Edit tour

Windows Analysis Report
TECHNICAL SPECIFICATIONS.exe

Overview

General Information

Sample name:	TECHNICAL SPECIFICATIONS.exe
Analysis ID:	1570417
MD5:	65feefe926eb3f734b6968b35c23acb3
SHA1:	8fada228f4395476abe8bdbe75abfe8d7c6ef4eb
SHA256:	d1b068b826e3a9527cddd09866886caba895f390af930a9b35c027eb1c2db34c
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TECHNICAL SPECIFICATIONS.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

powershell.exe (PID: 7128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TECHNICAL SPECIFICATIONS.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

newapp.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

newapp.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

newapp.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

newapp.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 65FEEFE926EB3F734B6968B35C23ACB3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 5960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 5960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7576	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: newapp.exe PID: 7944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newapp.exe PID: 7944	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
7.2.newapp.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.newapp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.newapp.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.newapp.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.newapp.exe.42e5dd0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.newapp.exe.42e5dd0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.newapp.exe.42e5dd0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.newapp.exe.42e5dd0.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.newapp.exe.4265e58.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.newapp.exe.4265e58.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.newapp.exe.4265e58.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.newapp.exe.4265e58.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.newapp.exe.4385f68.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.newapp.exe.4385f68.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.newapp.exe.4385f68.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.newapp.exe.4385f68.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.newapp.exe.4265e58.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.newapp.exe.4265e58.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.newapp.exe.4265e58.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.newapp.exe.4265e58.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
9.2.newapp.exe.4385f68.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.newapp.exe.4385f68.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.newapp.exe.4385f68.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.newapp.exe.4385f68.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30dec:$s2: GetPrivateProfileString 0x30472:$s3: get_OSFullName 0x31b69:$s5: remove_Key 0x31d29:$s5: remove_Key 0x32ca1:$s6: FtpWebRequest 0x33bbe:$s7: logins 0x34130:$s7: logins 0x36e41:$s7: logins 0x36ef3:$s7: logins 0x389be:$s7: logins 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.newapp.exe.42e5dd0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.newapp.exe.42e5dd0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.newapp.exe.42e5dd0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.newapp.exe.42e5dd0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb6ffc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb706e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb70f8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb718a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb71f4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb7266:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb72fc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xb738c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0xb420c:$s2: GetPrivateProfileString 0xb3892:$s3: get_OSFullName 0xb4f89:$s5: remove_Key 0xb5149:$s5: remove_Key 0xb60c1:$s6: FtpWebRequest 0xb6fde:$s7: logins 0xb7550:$s7: logins 0xba261:$s7: logins 0xba313:$s7: logins 0xbbdde:$s7: logins 0xbaead:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x10bfa4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x10c016:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x10c0a0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x10c132:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x10c19c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10c20e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10c2a4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x10c334:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x1091b4:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x10883a:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x109f31:$s5: remove_Key 0x10a0f1:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x10b069:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x10bf86:$s7: logins 0x10c4f8:$s7: logins 0x10f209:$s7: logins 0x10f2bb:$s7: logins 0x110d86:$s7: logins 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72bfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1491c4:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72c6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x149236:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72cf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1492c0:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72d8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x149352:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72df4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1493bc:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72e66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x14942e:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72efc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1494c4:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x32bec:$s2: GetPrivateProfileString 0x6fe0c:$s2: GetPrivateProfileString 0x1463d4:$s2: GetPrivateProfileString 0x32272:$s3: get_OSFullName 0x6f492:$s3: get_OSFullName 0x145a5a:$s3: get_OSFullName 0x33969:$s5: remove_Key 0x33b29:$s5: remove_Key 0x70b89:$s5: remove_Key 0x70d49:$s5: remove_Key 0x147151:$s5: remove_Key 0x147311:$s5: remove_Key 0x34aa1:$s6: FtpWebRequest 0x71cc1:$s6: FtpWebRequest 0x148289:$s6: FtpWebRequest 0x359be:$s7: logins 0x35f30:$s7: logins 0x38c41:$s7: logins 0x38cf3:$s7: logins 0x3a7be:$s7: logins 0x72bde:$s7: logins
Click to see the 46 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", ParentImage: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe, ParentProcessId: 6480, ParentProcessName: TECHNICAL SPECIFICATIONS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", ProcessId: 7128, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe, ProcessId: 5960, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", ParentImage: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe, ParentProcessId: 6480, ParentProcessName: TECHNICAL SPECIFICATIONS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe", ProcessId: 7128, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: TECHNICAL SPECIFICATIONS.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TECHNICAL SPECIFICATIONS.exe

Joe Sandbox ML: detected

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49730 version: TLS 1.2

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: nCItN.pdbSHA256 source: TECHNICAL SPECIFICATIONS.exe, newapp.exe.4.dr
Source:	Binary string: nCItN.pdb source: TECHNICAL SPECIFICATIONS.exe, newapp.exe.4.dr

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4x nop then jmp 0BB40F70h		0_2_0BB4066D
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4x nop then jmp 0BB40F70h		0_2_0BB406B1

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 192.254.225.136 192.254.225.136
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.ercolina-usa.com

Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003275000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000003105000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ercolina-usa.com
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003275000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000003105000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.ercolina-usa.com
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048875649.0000000002638000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2188312892.0000000003248000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2272052838.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, SKTzxzsJw.cs	.Net Code: KdRT1gFnIpl
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, SKTzxzsJw.cs	.Net Code: KdRT1gFnIpl
Source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, SKTzxzsJw.cs	.Net Code: KdRT1gFnIpl

Installs a global keyboard hook

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

.NET source code contains very large strings

Source: TECHNICAL SPECIFICATIONS.exe, frmLogin.cs	Long String: Length: 123476
Source: newapp.exe.4.dr, frmLogin.cs	Long String: Length: 123476

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_00C1D584	0_2_00C1D584
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8ABE8	0_2_08E8ABE8
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8ABC8	0_2_08E8ABC8
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8ABDF	0_2_08E8ABDF
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8CC58	0_2_08E8CC58
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E87F8B	0_2_08E87F8B
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8B020	0_2_08E8B020
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8B447	0_2_08E8B447
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8B458	0_2_08E8B458
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8D5F8	0_2_08E8D5F8
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_08E8D608	0_2_08E8D608
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_0BB40330	0_2_0BB40330
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_0BB40320	0_2_0BB40320
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_0BB42678	0_2_0BB42678
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_017C4A68	4_2_017C4A68
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_017CADB0	4_2_017CADB0
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_017C3E50	4_2_017C3E50
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_017C4198	4_2_017C4198
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF47A4	4_2_06DF47A4
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF6A12	4_2_06DF6A12
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF033F	4_2_06DF033F
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF1F3F	4_2_06DF1F3F
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF5D48	4_2_06DF5D48
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF5D42	4_2_06DF5D42
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E056A8	4_2_06E056A8
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E07E60	4_2_06E07E60
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E03568	4_2_06E03568
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E0C260	4_2_06E0C260
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E07780	4_2_06E07780
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E0E750	4_2_06E0E750
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E00040	4_2_06E00040
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E0003A	4_2_06E0003A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_031AD584	6_2_031AD584
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962ABE8	6_2_0962ABE8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962ABC8	6_2_0962ABC8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962CC48	6_2_0962CC48
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962CC58	6_2_0962CC58
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962B020	6_2_0962B020
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962D5F8	6_2_0962D5F8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962B447	6_2_0962B447
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962B458	6_2_0962B458
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 6_2_0962D608	6_2_0962D608
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01264198	7_2_01264198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0126E91D	7_2_0126E91D
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01264A68	7_2_01264A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0126AD50	7_2_0126AD50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_0126AC90	7_2_0126AC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01263E50	7_2_01263E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C144EC	7_2_06C144EC
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C16793	7_2_06C16793
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C11C90	7_2_06C11C90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C15AA3	7_2_06C15AA3
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C15AA8	7_2_06C15AA8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C118D8	7_2_06C118D8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C366E0	7_2_06C366E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C356B0	7_2_06C356B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C37E68	7_2_06C37E68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C33570	7_2_06C33570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C3C268	7_2_06C3C268
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C3B318	7_2_06C3B318
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C37788	7_2_06C37788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C3E498	7_2_06C3E498
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C35DE8	7_2_06C35DE8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C30040	7_2_06C30040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C3003E	7_2_06C3003E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_0187D584	9_2_0187D584
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DD608	9_2_074DD608
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DD5F8	9_2_074DD5F8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DB447	9_2_074DB447
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DB458	9_2_074DB458
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DB020	9_2_074DB020
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DCC48	9_2_074DCC48
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DCC58	9_2_074DCC58
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DABC8	9_2_074DABC8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 9_2_074DABE8	9_2_074DABE8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_02CD4A68	10_2_02CD4A68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_02CDE91D	10_2_02CDE91D
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_02CD3E50	10_2_02CD3E50
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_02CD4198	10_2_02CD4198
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_02CDAC90	10_2_02CDAC90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E44EC	10_2_069E44EC
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E6792	10_2_069E6792
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E1C90	10_2_069E1C90
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E5AA8	10_2_069E5AA8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E5AA2	10_2_069E5AA2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E18D8	10_2_069E18D8
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A056B0	10_2_06A056B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A066E0	10_2_06A066E0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A07E68	10_2_06A07E68
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A03570	10_2_06A03570
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A0C268	10_2_06A0C268
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A0B307	10_2_06A0B307
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A07788	10_2_06A07788
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A0E498	10_2_06A0E498
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A05DD7	10_2_06A05DD7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A00040	10_2_06A00040
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_06A0003F	10_2_06A0003F

Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2053221424.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000000.2015444781.0000000000285000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenCItN.exe< vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048875649.0000000002638000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2052417966.00000000067D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048069447.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048875649.00000000026D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4469900306.0000000000FA9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4491447285.0000000006B75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenCItN.exe< vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4470238843.0000000001478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllN vs TECHNICAL SPECIFICATIONS.exe
Source: TECHNICAL SPECIFICATIONS.exe	Binary or memory string: OriginalFilenamenCItN.exe< vs TECHNICAL SPECIFICATIONS.exe

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: TECHNICAL SPECIFICATIONS.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: newapp.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, TNf7y49lyKa8eHbNQr.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/9@2/2

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TECHNICAL SPECIFICATIONS.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Mutant created: \Sessions\1\BaseNamedObjects\ikcbybviph
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adewuqtv.gbm.ps1

Jump to behavior

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TECHNICAL SPECIFICATIONS.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TECHNICAL SPECIFICATIONS.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File read: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TECHNICAL SPECIFICATIONS.exe

Static file information: File size 1096704 > 1048576

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: nCItN.pdbSHA256 source: TECHNICAL SPECIFICATIONS.exe, newapp.exe.4.dr
Source:	Binary string: nCItN.pdb source: TECHNICAL SPECIFICATIONS.exe, newapp.exe.4.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, TNf7y49lyKa8eHbNQr.cs	.Net Code: VIk8ITLepk System.Reflection.Assembly.Load(byte[])
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, TNf7y49lyKa8eHbNQr.cs	.Net Code: VIk8ITLepk System.Reflection.Assembly.Load(byte[])
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.27cb868.0.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.7760000.6.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 6.2.newapp.exe.33db82c.0.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: TECHNICAL SPECIFICATIONS.exe

Static PE information: 0xF7228534 [Sun May 22 19:51:16 2101 UTC]

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_00C147B1 push ebp; ret	0_2_00C14815
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 0_2_07C0C771 push ebp; ret	0_2_07C0C7CC
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_017C0C55 push edi; retf	4_2_017C0C7A
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF5350 pushfd ; ret	4_2_06DF5669
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF0B6B push eax; retf	4_2_06DF0B7B
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF0B16 push eax; retf	4_2_06DF0B17
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF0B22 push eax; retf	4_2_06DF0B23
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF68E2 push esp; retf	4_2_06DF68E9
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF68E0 pushad ; retf	4_2_06DF68E1
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06DF5662 pushfd ; ret	4_2_06DF5669
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E025DB push ebx; retf	4_2_06E025DA
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Code function: 4_2_06E025BF push ebx; retf	4_2_06E025DA
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_01260C55 push edi; retf	7_2_01260C7A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C150B0 pushfd ; ret	7_2_06C153C9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C16640 pushad ; retf	7_2_06C16641
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C16643 push esp; retf	7_2_06C16649
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C1AC69 push es; ret	7_2_06C1AC70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C1F2B0 push es; ret	7_2_06C1F2C0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C153C3 pushfd ; ret	7_2_06C153C9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 7_2_06C19E31 push ebx; retn 5506h	7_2_06C19E3E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E50B0 pushfd ; ret	10_2_069E53C9
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E6642 push esp; retf	10_2_069E6649
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E6640 pushad ; retf	10_2_069E6641
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069EAC61 push es; ret	10_2_069EAC70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Code function: 10_2_069E53C2 pushfd ; ret	10_2_069E53C9

Source: TECHNICAL SPECIFICATIONS.exe	Static PE information: section name: .text entropy: 7.211152968650304
Source: newapp.exe.4.dr	Static PE information: section name: .text entropy: 7.211152968650304

Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, hWOF1wq8TwGnEeL18pe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jTVunec655', 'louuGZQdoX', 'U0XuafC22l', 'DUAuuhpF4Q', 'DS1utwbCoJ', 'SKcupM6KMZ', 'F04ujYjNE7'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, kWIAW0v8S1UL2kEHvx.cs	High entropy of concatenated method names: 'ygsCWfMdg3', 'a0oCkcZkSH', 'aTxChFG2bM', 'O65COHO7il', 'GiMC9xOA9Q', 'NlBh1408fq', 'BSSh6Nsjsd', 'AyMhNXkIhO', 'XakhQadMDP', 'eD5h39KnoS'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, suYabEUCWPeZSqmf7e.cs	High entropy of concatenated method names: 'KSMLeq6IVl', 'UKIL4ShuPo', 'ToString', 'FMOLHHiKEx', 'b0kLkH6I5g', 'DFpLYITFau', 'o8rLhDLbBj', 'fSlLCYSSgX', 'XrrLOWtbw2', 'QkIL9B6cjJ'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, fhjAQ5qqUM8yQLZ5sgb.cs	High entropy of concatenated method names: 'DO4GFBippO', 'fs6GzOZ1Fu', 'KG6alqUWrm', 'bB9aqTOSq5', 'Ibja58hgfu', 'FRBaA08TCX', 'dkka8IsZWj', 'qytaWqPDXe', 'tlEaHuFe4h', 'pKDak4cLr2'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, nWjxCYkuJNRVakHJYU.cs	High entropy of concatenated method names: 'Dispose', 'qrSq3nW7es', 'Pn95ZxFHnE', 'JL2t4eyFtX', 'XJTqFynaYt', 'KaWqzhF0eI', 'ProcessDialogKey', 'mb15lZkW4k', 'GGq5qseKuD', 'Bd955bi23B'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, e1hGVOJlNwTUMAc0FC.cs	High entropy of concatenated method names: 'ToString', 'NPdKEmt864', 'is5KZqMMca', 'Dh3KcuNfhO', 'n9oKsXtfO9', 'lg6KM9Vha8', 'aekKX0PqUr', 'QP4Kg2YggD', 'n9GKbxdeMP', 'dbSKP6IeLV'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, GJW89S66pDjHWZcEEv.cs	High entropy of concatenated method names: 'QaeLQEbTfF', 'cGBLFnoTvJ', 'uDmmlFJdX5', 'k84mqLD4eL', 'l5oLES0bqc', 'nerLxCeviK', 'nhaLy9rZc6', 'pjpLSnA81X', 'RywLd2bpm0', 'm1WLJ5eDoq'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, IshQhKznOsTw8qGH2f.cs	High entropy of concatenated method names: 'XYXGobgAb5', 'uDPGrTgZCc', 'T8eGRb0sgX', 'jiPGvpUyyF', 'oxQGZgoLEo', 'M6hGsphWEK', 'zxyGMXtLaq', 'ACZGjpSdH8', 'RwQGD3fl9I', 'kBEGwtWWmu'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, L1sbZpRd8uXWCharmO.cs	High entropy of concatenated method names: 'XsEY05NHHs', 'ncQYoaHJs0', 'QQqYr4w4GJ', 'oRkYRBIiOp', 'J3LY73drh6', 'moWYKRSSiF', 'N28YLQjFwR', 'MxBYmEyoOA', 'npLYndkddK', 'yheYGyFOUR'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, MwHahQNiSLrSnW7es3.cs	High entropy of concatenated method names: 'mZYn7ndU8M', 'i4wnLrmHRw', 'sU1nnLfvFC', 'UH8na96PT0', 'db8ntCIBkG', 'SMYnj1taSu', 'Dispose', 'wt5mH8dORf', 'ukvmktq6nl', 'Wr7mYZg5Jd'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, lo4tTfy9Js5R3nmhSv.cs	High entropy of concatenated method names: 'ESTVrDBfLA', 'PvJVRbK9RW', 'KLXVvDMaKc', 'kmJVZSmYlt', 'QyMVsmkYHA', 'sJSVMvZpUD', 'gXNVgPLioV', 'dtkVby7XAA', 'JLdVByt8LH', 'EoTVEnumUH'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, LV8kjA5roX4L7TqFCM.cs	High entropy of concatenated method names: 's0QIopDWm', 'itA0xh8jZ', 'J6Voc3dAR', 'cDM2rFOsM', 'EIiR6Wrjn', 'LqlTWgvqL', 'SRNnyP488fb6tZjCAM', 'vRXigfK908X6uWhYBI', 'SoPmIgO2g', 'EF9GR2REd'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, rRQlnBT6uvnPIUupEG.cs	High entropy of concatenated method names: 'aTKhihHpXw', 'MlXh2B0RbB', 'Ub8Ycyfo6w', 'EK6YsO087S', 'E25YMCCjGH', 'cwlYXQ2QAh', 'fUpYgJAjO4', 'z6VYbAYNy5', 'A3EYPeYIIH', 'wxIYBgF79D'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, DdIlOCPvMFdu4tmhoi.cs	High entropy of concatenated method names: 'b97OD4vCq7', 'Q9QOwqMoAg', 'JFLOIMe87u', 'oCGO0LnR7C', 'NZ0Oig2ifA', 'fOKOomMoqK', 'NUTO2FRKYA', 'M9KOrJT9pp', 'JxpORhKB03', 'pchOToGt5H'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, TNf7y49lyKa8eHbNQr.cs	High entropy of concatenated method names: 'IRnAW7FqCc', 'SkSAH1syRj', 'ifHAkybhYA', 'zJTAYVjuSp', 'YryAhw97Xi', 'ITSACnIN3N', 'ATaAOxd1Td', 'z3XA9WKfbD', 'xwCAf6QJe6', 'ExTAeDnKSN'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, UZkW4k3vGqseKuDod9.cs	High entropy of concatenated method names: 'hypnvbHch4', 'fZmnZ8jyYZ', 'Y7GncyHfAx', 'MstnsKiCYE', 'NKSnMd1KUU', 'jTtnX2ZVJh', 'yAYngcpvD5', 'aaKnbAV5EU', 'bV9nP74fTr', 'DAwnBpAy3G'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, HYgbO58wUsaM0469Oa.cs	High entropy of concatenated method names: 'lcOqOREUtx', 'LTmq9Z9ujR', 'vd8qeuXWCh', 'trmq4OmRQl', 'Tupq7EG9WI', 'dW0qK8S1UL', 'Uj8WWG7pM1e3ima9Ix', 'jjCkyEUhO6i2WTBbEN', 'de1qqdZK4F', 'HYNqAA3h3O'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	High entropy of concatenated method names: 'PKSkSIii7i', 'nsWkdtmOvr', 'muEkJle5xh', 'qtvkUYtvDP', 'DAjk1CNt1c', 'rRwk6XSLyi', 'YcskNUTHTK', 'gWikQpGZmw', 'Poik3bmefW', 'T5okFRl99d'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, vl63b4qlejrmlkOmBYp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bKsGEc23SI', 'BRSGxHHHhG', 'vxsGyfUJfy', 'JZtGSjHroX', 'gYwGda85Wo', 'ijQGJmH4g9', 'gO2GUwyrWV'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, QcVSh5S6Dl20iBJhn2.cs	High entropy of concatenated method names: 'x6l7BtQZMY', 'wWw7xx2NnJ', 'eMP7Sn8aSU', 'tTc7dZrSlj', 'FlU7Zta6PE', 'O0j7c443fT', 'Olu7sWGnda', 'Ldm7MyIvYp', 'kkY7XL6uGn', 'rs17grqClb'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, sMNDIUgZWPSB65IaPP.cs	High entropy of concatenated method names: 'AxgOH5a82Q', 'xUCOYNBSt0', 'xPkOCZYojg', 'JvhCFk9hy4', 'Qn4Cz6WxNh', 'GBmOlPJ8Um', 're6OqiYZg0', 'ceZO577o2D', 'pVtOAxhvBX', 'o7oO8bcdBq'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, Li23B1F2TbfLEFgIOp.cs	High entropy of concatenated method names: 'PXBGY70Xlr', 'AkUGhGyMI0', 'sNMGCIZHZ8', 'eYCGOw1OvK', 'bCIGnxuXjQ', 'lShG9mFDKc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.67d0000.5.raw.unpack, hD8Nd6YU5MDOdxJVxx.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KWY53JBySB', 'kgx5F3ayvV', 'YNn5z8CJmY', 'GSOAlJHcs2', 'BNxAqYdfpK', 'ftcA5YaiQ2', 'MAPAAl8Zg4', 'bfp4bcDpJSxNZp2QqSE'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, hWOF1wq8TwGnEeL18pe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jTVunec655', 'louuGZQdoX', 'U0XuafC22l', 'DUAuuhpF4Q', 'DS1utwbCoJ', 'SKcupM6KMZ', 'F04ujYjNE7'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, kWIAW0v8S1UL2kEHvx.cs	High entropy of concatenated method names: 'ygsCWfMdg3', 'a0oCkcZkSH', 'aTxChFG2bM', 'O65COHO7il', 'GiMC9xOA9Q', 'NlBh1408fq', 'BSSh6Nsjsd', 'AyMhNXkIhO', 'XakhQadMDP', 'eD5h39KnoS'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, suYabEUCWPeZSqmf7e.cs	High entropy of concatenated method names: 'KSMLeq6IVl', 'UKIL4ShuPo', 'ToString', 'FMOLHHiKEx', 'b0kLkH6I5g', 'DFpLYITFau', 'o8rLhDLbBj', 'fSlLCYSSgX', 'XrrLOWtbw2', 'QkIL9B6cjJ'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, fhjAQ5qqUM8yQLZ5sgb.cs	High entropy of concatenated method names: 'DO4GFBippO', 'fs6GzOZ1Fu', 'KG6alqUWrm', 'bB9aqTOSq5', 'Ibja58hgfu', 'FRBaA08TCX', 'dkka8IsZWj', 'qytaWqPDXe', 'tlEaHuFe4h', 'pKDak4cLr2'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, nWjxCYkuJNRVakHJYU.cs	High entropy of concatenated method names: 'Dispose', 'qrSq3nW7es', 'Pn95ZxFHnE', 'JL2t4eyFtX', 'XJTqFynaYt', 'KaWqzhF0eI', 'ProcessDialogKey', 'mb15lZkW4k', 'GGq5qseKuD', 'Bd955bi23B'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, e1hGVOJlNwTUMAc0FC.cs	High entropy of concatenated method names: 'ToString', 'NPdKEmt864', 'is5KZqMMca', 'Dh3KcuNfhO', 'n9oKsXtfO9', 'lg6KM9Vha8', 'aekKX0PqUr', 'QP4Kg2YggD', 'n9GKbxdeMP', 'dbSKP6IeLV'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, GJW89S66pDjHWZcEEv.cs	High entropy of concatenated method names: 'QaeLQEbTfF', 'cGBLFnoTvJ', 'uDmmlFJdX5', 'k84mqLD4eL', 'l5oLES0bqc', 'nerLxCeviK', 'nhaLy9rZc6', 'pjpLSnA81X', 'RywLd2bpm0', 'm1WLJ5eDoq'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, IshQhKznOsTw8qGH2f.cs	High entropy of concatenated method names: 'XYXGobgAb5', 'uDPGrTgZCc', 'T8eGRb0sgX', 'jiPGvpUyyF', 'oxQGZgoLEo', 'M6hGsphWEK', 'zxyGMXtLaq', 'ACZGjpSdH8', 'RwQGD3fl9I', 'kBEGwtWWmu'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, L1sbZpRd8uXWCharmO.cs	High entropy of concatenated method names: 'XsEY05NHHs', 'ncQYoaHJs0', 'QQqYr4w4GJ', 'oRkYRBIiOp', 'J3LY73drh6', 'moWYKRSSiF', 'N28YLQjFwR', 'MxBYmEyoOA', 'npLYndkddK', 'yheYGyFOUR'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, MwHahQNiSLrSnW7es3.cs	High entropy of concatenated method names: 'mZYn7ndU8M', 'i4wnLrmHRw', 'sU1nnLfvFC', 'UH8na96PT0', 'db8ntCIBkG', 'SMYnj1taSu', 'Dispose', 'wt5mH8dORf', 'ukvmktq6nl', 'Wr7mYZg5Jd'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, lo4tTfy9Js5R3nmhSv.cs	High entropy of concatenated method names: 'ESTVrDBfLA', 'PvJVRbK9RW', 'KLXVvDMaKc', 'kmJVZSmYlt', 'QyMVsmkYHA', 'sJSVMvZpUD', 'gXNVgPLioV', 'dtkVby7XAA', 'JLdVByt8LH', 'EoTVEnumUH'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, LV8kjA5roX4L7TqFCM.cs	High entropy of concatenated method names: 's0QIopDWm', 'itA0xh8jZ', 'J6Voc3dAR', 'cDM2rFOsM', 'EIiR6Wrjn', 'LqlTWgvqL', 'SRNnyP488fb6tZjCAM', 'vRXigfK908X6uWhYBI', 'SoPmIgO2g', 'EF9GR2REd'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, rRQlnBT6uvnPIUupEG.cs	High entropy of concatenated method names: 'aTKhihHpXw', 'MlXh2B0RbB', 'Ub8Ycyfo6w', 'EK6YsO087S', 'E25YMCCjGH', 'cwlYXQ2QAh', 'fUpYgJAjO4', 'z6VYbAYNy5', 'A3EYPeYIIH', 'wxIYBgF79D'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, DdIlOCPvMFdu4tmhoi.cs	High entropy of concatenated method names: 'b97OD4vCq7', 'Q9QOwqMoAg', 'JFLOIMe87u', 'oCGO0LnR7C', 'NZ0Oig2ifA', 'fOKOomMoqK', 'NUTO2FRKYA', 'M9KOrJT9pp', 'JxpORhKB03', 'pchOToGt5H'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, TNf7y49lyKa8eHbNQr.cs	High entropy of concatenated method names: 'IRnAW7FqCc', 'SkSAH1syRj', 'ifHAkybhYA', 'zJTAYVjuSp', 'YryAhw97Xi', 'ITSACnIN3N', 'ATaAOxd1Td', 'z3XA9WKfbD', 'xwCAf6QJe6', 'ExTAeDnKSN'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, UZkW4k3vGqseKuDod9.cs	High entropy of concatenated method names: 'hypnvbHch4', 'fZmnZ8jyYZ', 'Y7GncyHfAx', 'MstnsKiCYE', 'NKSnMd1KUU', 'jTtnX2ZVJh', 'yAYngcpvD5', 'aaKnbAV5EU', 'bV9nP74fTr', 'DAwnBpAy3G'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, HYgbO58wUsaM0469Oa.cs	High entropy of concatenated method names: 'lcOqOREUtx', 'LTmq9Z9ujR', 'vd8qeuXWCh', 'trmq4OmRQl', 'Tupq7EG9WI', 'dW0qK8S1UL', 'Uj8WWG7pM1e3ima9Ix', 'jjCkyEUhO6i2WTBbEN', 'de1qqdZK4F', 'HYNqAA3h3O'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, jREUtxrgTmZ9ujRnhh.cs	High entropy of concatenated method names: 'PKSkSIii7i', 'nsWkdtmOvr', 'muEkJle5xh', 'qtvkUYtvDP', 'DAjk1CNt1c', 'rRwk6XSLyi', 'YcskNUTHTK', 'gWikQpGZmw', 'Poik3bmefW', 'T5okFRl99d'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, vl63b4qlejrmlkOmBYp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bKsGEc23SI', 'BRSGxHHHhG', 'vxsGyfUJfy', 'JZtGSjHroX', 'gYwGda85Wo', 'ijQGJmH4g9', 'gO2GUwyrWV'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, QcVSh5S6Dl20iBJhn2.cs	High entropy of concatenated method names: 'x6l7BtQZMY', 'wWw7xx2NnJ', 'eMP7Sn8aSU', 'tTc7dZrSlj', 'FlU7Zta6PE', 'O0j7c443fT', 'Olu7sWGnda', 'Ldm7MyIvYp', 'kkY7XL6uGn', 'rs17grqClb'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, sMNDIUgZWPSB65IaPP.cs	High entropy of concatenated method names: 'AxgOH5a82Q', 'xUCOYNBSt0', 'xPkOCZYojg', 'JvhCFk9hy4', 'Qn4Cz6WxNh', 'GBmOlPJ8Um', 're6OqiYZg0', 'ceZO577o2D', 'pVtOAxhvBX', 'o7oO8bcdBq'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, Li23B1F2TbfLEFgIOp.cs	High entropy of concatenated method names: 'PXBGY70Xlr', 'AkUGhGyMI0', 'sNMGCIZHZ8', 'eYCGOw1OvK', 'bCIGnxuXjQ', 'lShG9mFDKc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, hD8Nd6YU5MDOdxJVxx.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'KWY53JBySB', 'kgx5F3ayvV', 'YNn5z8CJmY', 'GSOAlJHcs2', 'BNxAqYdfpK', 'ftcA5YaiQ2', 'MAPAAl8Zg4', 'bfp4bcDpJSxNZp2QqSE'

