hash: ebf8e616f418ce3fc6474354232f0492c5c5216a0a5f8bbd92364a111e40ca2c
Instruction Fuzzy Hash: 2811C431601254DBCB199F35D8296AF7BB6EB89700F10845EE902A73A0CF725D05CF91

Function 09362550 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d7b715e9fa4fb4211c122f403fe7e722ef2fd8336af319bf23033b934d55a6
Instruction ID: cdecae02c1a2146c0cf426e63b829898cedc871cd7a967c7cf29c50605234418
Opcode Fuzzy Hash: 71d7b715e9fa4fb4211c122f403fe7e722ef2fd8336af319bf23033b934d55a6
Instruction Fuzzy Hash: C90192722093C08FC3079F35D8688467FB4EF8761431640EFE950CF272E6659919CB62

Function 0936BAB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cb2359ebd039878448eb8062af33a66626256059a6b5df2d0a6d5674d65ce2
Instruction ID: 5ce9d9c973cf1b6f12eb68a618aca8bd5d9c8f4afa6dbda3cbefc461fabb10b1
Opcode Fuzzy Hash: 98cb2359ebd039878448eb8062af33a66626256059a6b5df2d0a6d5674d65ce2
Instruction Fuzzy Hash: 52F0F43230F3904FC7170A396C641867FB89F87210B5C42EEE885CB266C1244C06CBA3

Function 0936F920 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b54632bab9bb63733b2eaf6d03d5d1e228d0467707696f8ae09ed66db21483
Instruction ID: 4d40702a638a82113a8ba479211d0042d73e322d53d52823a4cfe07f65d5919d
Opcode Fuzzy Hash: 11b54632bab9bb63733b2eaf6d03d5d1e228d0467707696f8ae09ed66db21483
Instruction Fuzzy Hash: 60F046227082141FE7292A39A42037F37DB8FC2A40F10C12AD446CB3D8CE2C8C078BD6

Function 0936F428 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa4223ef9889f3a9da574ba19e21bc33b464bccca08c513462133b11c5c1b84
Instruction ID: 7d60498988482b533f1b6845a3f627252c469b206eab040674fc1eb15dd81eb0
Opcode Fuzzy Hash: afa4223ef9889f3a9da574ba19e21bc33b464bccca08c513462133b11c5c1b84
Instruction Fuzzy Hash: BB019E383006609FC31A9B35D028A1A7BE6EF8E711F1081A9E5568B3A0DB75ED42CF91

Function 09565560 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe358ef870a7510b23808c24c2ff847a53b4e0925c267178bc5a3ade89ef9b1
Instruction ID: 1a311235f006b5ad521eddfdaa7dbdf8da223fb7efe510a627ccf647f9870485
Opcode Fuzzy Hash: 8fe358ef870a7510b23808c24c2ff847a53b4e0925c267178bc5a3ade89ef9b1
Instruction Fuzzy Hash: 70116D31E04659DFCB01DFB9D50859EBBF5FF8A310B1045AAE145E7220EB349A05CB92

Function 09568AE9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadfe0b130d39167ee7916a05120ec7875f34a81a77b5d2d2ac93f770d147072
Instruction ID: 2ec7138be2a35b610eb0a8dc78e66f543d25ac5980c9a11553d820287d294e59
Opcode Fuzzy Hash: aadfe0b130d39167ee7916a05120ec7875f34a81a77b5d2d2ac93f770d147072
Instruction Fuzzy Hash: DD11E170601280DFDB168F21D4286AE7FB2FF89700F24809EE942CB261CF365942CB91

Function 0936E7F4 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f2822df1bf6c44366b4684a321b49a213753770c85d59dc2283f46ce77652d
Instruction ID: 39c461597c5231ecafd5fbac19ecc338f45d3f5e371df801cb526f4fb5cbcb73
Opcode Fuzzy Hash: f6f2822df1bf6c44366b4684a321b49a213753770c85d59dc2283f46ce77652d
Instruction Fuzzy Hash: BB0126707093400FE30AEB78D4A559E3FA2EFC6600B11886AD106CF2E2CA149C4A8766

Function 09568B28 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405d6fb186d19231692d16437dcc9b6a7506d9f74a05933d0f23bef83edd9a2
Instruction ID: a63fad29530f5df7d3a6ee5e64d81cdd034232683b878507404840f8609fffa4
Opcode Fuzzy Hash: 6405d6fb186d19231692d16437dcc9b6a7506d9f74a05933d0f23bef83edd9a2
Instruction Fuzzy Hash: 100175316002149BDB195F65D8286AE7BB6EBCC710F10846DE902A7350CF755D05CF91

Function 0936F1B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a620d6d3ff757e9831655efde9b420ddd2a9c659755d5d40af36acfe03951eb
Instruction ID: 01e1c35f516dbcd022214c224082fe3975c9cd8133abf7b62c4fc8eff809fc61
Opcode Fuzzy Hash: 0a620d6d3ff757e9831655efde9b420ddd2a9c659755d5d40af36acfe03951eb
Instruction Fuzzy Hash: 520169353403409FC3198B25D854A2A7BBAEFCA310B1580AEE556CB371CA319C02CF50

Function 0936C6C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c166c8d4bdee3ed8b53194d7af86d2b9ddaa846aaa5e25732642f045de9bcf0b
Instruction ID: 716593ee4766fe4e57c561c6f99f695a21450852fed3e05cfe4f4ab95446e4a7
Opcode Fuzzy Hash: c166c8d4bdee3ed8b53194d7af86d2b9ddaa846aaa5e25732642f045de9bcf0b
Instruction Fuzzy Hash: 5EF02835700108ABDB059A39D4548AABBA9EF89310F04807AF955D7370DF359807CB81

Function 0936F438 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83abf5a8927f95777906d2149f7e1e4190476f66e530a7a09e427fb0a12fa00
Instruction ID: aad1786850ed223a2f93e3ba952b90e52b69c2d4e657071946e3baaa0de0b097
Opcode Fuzzy Hash: c83abf5a8927f95777906d2149f7e1e4190476f66e530a7a09e427fb0a12fa00
Instruction Fuzzy Hash: 4701F6393006209FC3199B25D068A1EB7E6EBCD711B108168E91A8B794DF35EC42CBD1

Function 09760E53 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e834f514ac5916d570d9d0e0ee7f4421eb264d778d3dc84ade0edf3e9e4ea416
Instruction ID: 04eb77c9e7504287762dc8775dc371de913fc15eb302885506fc60c9d17785ed
Opcode Fuzzy Hash: e834f514ac5916d570d9d0e0ee7f4421eb264d778d3dc84ade0edf3e9e4ea416
Instruction Fuzzy Hash: B3115B39E042289FDBA5DF54E8996AD77B1FB49350F0041E5DC0EA7750CB386E808F42

Function 09565570 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5510e3d8ce97db0588a587865653f43178a5c08ecf648d02f4f09d6d630cf0d8
Instruction ID: b3c77ba4695bfd9176b090c52716d8a4d29d131be82cdd3ff0ee569de8baf895
Opcode Fuzzy Hash: 5510e3d8ce97db0588a587865653f43178a5c08ecf648d02f4f09d6d630cf0d8
Instruction Fuzzy Hash: D8014B71E00619DFCB00EFAAD50899EBBF5FF89711F108569E519E3320EB30AA05CB91

Function 093619B8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3cab5e955e8daa7ec02155491a968cfa33fb532a4554616f1ec05d421703f5
Instruction ID: 7d24522652f751e6c078348266ac26634aadd691db6acf286bc131d12035e574
Opcode Fuzzy Hash: 3a3cab5e955e8daa7ec02155491a968cfa33fb532a4554616f1ec05d421703f5
Instruction Fuzzy Hash: 0EF0E932F086655FE3148A59980472BF7EAEFC9710F14806AE5499B394CB72FC4187C4

Function 09361A10 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab99df13efa9bb096c8a30e8eb8f25516a9a5fc4149b443de5d3ca2eb60968b7
Instruction ID: be9e8b7752dd04137da00bef469fd50f2cc44d7620e73bd3cf20720d6e85efa5
Opcode Fuzzy Hash: ab99df13efa9bb096c8a30e8eb8f25516a9a5fc4149b443de5d3ca2eb60968b7
Instruction Fuzzy Hash: 70F0E222F0E2A15FE31206A5581537AABE29BC6701F0484ABD4868F2B5DA56E84687D1

Function 09366021 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a2627d8646746b0b7a4a1fa3c441750696988a7f088c8be2f7eed350be472a
Instruction ID: f805f0165999ce3df5ff354879a89f1971a12c728ec8c4881b0fc48653138663
Opcode Fuzzy Hash: 02a2627d8646746b0b7a4a1fa3c441750696988a7f088c8be2f7eed350be472a
Instruction Fuzzy Hash: B3F049329092189BDB09DFB5C81D6DEBBB1EF89304F24846ED0417B3A4DB761901CFA2

Function 09364580 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b58930d72d13bedbf096c0f6a41988565e453b0f364027eba019bdeafe6e10
Instruction ID: 71426c1c967e0e488619c50425442897f5acc1d1832795fb7a721d5f96fea96d
Opcode Fuzzy Hash: a0b58930d72d13bedbf096c0f6a41988565e453b0f364027eba019bdeafe6e10
Instruction Fuzzy Hash: A2F04931A0A394AFCB0ADF74945C6AD7FB29B86314F1980DAD0059B2A5C7744A85CB85

Function 0936BB1F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdf47159aa1b45e0da21178fe9fa59b21f9e2b8299b9f46ea69d19dc9fabfca
Instruction ID: 8f1f1df6254310528e076af4011c5ff217e51f2d2d346c2b823c29a9297edccf
Opcode Fuzzy Hash: 6fdf47159aa1b45e0da21178fe9fa59b21f9e2b8299b9f46ea69d19dc9fabfca
Instruction Fuzzy Hash: 6CF0E9302053404FD7215F3ADC4484ABF59EEC1221314867ED4298B165DA70980E8791

Function 09765F91 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d938ec6fbc215c566717f2e9a303419407e06a5a442deb3529321f0d76e2c2
Instruction ID: 5fd255f2d8be7e9d7006fa30303e331692f80c04bdd0f2fc20f607d38e61c906
Opcode Fuzzy Hash: b7d938ec6fbc215c566717f2e9a303419407e06a5a442deb3529321f0d76e2c2
Instruction Fuzzy Hash: AD011635A002198FDB64DF14D8957AEB7B1EB49341F4080A6EC5AA7794CB349E80CF42

Function 0956AAE9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d49660d9ae8a9bf499a1d4b550d43be195d61b3fae8b78bf2f066844649520c
Instruction ID: 6927a94fb762f8b2b1b498892d0827ba64796668a7da0fe98f35428c424be2c2
Opcode Fuzzy Hash: 8d49660d9ae8a9bf499a1d4b550d43be195d61b3fae8b78bf2f066844649520c
Instruction Fuzzy Hash: 32F0FE316082449FC349CF79D862866BBA5EF9621432584EFD84ADF262CA33AC02CA50

Function 0936F1C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca386d5b035ea6dd380db9e9b668ff837ab8fad856f778b0b67df0b998f2a9f
Instruction ID: f1d9086832b2ba11e308bd9efb2fc6aedb0059cbd43a55b8f5462c848754a364
Opcode Fuzzy Hash: 4ca386d5b035ea6dd380db9e9b668ff837ab8fad856f778b0b67df0b998f2a9f
Instruction Fuzzy Hash: 7FF03A393402009FC3189B19D894E2A77AAFFC8721F14806AEA568B370CA31EC02CB90

Function 09760EA6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a92b593d2cad3bf8b014523af33a4ba280916adb04f52c35b5153bbe3b5a93
Instruction ID: 690e26884e875d5fadb7bedee0edb79ef3f35223947fdb97c0b68a481ba7d64c
Opcode Fuzzy Hash: 42a92b593d2cad3bf8b014523af33a4ba280916adb04f52c35b5153bbe3b5a93
Instruction Fuzzy Hash: 5D01D338E042589FDBA6DF58E89569DBBB1FB48340F0051E9D80DA7744CB386E81CF42

Function 0936F91E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c0325edc715043df1098b866c01afc7710f176e8392d9ac35de8a0b9ef16e1
Instruction ID: e46c166c4772a8f2ad4a20aa95f8a479e50a0f71536915b0241e1107c22d37ca
Opcode Fuzzy Hash: 90c0325edc715043df1098b866c01afc7710f176e8392d9ac35de8a0b9ef16e1
Instruction Fuzzy Hash: 35E02B3730022423C7142529A42077F76CF4BC2B50F10D02EE545C7258CE758C024BD5

Function 09764DFA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c2806ef60f8fd6825a616bbfcd8b156df9f42c12315bd083e55532c0fdd963
Instruction ID: 6864ff227c1600e3401a9f34d56d6c3e9393c713cb0675a8ded6ca236c78a5e0
Opcode Fuzzy Hash: 86c2806ef60f8fd6825a616bbfcd8b156df9f42c12315bd083e55532c0fdd963
Instruction Fuzzy Hash: E4014834B012588FE755CF58D895ADEB7B1FB4A300F0590E5D80AEBB84CA34AE81CF52

Function 09764D8A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acb22e596d4227191f84327524d07b13388d9c6ba08aba5ee43c78ab7315b31
Instruction ID: 115192705bd0aff8517a8d9a61c81c708f9fe341f8d8a9e790a1e43e377f34d6
Opcode Fuzzy Hash: 0acb22e596d4227191f84327524d07b13388d9c6ba08aba5ee43c78ab7315b31
Instruction Fuzzy Hash: 1B019A31B012988FD785CF18D899A9DBBB1FB4A300F1440E9DC0AAB785CA345E85CF56

Function 09776450 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b390a1174b5d99afc9ac9c66f8e248df120e92b9627a18e2383945161862d3e
Instruction ID: 6800088d98d7bd3bacfa07e08a732565aecfff210f564ad7cad27062313d4d83
Opcode Fuzzy Hash: 0b390a1174b5d99afc9ac9c66f8e248df120e92b9627a18e2383945161862d3e
Instruction Fuzzy Hash: 2FE0482130021817E70D666F6C54BBFE98FEBC9A51F54D53EA50DC7395CD618C0113E4

Function 0956A560 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c493d1052d67a23cd0439da460947d33387cefdab4717751bc2055a9a0bd64bb
Instruction ID: 49f7cbc367aae461d66ed45f0d678b0472ecfe593883dc3eb33b9f8abaf61c54
Opcode Fuzzy Hash: c493d1052d67a23cd0439da460947d33387cefdab4717751bc2055a9a0bd64bb
Instruction Fuzzy Hash: F7F0A2312082445FC749DA75D8618767BA59F86714325C0EFE449CB262DA33AC52CA55

Function 09764C1F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082b085a2fdc0202ead5771bd07e0a7aa096f6da8294f741bd2c60d656a75b07
Instruction ID: 900fc0044ddb77918f9a8e962c4af83d1919c0d9ac1e1a0305862a588b1326a1
Opcode Fuzzy Hash: 082b085a2fdc0202ead5771bd07e0a7aa096f6da8294f741bd2c60d656a75b07
Instruction Fuzzy Hash: 88F08731B002188FD746DF54D98469E73B5EF8E340F8040A4EC4AA7785CB349E40CB13