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Jump to dropped file

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 8E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 69C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 9E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 1780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 5200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 9630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 7590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: A630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 1870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 30E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 9630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 76D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: A630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: B630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory allocated: 2D40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599321	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599184	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598623	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596778	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596550	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594035	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 593914	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596490	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595956	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595387	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595277	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595158	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594919	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598779
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598443
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597233
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595372
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594609

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6289	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2683	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Window / User API: threadDelayed 2069	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Window / User API: threadDelayed 7773	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 3620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 5854	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 2013
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Window / User API: threadDelayed 7836

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 5428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7424	Thread sleep count: 2069 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -599321s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -599184s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7424	Thread sleep count: 7773 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596778s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596550s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -594035s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe TID: 7404	Thread sleep time: -593914s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7752	Thread sleep count: 3620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7752	Thread sleep count: 5854 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599759s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596490s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595956s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595387s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595277s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595158s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -594919s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7740	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8048	Thread sleep count: 2013 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8048	Thread sleep count: 7836 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598779s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598443s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598107s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597233s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -597015s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596797s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -596029s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595594s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595372s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -595046s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 8044	Thread sleep time: -594609s >= -30000s

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599321	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599184	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598623	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596778	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596550	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 594035	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Thread delayed: delay time: 593914	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596490	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595956	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595387	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595277	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595158	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594919	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598779
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598443
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597233
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 597015
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596797
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595372
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Thread delayed: delay time: 594609

Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048069447.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048069447.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4470238843.000000000150E000.00000004.00000020.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2252524497.000000000132C000.00000004.00000020.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4470697138.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Memory written: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Memory written: C:\Users\user\AppData\Roaming\newapp\newapp.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR]q
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 12/28/2024 22:45:27<br>User Name: user<br>Computer Name: 065367<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.228<br><hr><b>[ Program Manager]</b> (07/12/2024 06:00:18)<br>{Win}r</html>
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q3<b>[ Program Manager]</b> (07/12/2024 06:00:18)<br>
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q8<b>[ Program Manager]</b> (07/12/2024 06:00:18)<br>{Win}THbqd
Source: TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q9<b>[ Program Manager]</b> (07/12/2024 06:00:18)<br>{Win}rTHbqd

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7944, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7944, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.4265e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.newapp.exe.4385f68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.newapp.exe.42e5dd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.372a558.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.36d55b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TECHNICAL SPECIFICATIONS.exe.3698390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TECHNICAL SPECIFICATIONS.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newapp.exe PID: 7944, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TECHNICAL SPECIFICATIONS.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
TECHNICAL SPECIFICATIONS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\newapp\newapp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\newapp\newapp.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Name	IP	Active	Malicious	Reputation
ercolina-usa.com	192.254.225.136	true	true	unknown
api.ipify.org	104.26.12.205	true	false	high
ftp.ercolina-usa.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/t	TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TECHNICAL SPECIFICATIONS.exe, 00000000.00000002.2048875649.0000000002638000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000006.00000002.2188312892.0000000003248000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003089000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000009.00000002.2272052838.00000000032EB000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ftp.ercolina-usa.com	TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003275000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000003105000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ercolina-usa.com	TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, TECHNICAL SPECIFICATIONS.exe, 00000004.00000002.4473961578.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 00000007.00000002.2254086095.0000000003275000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000003105000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.254.225.136	ercolina-usa.com	United States		46606	UNIFIEDLAYER-AS-1US	true
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570417
Start date and time:	2024-12-06 23:35:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TECHNICAL SPECIFICATIONS.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 324 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: TECHNICAL SPECIFICATIONS.exe

Simulations

Behavior and APIs

Time	Type	Description
17:35:55	API Interceptor	7743306x Sleep call for process: TECHNICAL SPECIFICATIONS.exe modified
17:35:56	API Interceptor	9x Sleep call for process: powershell.exe modified
17:36:09	API Interceptor	6638269x Sleep call for process: newapp.exe modified
23:35:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
23:36:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.254.225.136	uLFOeGZaJS.exe	Get hash	malicious	AgentTesla	Browse
	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE SPCIFICIATIONS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	LISTA DE COTIZACIONES.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	QUOTATION#5400.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#2800-QUANTUM MACTOOLS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	QUOTATION#2800-QUANTUM MACTOOLS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	2JHGWjmJ46.exe	Get hash	malicious	AgentTesla	Browse
	COTIZACI#U00d3N#08673.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
104.26.12.205	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	y1rS62yprs.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	apilibx64.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	104.26.12.205
	Simple1.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://www.scribd.com/document/801519291/Advice-Notification#fullscreen&from_embed	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	a9YMw44iQq.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Fw Your flight has been cancelled.eml	Get hash	malicious	Unknown	Browse	104.17.247.203
	https://login.officeteam.didgim.com/factpath/resources/patch/047620476204762098/?tpj=PlKRhyZP6wwT3cO_YX5-vBD5GuXYTvvU?SehS24G3uU3qw64njI8IZH7gQJoi5rbp7C2uDZbPGel89LOXSbLkxzcBkcMiAnricyOgDlVZzgK16brTMbOGyuYoLIN4U0HH714J	Get hash	malicious	ReCaptcha Phish	Browse	104.16.124.96
	Distribution Agreement -21_12_48-December 6, 2024-be1f31b3a4b24beb88d27adfd723203e.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse	104.21.40.3
	https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2dd	Get hash	malicious	Unknown	Browse	104.21.16.114
UNIFIEDLAYER-AS-1US	https://hujalconcretos.com/npp	Get hash	malicious	Unknown	Browse	192.185.131.189
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	108.179.253.197
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	#U25b6#Ufe0fPlayVoiceMessage9266.eml	Get hash	malicious	Unknown	Browse	192.185.77.66
	main_spc.elf	Get hash	malicious	Mirai	Browse	173.254.73.204
	https://track-004.blogspot.com	Get hash	malicious	Unknown	Browse	50.87.184.136
	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	Get hash	malicious	Unknown	Browse	192.254.190.193
	aU1TV97585.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	0wxckB4Iba.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	8JuGuaUaZP.exe	Get hash	malicious	AgentTesla	Browse	50.87.218.140

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	a9YMw44iQq.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.12.205
	ozgpPwVAu1.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	https://www.google.ca/url?q=1120091333775300779273902563687390256368&rct=11200913337753007792&sa=t&url=amp/s/elanpro.net/horeca/dispenc#YnJ1bml0YS5kdW5jYW5AcGFydG5lcnNtZ3UuY29t	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.12.205
	BGM LAW GROUP - RFP 2024.pdf	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.12.205
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://app.droplet.io/form/K47rYN	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTE_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.355024937536926
Encrypted:	false
SSDEEP:	24:3OWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:eWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	4FF4EA0534E06DBD3B9C6078779177B5
SHA1:	5DDA708CF64996323E26348C595E866596EE6F71
SHA-256:	D02254F27E815DA15DC98673A240E97983532EC9C4740A6892925B5DE7560DAA
SHA-512:	978C7DE1868842A0E66FC47B1009B841AC82F50954977D639E9CE6DD7F09A2272F8C9196CB4EE2260CBEEB5A99CD0A7C1C2CAB7552A45181B827120525E74E39
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adewuqtv.gbm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3ayo3bm.3qa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfx2nr3o.uew.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdegadgi.w0u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\newapp\newapp.exe

Download File

Process:	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1096704
Entropy (8bit):	7.245281471012076
Encrypted:	false
SSDEEP:	12288:epZsSSGFEQeafqAJZABam0MKEFrDHtApfhXBtERZyzsk7CYv3X3uO:ezseeNAEBa/nCUhxSry7CYv3X3N
MD5:	65FEEFE926EB3F734B6968B35C23ACB3
SHA1:	8FADA228F4395476ABE8BDBE75ABFE8D7C6EF4EB
SHA-256:	D1B068B826E3A9527CDDD09866886CABA895F390AF930A9B35C027EB1C2DB34C
SHA-512:	CF8ABEE2981F5A27360B2CAA653AEA9D53272F69D432510B5AB62258094D5ED1EED27205A744A6135CE4B798E429E55FE3EDFA044A12D7D91FE2372239D59FA8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4."...............0.............z;... ...@....@.. ....................................@.................................(;..O....@.............................. "..p............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc..............................@..B................\;......H........x..l.......7....~...............................................0.............o.....8.....o....t.......u.........,@..t......o....r...po....-..o....r...po....+......,....o.......+&.u...........,...t........o....(........o....:t......u........,...o......*...................0...........#........}.....#........}.....#........}.....#.....L.@}......}......}.....s....}.....s....}.....sG...}.....sM...}......}......}.....(.......(.......{....(.......{!...(.......{....(.......

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.245281471012076
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TECHNICAL SPECIFICATIONS.exe
File size:	1'096'704 bytes
MD5:	65feefe926eb3f734b6968b35c23acb3
SHA1:	8fada228f4395476abe8bdbe75abfe8d7c6ef4eb
SHA256:	d1b068b826e3a9527cddd09866886caba895f390af930a9b35c027eb1c2db34c
SHA512:	cf8abee2981f5a27360b2caa653aea9d53272f69d432510b5ab62258094d5ed1eed27205a744a6135ce4b798e429e55fe3edfa044a12d7d91fe2372239d59fa8
SSDEEP:	12288:epZsSSGFEQeafqAJZABam0MKEFrDHtApfhXBtERZyzsk7CYv3X3uO:ezseeNAEBa/nCUhxSry7CYv3X3N
TLSH:	E035073D29BD162BF175C6B78BEBE427F138886F3114AC6498D347A94346E4634C326E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4."...............0.............z;... ...@....@.. ....................................@................................

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x4e3b7a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF7228534 [Sun May 22 19:51:16 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe3b28	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe4000	0x29a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe2220	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe1b80	0xe1c00	4200651fbfc9ee4ab7a912126b63e373	False	0.7552861987818383	data	7.211152968650304	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe4000	0x29a18	0x29c00	714aab8ddc4fe920520b190ee0f4da56	False	0.6747286676646707	data	7.095562079137227	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0xc	0x200	b6a7bc7ffd6bd9f095eea2d388600031	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe4220	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9989130907351854
RT_ICON	0xf4fac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.42335561339169525
RT_ICON	0x1057d4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.5058455361360416
RT_ICON	0x1099fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.5346473029045643
RT_ICON	0x10bfa4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6055347091932458
RT_ICON	0x10d04c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7225177304964538
RT_GROUP_ICON	0x10d4b4	0x5a	Targa image data - Map 65536 x 3467 x 1	0.7333333333333333
RT_VERSION	0x10d510	0x31c	data	0.43844221105527637
RT_MANIFEST	0x10d82c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 23:35:57.673979044 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:57.674030066 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:57.674104929 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:57.681401968 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:57.681418896 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:58.905495882 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:58.905714989 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:58.909634113 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:58.909645081 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:58.909935951 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:58.955223083 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:58.999340057 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:59.346889019 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:59.346946001 CET	443	49707	104.26.12.205	192.168.2.5
Dec 6, 2024 23:35:59.347424984 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:35:59.354918957 CET	49707	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:00.728358984 CET	49709	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:00.848273993 CET	21	49709	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:00.848355055 CET	49709	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:00.852031946 CET	49709	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:00.886213064 CET	49710	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:00.972145081 CET	21	49709	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:00.972223997 CET	49709	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.006196976 CET	21	49710	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.006298065 CET	49710	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.006678104 CET	49710	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.009130001 CET	49711	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.126842976 CET	21	49710	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.126909971 CET	49710	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.129195929 CET	21	49711	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.129282951 CET	49711	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.129512072 CET	49711	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.131228924 CET	49712	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.249721050 CET	21	49711	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.249792099 CET	49711	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.250997066 CET	21	49712	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.251079082 CET	49712	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.251399040 CET	49712	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:01.371771097 CET	21	49712	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:01.371839046 CET	49712	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:10.261471987 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:10.261526108 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:10.261609077 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:10.264657974 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:10.264671087 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:11.479096889 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:11.479362011 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:11.492018938 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:11.492034912 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:11.492228031 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:11.556608915 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:11.861814976 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:11.907331944 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:12.187927008 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:12.187995911 CET	443	49714	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:12.188052893 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:12.190810919 CET	49714	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:12.749927044 CET	49716	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:12.869736910 CET	21	49716	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:12.869834900 CET	49716	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:12.871603012 CET	49716	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:12.900700092 CET	49718	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:12.991385937 CET	21	49716	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:12.991450071 CET	49716	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.021578074 CET	21	49718	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.021648884 CET	49718	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.021908998 CET	49718	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.023273945 CET	49719	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.141694069 CET	21	49718	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.141765118 CET	21	49718	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.141936064 CET	49718	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.143023014 CET	21	49719	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.143140078 CET	49719	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.143400908 CET	49719	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.144932985 CET	49720	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.264826059 CET	21	49720	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.264838934 CET	21	49719	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.264925957 CET	49720	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.264957905 CET	49719	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.265155077 CET	49720	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:13.385334969 CET	21	49720	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:13.385421991 CET	49720	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:18.584037066 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:18.584091902 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:18.584260941 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:18.587124109 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:18.587152004 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:19.797250032 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:19.797355890 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:19.800555944 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:19.800570011 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:19.800808907 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:19.846246958 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:19.849814892 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:19.891334057 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:20.244281054 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:20.244345903 CET	443	49730	104.26.12.205	192.168.2.5
Dec 6, 2024 23:36:20.244388103 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:20.247693062 CET	49730	443	192.168.2.5	104.26.12.205
Dec 6, 2024 23:36:20.795828104 CET	49736	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:20.915585041 CET	21	49736	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:20.915678024 CET	49736	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:20.917264938 CET	49736	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:20.941431046 CET	49737	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.037013054 CET	21	49736	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.037111044 CET	49736	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.061091900 CET	21	49737	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.061220884 CET	49737	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.061398029 CET	49737	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.062974930 CET	49738	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.181337118 CET	21	49737	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.181538105 CET	49737	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.182774067 CET	21	49738	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.182904005 CET	49738	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.183274984 CET	49738	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.184283018 CET	49739	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.303242922 CET	21	49738	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.303992033 CET	21	49739	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.304073095 CET	49739	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.304075003 CET	49738	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.305116892 CET	49739	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:36:21.424822092 CET	21	49739	192.254.225.136	192.168.2.5
Dec 6, 2024 23:36:21.424922943 CET	49739	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:37:37.795244932 CET	49906	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:37:37.915024042 CET	21	49906	192.254.225.136	192.168.2.5
Dec 6, 2024 23:37:37.915116072 CET	49906	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:37:37.915328979 CET	49906	21	192.168.2.5	192.254.225.136
Dec 6, 2024 23:37:38.035274029 CET	21	49906	192.254.225.136	192.168.2.5
Dec 6, 2024 23:37:38.035330057 CET	49906	21	192.168.2.5	192.254.225.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 23:35:56.890068054 CET	50003	53	192.168.2.5	1.1.1.1
Dec 6, 2024 23:35:57.029311895 CET	53	50003	1.1.1.1	192.168.2.5
Dec 6, 2024 23:35:59.913775921 CET	52467	53	192.168.2.5	1.1.1.1
Dec 6, 2024 23:36:00.726567984 CET	53	52467	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 23:35:56.890068054 CET	192.168.2.5	1.1.1.1	0x2a08	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 6, 2024 23:35:59.913775921 CET	192.168.2.5	1.1.1.1	0xc4db	Standard query (0)	ftp.ercolina-usa.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 23:35:57.029311895 CET	1.1.1.1	192.168.2.5	0x2a08	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 23:35:57.029311895 CET	1.1.1.1	192.168.2.5	0x2a08	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 6, 2024 23:35:57.029311895 CET	1.1.1.1	192.168.2.5	0x2a08	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 6, 2024 23:36:00.726567984 CET	1.1.1.1	192.168.2.5	0xc4db	No error (0)	ftp.ercolina-usa.com	ercolina-usa.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2024 23:36:00.726567984 CET	1.1.1.1	192.168.2.5	0xc4db	No error (0)	ercolina-usa.com		192.254.225.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.26.12.205	443	5960	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 22:35:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 22:35:59 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 22:35:59 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8edfc08edefb0f3a-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1690&rtt_var=634&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1723730&cwnd=164&unsent_bytes=0&cid=c290f49c1eb91675&ts=453&x=0"
2024-12-06 22:35:59 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	104.26.12.205	443	7576	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 22:36:11 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 22:36:12 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 22:36:12 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8edfc0df1bde78e7-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1980&rtt_var=764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1411309&cwnd=234&unsent_bytes=0&cid=eee5c4b7b56858e3&ts=712&x=0"
2024-12-06 22:36:12 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49730	104.26.12.205	443	7944	C:\Users\user\AppData\Roaming\newapp\newapp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 22:36:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-06 22:36:20 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 22:36:20 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8edfc1117e1f42a5-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1692&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1664766&cwnd=229&unsent_bytes=0&cid=ddf18da861f1b701&ts=451&x=0"
2024-12-06 22:36:20 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	17:35:54
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Imagebase:	0x180000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2050105688.0000000003698000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:35:55
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Imagebase:	0x5b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:35:55
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TECHNICAL SPECIFICATIONS.exe"
Imagebase:	0xd10000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4473961578.000000000324C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4473961578.0000000003221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	17:35:55
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:36:08
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xe10000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2190802680.0000000004265000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2190802680.00000000042E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:36:09
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xb40000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2254086095.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2254086095.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2249780738.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:36:16
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xe20000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2288305225.0000000004385000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:36:17
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase:	0xa50000
File size:	1'096'704 bytes
MD5 hash:	65FEEFE926EB3F734B6968B35C23ACB3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4473839350.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4473839350.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.1%
Total number of Nodes:	197
Total number of Limit Nodes:	18

Executed Functions

Function 0BB40330 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1c29dced5810eba31bdde81924e4ebeadae947c7919de544cc9d651a07d6e5
Instruction ID: 9ac1f2ee4642003f56f6aaa062953bd5474b2569f210795bd746ddc707c86666
Opcode Fuzzy Hash: 5f1c29dced5810eba31bdde81924e4ebeadae947c7919de544cc9d651a07d6e5
Instruction Fuzzy Hash: 55711671E45229CBDB68DF6AC8407E9BBB6BF89300F10C1EAC51CA6250EB741A85DF40

Function 08E87F8B Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f131ab20df42537c9fd697559d5805af4721f099b3ac9e193faae982590ae502
Instruction ID: fc1211ede0a71528c8d585bc3d68a05f7bd6f464a7f34d1d8305f9220e9d8728
Opcode Fuzzy Hash: f131ab20df42537c9fd697559d5805af4721f099b3ac9e193faae982590ae502
Instruction Fuzzy Hash: 9E410572D04219CBDB14DFAAC8406EEFBF6AF89311F14D46AD40D7B251DB3429498F90

Function 0BB406B1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feedae39536bba2beefe20bce0723bbf0b7ff6f1c2f7bfeac7127ca3a59e890
Instruction ID: ec38152ed20db9d747a0d5a91acae5f4afaf8508bb537ae8a097540d4dfd9913
Opcode Fuzzy Hash: 0feedae39536bba2beefe20bce0723bbf0b7ff6f1c2f7bfeac7127ca3a59e890
Instruction Fuzzy Hash: 10F01279D4D258DBCB10EB94A8401FCB7B8BB4B755F4430D2CA1DA7702D3304A845F55

Function 0BB4066D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681e6aeffaadb2d16eae986320dfa46fc651f5da7b4f8bf4e784be8925d7cdde
Instruction ID: 61cd8524d13d7ccb13e89eb93bcd3cd1f603f7aa9a62228890d03bacffc961fe
Opcode Fuzzy Hash: 681e6aeffaadb2d16eae986320dfa46fc651f5da7b4f8bf4e784be8925d7cdde
Instruction Fuzzy Hash: A6E0B639D4D198CBCB50EF94E8445FCB7B8BB8AB12F4030E1CA2EA7311D7309994AE01

Function 00C1D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C1D646
GetCurrentThread.KERNEL32 ref: 00C1D683
GetCurrentProcess.KERNEL32 ref: 00C1D6C0
GetCurrentThreadId.KERNEL32 ref: 00C1D719

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b92a77d1fe5e501c288477c45ce575067b68933b96bc73b7f0070e614658655a
Instruction ID: e4ab0608357e707d63308f85018a44adbb9fa9fb6090dacf3d4980bf3c1792ca
Opcode Fuzzy Hash: b92a77d1fe5e501c288477c45ce575067b68933b96bc73b7f0070e614658655a
Instruction Fuzzy Hash: 6F5166B0900349CFDB14DFAAE548BDEBBF1EF89304F208459E419A73A0C7755985CB65

Function 00C1D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C1D646
GetCurrentThread.KERNEL32 ref: 00C1D683
GetCurrentProcess.KERNEL32 ref: 00C1D6C0
GetCurrentThreadId.KERNEL32 ref: 00C1D719

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3d732bd335d0866512b8f065ae579fc77c9834136f5845e57dbdff3084b4a95a
Instruction ID: d26ac307b1f9750aaf99bf1482bc7f63cab6378e5dab39d5de6c4d6a59ad7e64
Opcode Fuzzy Hash: 3d732bd335d0866512b8f065ae579fc77c9834136f5845e57dbdff3084b4a95a
Instruction Fuzzy Hash: 6E5166B09003098FDB14DFAAD548BDEBBF1EF88304F208459E419A7360D7756985CB65

Function 07C01398 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 07C0163C
Haq, xrefs: 07C01609

Memory Dump Source

Source File: 00000000.00000002.2053369550.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 847fb59b86db4408068a06efa76b44062bd881b2ddb67d1a7fa1740b1cc6bfe9
Instruction ID: c97723b07f5ca7ed55d30030883dbb8e65cc1bdb425a49a196071fda5643ae36
Opcode Fuzzy Hash: 847fb59b86db4408068a06efa76b44062bd881b2ddb67d1a7fa1740b1cc6bfe9
Instruction Fuzzy Hash: BD917174A002198FCB14DFA9C595AADB7F2FF89310F2440A9E405AB3A1DB35ED45CFA1