Function 09565ECF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a4e392c20703bcc49802ca5e53e258995a171cd2d75896ed8d7322b0b61925
Instruction ID: a3f1865e7cf4c171e40192c7b24ee8492d829f9c25222062682baf2d1f11b9aa
Opcode Fuzzy Hash: 56a4e392c20703bcc49802ca5e53e258995a171cd2d75896ed8d7322b0b61925
Instruction Fuzzy Hash: 46E0927520A3509FD7269739E8568637FF9EEC636431800AFF045C7261DD269801C791

Function 095650FC Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a154cb90025b6c1a9c269f9a203b9c9fe48512fe3d1a5f30500c4734672556e9
Instruction ID: 375655ec72377e3e62c04c2716fb4f52ed335a53961a3f08aa64bdde2413584a
Opcode Fuzzy Hash: a154cb90025b6c1a9c269f9a203b9c9fe48512fe3d1a5f30500c4734672556e9
Instruction Fuzzy Hash: EBF06572B04B004BC764CA2EE454196F7E2EFC4320708C52EE58AC7B54EA30F8418B40

Function 0936BB30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94402cb97fe1a1701395ff08f1a0704d3041b4e7dabee344b837e0095e24bbb2
Instruction ID: ceadf53b75e1063898023d07dc4e6665b689f81f5d6b670be84bc48c72c768cf
Opcode Fuzzy Hash: 94402cb97fe1a1701395ff08f1a0704d3041b4e7dabee344b837e0095e24bbb2
Instruction Fuzzy Hash: E8E092313003054BD7149A1AE884C4BFB9AEFC0621700C539A51A87125CA70AC098B91

Function 09567F91 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4432e5ce5c7bae279cbf3a50202ac8df4a3630d2cbbbbcca0086ffa095226875
Instruction ID: 51e39d5510e418511a7ed1c785110c35fc317c5c38019f3196a0c7cfa0c7886e
Opcode Fuzzy Hash: 4432e5ce5c7bae279cbf3a50202ac8df4a3630d2cbbbbcca0086ffa095226875
Instruction Fuzzy Hash: F4E0E6311082946FD705DB68D861C72BF79DF4B264329C4DFE895CB252CA73AC11C790

Function 0956B16E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7d012e45c3842765c19bc18a51af8decee02f25a2b1156f2d2edf1797188dc
Instruction ID: f7664fd5c9faa4b3e44781bfc583b0e74285c266685d5b7adf620abded400f5d
Opcode Fuzzy Hash: 6d7d012e45c3842765c19bc18a51af8decee02f25a2b1156f2d2edf1797188dc
Instruction Fuzzy Hash: 2FE06D30608148DFE710CB66E4A6B297773FBC9342F20C070D402C73A5CA74A849CB12

Function 0956C1D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a97df5ba0ef20954ace3f5c880866ad530a044236056013a00a6dbd8fa0c935
Instruction ID: fccea8195072e234f9187a28f9828a377c1140bfe7976c0f5361e0819ebc2295
Opcode Fuzzy Hash: 7a97df5ba0ef20954ace3f5c880866ad530a044236056013a00a6dbd8fa0c935
Instruction Fuzzy Hash: E0E08631204004CFC718CB99E462A6673D5E749361F05C06FDA8FC3251CB71AC41CB40

Function 0956AC90 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf671ad493ad3b7b61d7788c470124e9a7d578619980c1444b55ebf4c8b2845
Instruction ID: 032126b1c3de71b9e3bf683839a792fa7b33cb316ebca33c916cb5dd44ade1b6
Opcode Fuzzy Hash: 3bf671ad493ad3b7b61d7788c470124e9a7d578619980c1444b55ebf4c8b2845
Instruction Fuzzy Hash: 1BE01A35209284AFCB06CFA4D8918A57F75EF8A214714809FE8458B263C6B29C22EB90

Function 0977BA58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27907ab60a9519eff3455e4881f7346261a4bdd87aa7b1887fbd05b77cb6815f
Instruction ID: 3abfb568a51ca01da48ff7ea99381507eaa36808c7fd058235c9b08847508840
Opcode Fuzzy Hash: 27907ab60a9519eff3455e4881f7346261a4bdd87aa7b1887fbd05b77cb6815f
Instruction Fuzzy Hash: FCD01772A0520DEBCB10DEB099018AEB3ACEB05201B1009E9EC09C3200EA32DA1096A1

Function 09567DC9 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8dc6f4f119086b408da6d77af2e8b974329a080fede3269a8173e65b248d10
Instruction ID: 3946499b12fe7fd09c95c7519fe551e11050b5ea33dc713c7c54e49f8dd90a2b
Opcode Fuzzy Hash: de8dc6f4f119086b408da6d77af2e8b974329a080fede3269a8173e65b248d10
Instruction Fuzzy Hash: 96D05B316082445FC705CEB5C825852FFF5DF86654714C0ADE844CB211E972BD03C650

Function 09569C40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8258a34859fe033443f488c3822d6a05d64e85c566b53d52cdba1429d8ceac81
Instruction ID: 75f10a0bb92d0caaccd2176490cbbb5557aac733cfe3bd7ce854c92ac388afe4
Opcode Fuzzy Hash: 8258a34859fe033443f488c3822d6a05d64e85c566b53d52cdba1429d8ceac81
Instruction Fuzzy Hash: 76E012742082845FD305DB79D8618627FB49F5A60432590DED555CB362D922BC12CB50

Function 0956AC21 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7975ec31704c7c3700b7b29116bc0ed7c9cbdf69a469b2fa1356a572556a2f9
Instruction ID: b89901d87352d71475c0532f3e0d326f083a7df0dc8a783b6590ea77e984185e
Opcode Fuzzy Hash: d7975ec31704c7c3700b7b29116bc0ed7c9cbdf69a469b2fa1356a572556a2f9
Instruction Fuzzy Hash: B3E0EC35614250AFD30ACB58D8518B5BF79FF9A310315C09BF885CB262CA72AD26DBD0

Function 0956A141 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739fde3e46891c380d9f091b7c8e768915249eb6a746523d3bbb03f000212083
Instruction ID: 008669545e866370d6b6e654c1460eeb0b49d7c4656cf7ed98ee5e9224dedf1b
Opcode Fuzzy Hash: 739fde3e46891c380d9f091b7c8e768915249eb6a746523d3bbb03f000212083
Instruction Fuzzy Hash: 49D09E3510D2885FC30ACB74D861822BB659F47618365C1DFD89A8B1A3CE336806D795

Function 09567D60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc80774e651400580e7ecda08ca3668e836d1af8a88d396d4666eaf51142ced
Instruction ID: d7f80b4c4688d545eb26f758ec60c122fbc5a5e7a7b4a66d381ee5e87f08c4de
Opcode Fuzzy Hash: dbc80774e651400580e7ecda08ca3668e836d1af8a88d396d4666eaf51142ced
Instruction Fuzzy Hash: 20E012352083845FC305CB79C8618627FB59F9E614314D0DEE899CB262D922ED02CB60

Function 0956B7AD Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12246f2fc059af0d4b2400e3bc53b2658916ecaa9b7f2e991e2a3b0ae4af3e6a
Instruction ID: cf73e752a0b1399cbc8128ff8ec5785ae1ec41ffca3a8b9448283fdc39884ed6
Opcode Fuzzy Hash: 12246f2fc059af0d4b2400e3bc53b2658916ecaa9b7f2e991e2a3b0ae4af3e6a
Instruction Fuzzy Hash: B0E08C3030C0848FDB64CB16E05536A3323FFC9381F66C464D402CBAA8C7385942D702

Function 0936F188 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da67c4f88dab2348995a5007232cf3a083cbde57b4cc63359c9e027c3f682cc1
Instruction ID: 3718356a8c9bac4c71635ebc84889a431ea1ecb94d2f05f549a806dc24ebc88e
Opcode Fuzzy Hash: da67c4f88dab2348995a5007232cf3a083cbde57b4cc63359c9e027c3f682cc1
Instruction Fuzzy Hash: 5ED012310453889FC3035B72D4188803F74DF0732431550D6E0448F632D6265956DB55

Function 095679E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc429d9ff2bf9a887d039c52735265348997d266505547e2df27484cac8efbe
Instruction ID: 386879aec3044f6480a894a48169e326a2aab1a10dbf8771c8d37e0bf852ef3b
Opcode Fuzzy Hash: 7dc429d9ff2bf9a887d039c52735265348997d266505547e2df27484cac8efbe
Instruction Fuzzy Hash: 49D09E3510C3955FD746DB74D8618657BB49F4730832494DED489CF1A3CA33A806D756

Function 09567330 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e4536431136066ee94cb1ae1cda3de8a2d0a6b7633c0ff38f480108266f826
Instruction ID: c331c7669de151a95a5579c1d4e473b360d058426399148a21d6f1f749d0e52e
Opcode Fuzzy Hash: 78e4536431136066ee94cb1ae1cda3de8a2d0a6b7633c0ff38f480108266f826
Instruction Fuzzy Hash: 90D0C73904A3845FC307C774D855C517F749F8710831544DFD8454B973E6637916C751

Function 0956B331 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ed2a9f7eba59487d592c4ef95a1e252648ecef21da1ddcc55c03db1fcde681
Instruction ID: 432c51454b95f3d25576997c30a1b5b250f4a7be5c1ff8d9a44587351df256a6
Opcode Fuzzy Hash: 95ed2a9f7eba59487d592c4ef95a1e252648ecef21da1ddcc55c03db1fcde681
Instruction Fuzzy Hash: 54D09E3010D2945FC346DBB5D8618227B74AE47618365C0DFD45ACB163CA23A806C755

Function 097730C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ed6faf8aca5bcafd23cffe2bfb0322793b58df2de81a0c5c2f7d6adcbfef2c
Instruction ID: b829f137d804d4120f886b19878edc7c8c089407c10cd3be70334261454b8ac6
Opcode Fuzzy Hash: 68ed6faf8aca5bcafd23cffe2bfb0322793b58df2de81a0c5c2f7d6adcbfef2c
Instruction Fuzzy Hash: 7DD0C971D0120CEF8B81EFF099004DEBBEDEF8A501B5045E6D518A7650EE319B1097D1

Function 09779C98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feb8998af50728205c3f23a2a24e0035cb847d35667123d08b63feb498272ea
Instruction ID: 974e76e683c38559e08df80e81f5fed6f8ee27572b2beed91dfcd77d3a96e168
Opcode Fuzzy Hash: 0feb8998af50728205c3f23a2a24e0035cb847d35667123d08b63feb498272ea
Instruction Fuzzy Hash: 95D0C971D0520CEFCB81EFF4890149EBBEDEF8A501B5045E69519E7610EE319A509BD1

Function 09779A28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c17407845658353ec51aca30631e0310980e34f7ff5f2b458d48ff7770a25
Instruction ID: 04a2bb1b4294673d5e03b3267ddf588cce044b1e5ee307381176ffb619821b3d
Opcode Fuzzy Hash: 0e2c17407845658353ec51aca30631e0310980e34f7ff5f2b458d48ff7770a25
Instruction Fuzzy Hash: C1D0C971D0130CEF8B81EFF0990049EBBEDEFCA501B5045E69919A7610EE319A1097D2

Function 09568551 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4cbdc82fe71a2ad7dc3749e620cc4f811f02403a04fbf31882b05007d9fa5e
Instruction ID: 38af016e23ea6445db607ecfc193a05d77d757ff26314053316c60ef0c6c9b6f
Opcode Fuzzy Hash: 1d4cbdc82fe71a2ad7dc3749e620cc4f811f02403a04fbf31882b05007d9fa5e
Instruction Fuzzy Hash: B9D0523000C2904FC38A8AB88861821BFA49B43208368A0EED849CF562CA22A802CA80

Function 095677F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6af15a61403ec83c801e1a287aa523f66d67f4b63a7a4fc028eb7f8115e58f8
Instruction ID: fa8e35cee516230be3bc52a699650cb1d7c4f0fdd62857ddc15d0a34bcf5ae4f
Opcode Fuzzy Hash: d6af15a61403ec83c801e1a287aa523f66d67f4b63a7a4fc028eb7f8115e58f8
Instruction Fuzzy Hash: CAD05E3010C2804FC346D778D4918207B75AF4A10831880DFD40A8F263CA23E812C751

Function 09566A71 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a868d3bca182a0ee39a620dcafaff12a9eea97be29315ed735628fcdbc0909b0
Instruction ID: 20ec53baa23429490c7a5cfeb079389852c47658a7149171eb37a33d4d3683ad
Opcode Fuzzy Hash: a868d3bca182a0ee39a620dcafaff12a9eea97be29315ed735628fcdbc0909b0
Instruction Fuzzy Hash: B4D0A93004D3408FCB0A8AB09451440BFE49B8330831490EED089CB122D632A903DB50

Function 09566EC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74039e3523a4a40e0bbdc257416c71c3712fafc0119d88974b3bd581f9cdda4b
Instruction ID: 2a8240e6fefa1c79c63f18e29beb2d01c900970a2887be00b99c02bd538efef7
Opcode Fuzzy Hash: 74039e3523a4a40e0bbdc257416c71c3712fafc0119d88974b3bd581f9cdda4b
Instruction Fuzzy Hash: 12D0C93074D6C14FD74AC7B89891550BFE29F8A11431D80EA945DCB7B6EAAA8C038741

Function 09568F32 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f33d5be98dfdbd9fe37cbfc772554a84996be129292a56e2b6d372bf372cbc
Instruction ID: 685e88ca7ce86b8d5b856b8e86eb5de78e2540256b06adb8f730f1bab68d494d
Opcode Fuzzy Hash: 11f33d5be98dfdbd9fe37cbfc772554a84996be129292a56e2b6d372bf372cbc
Instruction Fuzzy Hash: 1DD09E3550A2909FC307CB70C5A5890BF61AF5720471C84DFD5494F563CA339C56DB52

Function 0936F8E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01edc4a2aa253f4494a03a8a150ec5004e0bcd926299321c2b472b91abb58e0d
Instruction ID: c09a93b5b889fb1cd9da12378ab802c01ed86ff186915073bfff39cff3b6e05e
Opcode Fuzzy Hash: 01edc4a2aa253f4494a03a8a150ec5004e0bcd926299321c2b472b91abb58e0d
Instruction Fuzzy Hash: F2D0923100A3809FCB0B8B30A5294857F72EF43315B2A54EED1858B662C27A5997EB17

Function 097771D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 09773820 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 097708A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 09778B60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 0956BEE0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 09564FB8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9959b02ac109c94350ab04d5c473cd3af88cbf04d5fa45a52dfc463b3b203f6b
Instruction ID: 22201d581f2be2e9ebec43af260de38ccf7d7f57be136c15c327b99c17a2aa2e
Opcode Fuzzy Hash: 9959b02ac109c94350ab04d5c473cd3af88cbf04d5fa45a52dfc463b3b203f6b
Instruction Fuzzy Hash: 56D012B66061409BC306DB70C684800BB61EF96318728C8DEA4080B222EB339D03EF80

Function 09568200 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684

Function 09566ED0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684

Function 09365BB1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c83316a910610077488671860465ab108f4c8cc734cafc300def8dc4fbfa613
Instruction ID: 80aa7180e259551a976b7f1f533f3d9a7b8cb56149dd5e5c87889ed6d2fac0ab
Opcode Fuzzy Hash: 0c83316a910610077488671860465ab108f4c8cc734cafc300def8dc4fbfa613
Instruction Fuzzy Hash: B6D0127060E3C15FC7078B30D619045BF31BF8770031541EBD0458A177C2364862C716

Function 0977FD78 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 0936F198 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 09772750 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09775340 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09775B10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09779680 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0956C1B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 095681A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09561C40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Function 09568010 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09561C3F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ce345bf0b1eb001351c84dfc054526634ace245ae6465b040bc3e078f7aef
Instruction ID: 6043e9e45a8ffc398bb19e2f591742ab14970176147559ddf1f4de39d43c6d02
Opcode Fuzzy Hash: 090ce345bf0b1eb001351c84dfc054526634ace245ae6465b040bc3e078f7aef
Instruction Fuzzy Hash: A8C04C75550204DFC744CF64E445CA97BB4FF5935071181A6F5058B231C332D810DE00

Function 09566B60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09566A80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0977BD40 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 09567340 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649419146.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9560000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580

Function 0977FA90 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b2ccc37be792618060cb8295c3a77edbd94e9be6eb86bebb73515ea1ebe1c2
Instruction ID: 6cde79d3e82a324b6dc03cb076f450cac1c7c214c4bd1bc7b28c00edcf41e078
Opcode Fuzzy Hash: 86b2ccc37be792618060cb8295c3a77edbd94e9be6eb86bebb73515ea1ebe1c2
Instruction Fuzzy Hash: A7A02230002B0C82C2A232F02A00020338E088000838000B88B0C08F20C833E0A08088

Function 09775D50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cd516d311349823dddacc0ab2887ee5a47e1d336d9c1ff8f034e2387c8cca9
Instruction ID: f66cf0a764c0193b08375aa25e79dd8aa4189f9df237934831ecbf37aff1bf45
Opcode Fuzzy Hash: b2cd516d311349823dddacc0ab2887ee5a47e1d336d9c1ff8f034e2387c8cca9
Instruction Fuzzy Hash: C790023124464DAB554027D57609565775C99585157800051AD0E415019A5964544597

Function 0977FC60 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75cad19a607ffcced03f11df8306d6eea1f8fb418999ccaf486ebb95ccd1733
Instruction ID: 0258468f32463bd30dfe5cc0d39bd6bcdf9ec8ce6289ddc14168476ed9c6097a
Opcode Fuzzy Hash: e75cad19a607ffcced03f11df8306d6eea1f8fb418999ccaf486ebb95ccd1733
Instruction Fuzzy Hash: 1C90043514474DFF554037D5770D5557F5DD54C5157C00051FD0D41501DF55745045D7

Function 0977FAD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2649763356.0000000009760000.00000040.00000800.00020000.00000000.sdmp, Offset: 09760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9760000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b8131ee09eec18b6220df6409427f2f3e057b9751cd1b3b98e87cf92f5fe6e
Instruction ID: 3ce617a12024db1603bff2189d277228709a0ebc1d3e796d10a9a53fada27538
Opcode Fuzzy Hash: c1b8131ee09eec18b6220df6409427f2f3e057b9751cd1b3b98e87cf92f5fe6e
Instruction Fuzzy Hash: 8F90223000820C8B03802380300C082338CC0002223802000A00C000020B0020200082

Non-executed Functions

Function 0936D9D3 Relevance: 5.3, Strings: 4, Instructions: 289COMMON

Download Yara Rule

Strings

Th(, xrefs: 0936DCBA
Th(, xrefs: 0936DCD9
\{(, xrefs: 0936DD3A
Th(, xrefs: 0936DC98

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: Th($Th($Th($\{(
API String ID: 0-4244768014
Opcode ID: 8e605a68cd6a30a0770e9533f2bebe7d3e56102ab488ac6f15ee09529786cda6
Instruction ID: c4d6d50d1bde4b46432042e765d0e52cfb13743681a5091f9c137614bd5ccb00
Opcode Fuzzy Hash: 8e605a68cd6a30a0770e9533f2bebe7d3e56102ab488ac6f15ee09529786cda6
Instruction Fuzzy Hash: 80C14075B002189FDB19DB68C945BDEBBF6EF88700F158099E509AB3A4CB309D41CFA1

Function 0936D9AA Relevance: 5.3, Strings: 4, Instructions: 287COMMON

Download Yara Rule

Strings

Th(, xrefs: 0936DCBA
Th(, xrefs: 0936DCD9
\{(, xrefs: 0936DD3A
Th(, xrefs: 0936DC98

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: Th($Th($Th($\{(
API String ID: 0-4244768014
Opcode ID: 53edcca5b53e49a87cb96f0686dc855f5227ddadc50c3a9ee76a0db5bbe120e8
Instruction ID: 01a853ba970dfd0460efaffd06ba38e95aa5a831892f5d99d8fcff806316c057
Opcode Fuzzy Hash: 53edcca5b53e49a87cb96f0686dc855f5227ddadc50c3a9ee76a0db5bbe120e8
Instruction Fuzzy Hash: 94C15075B002188FDB19DB68C945BDDBBF6AF88700F158099E509AB3A5CB309D85CFA1

Function 0936D845 Relevance: 5.0, Strings: 4, Instructions: 32COMMON

Download Yara Rule

Strings

_, xrefs: 0936D86B
_, xrefs: 0936D84B
_, xrefs: 0936D873
_, xrefs: 0936D863

Memory Dump Source

Source File: 00000009.00000002.2648994693.0000000009360000.00000040.00000800.00020000.00000000.sdmp, Offset: 09360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9360000_vbc.jbxd

Similarity

API ID:
String ID: _$_$_$_
API String ID: 0-738436413
Opcode ID: a18d2a6e54c2efbe14f9db644b4245a314addd143285a55751706cf619bbe27b
Instruction ID: b1b6e9e48ccb07e101ba88d689aed6841a1a80a0dd0f6ff4f8748fc90727f5af
Opcode Fuzzy Hash: a18d2a6e54c2efbe14f9db644b4245a314addd143285a55751706cf619bbe27b
Instruction Fuzzy Hash: C4E0689264830C5ED710622C9CC497D330D5590531F44037BC8214FEABF981498A46A1

Analysis Process: gaZNjdzDI.exePID: 7792, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	165
Total number of Limit Nodes:	12

Executed Functions

Function 01B1DF18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01B1DF96
GetCurrentThread.KERNEL32 ref: 01B1DFD3
GetCurrentProcess.KERNEL32 ref: 01B1E010
GetCurrentThreadId.KERNEL32 ref: 01B1E069

Memory Dump Source

Source File: 0000000A.00000002.1494860774.0000000001B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b10000_gaZNjdzDI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aeb79f6659114ef811df8aa7142f85e163879736df7e0bcdbaf5d18e81b07b68
Instruction ID: 2f89f8aa608b788476910c0a4c28cbcb2df158a4a0e312b31230ca1f7502919e
Opcode Fuzzy Hash: aeb79f6659114ef811df8aa7142f85e163879736df7e0bcdbaf5d18e81b07b68
Instruction Fuzzy Hash: 9F5137B090130ACFDB18DFAAD548B9EBBF1FF88310F208459E409A7265D7759944CF66

Function 01A6756C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01A677AE

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e704fd11f9e6c7a3af39a36805209356366378acde99ada9aa51a30ff87df701
Instruction ID: 2f74bb4b733a134895ea435439fd17d095f07701a2b90e924ad4ef15555aa902
Opcode Fuzzy Hash: e704fd11f9e6c7a3af39a36805209356366378acde99ada9aa51a30ff87df701
Instruction Fuzzy Hash: E5A17C71D1021ACFEF15DFA9C841BEEBBB6BF44314F1481A9E818A7280DB749985CF91

Function 01A67578 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01A677AE

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1e1520d03f489c8765d3e58c21fb6feaeb9782122c34bb332ab01098fb082db4
Instruction ID: f5e05d660147ef40754dc5f78a4437cb73deafbb1f2dc31d377793b010c0c551
Opcode Fuzzy Hash: 1e1520d03f489c8765d3e58c21fb6feaeb9782122c34bb332ab01098fb082db4
Instruction Fuzzy Hash: 0A916B71D1061ACFEB15DFA9C840BEDBBB6BF48314F1481A9E818A7280DB749985CF91

Function 01B158EC Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01B159A9

Memory Dump Source

Source File: 0000000A.00000002.1494860774.0000000001B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b10000_gaZNjdzDI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9f7baa3ef6c1f9f24c92515d83a1b873fda1910aa2738ea9454f25385e82578
Instruction ID: 424a6ce00c9d0d9374bcff1a8cc15e8b79e0caa3888b7217b90a7543781f6b61
Opcode Fuzzy Hash: d9f7baa3ef6c1f9f24c92515d83a1b873fda1910aa2738ea9454f25385e82578
Instruction Fuzzy Hash: F041F0B1C00719CFDB24DFA9C8847DEBBB1BF89704F20816AD408AB255DB716946CF90

Function 01B14514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01B159A9

Memory Dump Source

Source File: 0000000A.00000002.1494860774.0000000001B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b10000_gaZNjdzDI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3e8e833c62065634492ba47ddcce13ba8746b39f9f1a4641b28ac9af5fe54009
Instruction ID: 6931377f22c3c3622c93a33c9d41988278068883de859c15bd454a396759df88
Opcode Fuzzy Hash: 3e8e833c62065634492ba47ddcce13ba8746b39f9f1a4641b28ac9af5fe54009
Instruction Fuzzy Hash: 8441E271C0071DCFDB24DFA9C88478EBBB5BF89704F6081AAE508AB255DB716945CF90

Function 01A672E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01A67380

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 16b1f3dfa4925088ddd16378d11ff94a2b70521ad386bd6db49086fe77dd2486
Instruction ID: 8351bca7fe37845b64f36fa6dfc7c8665a4ab019539bf5951de3fc44b85e2f1b
Opcode Fuzzy Hash: 16b1f3dfa4925088ddd16378d11ff94a2b70521ad386bd6db49086fe77dd2486
Instruction Fuzzy Hash: 9A2127759003499FDF10DFAAC885BDEBBF5FF48314F108429E958A7240D7789954CBA4

Function 01A672F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01A67380

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bb3a92f08f7e9ae4da7ad2b8931b9bb2a602d8b51712c73680330c6ccb2c7864
Instruction ID: 4e1646742cd2e00f4a973725326bbce2691c8bb5022e63d8750105bfd19a71aa
Opcode Fuzzy Hash: bb3a92f08f7e9ae4da7ad2b8931b9bb2a602d8b51712c73680330c6ccb2c7864
Instruction Fuzzy Hash: 632125759003499FDF10DFAAC881BDEBBF5FF88314F10842AE918A7240D7789944CBA0

Function 01A67151 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01A671D6

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cf5259bbd231fb11633a0e490e5aa77e1c3af25907ea90e5b0d8e7e9ebf27f97
Instruction ID: 7d51cc7eb47e33e1d8341d892d4f9f4b56e662758ef306fc98c34370a02bcf30
Opcode Fuzzy Hash: cf5259bbd231fb11633a0e490e5aa77e1c3af25907ea90e5b0d8e7e9ebf27f97
Instruction Fuzzy Hash: 612157719003098FDB10DFAAC8857AEBBF9EF88314F54842AD918A7240CB789945CFA0

Function 01A673D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01A67460

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 66c061de3db2d2686c4eca9d8b444aaeb61e3e232b0cab8f7f9ab17610c2bdf5
Instruction ID: 5739dda5bd30307bde0bdbdd1010d8faa1fc3cbcf8a51af6ef0d75c2bb4524f4
Opcode Fuzzy Hash: 66c061de3db2d2686c4eca9d8b444aaeb61e3e232b0cab8f7f9ab17610c2bdf5
Instruction Fuzzy Hash: 2E2116718003499FDB10DFAAC885BEEBBF5FF48310F50842DE958A7241DB799554CBA1

Function 01A67158 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01A671D6

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: afa1173fd1da1e11bab88c6b9f801aad34a279e851a39b4c95899510ba97b761
Instruction ID: d1fad1e13b7589ebda91ca5ca1c93dbca9d4e964a6db9e7e3c55df5a511d0fcc
Opcode Fuzzy Hash: afa1173fd1da1e11bab88c6b9f801aad34a279e851a39b4c95899510ba97b761
Instruction Fuzzy Hash: E62138719003098FDB14DFAAC8857AEBBF9EF88314F54842AD519A7240CB789944CFA0

Function 01A673E0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01A67460

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 581b5238afc66f2cafe954e7d07ba5dbaddff4f5f857ea6427667b7a5502c03b
Instruction ID: 58eb522dc841074f8650b7133b02ca48fff8880b8b706fd720275f8e3b552da3
Opcode Fuzzy Hash: 581b5238afc66f2cafe954e7d07ba5dbaddff4f5f857ea6427667b7a5502c03b
Instruction Fuzzy Hash: E42125718003499FDB10DFAAC885BEEBBF5FF88310F50842AE958A7240D7789904CBA0

Function 01B1E160 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01B1E1E7

Memory Dump Source

Source File: 0000000A.00000002.1494860774.0000000001B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b10000_gaZNjdzDI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3cdbee17d65e9fcc17c01babf04651e172ac1c70fb09a90489dc0e570d19dfaf
Instruction ID: ac7f7600855ec8ce274d914486bdc736627ff63b59a96ec840a3c150fe65f1f3
Opcode Fuzzy Hash: 3cdbee17d65e9fcc17c01babf04651e172ac1c70fb09a90489dc0e570d19dfaf
Instruction Fuzzy Hash: 8121E4B590020D9FDB10CFAAD884ADEBBF9FB48310F14805AE914A3350D374A954CFA0

Function 01A67228 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01A6729E

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75afb6a6e05e90ea710e8a47d2570cfba36acb6cf1cb528f0e4247b14fb44b64
Instruction ID: 9da4a1dd65dd2dc27555bc46d76f2c27012338156433102b42c6cb9be8723aa5
Opcode Fuzzy Hash: 75afb6a6e05e90ea710e8a47d2570cfba36acb6cf1cb528f0e4247b14fb44b64
Instruction Fuzzy Hash: 541159718003499FDF10DFAAC845BDEBBF5EF88314F148419E515A7250CB759510CFA0

Function 01A67230 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01A6729E

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54147d55691562574c8a99ea6821ea5cf4b0102169f5d98ce5c10add0d8735c7
Instruction ID: 1912605cd722b03f86ebe14ca5f6729b6ff86b7bcf825811900e5ed8db548066
Opcode Fuzzy Hash: 54147d55691562574c8a99ea6821ea5cf4b0102169f5d98ce5c10add0d8735c7
Instruction Fuzzy Hash: C21126718003499FDB10DFAAC845BDEBBF9EF88724F148419E515A7250C7759540CFA0

Function 01A670A1 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01A6710A

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0edd95f80735de7e317d8b616a4faa6749190f64cceaf7b66b93cda6becf0956
Instruction ID: bd37c778ac6b46ec5154f41bb3842b25ccd785cf2867dc082dd543517eabcd7b
Opcode Fuzzy Hash: 0edd95f80735de7e317d8b616a4faa6749190f64cceaf7b66b93cda6becf0956
Instruction Fuzzy Hash: FC112B719003498FDB14DFAAC44579EFBF9EF88614F148419D519A7240CB796544CF94