Function 08E8E17C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E8E3BE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 094c26807884f22314f8a25e3ec28e32ce99d951719b4a2274a528702f7f79b1
Instruction ID: 04a6b696335fc0821fcea2599a2a1328e56e2f0a374bcbe5c1ebda9dc45b1c35
Opcode Fuzzy Hash: 094c26807884f22314f8a25e3ec28e32ce99d951719b4a2274a528702f7f79b1
Instruction Fuzzy Hash: 3AA17E72D0021ACFEB24DFA8C8417DDBBB2BF49315F148569E81DA7280DB749985CF92

Function 08E8E188 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E8E3BE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a25b52fa459291c7ab5e84ac5aba7b0024f7c3a52a3b196e340b18eac2ab1280
Instruction ID: 40781eb7bbd0c0da568eee8e7f39976e419886ae45aee037cab88c4d164b90fa
Opcode Fuzzy Hash: a25b52fa459291c7ab5e84ac5aba7b0024f7c3a52a3b196e340b18eac2ab1280
Instruction Fuzzy Hash: C0917E72D0021ACFEB24DFA8C8417DDBBB2BF49315F148569E80DA7240DB749985CF92

Function 00C1AF27 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B17E

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 600e704b86d404b3aad2bd80f9ec54da90f381bc8cd7f9f2472e095fd533433d
Instruction ID: 529d711c1ce04b9434c1f0d28d1826d1fc07983f3a82b747b73cdc2ed2a42579
Opcode Fuzzy Hash: 600e704b86d404b3aad2bd80f9ec54da90f381bc8cd7f9f2472e095fd533433d
Instruction Fuzzy Hash: AB7145B0A00B058FD724CF69C04179ABBF1FF89300F108A2DE49AD7A50D775E98ADB91

Function 07C05CC1 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C05DEF

Memory Dump Source

Source File: 00000000.00000002.2053369550.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a85a71d874e9e75c2aa148b304cb63ce86e8f16788de42851258f94a8d76ec8a
Instruction ID: 222feac2944a57698ac22bfc4a6460872642ed6b952764f39aac4765e7a8e2d1
Opcode Fuzzy Hash: a85a71d874e9e75c2aa148b304cb63ce86e8f16788de42851258f94a8d76ec8a
Instruction Fuzzy Hash: 1B4178B5D0438A8FCB01CFA9D884ADEBFB4EF49320F14815AE424A7291D730A655CFA1

Function 00C1590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C159C9

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 143f792f0147011f8c6f6c643f24996ec4fcec2c85297656cc555d5993698fd9
Instruction ID: 7822d8a77e17eaffb1c559831605d8d849c0eb7db0cba09a5fd09a9e95098994
Opcode Fuzzy Hash: 143f792f0147011f8c6f6c643f24996ec4fcec2c85297656cc555d5993698fd9
Instruction Fuzzy Hash: D941E1B0D00719CBDB24CFA9C884BDDBBB5BF89304F20815AD408AB251DB75698ACF91

Function 00C1449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00C159C9

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0fac64c9cf5fbedfe13c517bcd97d6a681646c61996200243ba4e34737d3f65e
Instruction ID: ed3be52904eb59a04874f8e49bf5c15d0b805f5bef31d622237c7fcb680478ff
Opcode Fuzzy Hash: 0fac64c9cf5fbedfe13c517bcd97d6a681646c61996200243ba4e34737d3f65e
Instruction Fuzzy Hash: 2941C1B0D0071DCBDB24DFA9C884BDDBBB5BF89304F20816AD408AB251DB756986DF91

Function 08E8DAF8 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E8DB90

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d3a998a6373c5c687dfbc44027154cba347d51f0af5224f100e4bd5518360def
Instruction ID: d23182c2a211264f36ca8f984b50fd82a8252e709ea81100d7a95ce8a142ebd9
Opcode Fuzzy Hash: d3a998a6373c5c687dfbc44027154cba347d51f0af5224f100e4bd5518360def
Instruction Fuzzy Hash: 8D2148B1D003499FDB10DFA9C885BEEBBF5FF88314F108429E959A7240D7789941CBA1

Function 08E8D528 Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08E8D5AE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5ee832800e7bad8e0fcd32620a12af87ee662e53479f26a2b1f1a2f779086b5d
Instruction ID: a1bb279b845067fb1403382fff29c2a6091c75c68a07a0006a071c60ff74ba7c
Opcode Fuzzy Hash: 5ee832800e7bad8e0fcd32620a12af87ee662e53479f26a2b1f1a2f779086b5d
Instruction Fuzzy Hash: 6F216872D00349CFCB10DFAAC8457AEBBF4EF99215F10842ED459A7281D7789545CBA1

Function 07C05D50 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C05DEF

Memory Dump Source

Source File: 00000000.00000002.2053369550.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 06b01e857efc54bbb8e0c018f21e79f81c87ea4dcc7fd9f725e4e5db05d9241a
Instruction ID: 3e9e855fb487ac7eece692b57dfc2e7ae2ed749b386486732b1cf81a32438c12
Opcode Fuzzy Hash: 06b01e857efc54bbb8e0c018f21e79f81c87ea4dcc7fd9f725e4e5db05d9241a
Instruction Fuzzy Hash: D431E0B5D0134A9FDB10CF9AD984ADEFBF5FB48320F14842AE819A7250D374A654CFA0

Function 00C1D808 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D897

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c08990593bfd890d49828242ff8c1fed659c8cc4254ae2be4d20e4fa0428ec0
Instruction ID: f941e104128752e74483fca249da406a8a1f8f91bab3ceae578773f8eab950a7
Opcode Fuzzy Hash: 2c08990593bfd890d49828242ff8c1fed659c8cc4254ae2be4d20e4fa0428ec0
Instruction Fuzzy Hash: 0B3137B5C0024A9FDB10CFA9D484ADEFFF4EB49320F14855AE964A7350C374A945DFA1

Function 08E8DB00 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E8DB90

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 32b02e1a7903695facda3ef43c6329ea45e5767a4690ff7e6aab82a3d787f30f
Instruction ID: f7417c85d7e6bb310d78ff6b57c5837753db6a16a6ecde26ab8adf2606a96d42
Opcode Fuzzy Hash: 32b02e1a7903695facda3ef43c6329ea45e5767a4690ff7e6aab82a3d787f30f
Instruction Fuzzy Hash: 372127B6D003499FCB10DFA9C885BDEBBF5FF48314F10842AE919A7240D7789955CBA1

Function 07C05D58 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07C05DEF

Memory Dump Source

Source File: 00000000.00000002.2053369550.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b24c069350bfe36e820dde022b2454c11bc9485e643483a3cc0fcbd7fdd5468a
Instruction ID: 25a858ce2ee7d03b7d0502c34a38fba896cd0e3b29c7fe30d83149f7e1cd816b
Opcode Fuzzy Hash: b24c069350bfe36e820dde022b2454c11bc9485e643483a3cc0fcbd7fdd5468a
Instruction Fuzzy Hash: 3321D2B5D0034A9FDB10CF9AD884A9EFBF5FB48310F14842AE819A7250D375AA54CFA0

Function 08E8DBE8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E8DC70

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6d281e4cb7ac58bc2d1bdfdf7f93bf7b370fe1bc73c0240001eeb7b276a357fd
Instruction ID: 0a2cd60d18cc2640bfc056c0bb257b649df91fedb96ea0611fa67385414668fd
Opcode Fuzzy Hash: 6d281e4cb7ac58bc2d1bdfdf7f93bf7b370fe1bc73c0240001eeb7b276a357fd
Instruction Fuzzy Hash: 7A2139B1D003499FCB10DFAAC885ADEFBF4FF48310F10842AE559A7240C7749551DBA1

Function 08E8DBF0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E8DC70

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3ce128f56510a063226f887b555536f2ade062282e92e7f5b0e24698a5c171dd
Instruction ID: 20c307e28ac824bfad6df59054f0f455dad5c499e336910b7e7194f926838363
Opcode Fuzzy Hash: 3ce128f56510a063226f887b555536f2ade062282e92e7f5b0e24698a5c171dd
Instruction Fuzzy Hash: 5B2139B1D003499FCB10DFAAC885ADEFBF5FF48310F10842AE519A7240C7789551DBA1

Function 08E8D530 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08E8D5AE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f801f19d81b3cb5997032216efb0c0ef748a336349f857b5cf9b639f493b43f1
Instruction ID: d59f5af8a829d7ddcebd342c769833697dc224a3dcad1f434acfe5aaf46154b0
Opcode Fuzzy Hash: f801f19d81b3cb5997032216efb0c0ef748a336349f857b5cf9b639f493b43f1
Instruction Fuzzy Hash: DC211871D003098FDB10DFAAC485BEEBBF4EF89315F14842AD559A7280DB78A945CFA1

Function 00C1D810 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D897

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aa58976cb6f8154ad8b2678dbe00f3f6fc537f4a2a87e56bdb2374b00003cee8
Instruction ID: 2543bc37f67e4ea8901f79aa9a72184293bd90401373ea99591ed461ab015f85
Opcode Fuzzy Hash: aa58976cb6f8154ad8b2678dbe00f3f6fc537f4a2a87e56bdb2374b00003cee8
Instruction Fuzzy Hash: EB21E2B5D002499FDB10CFAAD884ADEBBF8FB48310F14841AE918A3350D378A944CFA1

Function 08E8DA38 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E8DAAE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 068ed755ebb8afc556a4bfbabd62646f3151569e46789afae6b8bf61a812916f
Instruction ID: a67af53aceeb9c05e6c475ed083741782842059f8fdc9c84eb96aef084514986
Opcode Fuzzy Hash: 068ed755ebb8afc556a4bfbabd62646f3151569e46789afae6b8bf61a812916f
Instruction Fuzzy Hash: EB214A769002499FCB10DFAAC845AEFBFF5EF88314F208419E559A7250C7759541CBA1

Function 08E8DA40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E8DAAE

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd28da8c96d4c26ef6e9f8a4ca806bc53bbe9e56e4ebc33fdb5632325ca4cfb4
Instruction ID: 0a833f3c40326ac525d3af6eaa0b885b26f7f931922806e6462b0735a3f25b6f
Opcode Fuzzy Hash: fd28da8c96d4c26ef6e9f8a4ca806bc53bbe9e56e4ebc33fdb5632325ca4cfb4
Instruction Fuzzy Hash: 41116772D002499FCB10DFAAC845ADFBFF5EF88324F208419E519A7250C775A541CFA1

Function 08E8D478 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08E8D4E2

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d4aceff5ae2a96d2b40d1ef469b857e9b617c0aa7a15c4e0edf4cc4507fa7eec
Instruction ID: 5733f91362ae55b5f4c50b0060c0f70c67d5a0b172e259a2bcfbb44457b95e40
Opcode Fuzzy Hash: d4aceff5ae2a96d2b40d1ef469b857e9b617c0aa7a15c4e0edf4cc4507fa7eec
Instruction Fuzzy Hash: 4F1146B1D002898EDB24DFAAC8457DFFFF4AB88324F24841ED459A7240C775A545CBA1

Function 08E8D480 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08E8D4E2

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a7f9c2609c83f3d5dd0f9543ad8d8f6fd24b79bb0741a9dcb74119d8c7780e90
Instruction ID: 7034d472e01af6227028694cd9ed064152144fd9a951869e395b4cc2302f393e
Opcode Fuzzy Hash: a7f9c2609c83f3d5dd0f9543ad8d8f6fd24b79bb0741a9dcb74119d8c7780e90
Instruction Fuzzy Hash: 44113AB1D003498FCB20DFAAC4457DEFBF4EB88325F20841AD419A7240CB75A545CBA1

Function 0BB41468 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BB414CD

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 178f5c282146ad5621c378b70ca0e391bfb63bee120a582badacee8f0c1006ac
Instruction ID: 36d66b8b66260ccc60afa032bf963ceb9258dc26f02d74a1bfdab750201042da
Opcode Fuzzy Hash: 178f5c282146ad5621c378b70ca0e391bfb63bee120a582badacee8f0c1006ac
Instruction Fuzzy Hash: 7411E0B58002499FCB20DF9AD989BDEBFF8EB48310F10845AE559A7210C375A584CFA1

Function 00C1B118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B17E

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ea4130beeec153c6c9acd479586279393ab06e3057517f44a98d87ca2dc64345
Instruction ID: aa705dca34986b9c9feaa0c1bcf33e662a52ecd3000da9269dab47957936637e
Opcode Fuzzy Hash: ea4130beeec153c6c9acd479586279393ab06e3057517f44a98d87ca2dc64345
Instruction Fuzzy Hash: 1111F5B5C003499FCB10CF9AD444ADEFBF4EF89314F21841AD429A7210C379A945CFA1

Function 0BB41470 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0BB414CD

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 83dbef027fcbadae660200108461790f7be9fe5a2cfad90f6cde7ec12d556a3e
Instruction ID: 41245b48aeccbe7cf2a6b087f456ba86f27b192a7076c11d538cd980e349eab6
Opcode Fuzzy Hash: 83dbef027fcbadae660200108461790f7be9fe5a2cfad90f6cde7ec12d556a3e
Instruction Fuzzy Hash: 2211C2B58003499FDB10DF9AD585BDEBBF8FB48310F10845AD559A7240C375A584CFA1