Function 01A670A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01A6710A

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7ce5d012085f4c99ecc8c7918e3273ab6a39c903b8c33709db584b1d68dd1985
Instruction ID: 1d473237cfb360bcb22148a24b4aa49b2efd7ba7a04571e6f0d184ddd4bfb4ce
Opcode Fuzzy Hash: 7ce5d012085f4c99ecc8c7918e3273ab6a39c903b8c33709db584b1d68dd1985
Instruction Fuzzy Hash: C8113A719003498FDB14DFAAC8457DEFBF9EF88624F14841AD519A7240CB796944CFA4

Function 01A683C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 01A6ACA5

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 60ed0d5aa6b6ad6f6a760325e2060e4f804a33191b722fd957ff6f91f69f6012
Instruction ID: 485c0e1c061ecd4f5cbd4ad221ab1a864f97e716d2652cb9bb89e77ba0e9b578
Opcode Fuzzy Hash: 60ed0d5aa6b6ad6f6a760325e2060e4f804a33191b722fd957ff6f91f69f6012
Instruction Fuzzy Hash: 3411F2B580034D9FDB10DF9AC985BEEBBF8FB48321F10841AE918A7240C375A944CFA5

Function 01B1BD58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01B1BDBE

Memory Dump Source

Source File: 0000000A.00000002.1494860774.0000000001B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b10000_gaZNjdzDI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 052cccf8fa46ef9267c9f9880504e55e82d9ceb131bc1df289aa48fd636e882b
Instruction ID: b260bfe9d382fcffcd59df9bcc5b0df340aa455cb245f0c075a873e69a83a9ee
Opcode Fuzzy Hash: 052cccf8fa46ef9267c9f9880504e55e82d9ceb131bc1df289aa48fd636e882b
Instruction Fuzzy Hash: 891110B6C003498FDB18DF9AC544BDEFBF4EF88220F11845AD528A7610C379A545CFA1

Function 01A6AC41 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 01A6ACA5

Memory Dump Source

Source File: 0000000A.00000002.1494732529.0000000001A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1a60000_gaZNjdzDI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2b370c7bf6e48799b8941a658a5b67f3380ff13dd774cbe433f567576eefd2ee
Instruction ID: 09627029927376b65bb71bb9653bdb348fa9a35972cad97d765e07c32bc946f9
Opcode Fuzzy Hash: 2b370c7bf6e48799b8941a658a5b67f3380ff13dd774cbe433f567576eefd2ee
Instruction Fuzzy Hash: 431103B58003499FDB10DF9AC989BEEFBF8FB48324F108419E918A7600C375A554CFA1

Function 0187D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494014177.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_187d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a037cebf0b21ac898e19ec5c248813b528f8ce4a6e2390215122a3142c2cf2
Instruction ID: 0dea1fee4baf2612775830cad40409e751f48eac4b8e18af75a74744b0820846
Opcode Fuzzy Hash: 70a037cebf0b21ac898e19ec5c248813b528f8ce4a6e2390215122a3142c2cf2
Instruction Fuzzy Hash: A02133B1604304DFDB01DF94D9C0B16BF65FF88328F248269E8098B256C336D546CBA2

Function 0188D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494060854.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_188d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2b2c5931190f572151e088eaa66e7c3bd7b9806e89ff8c6cd45edc1ea7dc4f
Instruction ID: 67090dc8f344f12426d6c6264042bc96596517629f488da6c4c7253e14097180
Opcode Fuzzy Hash: 2c2b2c5931190f572151e088eaa66e7c3bd7b9806e89ff8c6cd45edc1ea7dc4f
Instruction Fuzzy Hash: 9121F275604304DFDB15EF94D9C4B16BB65FB84328F20C66DD84A8B386C33AD947CA62

Function 0188D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494060854.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_188d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88504d55a39d568261965555c9bd5216c06ff21ab5a5e61667142dd29773aa41
Instruction ID: c94dcbbd4b4c2ad747daffd98922a2cfad83671a2338bd3427916faf47879f09
Opcode Fuzzy Hash: 88504d55a39d568261965555c9bd5216c06ff21ab5a5e61667142dd29773aa41
Instruction Fuzzy Hash: 74212575604304DFDB05EF54D9C0B15BBA1FB84724F20C66DD8498B282C33AD806CB61

Function 0187D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494014177.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_187d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 2c05f5cadb601f82abce9d801bf37d336887be07b6af81fabde4dd5ec15ad044
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: FA11AF76504240CFCB16CF54D5C4B16BF72FB84328F2486A9E9094B257C33AD556CBA1

Function 0188D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494060854.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_188d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: b8c6c46db79e7fae6d8579de88a2e2f5f6f901fde2d139a667d6877431b8c09e
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: E811A979548280DFCB06DF54D5C0B15BBA2FB84324F24C6A9D8498B293C33AD40ACB61

Function 0188D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494060854.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_188d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 8b60714eb1ad47cccb03987142723acacf2226245f4d39d39278dad3f2e341d0
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 5D11BE75504284CFDB12DF54D5C4B15BB62FB44314F24C6A9D8498B697C33AD50BCB61

Function 0187D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494014177.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_187d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab656c468e4cd46557171f648a3f13401add692f8173ba9d6e893fd51612863
Instruction ID: ca53fd471943af3294245fd3ade3462c1df8285fd25e23665c7b7c2c3c480bdf
Opcode Fuzzy Hash: eab656c468e4cd46557171f648a3f13401add692f8173ba9d6e893fd51612863
Instruction Fuzzy Hash: 6301F7710043889AE7105A59CDC4B27FF98DF817A9F18C61AED088E282C639D900CBB1

Function 0187D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1494014177.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_187d000_gaZNjdzDI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0954187088043deae163e39c45e2a23eafec93090408dc0259bef2004c157e83
Instruction ID: 220b407a83ff36707d429b357315a38f8b393dd3a9b093967239d58e9ca1b023
Opcode Fuzzy Hash: 0954187088043deae163e39c45e2a23eafec93090408dc0259bef2004c157e83
Instruction Fuzzy Hash: CEF062714043849EE7109E19C984B62FF98EF91775F18C55AED089A286C2799944CBB1

Analysis Process: vbc.exePID: 8112, Parent PID: 7792COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 09D75D70 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;|G, xrefs: 09D75E80
b%?, xrefs: 09D75F95

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID: ;|G$b%?
API String ID: 0-93144283
Opcode ID: 40d2f10b77f6f727dfd7932f736c7bc968ad31d7c1842c1e4e20cdf242073485
Instruction ID: bd52cf23426fcb649218b6375d15ecd67ff7a6f22812783a11eccb83b3c73f8b
Opcode Fuzzy Hash: 40d2f10b77f6f727dfd7932f736c7bc968ad31d7c1842c1e4e20cdf242073485
Instruction Fuzzy Hash: 6A814E70A01609EFCB44CFA8E898BAEBBF1FB49301F508469E416EB351DB759944CF46

Function 09964690 Relevance: 2.3, Strings: 1, Instructions: 1098COMMON

Download Yara Rule

Strings

4, xrefs: 09965065

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 7aefe8bf06eedc97737e348c21c5805ff9a69344dc7867b91e998b0d8e3726d4
Instruction ID: 89707e2bf21d1118f0ac21032c125ad03f692ab2de6eea379fac0c7e0839f4a2
Opcode Fuzzy Hash: 7aefe8bf06eedc97737e348c21c5805ff9a69344dc7867b91e998b0d8e3726d4
Instruction Fuzzy Hash: 68B2F834A00218DFDB14CFA8C894BADB7B6FF88701F158599E505AB3A5DB70AD81CF51

Function 099649B7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 09965065

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: ec20599a8a6f144ef2ac312b7e31261f01b6a53ccfacd1ea66b5098a88c3921e
Instruction ID: edd27bacf5ab7858f573c31454f633e7fb4790c1b2c7f93c1becd9b30837ca2b
Opcode Fuzzy Hash: ec20599a8a6f144ef2ac312b7e31261f01b6a53ccfacd1ea66b5098a88c3921e
Instruction Fuzzy Hash: 1A22F934A00214CFDB24DFA8C884BADB7B6FF88701F1581A9E509AB3A5DB719D81CF51

Function 09967B08 Relevance: .7, Instructions: 653
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc130342b99dc660852ec148daf20af11c3e00199366eeeb749fced58ba7795d
Instruction ID: ff0443af8b09ce1dea620509f867740eaeb8f270b53da3012b51e55ff7b8e9ea
Opcode Fuzzy Hash: bc130342b99dc660852ec148daf20af11c3e00199366eeeb749fced58ba7795d
Instruction Fuzzy Hash: 78425830B00209CFDB14DF69C894A6A7BF6BF89755B1584A9E846CB371DB31EC81CB61

Function 09B65658 Relevance: .6, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc609f71c1af5593dc23fcc31c49d3175cb9b89fac49e0bb9021cdf91e9515de
Instruction ID: 0ce773b0fa5f396bdfffd71fd6fe77bb5f31ec93fce74ff0abdbd3bd05e3c24f
Opcode Fuzzy Hash: dc609f71c1af5593dc23fcc31c49d3175cb9b89fac49e0bb9021cdf91e9515de
Instruction Fuzzy Hash: DA226970B017158FCB28DF69C49462EFBF2FB88310F248969E55AD7390DB74A811CBA5

Function 09D7B218 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e8f8f130827bd5c7e2a151ba22be884b497058c4bdf330462baf4902336d9a
Instruction ID: a595f5940cdefcfbe40fb9a89f0f7bcfebcc7522dc85a9eba1a95db7f58471fb
Opcode Fuzzy Hash: 09e8f8f130827bd5c7e2a151ba22be884b497058c4bdf330462baf4902336d9a
Instruction Fuzzy Hash: 73A18130A42644CFEB04CFA5E8487AEF7B2FB88301F54C16AE401AF655EB7C9985CB55

Function 0996A4F0 Relevance: 1.6, Strings: 1, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0996A751

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 68ece6c4733f390f3ca9a6a11fcff2b45c5c7391f2d4129aa5e338fdbcb24ff1
Instruction ID: af51006afd0757a4ce0b79504f1132d51d427a737b412dc03f55c1c2830825df
Opcode Fuzzy Hash: 68ece6c4733f390f3ca9a6a11fcff2b45c5c7391f2d4129aa5e338fdbcb24ff1
Instruction Fuzzy Hash: 0CD158347016028FCB14DF68C484A6AB7FAFF88314B55C969E95A9B361DB30FC46CB94

Function 06F28F20 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06F28F94

Memory Dump Source

Source File: 0000000E.00000002.1782527414.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f20000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f91a7d43a31b671c131867db8751d0fc4829007150cdb6a3919b366597c23ded
Instruction ID: 9172c144d7408c0907afbf71f256682c7c72ba3eb10e5f9138706b0fb88a3980
Opcode Fuzzy Hash: f91a7d43a31b671c131867db8751d0fc4829007150cdb6a3919b366597c23ded
Instruction Fuzzy Hash: 4411E375D0034A9FDB10DFAAC884B9EFBF5AF88220F14842AE519A7240C7799944CFA0

Function 06F290F0 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 06F29152

Memory Dump Source

Source File: 0000000E.00000002.1782527414.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f20000_vbc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0ac3d1016cb90363ce7095e1691bce4fbade95b04b849132a5a905e81bf91b84
Instruction ID: ee5acf2842156a0f9d6c8521fc9ab40c049a3bd4199a6e963294a06017011156
Opcode Fuzzy Hash: 0ac3d1016cb90363ce7095e1691bce4fbade95b04b849132a5a905e81bf91b84
Instruction Fuzzy Hash: DF113675D003498FDB24DFAAC8857DEFBF9EF88620F248419D519A7240CB79A944CFA4

Function 09851468 Relevance: 1.2, Instructions: 1245COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1798573823.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9850000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be048d640367ff69d21a604da9d2d49e17e75e5d6db59a4abc055addcc33837a
Instruction ID: f99d6a8b7d3f104f952f4a3051c2849551d1966bdd4384286e14ae67a86db3e7
Opcode Fuzzy Hash: be048d640367ff69d21a604da9d2d49e17e75e5d6db59a4abc055addcc33837a
Instruction Fuzzy Hash: 42827330B082558B8B256A79485C33F65DA9BE8B91B54492EEE07D7344EF31CC4E87B2

Function 0996D9E0 Relevance: .7, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326241abaa1ffd23563d398c64ffcc621e2be5559d702be8f96edc0854c4a987
Instruction ID: c796b8ae081073d4ac88fae564de6a0393c56ff59df2785d6d76b69587d64228
Opcode Fuzzy Hash: 326241abaa1ffd23563d398c64ffcc621e2be5559d702be8f96edc0854c4a987
Instruction Fuzzy Hash: 29521975A002288FDB64DF68C984BDDBBF6BF88300F1585D9E549AB361DA309D81CF61

Function 0996736F Relevance: .6, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcaeb1c20b87c5404e833503d3a4dc19826d634ecbacbab0f5d8f9e052a8d18
Instruction ID: 39d5ea0428053e7b4207b1724a80e91f72e561753ca2d03b566c4701a661e852
Opcode Fuzzy Hash: 0dcaeb1c20b87c5404e833503d3a4dc19826d634ecbacbab0f5d8f9e052a8d18
Instruction Fuzzy Hash: 2D227E31B002049FDB05DFA8D494AAEBBB6FF88304F148569E905DB3A1DB75ED41CBA1

Function 099667A8 Relevance: .5, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc71dcb02b2e38e19d2006c1263bb3aa83778b63701651bf192da85471813c2
Instruction ID: 6f860ee7bfb8c4d4746ab9a256d9cef201f34c79319208b5d82fef6fd4056d3f
Opcode Fuzzy Hash: 9bc71dcb02b2e38e19d2006c1263bb3aa83778b63701651bf192da85471813c2
Instruction Fuzzy Hash: BB227131A002598FCF15CFA4D851AAEBBB5FF48700F148019F851AB3A1DB79AD46CFA1

Function 09969A6B Relevance: .5, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2257f65f6f3be2747e1fc8f169b50fcc95edaea08a32096429aff22173f7c20
Instruction ID: e1332562502e1c5c080f8a9cec9fc8e5b3d1e87b393df4f38840fa0aef0912ac
Opcode Fuzzy Hash: f2257f65f6f3be2747e1fc8f169b50fcc95edaea08a32096429aff22173f7c20
Instruction Fuzzy Hash: 241200347006058FDB14DF29C984A6A77F6FF89750B2584A8E906DB3B1DB35EC41CBA0

Function 0996AE40 Relevance: .5, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa0874da5bc06d8b13602c3a6db86a97c591a23744f3eff1b2128dc27fa5f0d
Instruction ID: 61e7839fdd6d03a9cea17aa8ccdc2ffd07267450a9e2f916ea8cd4fafcfd4cea
Opcode Fuzzy Hash: 1fa0874da5bc06d8b13602c3a6db86a97c591a23744f3eff1b2128dc27fa5f0d
Instruction Fuzzy Hash: 0C123A31B002059FCB15EFA9D494A6EB7F6BF88300F14892DE546DB365DB31AC46CBA1

Function 09B60CD0 Relevance: .4, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a715b5824bdcaf61f2bc73f0ac5129c7b63cd1a7884649a2db8196d0514f41d
Instruction ID: 746151e28e376099b3419044684e8b9b5b951881a588a93e31bf50b09e8393ea
Opcode Fuzzy Hash: 8a715b5824bdcaf61f2bc73f0ac5129c7b63cd1a7884649a2db8196d0514f41d
Instruction Fuzzy Hash: 32122A34A002198FCB14EF68C894B9DB7B2FF89310F5185A8E54AAB365DB35ED85CF50

Function 09968C80 Relevance: .4, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef52d55538726dd3886b285779218b3a47ecb7f75433ad69c64c1131b2dc4636
Instruction ID: ed512489e21e599851d6ad2f6df122b021011b5a73f4dcbc2bda70b150fe5879
Opcode Fuzzy Hash: ef52d55538726dd3886b285779218b3a47ecb7f75433ad69c64c1131b2dc4636
Instruction Fuzzy Hash: 26E1C3707002028FDB159F69C45877EBAF6EF99300F25486DE582DB3A1DA34C885C7B2

Function 0996C110 Relevance: .4, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d221249b958b0ff646a495029d02ceae288390e728c2f1d83779cae99113dc
Instruction ID: 1c039bdcecb3bec72ac4989368a6cebf394bf9377c2630470c313359f3620b12
Opcode Fuzzy Hash: b8d221249b958b0ff646a495029d02ceae288390e728c2f1d83779cae99113dc
Instruction Fuzzy Hash: 73D14E32A00214DFDB09CFA4C844E9ABBB6FF88310F058498E649AB272D731ED55DF91

Function 099616E1 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd810f10345eff52c359e42cdf82e044712670b69a3a2feea22388888bb1d38
Instruction ID: 90ee36cedeee1b952b72296f0b8ddb9ba6edfecaf5ee7c3b410abe23c405dd3b
Opcode Fuzzy Hash: 1cd810f10345eff52c359e42cdf82e044712670b69a3a2feea22388888bb1d38
Instruction Fuzzy Hash: FF01A231B097905FE3168B65A85075ABFB4DF8B710F0544ABD4889F3A2C6659C41C390

Function 0996CB08 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d49d5e81a931dcaeab32de58e9a277f934a3c2893af84c36faeef2a46ba53c
Instruction ID: be22d101a814d33bbcc696fe971f14e25ec83434cf202a6c2d2f63d4aa7223a6
Opcode Fuzzy Hash: e4d49d5e81a931dcaeab32de58e9a277f934a3c2893af84c36faeef2a46ba53c
Instruction Fuzzy Hash: 9FF1C734A00218DFCB08DFA4D994E9DB7B2FF89301F518159E985AB3A5DB71EC42CB91

Function 09B613AF Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1270a31c695cc9021147ced98919da5cb159a032b528de812038bab9705acec5
Instruction ID: 250b165cc86aae443268a27ff25f2473c66ff29cdcd3f4d8f59fbd971cb01d67
Opcode Fuzzy Hash: 1270a31c695cc9021147ced98919da5cb159a032b528de812038bab9705acec5
Instruction Fuzzy Hash: E3E13F34B01209DFCB04EFA4D49499EBBB2FFC9310F108569E906AB364DB35AD46CB91

Function 09969318 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724e99ef691cf943a1e9c39f745effc4ec81ef769c6388e16321d72714869d19
Instruction ID: 2928110f344db3a723281bd463e8bde51caa545793349fbf10e243057a5d30c8
Opcode Fuzzy Hash: 724e99ef691cf943a1e9c39f745effc4ec81ef769c6388e16321d72714869d19
Instruction Fuzzy Hash: 79C1E1327043518FDB15DF69E844BAE7BA6EFC5710B14846AE845CB3A1CB35DC02CBA1

Function 09B62DA0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b7058ad13074efb4c51e945a8fe475a857abaef87c0ad125ff1d4cfad0414c
Instruction ID: 09131c73c86f5b330eaa4fc9853a29179f8b5c78876acefbfee3f8bab2920912
Opcode Fuzzy Hash: 54b7058ad13074efb4c51e945a8fe475a857abaef87c0ad125ff1d4cfad0414c
Instruction Fuzzy Hash: 5BC1C774B00218DFDB04DFA4D994AADB7B6FF89700F508568E506AB3A5DB31EC42CB90

Function 09852460 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1798573823.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9850000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04e08f8ac8b3b8f84d3166344f3cb418fb41d7341a64cbbec0ae8a22ed008e7
Instruction ID: bb1c2c01b53b15b33b0d3c0d920f3f8230b3378c9ac82fa0cc7f5ef4d2b8bde6
Opcode Fuzzy Hash: a04e08f8ac8b3b8f84d3166344f3cb418fb41d7341a64cbbec0ae8a22ed008e7
Instruction Fuzzy Hash: B0918038B041A08B8E29B768906C13F759B9BD8795754491EEC13D7794EF288C0B87F7

Function 09B61948 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a1ba0b3217be1c943fc0b97db4207dcf21aa3ae84043e782b83936d124773e
Instruction ID: 1f6772ac543ef9874f7eb2bcbe443facf2dd079bebaa538c68fa1db454ecabe5
Opcode Fuzzy Hash: e3a1ba0b3217be1c943fc0b97db4207dcf21aa3ae84043e782b83936d124773e
Instruction Fuzzy Hash: 69A1A0317042409FD7199F68D854B2A7BB2EFC9710B1985ADE1468F3B2CB36EC42DB91

Function 09B62D9C Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38d406976146a08a3803685efaa9282b313eeb3d7c30165dd851ddf5a623252
Instruction ID: 34a10ea321db06f19e72b5685ac8690e9166a72e22cda1bbc5f40a7e6b308e58
Opcode Fuzzy Hash: c38d406976146a08a3803685efaa9282b313eeb3d7c30165dd851ddf5a623252
Instruction Fuzzy Hash: 5BB1C874B00218CFDB08DFA4D994AADB7B6FF89300F504168E506AB3A5DB31EC42CB90

Function 09B63D38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3787a864c34f4664764c6a63dc38359c4d8311e3088f37b099bf94483afaf860
Instruction ID: b0ef874d9469dba29da8b7682668b38bea6bddf7e582c317ae932f60f791c8ac
Opcode Fuzzy Hash: 3787a864c34f4664764c6a63dc38359c4d8311e3088f37b099bf94483afaf860
Instruction Fuzzy Hash: D1A14A34B006148FCB08EF68C550AAE7BB2EFC9700F109658E5469B3B5DF36AD46CB91

Function 09D76100 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a606936f2f8c061f3698cc4dfa3582b7f4a558e898003c0e7b0e663719059e7b
Instruction ID: fa2cc294cb1355bb11bd98da10353c7e9941a7094ad14de2804b80d6aea39152
Opcode Fuzzy Hash: a606936f2f8c061f3698cc4dfa3582b7f4a558e898003c0e7b0e663719059e7b
Instruction Fuzzy Hash: DCA1AB30B00A148FD704DF69D984A5EBBF2FF89710F5585A9E405AB7A1EB31EC01CBA5

Function 09B60CC0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f15253e119c039bcb91390296fd10343d7fed040c445c74dab2ac258bfdb1af
Instruction ID: cbaa40fc8963a0e9cccf2923c09050e407f4d82a6eea592decd35855d1cd5fe7
Opcode Fuzzy Hash: 8f15253e119c039bcb91390296fd10343d7fed040c445c74dab2ac258bfdb1af
Instruction Fuzzy Hash: F7A12834B002198FCB14DF69C894BA9B7B2FF89310F5185A8E54AAB365DB35ED85CF40

Function 0996CAF8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c61e0f47ef168ae834ae959eb5ba88a5a39fb221f928438afa1cddd7713801c
Instruction ID: 8d0518323c35d6bffa8541d7fe253adfc0fe9b9db0fe56e50e6265a8b2f6f63c
Opcode Fuzzy Hash: 8c61e0f47ef168ae834ae959eb5ba88a5a39fb221f928438afa1cddd7713801c
Instruction Fuzzy Hash: 7FA10C34A10218CFCB04DFA4D894A9DBBB2FF89300F558159E985AB371EB71EC46CB91

Function 09B61C68 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a26eb8cc9a5340104c02e5e7c0b39bb001bcd766150fe033e0fda299f2999f4
Instruction ID: 207ed1d3519df003c5c475620b30c937169efd8f24f2f207578d289474b0b968
Opcode Fuzzy Hash: 8a26eb8cc9a5340104c02e5e7c0b39bb001bcd766150fe033e0fda299f2999f4
Instruction Fuzzy Hash: AE913934B14214CFCB14DF68D498AADBBB6EF89710F1080A9E5469B3B1DB35EC45CB91

Function 09962EF8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac0471bf47081167889ec3b16fbf849644af37ae4cd59f3794d5d91a1e8366
Instruction ID: 400b5cce3852881fe4cdbf7c6abaf3552d8272fce543d1c7f544eedbb2d746db
Opcode Fuzzy Hash: e3ac0471bf47081167889ec3b16fbf849644af37ae4cd59f3794d5d91a1e8366
Instruction Fuzzy Hash: 3381AD31B012459FCB15DFA8D845AAEBBF6EF89701F208469E801EB3A0CB35CD41CB60

Function 099697E8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc84f9c50081ba99ca6e31f7a7d4587dbb7d49b161952022ae0ce8a6496fb5a8
Instruction ID: f09180b0369dc57a2c55eeab7d95f5f88aa5f4d610a913212acc2778856114d9
Opcode Fuzzy Hash: dc84f9c50081ba99ca6e31f7a7d4587dbb7d49b161952022ae0ce8a6496fb5a8
Instruction Fuzzy Hash: 8F810335A00618CFDB14DF68C484A9EB7F9BF88711B1585A9E856AB370DB30ED42CB90

Function 09B63A50 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f8cd14a9b2b985fc63001ee5e7b0c408dc3b44799b44d3820c245d99825d0
Instruction ID: 80bf82eb26013b55cf313e7224f70d53758602c6e8b040bccfb462003ae81f10
Opcode Fuzzy Hash: a15f8cd14a9b2b985fc63001ee5e7b0c408dc3b44799b44d3820c245d99825d0
Instruction Fuzzy Hash: 0C816D30B006098FCB14EF68C454BADB7F2EF89700F1085A9E442973B1DB75AD86CB90

Function 09B65EE0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a85ae86077450e95d0d9c9b9000cba0ae79e92851c3d45e4b4e351f37f19b9
Instruction ID: 422e3b9c7691bc884d586c42655be85baf0677c7e0628f18351d570d14d25d30
Opcode Fuzzy Hash: a5a85ae86077450e95d0d9c9b9000cba0ae79e92851c3d45e4b4e351f37f19b9
Instruction Fuzzy Hash: D251B132B047109FC7259B69E8546AFBBEAFFC4720B14847EE10AC7791DA75A8028791

Function 09965D70 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98490f4b05140bdd30a3eedea42637d14ebce79acfc7e18a4278c8b7f05eb79
Instruction ID: 0f1fd0e542f47fcedb67c7cd68e75dc70c45963222e966db394b5a668664600c
Opcode Fuzzy Hash: a98490f4b05140bdd30a3eedea42637d14ebce79acfc7e18a4278c8b7f05eb79
Instruction Fuzzy Hash: 0C517F30B003018FDB19AF78D45466E77B6AF85710B25486DE546CB3A1CF35DC46CBA2

Function 09B61C5C Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654aeaae8beb96e0d24bcbe5227f5b670c10ecfc1f31c3c88f6020ac9495dcd0
Instruction ID: 0924a6faa55445845b550dceeed9c2bab879429f3ccda7530e57b4655fb05a22
Opcode Fuzzy Hash: 654aeaae8beb96e0d24bcbe5227f5b670c10ecfc1f31c3c88f6020ac9495dcd0
Instruction Fuzzy Hash: 7B61F234B106149FCB08DF68D898AADB7B6FF89710F1481A9E5069B3B5DB35EC41CB90

Function 09B63A43 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aca04140217b2929a5d5ba4188aedd7f4510239a074f9721a73a2387cd27662
Instruction ID: dc1b7576b2724d071a712dacf7f9b658b5bb628e2e5be9f6b5626f72528c696f
Opcode Fuzzy Hash: 1aca04140217b2929a5d5ba4188aedd7f4510239a074f9721a73a2387cd27662
Instruction Fuzzy Hash: 94618E34B006098FCB14EF68C454BADB7F2EF89710F1085A9E442973B0DB75AD86CB91

Function 09965D31 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17c0f81ad084e102595e3dd9c18936f1ceea6765edef08a73dce6f6d42f893c
Instruction ID: f023de891d40860286765c3dfde7dc4bf5929103b4859f29274e324a9527bff8
Opcode Fuzzy Hash: b17c0f81ad084e102595e3dd9c18936f1ceea6765edef08a73dce6f6d42f893c
Instruction Fuzzy Hash: E7519F307043018FD716AF38D45466E7BB6AF86700B2548ADE546CB3A1CF35DC06CBA2

Function 09D7AD90 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed8140f4aa9f14eae8d146e4f2ac93e00cdea21d98663b8f8fe9524a1f337a0
Instruction ID: dc95e165db8c241c344f4c5ba768329e7cc8ce557c639f286599f369b9ce5e03
Opcode Fuzzy Hash: 1ed8140f4aa9f14eae8d146e4f2ac93e00cdea21d98663b8f8fe9524a1f337a0
Instruction Fuzzy Hash: D95181307066408BD755DF68D4587BFB3A2EB85701F50862DD402AF789EB389C46CBDA

Function 099613D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ede6cf1267b82dc998822224264da62a51b4c4ada145f39587cd6e3d955eb1
Instruction ID: 831f420a6b3d9aa02eb6f7fda672cdf33a0784554e990c10952f209e064e1a04
Opcode Fuzzy Hash: 27ede6cf1267b82dc998822224264da62a51b4c4ada145f39587cd6e3d955eb1
Instruction Fuzzy Hash: 97512C76600104AFCB499FA8C914D59BBB7FF8D3147198498E2099B372DB36D821EB91

Function 09962788 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a95a9766ed609555f86e718e57126fb412bd978aa2bbbd007fb7a60ca73809d
Instruction ID: 0a7b0f4a6f69611eb2b33e376c2de2b7693c33327311ffbcc1928efe40aa90bd
Opcode Fuzzy Hash: 3a95a9766ed609555f86e718e57126fb412bd978aa2bbbd007fb7a60ca73809d
Instruction Fuzzy Hash: 0351E131A012468FDB11CF68C880A6EFBB5FF86320B15859AE565DB362C730F855CBD1

Function 0996C6D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b1545f6355b1eed6d10a5c60d58097f6151096621070204e7bbde3dfc5ae5a
Instruction ID: 615aa1af005f1a2d2769eb48a76e4a21017de4e258afa1e0d3a4c1fba845a2ac
Opcode Fuzzy Hash: 40b1545f6355b1eed6d10a5c60d58097f6151096621070204e7bbde3dfc5ae5a
Instruction Fuzzy Hash: 8E513D34B006099FCB15DF64E498AAE77B6FFC9701F10811AE5429B364DF34A946CB91

Function 09B60A90 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141aeae6b8164374dc2b9949c480a95a52c14742cd3a71a1c0a32b1ef37872fe
Instruction ID: 70b0adc6954b31e6db60ef5957a38622ec63402b64ce9f9883d0356b4669db8f
Opcode Fuzzy Hash: 141aeae6b8164374dc2b9949c480a95a52c14742cd3a71a1c0a32b1ef37872fe
Instruction Fuzzy Hash: 0D419330B102148FCB04FB65C894A6EB7B7AFC9700F50941EE546AB3A4DF75AC46CB91