Function 00A4D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047736120.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c49ca13edab5a07e821e9b29719a19e4462683b771aae589233e73f9d9538c
Instruction ID: 916749c77cb1bf8db4d2c099399bf08665e0e2e1464c915eb8d4e03d08b74f8c
Opcode Fuzzy Hash: 02c49ca13edab5a07e821e9b29719a19e4462683b771aae589233e73f9d9538c
Instruction Fuzzy Hash: E521F5B9504244EFDB05DF14D9C0B26BF65FBD8324F24C56DE90A0B256C33AE856CAA2

Function 00A5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047837905.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d140e29d535c53b8b9ff278167ecf8de5e753ea2d75999ff1eb0e69169db3f4
Instruction ID: eca34e531236440331dbcd1ee6688842ee8963dc83c7672e3ab68d18ca1bdb4a
Opcode Fuzzy Hash: 8d140e29d535c53b8b9ff278167ecf8de5e753ea2d75999ff1eb0e69169db3f4
Instruction Fuzzy Hash: 7B2104B1504200EFDB25DF14D9C0B2ABBA5FB84315F34CA6DEC094B292C376D84ACA61

Function 00A5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047837905.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6352fdd4a5cac29c838f021a4c4f54ede080104a8c0e1743f9616b42098fb1f
Instruction ID: fa252a3a327c67e4d87e57e1b3d7f617ca06adaac41849875b86859a680de1d1
Opcode Fuzzy Hash: f6352fdd4a5cac29c838f021a4c4f54ede080104a8c0e1743f9616b42098fb1f
Instruction Fuzzy Hash: 8D21F2B1604240EFDB24DF14D9C4B26BBA5FB84315F34C96DDC0A4B296C33AD80BCA61

Function 00A5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047837905.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b7cd732772bd0efa4d901215ddd4ad698eab71e876464662fce5f2f7bf0d67
Instruction ID: a7fe0a0ec6eb67f872513c9e0b3be0b59b4fb96c2b1c5dd60c275d91cb7692be
Opcode Fuzzy Hash: f9b7cd732772bd0efa4d901215ddd4ad698eab71e876464662fce5f2f7bf0d67
Instruction Fuzzy Hash: E42162755093808FDB16CF24D994715BF71FB46314F28C5DAD8498B6A7C33A980ACB62

Function 00A4D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047736120.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 3a400fd8d9828da98dcc89236e9adb5bd66c7b41aa54dde818a2a5514e01d617
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: F2112676404240CFCB02CF10D5C4B16BF71FBD4324F24C2A9D8090B656C33AE85ACBA1

Function 00A5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047837905.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: acf887e7acc9ce004de3608735eebc073c0c9f0d292a6aaf9d958851ef7245dd
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 6711BB75904280DFCB12CF10D5C4B19BBA1FB84314F24C6ADDC494B696C33AD84ACB61

Function 00A4D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047736120.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0ef4ed4333dc30053279711be9f13bb5933d14051c8687158b504fa63ff37c
Instruction ID: 7260aa90f58bef38c046189bccf1e9e319ebec925128ffee32e23dcadd8ebb8d
Opcode Fuzzy Hash: cc0ef4ed4333dc30053279711be9f13bb5933d14051c8687158b504fa63ff37c
Instruction Fuzzy Hash: 9B0126754053449AE7108B29CDC4767FFE8EFC0364F28C81AEC090A282C3789C40C6B1

Function 00A4D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047736120.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8e8d55ea1576d091f2ebebe708992cb8465391e0e89cb7351ddb741670bc23
Instruction ID: 874d155bcc957ce15bd8915ff87086c516e8325546a359e8b83f0811c1f9b1a1
Opcode Fuzzy Hash: ff8e8d55ea1576d091f2ebebe708992cb8465391e0e89cb7351ddb741670bc23
Instruction Fuzzy Hash: 33F0CD76405344AEE7108B1ADDC4B62FFE8EB90374F28C45AED080E286C3789844CAB0

Non-executed Functions

Function 0BB42678 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af0f5d3d7cfc9ae3135c02f2d910279dd0bdfae9a83786cc7e21a4c46f3372d
Instruction ID: f3297f606b694a146dcaa28f277019265e5b5e6c874e1fcb6dcb7b05ace38f24
Opcode Fuzzy Hash: 7af0f5d3d7cfc9ae3135c02f2d910279dd0bdfae9a83786cc7e21a4c46f3372d
Instruction Fuzzy Hash: A2D16A717116048FDB29EB79C450BAEB7E6BF89700F1484A9E246CB391DF34E841EB52

Function 08E8ABE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f800ec0c54273945a16c0737e49f700c191caf87225ddee69d0c27166d9497
Instruction ID: 5fc8a3ba66680d3f6650b1c0c86ae985f9bd67bfb19d0ef46291376bbca09a58
Opcode Fuzzy Hash: 89f800ec0c54273945a16c0737e49f700c191caf87225ddee69d0c27166d9497
Instruction Fuzzy Hash: 06E11A74E01159CFCB14DFA9C5809AEFBB2FF89305F24816AD418AB355D730A982CFA1

Function 08E8CC58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a63c622f4274fb2f4df8c391d20b21f787e610ce31e1a6816127a00a8e0f5af
Instruction ID: 7a142f6a1cb6b82fe6db8b0eac59416f7b846b947bd27140ba903a74575f35a4
Opcode Fuzzy Hash: 6a63c622f4274fb2f4df8c391d20b21f787e610ce31e1a6816127a00a8e0f5af
Instruction Fuzzy Hash: 43E10774E01119CFCB14EFA8C5809AEFBB2FF89305F249169D418AB355D731A942DFA1

Function 08E8B020 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73379e5722274a7327f1a1c5090d3731511ea1747b4c8c73c33179b000b50710
Instruction ID: ef5337304dbba1a4ec9ea2cf8c063c5df187954fbdc2743ee7cbdea289710153
Opcode Fuzzy Hash: 73379e5722274a7327f1a1c5090d3731511ea1747b4c8c73c33179b000b50710
Instruction Fuzzy Hash: 09E12874E00119CFCB14DFA9C5809AEFBB2FF89315F249169D418AB355D730A942CFA1

Function 08E8B458 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bd01d955909afb1a4ddf1786c510790059408fc5dbbc242c9dec115f3ef9c1
Instruction ID: 8c705f4a80b1b5cc0876ad20ae52550b88ad6b35fb5d32abfa39ab223701bb1b
Opcode Fuzzy Hash: 53bd01d955909afb1a4ddf1786c510790059408fc5dbbc242c9dec115f3ef9c1
Instruction Fuzzy Hash: 46E11674E01219CFCB14DFA9C5809AEFBB2FF89315F249169D818AB315D731A942CFA1

Function 08E8D608 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6ec72d48796de8cdca72ac1ea60543c691c80d9be13463261c6417dabf7fbb
Instruction ID: f89b95c962a4a75a761d804a3f8062a7d0f060f3d70371c65e741f6d17b47817
Opcode Fuzzy Hash: 5d6ec72d48796de8cdca72ac1ea60543c691c80d9be13463261c6417dabf7fbb
Instruction Fuzzy Hash: 52E11974E01119CFCB14DFA9C9809AEFBB2FF89305F249169D818AB355D731A942CFA1

Function 00C1D584 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048588738.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59834180269fd5bfbdf2be011ed17ac9102ec37ad91cb931008d0d284ac99b1
Instruction ID: f1736139d73d117249b53edfa2ca11bd3c670fdee9c732a6bfd94a89f26b369d
Opcode Fuzzy Hash: a59834180269fd5bfbdf2be011ed17ac9102ec37ad91cb931008d0d284ac99b1
Instruction Fuzzy Hash: A8A15C36A002099FCF05DFB5C8405DEB7B2FF86300B25857AE815AB261DB71E996DB80

Function 08E8ABC8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aed583311b42f3e5e43de9fb5c8dac65bc5512d78a4f2b4a80afb0b6a557163
Instruction ID: 83312a063e0bc0a35c3bd0340e2ebac0877277b7721ca8b333d397e6d251ff8d
Opcode Fuzzy Hash: 5aed583311b42f3e5e43de9fb5c8dac65bc5512d78a4f2b4a80afb0b6a557163
Instruction Fuzzy Hash: 57514B71E042298FCB14DFA9C9809AEFBF2EF89305F24816AD418AB355D7305942CFA1

Function 08E8D5F8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606a4ffd6d5fd1d369bf7f590ee2cbb9e1c62f96340f9266a2bc676fb2a57762
Instruction ID: 2554b8bfc591240958a6e8fb0ba02a6e0ad7bb6cebd8165031c4d22105c54628
Opcode Fuzzy Hash: 606a4ffd6d5fd1d369bf7f590ee2cbb9e1c62f96340f9266a2bc676fb2a57762
Instruction Fuzzy Hash: AB515A70E002198FCB14DFA9C9405AEFBF2FF89304F24816AD858AB356D7319942CFA1

Function 08E8B447 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6842927700f4bcb16120afd68873182f823bca342279fa8d84ca3662899b28
Instruction ID: 3c7fbd7b236123d39b8f3d3b57ffc421f7c053bb6bbe981d63d27e58d9123140
Opcode Fuzzy Hash: ed6842927700f4bcb16120afd68873182f823bca342279fa8d84ca3662899b28
Instruction Fuzzy Hash: B85107B1E012198FCB14DFA9C5819AEFBF2EF89315F24816AD458AB315D7309942CFA1

Function 08E8ABDF Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053441893.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e80000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa482a596cb475e64ce3dfc678eea52c6bc69248d01438aa27d65c215ccd9f7b
Instruction ID: 8f80eb3d758eb6b0c6917e95a04ec05a8248ba28ee40773debf8710dd5befc67
Opcode Fuzzy Hash: fa482a596cb475e64ce3dfc678eea52c6bc69248d01438aa27d65c215ccd9f7b
Instruction Fuzzy Hash: AB51E671E012298FDB14DFA9C5809AEFBF2FF89305F24816AD418AB355D7319942CFA1

Function 0BB40320 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054352856.000000000BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb40000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add9b966a1bdeb373b4526926d9e664b607f7f6c181e151f48019e6c1d676b8f
Instruction ID: 4ea496558a457afbfb220e83d8af275b9f90849b6ff97aa76e4cc7c77e16f508
Opcode Fuzzy Hash: add9b966a1bdeb373b4526926d9e664b607f7f6c181e151f48019e6c1d676b8f
Instruction Fuzzy Hash: 7931B471D097288BEB28DF6B99043DABAF7AFC9300F04C0AA8558A6265DB340985DE41

Analysis Process: TECHNICAL SPECIFICATIONS.exePID: 5960, Parent PID: 6480COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	188
Total number of Limit Nodes:	17

Executed Functions

Function 06E03568 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E03C90
$]q, xrefs: 06E03C73
$]q, xrefs: 06E03CC0
$]q, xrefs: 06E03C67
$]q, xrefs: 06E03CB4
$]q, xrefs: 06E03C9C

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ba9bf72df4fa87477970dd83a02c71acce97f3a112e9821db0c10202f163f655
Instruction ID: 7ed6eb8c98821fae189c5d11a9ed7da5e2164a03c188ca6d1de860c5c0f8ff5b
Opcode Fuzzy Hash: ba9bf72df4fa87477970dd83a02c71acce97f3a112e9821db0c10202f163f655
Instruction Fuzzy Hash: 84323C31E1071A8FDB14DF79D89459DB7B2FFC9304F2096AAD409AB254EB30AD85CB90

Function 06E07E60 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E081CF
$]q, xrefs: 06E081C3

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 2229cc95e379393a30bca880ccc9296c2cc6e3e5a2d813965e7bb15747a25137
Instruction ID: 737c9ddc454bbbd01dbd3c68f1ec41aef4eb16ef514d0a41790b45d95f82d4dd
Opcode Fuzzy Hash: 2229cc95e379393a30bca880ccc9296c2cc6e3e5a2d813965e7bb15747a25137
Instruction Fuzzy Hash: 22029131B002069FEF54DB69D8946AEB7F6FF84304F249569D815AB380DB35EC86CB81

Function 06E0C260 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7801533e45d5c3ba1fc41f33bf4966237d23c744d2f3288ca97bf640dc6758f9
Instruction ID: 69dffff1f4e084b74781d1c8d71cdda73e8f4d7854adc4302b05e53d7e8dddfc
Opcode Fuzzy Hash: 7801533e45d5c3ba1fc41f33bf4966237d23c744d2f3288ca97bf640dc6758f9
Instruction Fuzzy Hash: 2C328175B112059FEB54DF68D484BADB7B2FB88714F209629E405E7381DB34EC82CB91

Function 06E056A8 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31853c1ecf37da44b455c44c47c3d3aaf504eff2ddbc768edfcd954cd777923
Instruction ID: 9932dc04766a0f79b7b7399349ddb5c41e87aa7676017ef921c88b7e6389ea4d
Opcode Fuzzy Hash: a31853c1ecf37da44b455c44c47c3d3aaf504eff2ddbc768edfcd954cd777923
Instruction Fuzzy Hash: F112E135F003058FEF60DBA4D9846AEB7B2EB85324F249469D8599B385DB34DC82CF90