Function 09D7BD60 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12d3173bdf458dea50843ec681c6454d79e95d13c449872505119d0336162e6
Instruction ID: 32043cf1659ee36bb49c045314d07bacf81b57d4207e6c7d8839ae20694fd80a
Opcode Fuzzy Hash: b12d3173bdf458dea50843ec681c6454d79e95d13c449872505119d0336162e6
Instruction Fuzzy Hash: 2D414631F053688FD7148B64D40A29AFFE5EF46721F0582BBE452CB2B0E77588428BD6

Function 09B64FE8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2b000f51d3bdcd59a06f72af8ce7b9a5e624c0d7d93e1c0b62ea10cf8e00cf
Instruction ID: 9ec2f10aefd0630375d0e7f723e906e7228421c6cae73ca8ce9ff22ba90c6505
Opcode Fuzzy Hash: 3c2b000f51d3bdcd59a06f72af8ce7b9a5e624c0d7d93e1c0b62ea10cf8e00cf
Instruction Fuzzy Hash: CF419831B00B148FCB74DB68D55429AB7F1EF85B20F0488AEE05AC7A90EA74F951CB91

Function 09B65418 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c9f72960ce02c230d4735f9ff30de34dc3db0ff8c3d711b5aeb7d7bcffea6c
Instruction ID: c4e33f41bc8bc15fdebd6160068edbb723832f4db89df6e517acb68c4c19c480
Opcode Fuzzy Hash: 02c9f72960ce02c230d4735f9ff30de34dc3db0ff8c3d711b5aeb7d7bcffea6c
Instruction Fuzzy Hash: F051AC71A047449FCB21CF69C944A6ABBF2FF88310F18899DE58687A65D774F804CF61

Function 0996C100 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fad6cea6c5a231b631b5d2784ce401ae4e6eb151ceec206d88891b7f200a3f
Instruction ID: ddaf8f2a95a82213636531f958fa7594cdeb066218e2c02969f7acce7e6ad339
Opcode Fuzzy Hash: 68fad6cea6c5a231b631b5d2784ce401ae4e6eb151ceec206d88891b7f200a3f
Instruction Fuzzy Hash: 8441C430A003059FDB55DFA8C8407AEBBF6BFC8300F14892DD9899B351DB75A906CBA1

Function 09B65560 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02184be0fce7f8f7d003b173028c43001f6a4d39b270888b33726d7ec519749c
Instruction ID: 99b8ec43e91370c7a35cebfc00ab8b26205662cc30f557f33e294cab179774a3
Opcode Fuzzy Hash: 02184be0fce7f8f7d003b173028c43001f6a4d39b270888b33726d7ec519749c
Instruction Fuzzy Hash: 0741D330B043459FCB259F68C84879EBBF6EF85710F1085A9F545DB390DB70A905CB91

Function 09B61F78 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f150b6f2c6d05dc6112b2e2885944fee8e7cb30f98b7124f2406f5eddab872a
Instruction ID: 1f706c112308d8d409fc4546aeefd7e7c753e63429dc11262e2af1d36db2c1d9
Opcode Fuzzy Hash: 4f150b6f2c6d05dc6112b2e2885944fee8e7cb30f98b7124f2406f5eddab872a
Instruction Fuzzy Hash: EB414E35A00118DFDB04DF64D855AEEB7B2FF88721F108069E916AB360CB35AD05CB90

Function 0996E9F8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7470c18d91a34dc40a482353fb498f1650888214e461e3998270414d7bb8ea
Instruction ID: d4f77c69ac6952b830ea5d2d87a1265171a51ba57a932a513c59347ac356c9c6
Opcode Fuzzy Hash: 8c7470c18d91a34dc40a482353fb498f1650888214e461e3998270414d7bb8ea
Instruction Fuzzy Hash: 2B31E83A6001049FCB05DF98D988EA9BBB6FF49320B1640A8F50A9F372C731ED55DB80

Function 0996467F Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b36426241f1e5ebb0b3afa073d609536110044331a3857d170435e9d9606375
Instruction ID: 251c9506eb2859f71b63d9ee944ec063babe62324b01aeca840e2b3c02c16a65
Opcode Fuzzy Hash: 1b36426241f1e5ebb0b3afa073d609536110044331a3857d170435e9d9606375
Instruction Fuzzy Hash: B4411734A112288FEB24DF64C891FA9B7B5FB99311F1141E9E909AB3A0C6329D81CF50

Function 099633A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f4bae21507af21a5e343984462fd8d293cea7d93e6cfe5115d2fd697487ab6
Instruction ID: e178279db12d11b822a82295e80e1777794eb5cc2a26c812791a4317efe57aab
Opcode Fuzzy Hash: b9f4bae21507af21a5e343984462fd8d293cea7d93e6cfe5115d2fd697487ab6
Instruction Fuzzy Hash: 4941AE32A002168FCF11CF65C846AAFBBF5FF88351F00842AE545D72A1D734D945CB91

Function 09963397 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4125b052d4a095797b6a3aab7da48df4c741f54a9189b2801fe051ab3e493609
Instruction ID: 70b825db681cd14631f28b733f9c32b95e533ee860123e5df2cae5882dc9cc9c
Opcode Fuzzy Hash: 4125b052d4a095797b6a3aab7da48df4c741f54a9189b2801fe051ab3e493609
Instruction Fuzzy Hash: 6A315D31A003168FCF14DF69D886AAEBBB5FF88754F008529E806EB361D7759845CBA0

Function 0996BB70 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fccdc2c4c4c35217cf80cb65cfc8113dc5c35316521656752c6ab3ddd4fb7c
Instruction ID: ac334e2274bcaa160f563d3d604ac20b8b7ea7e4e4925115018f0cabcb79f0f5
Opcode Fuzzy Hash: c3fccdc2c4c4c35217cf80cb65cfc8113dc5c35316521656752c6ab3ddd4fb7c
Instruction Fuzzy Hash: 30318031700214DFDB059F64C894E5ABBB6FF88310F1540A9E9059B371DB72EC52CB91

Function 099634E0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33ff7fd6cab986ce49302472327b3ec06213ec33c58ef444b04d3637d9c3eb5
Instruction ID: 3be0c5dba96f3b0cf379ddfdedb49023f094f92e68f69793f5652dee7ec05b27
Opcode Fuzzy Hash: b33ff7fd6cab986ce49302472327b3ec06213ec33c58ef444b04d3637d9c3eb5
Instruction Fuzzy Hash: E831F571B042158FC715DF69C89596EBBB9EF8A710B1480AEE545DB322DB30DC05C7A2

Function 09969308 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0c633c17e6eb4c9309e7a07d6eb0bb6ac5963d2101a387a407b55d902935a2
Instruction ID: f6781260ab448d78f3bcbdb820d10c8f4f9986ce1581907c9d0871ff4c2840fa
Opcode Fuzzy Hash: 5f0c633c17e6eb4c9309e7a07d6eb0bb6ac5963d2101a387a407b55d902935a2
Instruction Fuzzy Hash: 27316B312003059FDB15CF69D884BAA7BB6FF88355F14816AF8498B2B1CB75D881CB90

Function 09B60A80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7174dfde9887daa3781512fa99b21ac3db6246b1e084679d770b02c538757ee7
Instruction ID: 02af3445466484cf292104b02e2ed3789328fe74fd627ad6ff73246505ed670a
Opcode Fuzzy Hash: 7174dfde9887daa3781512fa99b21ac3db6246b1e084679d770b02c538757ee7
Instruction Fuzzy Hash: 0A21D530B003148FCB08AF6688A47BEB7A7AFC4710F10846EE106EB3A4DE756C02C795

Function 0996D478 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b86d64627a38a9368d22aa154e8f540ea2c0e8d2ff349d324313ac050ab960
Instruction ID: a89ee4aa74a660a5dd283cd7b13615757e0320410aece3e251eb7205f0ba92bc
Opcode Fuzzy Hash: c6b86d64627a38a9368d22aa154e8f540ea2c0e8d2ff349d324313ac050ab960
Instruction Fuzzy Hash: FD21AE323053008FD7249E69A884A66BBAAEFC5325B1984BEE559CB6A1C731FC468750

Function 09964168 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127d0f92cba9eb859c802571a21691107d6f4214d90fd0daeefea10692e3e49f
Instruction ID: debf8b17e13064d3f0352682db7c69a13394a1e8c78d0ce62263c342365fd0a3
Opcode Fuzzy Hash: 127d0f92cba9eb859c802571a21691107d6f4214d90fd0daeefea10692e3e49f
Instruction Fuzzy Hash: FF312674704615CFDB44DFA5D884A2A77B9FF88754B2144A8E902CB371EB31EC42CB50

Function 0996FAD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d479162e8b25830cd8052b61ece6dcea8d22d5869fbdc0e1dcf5a7ca1430ec22
Instruction ID: 5294522f41618c5188de8ba191f6c4458438a541e8eb4669f026e14268ea97ff
Opcode Fuzzy Hash: d479162e8b25830cd8052b61ece6dcea8d22d5869fbdc0e1dcf5a7ca1430ec22
Instruction Fuzzy Hash: 0021AB34B00609CFCB00EF64C55496EB7B5FFCA700B10851AE646A7320EF30AA46CBA1

Function 099666CF Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d646b7e65f25fac02b4aac8bc19caabba96f1e3a5f45214bccfb566708341c57
Instruction ID: c4138002e2de7843806ed1ebad8a1bbf01a84a86e73c00f8a40e37b5bbdb6677
Opcode Fuzzy Hash: d646b7e65f25fac02b4aac8bc19caabba96f1e3a5f45214bccfb566708341c57
Instruction Fuzzy Hash: 78217F753042949FDB05CF29D840AAA7BF9AF8A340F1940AAF895CB3B1D735DC41CB20

Function 099655F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d283013789102deb0695736dd710020253aec021d6343f6134c9e55969602d
Instruction ID: f5121235962855750d9449bf0261e39060ba713d694d50c42c6e9f4d0b48e96f
Opcode Fuzzy Hash: 75d283013789102deb0695736dd710020253aec021d6343f6134c9e55969602d
Instruction Fuzzy Hash: 37219032B012158F8B109EBDD8814AEBBF9FBC4361B154866F459D7360EB31DC45C762

Function 09965BE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5f861b33479d28c0e9806e6645109dbd8b6d5e5b03a22d1a01db64f715117a
Instruction ID: bcb392834236c532811c8b2ed45b48ec6230e85c3ddd0ea869ea5b9d8dd738f6
Opcode Fuzzy Hash: 1d5f861b33479d28c0e9806e6645109dbd8b6d5e5b03a22d1a01db64f715117a
Instruction Fuzzy Hash: 14215C71A00209DFDB10DFB4C804BAEBBF9AF44380F518466E555DB2A0E73ACA50CB92

Function 09969788 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596ed157c198c0dd5a7f759d93129450857d09e61052d2aa385dc4208f94c950
Instruction ID: 35182a9ac4d0055eb1cc5ce60a3a11bb236b1d37697a0f9b85b324ab52af5afe
Opcode Fuzzy Hash: 596ed157c198c0dd5a7f759d93129450857d09e61052d2aa385dc4208f94c950
Instruction Fuzzy Hash: 5721C872A05248DFCB1ADF94D444CCEFBF9EF49310F0484AAE545DB321D630A905CBA1

Function 09961F7B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698957e3e0112349b55a2fd4bb75b3446c32673a39fdc63d86c796f55a894918
Instruction ID: 5c6f525ec5e542778faff6b384f271cdcc3cea5033d5fd05ee0e3499404386e2
Opcode Fuzzy Hash: 698957e3e0112349b55a2fd4bb75b3446c32673a39fdc63d86c796f55a894918
Instruction Fuzzy Hash: E1219031A00248EFCB058FA8C8449DE7FB6FB8C320F148529E911A73A0DB719845CFA1

Function 0996E84F Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1240edc6a4c4d9ac5350e6b3daa1d0949f334a1fdf33c0c60d8de8d0808bfb4
Instruction ID: 12ee7e58a662cf8178a0f7d347ecda3ab2373795fae057359bf9b5fa1fa88ab6
Opcode Fuzzy Hash: e1240edc6a4c4d9ac5350e6b3daa1d0949f334a1fdf33c0c60d8de8d0808bfb4
Instruction Fuzzy Hash: E41136317082400FE745ABA9E48856F7BD7AFC6610B54886DE506CF391CE25AC06C3F6

Function 0996E9F4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce4cbff4ca5452713e8481992b0ade8e1af7ea9698212ce7af5fa0a934e9531
Instruction ID: b604eb690bea76fa263599623da40cbefb4166d59c014e11cf4589eee595e2bf
Opcode Fuzzy Hash: 1ce4cbff4ca5452713e8481992b0ade8e1af7ea9698212ce7af5fa0a934e9531
Instruction Fuzzy Hash: E221EA36600104AFCB05CF99D988D99BBB6FF49320B1644A9F6099B372D731ED55DB40

Function 0996FAC0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973ed9e2d886a10a56643a0cd1107eeaac3755895dbc9fe38882f805e7fd8e0b
Instruction ID: 3e043d33ee7bebeeaa1af3048f0f70559b6410fc1c53b7f1d3c7a72a756bc319
Opcode Fuzzy Hash: 973ed9e2d886a10a56643a0cd1107eeaac3755895dbc9fe38882f805e7fd8e0b
Instruction Fuzzy Hash: B821AA74A00649CFCB04EF74C4509AEBBB5FFCA300B10416AE546E7370EB319A46CBA1

Function 099697A1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeebf7cff652e469f76af95289c94d344c4f0d734570b11c6d9a32b2aa30f6e8
Instruction ID: 2cb54829a9aa6b2a59cb793004150dc19f7bb96029e68309d9c116f2bc87f0c9
Opcode Fuzzy Hash: aeebf7cff652e469f76af95289c94d344c4f0d734570b11c6d9a32b2aa30f6e8
Instruction Fuzzy Hash: A6214F76A04208DFCB19DF99D8449DEFBF9EF89310F01456AE545DB360DA30A905CBA1

Function 0996A908 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6a2604e06ea2e85d9b609fc184794dbdcc9ff6e74fc6baaef731a6c843bba7
Instruction ID: 2e61a4bf695efb28f03f546a6b8365626f0f509dfc599124f655c8516751ec23
Opcode Fuzzy Hash: ce6a2604e06ea2e85d9b609fc184794dbdcc9ff6e74fc6baaef731a6c843bba7
Instruction Fuzzy Hash: 01211535A002098FDF04DF98C581ADEB7F2BF89301F2141A5E545BB3A5CB72AD44CBA1

Function 09B61937 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c30874e48b1d8b536bc4566a3a96c3a83efd90662ebd84db2dde52e00e89406
Instruction ID: e87f6ec69c33d2480933bb2f5753e0e720d8afe05a03f786e04b830878dff35d
Opcode Fuzzy Hash: 5c30874e48b1d8b536bc4566a3a96c3a83efd90662ebd84db2dde52e00e89406
Instruction Fuzzy Hash: 7821D5343002449FD7259F69C584B2AB7A2FFC5710F1882ADE6454B3A1DA76F882CB91

Function 09961104 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50619d4149dea3b5bec5a8068c663334b038a3cd458457cab282d97279d9ba4
Instruction ID: cf4a80cdf94be03a0abcd0b8f351845333db4a4b8e13f67677654b44571ba1ba
Opcode Fuzzy Hash: c50619d4149dea3b5bec5a8068c663334b038a3cd458457cab282d97279d9ba4
Instruction Fuzzy Hash: 31219230B003055FD714AB7CD8487AFBBEAEBC4714F008A2DD006D7795DB7559058BA1

Function 09B61888 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db82cb4a2b1fecfca3fd512247582123e524d6cf1e02d9c634bef84f346c135a
Instruction ID: 41fc234406afcc768f808850fee68212202618e389c1b092af175c2b65110a0b
Opcode Fuzzy Hash: db82cb4a2b1fecfca3fd512247582123e524d6cf1e02d9c634bef84f346c135a
Instruction Fuzzy Hash: C82193347002048FC715DF38D854AAAB7F2EFCA310B14446AE5459B371DB75ED06CBA1

Function 0996BA00 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e420cf66536da43bc4c103861e15de4e1d280d5e702bacb8bcdbeb1d2d35f52f
Instruction ID: e99efe35730bd38ff3d5409e9a76c5b19719421035903850d28baa5d527b0032
Opcode Fuzzy Hash: e420cf66536da43bc4c103861e15de4e1d280d5e702bacb8bcdbeb1d2d35f52f
Instruction Fuzzy Hash: 3021CD71A08616DFCB05CF68C9809A9FBF5FF84304F52C16AD44ADB665E331A856CBC0

Function 0985144C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1798573823.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9850000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9f0fd22949619fae2abf59ded62a5c1bb46650627f24ee90c494aac21c5a41
Instruction ID: 96043dc73b007219cb689ec49e784a67fc7dadc5d56dfa34a9d4724cf6c336d9
Opcode Fuzzy Hash: 0a9f0fd22949619fae2abf59ded62a5c1bb46650627f24ee90c494aac21c5a41
Instruction Fuzzy Hash: 8D11D330E092998FCF259B6498182BEBB72EF86351F0445AED813E7350CB344C4ADBA1

Function 09964580 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dab7840b34abee87715ce15aacb90c8e8722cb9fdfa3d6d1357f67668ea9105
Instruction ID: 99e387c9ad352b8935c89048e9d3d04583dc9062f99cd54bbc36b93a5d2404b3
Opcode Fuzzy Hash: 9dab7840b34abee87715ce15aacb90c8e8722cb9fdfa3d6d1357f67668ea9105
Instruction Fuzzy Hash: DF11CE71A0424AAFCB06DFA8D4845EEBFB1EB85310F1484AED00AEB3A1C7304946CB91

Function 09962930 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580bd410f77e1aa2b4c37bf48c81554853c469db96a25504991388dcfd7c9a0c
Instruction ID: b568ede73e490e3cdb70b6f28fbfb49f2ec17fd9334edf35119745a3069b7dfb
Opcode Fuzzy Hash: 580bd410f77e1aa2b4c37bf48c81554853c469db96a25504991388dcfd7c9a0c
Instruction Fuzzy Hash: 5A117031B002059FCB64AF6C9854BBF7BF6ABC9702F144429E955D7390DA75C901CBA1

Function 099626A1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dad0e17aa7df27936f779fe60951ea2df5a7dddc4b5d636421e011f0f0d071
Instruction ID: 23ce7fbb952e67f9abef6a5bbadf076a48fb8c895b3a037a229089e22d989b5f
Opcode Fuzzy Hash: c1dad0e17aa7df27936f779fe60951ea2df5a7dddc4b5d636421e011f0f0d071
Instruction Fuzzy Hash: 2B216F79A02259EFDB04CFA8E594EADB7F2BF89700F204159E905EB361CB74AD41CB50

Function 09963EF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7960ccef404f84ff3432dbf4496d0572380dbc64c2490ca0cd541f1daadd93e
Instruction ID: 675a6823be66eecfbc9791066db96a045d9daad82ed9af894d9abb511eb78fd4
Opcode Fuzzy Hash: d7960ccef404f84ff3432dbf4496d0572380dbc64c2490ca0cd541f1daadd93e
Instruction Fuzzy Hash: 0401B1326042586FEB54DEACE841BDABFF8EB55260F24C0ABF488C72A0D631D990C750

Function 09962580 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003878cb60543779276b27816de1076cd005b4ed6238345b95429245ee8fe8f6
Instruction ID: b54f350e8e81095ca31d8a8ebd331304406c8c416c0eac3b1818556d0eee5db5
Opcode Fuzzy Hash: 003878cb60543779276b27816de1076cd005b4ed6238345b95429245ee8fe8f6
Instruction Fuzzy Hash: 5E014476340255AFDB108F59DC94FAFB7A9EBC9B21F10806AFA15CB390D6B1D9108760

Function 0996BAB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a981e1abb3f7dd360898ff86772b959d980cd67e71f124b923b4349d62e00f
Instruction ID: 03d6c135c1270248277e1703795b16e0237ee9d50ba595e3990f4a013e00e3a5
Opcode Fuzzy Hash: 45a981e1abb3f7dd360898ff86772b959d980cd67e71f124b923b4349d62e00f
Instruction Fuzzy Hash: B0F0227130F3C04FC7170A385C201867FA89F8365075802EEE988CF362D1254C0AC7B2

Function 0996F920 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43aa3dbf8e4450e9f1988884a810bcef1d9a4be1b4e47cdaa8299564ab9244f4
Instruction ID: d703abbd896cbb8e23c2a068855ff4a53475cae3aa141e0685104a170c0de8b0
Opcode Fuzzy Hash: 43aa3dbf8e4450e9f1988884a810bcef1d9a4be1b4e47cdaa8299564ab9244f4
Instruction Fuzzy Hash: E6F046227086101FE7192A39A42473E779B8FC2B41F10C02AE546CB394CE298C0783E6

Function 0996F428 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ae511fc6a98bdaaca96fe5ba735b704f494490832a944a785add6852f77aae
Instruction ID: 16da68d8326b5b0a72c8d2c7af9456f4553b8f1141187c64aa064a549440fe6c
Opcode Fuzzy Hash: d5ae511fc6a98bdaaca96fe5ba735b704f494490832a944a785add6852f77aae
Instruction Fuzzy Hash: 3D01B534305650DFC3169B34D414A1A7BE6EFCE711B108168E5168B3A1CB71DD42CB91

Function 0996E7FF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c08e4ff4a161b1f4d23caf3ec07f8f68ae57b6bea110ab6378ba86b9c5b12c
Instruction ID: 9a05378d7bb199392a37eab9e7f65f3c621820da65018bcacdf876dc3b7b0cad
Opcode Fuzzy Hash: c5c08e4ff4a161b1f4d23caf3ec07f8f68ae57b6bea110ab6378ba86b9c5b12c
Instruction Fuzzy Hash: 250128307083004FD345EB75D49455E3BE3AFC6200B10887AD106CF3A2CE259C4AC776

Function 0996F1B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710895eff887b56fc81ec1221a73665d11a908ef901928677d24cda73ed9a38e
Instruction ID: 96db77aa01ee5cb964c11f380213bed6fa5250303aa8fd128e1d2adf8db81185
Opcode Fuzzy Hash: 710895eff887b56fc81ec1221a73665d11a908ef901928677d24cda73ed9a38e
Instruction Fuzzy Hash: 04013C353443409FC3199B25D854A6A7BAAFFCA710B1544AAE545CB771CA32EC02CB90

Function 0996C6C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa539bf01ae3f1f26b6a3f3343138b658b5961afbe36abaddf24b5d623bbf21c
Instruction ID: 8092517d93c325a5d144947e4c18225184972d5e4f74e4c135f6d1b4b861026e
Opcode Fuzzy Hash: aa539bf01ae3f1f26b6a3f3343138b658b5961afbe36abaddf24b5d623bbf21c
Instruction Fuzzy Hash: 29F0F435710108ABC7099E29D4448AEBBAAEFC4310F04807AF959C7370DB3198068B80

Function 0996F438 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69027cb741ee4203a58d4325143664ccd88cc83faf609a46c20a1dd98a6918b
Instruction ID: faa94ba3dd3de2dd610f59d5b268ad4a03acab8224446fe11ccbf0e20c8d8dd6
Opcode Fuzzy Hash: a69027cb741ee4203a58d4325143664ccd88cc83faf609a46c20a1dd98a6918b
Instruction Fuzzy Hash: 11016935300A209FC3199B25D018A1EB7E6EFCDB11B108128E90A8B390CF32EC42CBD1

Function 09961A10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bdfe97669cb450ae5430a4751a7f6c727ec07c55dd57d5cd822676cf282570
Instruction ID: c4ef9cbe747bfacd491fb44151f1f12d5b23f1f75bdd6ea8ada0ca61e3c06d68
Opcode Fuzzy Hash: 55bdfe97669cb450ae5430a4751a7f6c727ec07c55dd57d5cd822676cf282570
Instruction Fuzzy Hash: 0AF0B462B0D2D19FE32207356811329AFA19FD7602F1848DFD0C28F2B2DA56D8468361

Function 099619B8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d3a6a691fce36560112a7dd3212fbbf3a9043d5e7c5d99745c1eb95b1b50fa
Instruction ID: 89a18e8b86a7e9ed3b89786eedc325e8f1182194f501aa872c8c63dee301673d
Opcode Fuzzy Hash: b8d3a6a691fce36560112a7dd3212fbbf3a9043d5e7c5d99745c1eb95b1b50fa
Instruction Fuzzy Hash: F8F0E931F086655FE3248A19A80072FF7A9EBC9B11F14446EE5499B391CB72EC4183D4

Function 09962570 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cfa72b7d3b63a6ad0e815048ba51ef02f96db141f1a839cf70f1a6ccd89c21
Instruction ID: 3f8777605bfdfb3af1cccc16bd9030b823b432aa817bdc970e24cd7bad1e7d2b
Opcode Fuzzy Hash: f6cfa72b7d3b63a6ad0e815048ba51ef02f96db141f1a839cf70f1a6ccd89c21
Instruction Fuzzy Hash: 66F0CD753002809FC3058F29D898D4A7BA8FF8A61431040AEF804CB322EA71D811CB60

Function 09966021 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0493722ffe0dffa69967d21f80fed15d532827cb52301de3b1bc645fc8833e4d
Instruction ID: 4809aae51896b7b8f7aeda36392e11c2532595cf8c485286833f437f18845baa
Opcode Fuzzy Hash: 0493722ffe0dffa69967d21f80fed15d532827cb52301de3b1bc645fc8833e4d
Instruction Fuzzy Hash: EAF049729192189BDB09DFA9C8156DEBBF5EB89300F20446ED001BB360CBB61901CBA1

Function 0996BB1F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435af47f20289462efb6fddd7cef61f2c794e597454e391c8e5711acc33d0135
Instruction ID: b971e92f01268259de903284f05b8a7f9aafac7c102f888e815f9caab901d35f
Opcode Fuzzy Hash: 435af47f20289462efb6fddd7cef61f2c794e597454e391c8e5711acc33d0135
Instruction Fuzzy Hash: 26F027302053814FC7129F2AEC4484ABFA6FEC2221310867AE4198B276DA709C0AC791

Function 09D65F91 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59920973485d717ed313d13ea62fc796f2eb38d2a6f751cc4de0cb978ba5ee8a
Instruction ID: 772c5718e44f22f940c9b01119ae7a810718e41123f42daa23daf0201aac07c5
Opcode Fuzzy Hash: 59920973485d717ed313d13ea62fc796f2eb38d2a6f751cc4de0cb978ba5ee8a
Instruction Fuzzy Hash: BE012C34E456198FD720DF18C8907AEB7B1FF49341F4040A9D849AB794CB389E80CF92

Function 0996F1C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293c5b03c68b1df8af83b77bb55cacb5c852b8f6741ca81bf21eed0242e97ef1
Instruction ID: 150e16d3cfca07ac8d2f8fb7ff00b12bfd67336c090f94af3620d9211db64214
Opcode Fuzzy Hash: 293c5b03c68b1df8af83b77bb55cacb5c852b8f6741ca81bf21eed0242e97ef1
Instruction Fuzzy Hash: 5BF0FE393406009FC718DB19D894E2A77AAFFC9721B15846AFA468B770CA71EC42CB94

Function 09D60EA6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a79251545357a17290688a685123420bd20721fa81c4d7950c465e7b7c56df2
Instruction ID: fbab714c5a5f3e009711c6a8f725c99a989394af8d842fe4eac81e20508f4f8c
Opcode Fuzzy Hash: 2a79251545357a17290688a685123420bd20721fa81c4d7950c465e7b7c56df2
Instruction Fuzzy Hash: F4010878E092588FCBA5DF58D88469DB7B1FB48300F0051E9D50DAB344DB38AE81CF55

Function 09B65ECF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73560c3304c342583aafc34bfa4ad8b2bf4fc5f7996bb9eff3fb327894d6968
Instruction ID: 219e91c466e83b7d647c0d4e6044119b9099e41d073444f8023cb26cefe254dc
Opcode Fuzzy Hash: e73560c3304c342583aafc34bfa4ad8b2bf4fc5f7996bb9eff3fb327894d6968
Instruction Fuzzy Hash: C9E092312453546FC3264939AC458973BEDDAC267431404BDF004C7211D965AC06C6F0

Function 0996F91E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381f6f7902391d179b230207cd5b9d9bd62eb89d401cc39a3e17f2367148c0b0
Instruction ID: d11a8efdcc5db32e38aec0f49a3f1bb1429ec831e09500f11b6a13de2a04c9cf
Opcode Fuzzy Hash: 381f6f7902391d179b230207cd5b9d9bd62eb89d401cc39a3e17f2367148c0b0
Instruction Fuzzy Hash: E9E022323006206BDB282928A41077F729A8BC2B82F00C13FE946C72A4CF768C0383D4

Function 09D64DFA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ee132f67743671af7cf1bca5afd62bb668f1d4ae74a428ba9ac5d3e57b0702
Instruction ID: d99edba614aee8c686665692249945386fdac9dd8598ba28ae50d55c78876288
Opcode Fuzzy Hash: 09ee132f67743671af7cf1bca5afd62bb668f1d4ae74a428ba9ac5d3e57b0702
Instruction Fuzzy Hash: 85011674B022588FD755DF58C884A9EB7B1FB4A300F1590E9E809EB784CA349E81CF96

Function 09D64D8A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b7244b02a3d68e6e73f34c4aa40e3e3544bbc25942977aeb9b19b1e45f32a7
Instruction ID: e4fef260a2e45c2d25ab8ed36f06610adf71ac5cb8e9651c1c74b67ceac34793
Opcode Fuzzy Hash: b4b7244b02a3d68e6e73f34c4aa40e3e3544bbc25942977aeb9b19b1e45f32a7
Instruction Fuzzy Hash: EF017C71B02298CFD795CF18C898A99B7B1FB4A304F1440E9D80DAB795CA344E85CF96

Function 09D76450 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67276d276bc746c5c3c489b295828b0bb391fa773c5edbda9daac67e4f4a8a29
Instruction ID: 09ccae221f1bd54773792add6434e4c2d2ea7430b4a0b060a0cddd19b928866b
Opcode Fuzzy Hash: 67276d276bc746c5c3c489b295828b0bb391fa773c5edbda9daac67e4f4a8a29
Instruction Fuzzy Hash: B3E0483170021817E70C266F5C54B2BE98FEBC5A51F54843EA50DCB395CD618C0153F5