Function 06E0ADA8 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E0AF1C
$]q, xrefs: 06E0AF74
$]q, xrefs: 06E0AEC9
$]q, xrefs: 06E0AED5
$]q, xrefs: 06E0AF4B
$]q, xrefs: 06E0AF28
$]q, xrefs: 06E0AF80
$]q, xrefs: 06E0AF57

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: edbd38e3536d30f50419436d9f7ec46545b92ee00f818a346482c82a05c57271
Instruction ID: 981d998a107ac9c04229fcf3446349d82a23dfc052bc5cab16d0a719bc6e62b7
Opcode Fuzzy Hash: edbd38e3536d30f50419436d9f7ec46545b92ee00f818a346482c82a05c57271
Instruction Fuzzy Hash: 2CE15170E1030A8FEB65DF69D4846AEB7B2FF85304F209529E405AB385DB35DC86CB91

Function 06DFA0D1 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DFA15E
GetCurrentThread.KERNEL32 ref: 06DFA19B
GetCurrentProcess.KERNEL32 ref: 06DFA1D8
GetCurrentThreadId.KERNEL32 ref: 06DFA231

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b74888c0576e2e269bf6655c84392252d829b81d2b76ae33b714bf101a04f223
Instruction ID: 91cc6b968d22eea31c70058896a474b01f05128d21915f51ce8684318eaad29d
Opcode Fuzzy Hash: b74888c0576e2e269bf6655c84392252d829b81d2b76ae33b714bf101a04f223
Instruction Fuzzy Hash: 995185B0D1034ACFDB54DFAAD848BAEBFF1AF48304F258059E109A7350D7345884CB62

Function 06DFA0E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06DFA15E
GetCurrentThread.KERNEL32 ref: 06DFA19B
GetCurrentProcess.KERNEL32 ref: 06DFA1D8
GetCurrentThreadId.KERNEL32 ref: 06DFA231

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f0307135c49dee3995676a3ca8ab4d94603c3de47268b969967ffed9d1e6f012
Instruction ID: 05dc84f32d76cdd3acddd63462ce934af1352e64a4aaadeed1e89ee759598be9
Opcode Fuzzy Hash: f0307135c49dee3995676a3ca8ab4d94603c3de47268b969967ffed9d1e6f012
Instruction Fuzzy Hash: B75164B0D1030ACFDB54DFAAD948BAEBBF2EF88304F258419E509A7350D7745984CB66

Function 06E09230 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E092B2
$]q, xrefs: 06E09277
$]q, xrefs: 06E092BE
$]q, xrefs: 06E09283

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 457fc5e081f8439eb28a78119a1b9ab95ff90c5a1610a2d0b8f50db12b43dc03
Instruction ID: 023fc2ee1c9d2642e9657893b9e31be021ca4a02dfa679c1c2b47b6da4f90c53
Opcode Fuzzy Hash: 457fc5e081f8439eb28a78119a1b9ab95ff90c5a1610a2d0b8f50db12b43dc03
Instruction Fuzzy Hash: DA917F31B0020A9FDB54DF69D8507AEB3F6FF89204F109569C80DEB385EB749D868B91

Function 06E0D030 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E0D427
$]q, xrefs: 06E0D42F
$]q, xrefs: 06E0D43B

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 7af0b33fe822cff8e4d15f9eec9750c32c8681ebfc1b724369471d5a672a14aa
Instruction ID: ca134d1ff1217b0a6cd5b16b98a80f7884da6d4e58668d7bd09ea4a0a28b1e85
Opcode Fuzzy Hash: 7af0b33fe822cff8e4d15f9eec9750c32c8681ebfc1b724369471d5a672a14aa
Instruction Fuzzy Hash: 32624D70A1120A8FDB55DBA8D880A5DBBF3FF84304F218A69E4059F355DB75EC86CB81

Function 06E04C70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06E04C9B
\Obq, xrefs: 06E04E4B
XPbq, xrefs: 06E04DC1

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: be1d2a151088726a7ccdc21cd8b6d553e2402f5fd51cec9e708b75234e021a41
Instruction ID: e5b97b3e09c49c460128dfe48da78c016a1af872096b75564664a4be65b10672
Opcode Fuzzy Hash: be1d2a151088726a7ccdc21cd8b6d553e2402f5fd51cec9e708b75234e021a41
Instruction Fuzzy Hash: 96616E70F00219DFEB54DFA5C858BAEBAF6FB88700F208529E105AB3D5DB754C458B91

Function 06E0922F Relevance: 2.7, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E092B2
$]q, xrefs: 06E09277

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 7cb20b24f7fd171fd5ae8f03305803b01a9548a8cf0b7b30ccded842189c9fc1
Instruction ID: 38479bbdf60c477da70745554907058a9710c04f7c832ac2b9d6a4db8f9c1880
Opcode Fuzzy Hash: 7cb20b24f7fd171fd5ae8f03305803b01a9548a8cf0b7b30ccded842189c9fc1
Instruction Fuzzy Hash: 5B514031B002069FEB54DF79E854BAE73F6FF89604F109469C809EB385DB349C468B91

Function 06E04C61 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06E04C9B
XPbq, xrefs: 06E04DC1

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: f45eb0a1d46e3771fb0dfaafc1faaeace721fa3b881b317a9c63a5dc4a4b1433
Instruction ID: 2956402a43759f4ea504ac14ea63b3a7d3fe7e2279ad90c5df494b64533ea721
Opcode Fuzzy Hash: f45eb0a1d46e3771fb0dfaafc1faaeace721fa3b881b317a9c63a5dc4a4b1433
Instruction Fuzzy Hash: 25515D70B00209DFEB54DFA5C854BAEBBF7FF88700F208529E105AB395DA758C428B95

Function 06DF672C Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DF684A

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0e949b4f2c6959a75b70d7008955fa55cda97c451071ac807892743b4c96897c
Instruction ID: 52d7bd9ff216f2fbdf5db99c0845a6e8eb076a7b866f36d54739a46c7286bb07
Opcode Fuzzy Hash: 0e949b4f2c6959a75b70d7008955fa55cda97c451071ac807892743b4c96897c
Instruction Fuzzy Hash: F051D2B0C10349AFDB14CF9AC884ADEBBB5FF89310F65812AE919AB250D7759845CF90

Function 06DF6738 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DF684A

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fd010eb804c24d216c2f9e1f0b71bc091a2acbf998904c05c0aedd77e5ea4cdb
Instruction ID: 65f1be58074b53f007cac35c92d3a9865a1728d8d5a0acfc23deeba06ed6337d
Opcode Fuzzy Hash: fd010eb804c24d216c2f9e1f0b71bc091a2acbf998904c05c0aedd77e5ea4cdb
Instruction Fuzzy Hash: A241C0B1D103499FDB14CF99C884ADEBBB5BF88310F25812AE919AB250D775A845CF90

Function 06DFA0B4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06DFB679

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2f020c2398d96366d3c91330d777c659a4a3b1ed9ca83bf9f5d494787ccc7b28
Instruction ID: ef93c2b857c9020e76883cf4ec3955b18bc32c0750481057cdcfc85f74249dd8
Opcode Fuzzy Hash: 2f020c2398d96366d3c91330d777c659a4a3b1ed9ca83bf9f5d494787ccc7b28
Instruction Fuzzy Hash: 7D4138B4910305CFDB54DF99C888AAABBF5FF88314F25C459E519AB321D375A841CFA0

Function 06DFBF07 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06DFBF90

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b6f647b5235b90841dcabf7e527b602325b1cde984f8bc097f45ef2e6bde6f30
Instruction ID: f94e511f260878fce57fbd1cf1fead14319dde9d5397448c562bf710eadf0b47
Opcode Fuzzy Hash: b6f647b5235b90841dcabf7e527b602325b1cde984f8bc097f45ef2e6bde6f30
Instruction Fuzzy Hash: 933111B0D11208DFDB54CF99C984BCEBBF5AF48304F24802AE504AB290D7B5A945CFA5

Function 06DFBF08 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06DFBF90

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 579219f33f0179741f0c0ad116412f52bcb0bea4c7274e5f04d16440e4c9d648
Instruction ID: 70f553f51b3d1ae7fba3852088289349bc6ab5b60a78503af09308a5d2912763
Opcode Fuzzy Hash: 579219f33f0179741f0c0ad116412f52bcb0bea4c7274e5f04d16440e4c9d648
Instruction Fuzzy Hash: E2311FB0D11208DFDB54CF99C988BCEBBF5AF48304F24802AE504AB290D7B5A945CFA5

Function 06DFBD60 Relevance: 1.6, APIs: 1, Instructions: 70comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DFBE15

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ee328e97eaccd0d46f2995b3d151bf03f06c1ccc548939301268bf0efa3382ea
Instruction ID: f98104596ff443349b409e651850a92144358a8e774e63250439f091b9486a44
Opcode Fuzzy Hash: ee328e97eaccd0d46f2995b3d151bf03f06c1ccc548939301268bf0efa3382ea
Instruction Fuzzy Hash: 7021ACB1D203848FCB20DFA9D545BDABFF4EF49324F10485AD586A7200C379A588CBA1

Function 06DFA320 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DFA3AF

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 750d7e12de2375c8c6c668d501c852378ac982c256962776aaa08a594ea5c7a3
Instruction ID: 183e2866868b808143882aa8e1f0e2087d4d62c5cc21ed9c9a7c87cef2e5f4a2
Opcode Fuzzy Hash: 750d7e12de2375c8c6c668d501c852378ac982c256962776aaa08a594ea5c7a3
Instruction Fuzzy Hash: 8221D2B5D102499FDB10CFAAD885ADEBFF8EB48310F15841AE958A3350D374A954CFA1

Function 06DFA328 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DFA3AF

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2acf1a3cf9d00a17896c09d548359082341f80680d4b8c2e147e69fd0884778a
Instruction ID: 295b37c0208e9fdd5ace020f89abc45a6b3d52fffcdac5a584f19bc7dfeb6c75
Opcode Fuzzy Hash: 2acf1a3cf9d00a17896c09d548359082341f80680d4b8c2e147e69fd0884778a
Instruction Fuzzy Hash: 4921E2B5D102099FDB10CFAAD884ADEFBF8EB48310F14801AE918A3310D378A944CFA1

Function 017C8038 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 017C80B0

Memory Dump Source

Source File: 00000004.00000002.4472900401.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17c0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 636c7233bb20102cfd8832950e72301ac9034b9d83286e35941502837ff79e2a
Instruction ID: 01dbdce92c666f441a69363444927e92df79746d62e454c38257c9d645561ec5
Opcode Fuzzy Hash: 636c7233bb20102cfd8832950e72301ac9034b9d83286e35941502837ff79e2a
Instruction Fuzzy Hash: 462127B1C0061A9BDB14CFAAC445BDEFBB4FB48720F158529D819B7240D378A944CFA2

Function 017C77B0 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 017C80B0

Memory Dump Source

Source File: 00000004.00000002.4472900401.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17c0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 77239452bddb3405bddeb0f761db6f751e83ac9d62137afc920e7a16bf7f95eb
Instruction ID: c44b75742903a3741f0acfa9cffc5cb6f0035173e60fea36676d8eca04e48303
Opcode Fuzzy Hash: 77239452bddb3405bddeb0f761db6f751e83ac9d62137afc920e7a16bf7f95eb
Instruction Fuzzy Hash: 552147B1C0065A9BCB20CF9AC444BAEFBF4EB48720F10812DD818B7240D378A940CFA2

Function 06DFDCC8 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DFDD4B

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7d98ba48d238da206b729d54149b97e1f23e802e759140f3980691e4b983be24
Instruction ID: b4dc1ecbd94949707f20a6826af6d35fa5e9ac51495316a2319a848cc4bb1218
Opcode Fuzzy Hash: 7d98ba48d238da206b729d54149b97e1f23e802e759140f3980691e4b983be24
Instruction Fuzzy Hash: A22130B6D102098FCB14CFA9D944BEEFBF5BF88310F14842AE459A7250C774AA45CFA1

Function 06DFDCD0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DFDD4B

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 11275d4581c13a12d968336a9f72064df6915ce39dc9864853b6352a372aea13
Instruction ID: 3a7b0dc9b84bff804ddf7976615c917f9e5f63b2dc16e9a0a32460ff2804579b
Opcode Fuzzy Hash: 11275d4581c13a12d968336a9f72064df6915ce39dc9864853b6352a372aea13
Instruction Fuzzy Hash: 802110B5D102098FCB14DF9AD844BEEFBF5AF88310F10842AE419A7250C774A944CFA1

Function 017CF0A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 017CF107

Memory Dump Source

Source File: 00000004.00000002.4472900401.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17c0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ad3b8656cf1ecf857817fc1249070ee55a48fd15a019c676ad5663337b7db25b
Instruction ID: 458d8292882f437ddcc12454605252026d5a9f926eb05934588df938e12d9f22
Opcode Fuzzy Hash: ad3b8656cf1ecf857817fc1249070ee55a48fd15a019c676ad5663337b7db25b
Instruction Fuzzy Hash: 461120B1C1065A9BCB10DFAAD445BDEFBF4AF88320F11812AD818B7240D378A944CFA1