Function 0996D599 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8a7db590ee760349a282d011260b374781044c0f938607733720ae316154e1
Instruction ID: d49dc16acc756cd43a09705380c45b0b4fa57b5d7802157cb30c70194f05d19c
Opcode Fuzzy Hash: 0a8a7db590ee760349a282d011260b374781044c0f938607733720ae316154e1
Instruction Fuzzy Hash: 72F0A0307047408FE7269B39E46417E7BE3ABC5308B1084ADD84AC77A9EF30DD028782

Function 09D64C1F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f034d7096b16fb546e33eae333d220b9872c21216854e5fe5969fa5690a7b2d5
Instruction ID: d36cb3cecbb428b800ceade769a0bca4aa386e228c3c12ad95ee42730c9c367a
Opcode Fuzzy Hash: f034d7096b16fb546e33eae333d220b9872c21216854e5fe5969fa5690a7b2d5
Instruction Fuzzy Hash: 43F03734B052648FD705DF58C980A9AB3B9EF4E340F4040A8E949AB755CB349E41CF67

Function 09961090 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d3fe23132f79127bda2eaccc2905eafb162f02a592590ac2dd288cf1dea0ce
Instruction ID: 9ce11d53613b7eb4f611941018c1c379326df157b270b88c07273518fa95b06f
Opcode Fuzzy Hash: 53d3fe23132f79127bda2eaccc2905eafb162f02a592590ac2dd288cf1dea0ce
Instruction Fuzzy Hash: 4CF0E571A06344AFD705EFB498106A97B75EB46340F1144DEC804CF352D9311A0587A1

Function 0996BB30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be6a41e94cd1bc07d7822455d17a4945677e76e99ffecaafaf6de8f2016e9e1
Instruction ID: e86f3f5b95d272c00e3e4b3d77703247c614857896a9f33a33035530e2365091
Opcode Fuzzy Hash: 1be6a41e94cd1bc07d7822455d17a4945677e76e99ffecaafaf6de8f2016e9e1
Instruction Fuzzy Hash: 23E0DF313003054BD7209A2AEC84C4BFF9AFFC0621300CA3AE90E87229CF70AC0AC791

Function 09960C41 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bb16455c80ff36ee6aba12f4981d5104a965d2959bab61874de2a136aff638
Instruction ID: c41823686b3a3096b9f82cf3188b17c4e81745866862a5cd5f6edf154811e20d
Opcode Fuzzy Hash: 31bb16455c80ff36ee6aba12f4981d5104a965d2959bab61874de2a136aff638
Instruction Fuzzy Hash: 4EF03030905389DFC702DF78980155ABFB4EB47205B1006DDC448CB392D6351E05CBA2

Function 09965F80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f802e03704585b896abe020af866479c4ba4f9952147de1a399c1aa21b1e6bb
Instruction ID: 559b4cb4522dcb8b44a4ff7af46c3ca6420126c7ccbb141773b61773701e402d
Opcode Fuzzy Hash: 0f802e03704585b896abe020af866479c4ba4f9952147de1a399c1aa21b1e6bb
Instruction Fuzzy Hash: F3E08C31300305DBDA20BA6C4801B6A76999BC9751F614469BA459B3E0DA62E842C7A6

Function 09B66D80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f599e4eb79252c62c1af86a47bc9e5d0f78c944ff66291b60a4e64f4da584fb8
Instruction ID: 7abc03f1b5fb2bc8504266efb0f07ea38d26f16522823c438f84b1e40bcc1156
Opcode Fuzzy Hash: f599e4eb79252c62c1af86a47bc9e5d0f78c944ff66291b60a4e64f4da584fb8
Instruction Fuzzy Hash: 17E04F70945359AFCB8ADFB48C020DD7FF8EF86500B1445FA8149DB1A1EA3549059F80

Function 09D7BA58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabe849b4e4d880eec5334358f33ecef7af3763e9bde05431eb4d37ccc50d379
Instruction ID: d6924d1d0e9920a5414542e2790d2a5267210b1423ea54b3eb1a303accf37780
Opcode Fuzzy Hash: aabe849b4e4d880eec5334358f33ecef7af3763e9bde05431eb4d37ccc50d379
Instruction Fuzzy Hash: 01D05E72A0520CEBCB10DEB4DD018AEB3ACEB05205B1009FAEC0DD3600FA32DE20D7A1

Function 099610A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f037a0a4549d5fe1232c3ad40242263d05f73ff7f9279f0bee319cc6d90371
Instruction ID: 967bfad2d567fd10c0f42957ae850c882d4ac1e06f8cd46d504268cbac3b5d50
Opcode Fuzzy Hash: b2f037a0a4549d5fe1232c3ad40242263d05f73ff7f9279f0bee319cc6d90371
Instruction Fuzzy Hash: 9BE01271B01209EFDB00DFB4DD5176EB7B9EB85604F10899DD904DB351DA315E049BA1

Function 09960C50 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b478f7e62cd043ff911ebceb5e4a26419a944fdb4cfa26b5f3686c1fe90cc9c
Instruction ID: 61df5df96d6abc1de0a9d7feb97442da08e154c568edf8eed6e20a57130377c0
Opcode Fuzzy Hash: 7b478f7e62cd043ff911ebceb5e4a26419a944fdb4cfa26b5f3686c1fe90cc9c
Instruction Fuzzy Hash: F7E01230A00209EFCB40EFB8D90165FB7B9EB45605F10459DD908D7341DA315E009BA2

Function 0996F188 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e49b603cdad1635ac8f74e00d9ab56c8a955330f85672bae4e2f6373cb0fc30
Instruction ID: 204f75d656cb6d6cc48beb94cfca753e39f08d2a14d4baf998b3476df014e6f3
Opcode Fuzzy Hash: 4e49b603cdad1635ac8f74e00d9ab56c8a955330f85672bae4e2f6373cb0fc30
Instruction Fuzzy Hash: 81D0177504A3889FC3039B75D4148803F74AF0732432688EAE0848F732D636985ADB65

Function 09D730C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f927995d1762cbe8c324714294833a1afa2026fa46d4f9cb06180c9dfa7781e4
Instruction ID: 9f4f24a500a6546fd27a041a1cbf06c8c359c6d478a6a13f82f7ed879fa1ee85
Opcode Fuzzy Hash: f927995d1762cbe8c324714294833a1afa2026fa46d4f9cb06180c9dfa7781e4
Instruction Fuzzy Hash: F1D09E71901218EB8B40EBA18D0159D7BEDAA46501B5045A595149B250E9319A145BD5

Function 09D79C98 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a532291a502a346f2fba0149c7bdbc0f11bc93ed8e6080374a74c65c2f4baf2c
Instruction ID: e8776c278fc92595af63213f4b6a3c9ba36e7e5e6a5c1d71ae5e46b222bfb63d
Opcode Fuzzy Hash: a532291a502a346f2fba0149c7bdbc0f11bc93ed8e6080374a74c65c2f4baf2c
Instruction Fuzzy Hash: C7D05231801208AF8B80EFA08C0148EBBECAA8A100B0085AA8608AB250EA318A109BC1

Function 09D79A28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8380076a5262bc52e804ad796c261ff5bb5d0f5a5e490a32a97bc7685bdd3f9b
Instruction ID: 40d79e6263611693ee52739490a7b59261f215cdbce46739564c808e0140c56a
Opcode Fuzzy Hash: 8380076a5262bc52e804ad796c261ff5bb5d0f5a5e490a32a97bc7685bdd3f9b
Instruction Fuzzy Hash: 85D05E31801208AF8B40EBA08C0048D7BECAE46101B1005A595049B250ED318A105BC2

Function 09B66D90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc345732d368b785c80c3a129bacc8b10798fb847aa837eb60089391da51b56
Instruction ID: f71ab9482109dbb7c532aa9f8ffe6340a7c4444ac117951be0b966520c9b44cb
Opcode Fuzzy Hash: 8bc345732d368b785c80c3a129bacc8b10798fb847aa837eb60089391da51b56
Instruction Fuzzy Hash: 9CD0927190221CAB8B80EBA58D0249EBBEDAB8A901B5045A69518AB250EA319A149BD5

Function 09962900 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc0ba6e33d74e66eb4f0604a02a142838c97929621e60f79d92950ea9510e78
Instruction ID: c09aaff441cbf22cdf542c5345f476d88d1b0d4b340c76e54add7e94b9843765
Opcode Fuzzy Hash: abc0ba6e33d74e66eb4f0604a02a142838c97929621e60f79d92950ea9510e78
Instruction Fuzzy Hash: DBD0127009F7C08FEB070B348C06B403F60AB03B09F2410EBA280CE2A2C2A60486CF77

Function 09B66B50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d6fc1359b195ff7f400b978d40c514a56f3c9ab20ff03ee7b58dd138f497ba
Instruction ID: d5b232d28aae5c33c10edb313adfd254bd2a6a18d605809c4e2e1e83b96b5b5e
Opcode Fuzzy Hash: d5d6fc1359b195ff7f400b978d40c514a56f3c9ab20ff03ee7b58dd138f497ba
Instruction Fuzzy Hash: 8CD0C9306883945FC78ACBA89C96859BFE09F96214319C0FFD40DCF2A3C62299078B40

Function 09B66E40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc5e125f5aa921ac4d818def8781025110146b51803a4397cc70da537208eb9
Instruction ID: bee0ebf949cc05375cd13d39a1fcdb1810c2cc2e32786d6716a453e158b07d04
Opcode Fuzzy Hash: ccc5e125f5aa921ac4d818def8781025110146b51803a4397cc70da537208eb9
Instruction Fuzzy Hash: CBD0C9303482506FC74DDAAC9891956BBEB9F89114B19C4FEA80DCB3A7D6A2D8068794

Function 0996F8E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e820d03113f1772a9133eb37dabfb3116a75096e69331006e170a1d63e2f3fa
Instruction ID: 4f3ebf52a0d6517d22c81fa34af3ae9f23fb3b4348259a4715a206a22da88bb5
Opcode Fuzzy Hash: 7e820d03113f1772a9133eb37dabfb3116a75096e69331006e170a1d63e2f3fa
Instruction Fuzzy Hash: 66D0927000A3849FDB079F3099294857F72EF43315B2648EED0844F262C27A4893EB12

Function 09D771D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 09D708A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 09D73820 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 09D78B60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 09B64FAF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a3c3ebe70427107a1bc368915ab8a5bab5335d9efe800a0d05b8832eb7f112
Instruction ID: a490bb53a4ae37917a6b0ca6ae1518667c41edf472c4da24bf9697f3d5e6996c
Opcode Fuzzy Hash: 36a3c3ebe70427107a1bc368915ab8a5bab5335d9efe800a0d05b8832eb7f112
Instruction Fuzzy Hash: A9C012355500C04FD709CF248196B80BB56EF9120CF1884FDC4495D103D627D513CB14

Function 09B66E50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684

Function 09965BB1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8370ec2f77bf1a096386dd028bf36ea629e16970ae1090dbb6546da6174b366
Instruction ID: 711a260c65dae66fdf62ad067d53e546efd8415e0d9c65478516668c28bbbdb2
Opcode Fuzzy Hash: d8370ec2f77bf1a096386dd028bf36ea629e16970ae1090dbb6546da6174b366
Instruction Fuzzy Hash: D4D0127050E7C29FD3078B348A06449FF70BF8270032581FBE08A8B272C2360852DB22

Function 09D7FD78 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 0996F198 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 09D72750 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09D75340 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09D75B10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09D79680 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09B66B60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 09B61C3F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ce345bf0b1eb001351c84dfc054526634ace245ae6465b040bc3e078f7aef
Instruction ID: 6043e9e45a8ffc398bb19e2f591742ab14970176147559ddf1f4de39d43c6d02
Opcode Fuzzy Hash: 090ce345bf0b1eb001351c84dfc054526634ace245ae6465b040bc3e078f7aef
Instruction Fuzzy Hash: A8C04C75550204DFC744CF64E445CA97BB4FF5935071181A6F5058B231C332D810DE00

Function 09B61C40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1800836837.0000000009B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9b60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Function 0996D580 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1799275925.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9960000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5b567abcdbf11e01bb1dbf3aa1ea851a7b88c7c6ed882c87e4c100d906f4db
Instruction ID: 224d8c0450ec8c5c234bf8f7220f391898cca093b39eb02ae12d0c1838bb0685
Opcode Fuzzy Hash: 9a5b567abcdbf11e01bb1dbf3aa1ea851a7b88c7c6ed882c87e4c100d906f4db
Instruction Fuzzy Hash: E2B09241C0A2C08EEA12366420022A0BB400B53845FA990C78C900A6A3A40A981982A3

Function 09D7BD40 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 09D7FA90 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f421a7c91ea02b70c2beee12324d7692dcffd2be49a983a149aacf8868d04a2
Instruction ID: 975153bc4bf87e2c526ba7c5ef14341d3af96a9f5d61a204cbdf64d543947f44
Opcode Fuzzy Hash: 4f421a7c91ea02b70c2beee12324d7692dcffd2be49a983a149aacf8868d04a2
Instruction Fuzzy Hash: 37A02230002B0C82C28032B02C00020338C280020838000B88B2C08B20C833E0A08888

Function 09D75D50 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ecf66f2d9cb241931aba87758528c789510fd238a9664b7a3284bb718b1686
Instruction ID: 1ecefc58fab09c8a60cd78e17b49aa23df963bb2122937f67caacfda2a0016c8
Opcode Fuzzy Hash: c5ecf66f2d9cb241931aba87758528c789510fd238a9664b7a3284bb718b1686
Instruction Fuzzy Hash: A790023604464C8B454127D97509565775C95685157801091E50E456025A5964354597

Function 09D7FC60 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb94cbf373d7cb67b392dfa6eda7652aed27450953f6a8ee5daa1375f3f56e44
Instruction ID: c3810c888efda915c93b6fe15fb479f3ce81d0d8af7e54008334af22937ca68a
Opcode Fuzzy Hash: fb94cbf373d7cb67b392dfa6eda7652aed27450953f6a8ee5daa1375f3f56e44
Instruction Fuzzy Hash: 5A90023A04464C8B45402799B51D555775C9558515B801091E50D456025A5564214597

Function 09D7FAD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1801361765.0000000009D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5da17c68c050f09c9d0ed7d4e9e13ed28b3bea31d002998de11ed2f070d15a
Instruction ID: 05990b6ce0402b42672eddebb869552353f5ccdbb9982be0401d2b7865d47018
Opcode Fuzzy Hash: 6c5da17c68c050f09c9d0ed7d4e9e13ed28b3bea31d002998de11ed2f070d15a
Instruction Fuzzy Hash: F290023114864C8B57803799741D5A6779CD5446267801155A50E416055F55645145A6

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ List and airflight 2024.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ List and airflight 2024.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gaZNjdzDI.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wftb5qv.20p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f24ifi4h.xta.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hptrfy3z.4r1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfcrcbg3.y10.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msc5cg1n.thl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n5d3jwdl.stt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xj3msuqt.gzw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqmfcae1.yvc.psm1

C:\Users\user\AppData\Local\Temp\tmp2051.tmp

C:\Users\user\AppData\Local\Temp\tmp33B9.tmp

C:\Users\user\AppData\Roaming\gaZNjdzDI.exe

C:\Users\user\AppData\Roaming\gaZNjdzDI.exe:Zone.Identifier

Windows Analysis Report
RFQ List and airflight 2024.pif.exe