Function 017CF09F Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 017CF107

Memory Dump Source

Source File: 00000004.00000002.4472900401.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_17c0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 38b0384a03014d6dd301e0256ad875726cfaf9d885fca573a42bf40474e7f8c6
Instruction ID: ef5b9d94fc4c76850768eb8152e8d4e02db246b3ba89473cfed24b554e81877f
Opcode Fuzzy Hash: 38b0384a03014d6dd301e0256ad875726cfaf9d885fca573a42bf40474e7f8c6
Instruction Fuzzy Hash: 3911F0B2C1065A9BDB10DFAAD545BDEFBF4AF48320F15816AD818B7240D378A944CFA1

Function 06DF4648 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06DF56F6

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cd4b12bc689aa868450171734056cc47ef4bdd8d9c3d7aa482a30c4ece270b67
Instruction ID: 254d89dc7dd826ffc8a86d8da44a8ec17169b77ed7d37f87923007073a98f80d
Opcode Fuzzy Hash: cd4b12bc689aa868450171734056cc47ef4bdd8d9c3d7aa482a30c4ece270b67
Instruction Fuzzy Hash: F51132B5C103498FDB10DF9AD448BDEFBF4EB88210F11842AD529B7200C374A545CFA1

Function 06DF5688 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06DF56F6

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7c7c25a7004f308fad734c30529cd38ca196ab85b8dfadf3d85847fb942b23c2
Instruction ID: fc7997519522219f0975f293e6f8f46d3f1483354959afeb962db96dd3681935
Opcode Fuzzy Hash: 7c7c25a7004f308fad734c30529cd38ca196ab85b8dfadf3d85847fb942b23c2
Instruction Fuzzy Hash: 0911F0B5C102498FCB10DF9AD849ADEFBF4EF88220F21846AD969B7200D375A545CFA1

Function 06DFBDB9 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DFBE15

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: eda32e9ff03530c177310adb4aede47dbbe08225eced11e36ce38ff86572afec
Instruction ID: 927f051a6744437121c9815080f8184d8539d3c6a1da41484699dd5bd70504f6
Opcode Fuzzy Hash: eda32e9ff03530c177310adb4aede47dbbe08225eced11e36ce38ff86572afec
Instruction Fuzzy Hash: 2411F2B5C103498FCB20DF9AD489BDEFBF4EB48324F20845AD959A7200D379A944CFA5

Function 06DFAF64 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06DFB8CD), ref: 06DFB957

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c50bb8b1cde28740f121d5ccf7f70a60b6b946338ab5cd205a62bc2b61afa40d
Instruction ID: 06bdcbc820279038041e06e059b084752d0e32cfd893955405f7669083921522
Opcode Fuzzy Hash: c50bb8b1cde28740f121d5ccf7f70a60b6b946338ab5cd205a62bc2b61afa40d
Instruction Fuzzy Hash: 1311F2B1C102498FDB50DF9AD444B9EBBF4EB88310F20846AD529B7250C774A944CFA5

Function 06DFB19C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DFBE15

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6f8c94b76b31804a817e442cf625533435208646ccd14c423c38aa47c0dba987
Instruction ID: b2696b1d7187d82b7939a48599c6ffbb60d50e1165df1c7384c19648f1a62129
Opcode Fuzzy Hash: 6f8c94b76b31804a817e442cf625533435208646ccd14c423c38aa47c0dba987
Instruction Fuzzy Hash: 3211F2B5C102498FDB20DF9AD449B9EBBF8EB48310F20845AD619A7200D374A944CBA5

Function 06DFB8F0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06DFB8CD), ref: 06DFB957

Memory Dump Source

Source File: 00000004.00000002.4493041618.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: cc6ea9c142ecdbd0ae5fb0dd1414f00feeff07d87139814bb6d0b8ead2d836fa
Instruction ID: ec09f376a60e6177505a1c17aed8a7c63b26d58cfe62c0a241b623ba7f7f4dcc
Opcode Fuzzy Hash: cc6ea9c142ecdbd0ae5fb0dd1414f00feeff07d87139814bb6d0b8ead2d836fa
Instruction Fuzzy Hash: DB11F2B5C002498FCB10DF9AD445BDEFBF4EB89324F20846AD569B3250C774A944CFA5

Function 06E0DBB8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E0DD01

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 71ed2b981fc886371e897162719949098f61e52fd76d530e57155935ce592961
Instruction ID: daf98fe4ce449435d6f092a3710269efde783e545872d871e0b7a81b22234397
Opcode Fuzzy Hash: 71ed2b981fc886371e897162719949098f61e52fd76d530e57155935ce592961
Instruction Fuzzy Hash: 2E419470E0030ADFEB65DFA5C89469EBBB2FF45354F204529E405EB284DF709981CB91

Function 06E0DBA5 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E0DD01

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 3aa953ec8de53e277386600338c8a196b1dcedc2216c2af7f8333725019d44c1
Instruction ID: 72e8e198e0ebc994c3ea033efeb52ec0ac2d78f0686665b43c960133dcb38124
Opcode Fuzzy Hash: 3aa953ec8de53e277386600338c8a196b1dcedc2216c2af7f8333725019d44c1
Instruction Fuzzy Hash: 1841C370E00305DFEB65CFA4C88469EBBB2FF45314F248929E405EB284EB70D886CB91

Function 06E021C5 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E02313

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 936be77c11aaa602b4482db2812c68caac45bd83d5dd79fda9f07febbf8c6c0b
Instruction ID: 4f9c5e144c770e995feee7ee7fade7fe52e1c37b22b70335fb867a7563dc8d53
Opcode Fuzzy Hash: 936be77c11aaa602b4482db2812c68caac45bd83d5dd79fda9f07febbf8c6c0b
Instruction Fuzzy Hash: 3E310331B003028FEB599BB4D45866E3BE3EF89254F248528D406EB381DF39DD86C795

Function 06E021D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E02313

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 1e2dd1d7a0272c8d2c0bb6b1415591cddd7b979cf46b285e64b37552709beb40
Instruction ID: 3893bd9e7b1c7895657d2822d41c12e9750337715d28470ef02c0d1ec99e39e0
Opcode Fuzzy Hash: 1e2dd1d7a0272c8d2c0bb6b1415591cddd7b979cf46b285e64b37552709beb40
Instruction Fuzzy Hash: 7531D030B103068FEB599BB4D45866E3AE3BF89254F209538D406EB384DF39DD86CB95

Function 06E04B59 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 06E04B65

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: f40c2d5d8b6e40f5f2489e114d1d613b38720baf8f735dee6e3bdb5962b39c7b
Instruction ID: 0c1d2eb563a74894993dbfcf7cad640c921a1bd47ff8cc7f7e32d7a2aed60d38
Opcode Fuzzy Hash: f40c2d5d8b6e40f5f2489e114d1d613b38720baf8f735dee6e3bdb5962b39c7b
Instruction Fuzzy Hash: A5F07A31A64219DBEB14DF94E999BAEBBB2FF84615F204119E502A72D8CBB41C41CFC0

Function 06E0B310 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b913733e28a8ee5a3df1d389a87a0891d6459b6ec8a6632dacc3dc18d93c72f
Instruction ID: 2f87a757ac7ce52a0a2f8a8fda018cf0b1a07013efcd41f1cb533b6f700c435a
Opcode Fuzzy Hash: 2b913733e28a8ee5a3df1d389a87a0891d6459b6ec8a6632dacc3dc18d93c72f
Instruction Fuzzy Hash: 34A18174F102098BEF64DA6DD8947AE76B6FB89314F215429E409EB3C1CB39DCC18792

Function 06E0B2FF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e9d63ccb987ed9a8eac04d61f06419d4cd33639df24a98a2116723ed0c1bf5
Instruction ID: 6afbf4cb4540556ee65a2af58e38003bb7d39d6a400695269d059fd8abac9a0c
Opcode Fuzzy Hash: 06e9d63ccb987ed9a8eac04d61f06419d4cd33639df24a98a2116723ed0c1bf5
Instruction Fuzzy Hash: 7CA17174F102098BEF64DAADD4947AE76B6FB89314F215829E409EB3C1CA39DCC18751

Function 06E0B728 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed11d2e00ab875f947acd8047c78bd306ca7dff24b66f9a6fbb1b09e88b07aa
Instruction ID: 8f9416b95e3c082b730ad3c2e181a23bd908d0236cf1c54bf037252b382f4627
Opcode Fuzzy Hash: eed11d2e00ab875f947acd8047c78bd306ca7dff24b66f9a6fbb1b09e88b07aa
Instruction Fuzzy Hash: 33B14A70E1020A8BEFA4CB68D4847ADB7B1FB45318F249966E454EB391C736DCC1CBA1

Function 06E0B721 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda1db4266b7621bce8151fef28268ff7a37f26e054e65d147c31bb8d6f28baa
Instruction ID: 6af9257971d90997b3d43071bbc057495cfae261d60b51e94d31413094f219f7
Opcode Fuzzy Hash: fda1db4266b7621bce8151fef28268ff7a37f26e054e65d147c31bb8d6f28baa
Instruction Fuzzy Hash: D7A11A70E1020A8BEFA4CB58D484BADB7B1FB45318F649926E419EB391D736DCC1CB91

Function 06E06DF8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e017fbd41fd9faa54b1cd01194f5a085f2bc06f195a25f31e96a48a7470736f9
Instruction ID: 2c50e3df1ab19e4b3ac752779d22fa4a795dc9d7db18fe198dff2d773b43f037
Opcode Fuzzy Hash: e017fbd41fd9faa54b1cd01194f5a085f2bc06f195a25f31e96a48a7470736f9
Instruction Fuzzy Hash: 7FA18D30A003058FEB64DF68D958BADB7F2EF84314F559569E419AB390DB35EC86CB80

Function 06E059E0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55922742a5676b83e4813963927a351d931e65f8ee5a9d526dd44c8040d9e6bb
Instruction ID: d22933e66a1971eb5cbae1f801d3f4dc4cdd839a725e0c219aff60eaa493dad5
Opcode Fuzzy Hash: 55922742a5676b83e4813963927a351d931e65f8ee5a9d526dd44c8040d9e6bb
Instruction Fuzzy Hash: 82916E31F003059BEB14DFA4D9D4AAE77B6EB84314F209929D806AB384DB34ED46CF91

Function 06E059DF Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a63522eae14cb5a4e72e3867bef2cf7f65b311dbf022b6093f836576905315
Instruction ID: 30cee0c0234f092b264f44dd1db73397b4282550da1cf8b6981f816d816cb7bb
Opcode Fuzzy Hash: 83a63522eae14cb5a4e72e3867bef2cf7f65b311dbf022b6093f836576905315
Instruction Fuzzy Hash: F9916C71F003059BEB14DFA4D9D4AAE77B6EB84314F209929D806AB384DB34ED46CF91

Function 06E062D8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c8ab94a1223e263c7c6a50aa8d6a2883249fdae5bf6ba58d3ec90c7c7e2baf
Instruction ID: 83968f334a5d1fcf31787579dbec851800f39c0dcc3e41c34cc208d670804fa0
Opcode Fuzzy Hash: 78c8ab94a1223e263c7c6a50aa8d6a2883249fdae5bf6ba58d3ec90c7c7e2baf
Instruction Fuzzy Hash: A961B0B1F001214FEB149A6EC88466FBAD7AFD4224F254479E80EDB360DE79DD4287D2

Function 06E043A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18759ad7dee1c5c3b18859e95cecc2099dc7ad4d74eda49f33b5e16d89b3d0e
Instruction ID: 296c972804c978674c75e3e7415c05012f09034e28abc937cc15318183ef39cc
Opcode Fuzzy Hash: c18759ad7dee1c5c3b18859e95cecc2099dc7ad4d74eda49f33b5e16d89b3d0e
Instruction Fuzzy Hash: E5814B34B10606DFEF44DFA9D55479EB7F2AB88304F209528D50AEB3D4EA34DC868B81

Function 06E043B0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655567c31c46eb47e42a5fda5db90e69cb5ad20e1fa2488771b9724d3dfd4da
Instruction ID: 96c1e9c4de79ff45ce1530c3a869ab9233ed9e4888202230240f15a8042b8020
Opcode Fuzzy Hash: 1655567c31c46eb47e42a5fda5db90e69cb5ad20e1fa2488771b9724d3dfd4da
Instruction Fuzzy Hash: 0F814E30B10606DBEF54DFA9D55475E77F2EF88304F209429D50AEB394EA34DC868B81

Function 06E043AF Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c19183169d237d48c75679c4b872eb321f4180382e0725b65bfe3afea24a1e8
Instruction ID: 0f2178da4a9db9f62123e9dffe2bacfd1bcabfc3ec0e094bf236e22ea89e46f1
Opcode Fuzzy Hash: 8c19183169d237d48c75679c4b872eb321f4180382e0725b65bfe3afea24a1e8
Instruction Fuzzy Hash: 88814D71B10606DBEF44DFA9D55479E77F2AF88304F209429D50AEB394EA34DC868B81

Function 06E046D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7119e415b7bf9f3d071db7889b325e2509535c4981261255fb4bc5c648631736
Instruction ID: eb6662a91a69280a3f817c78eaf37d2e24e71a6c8f00765e8fb6cc083f5fa2c1
Opcode Fuzzy Hash: 7119e415b7bf9f3d071db7889b325e2509535c4981261255fb4bc5c648631736
Instruction Fuzzy Hash: 7B912E30E1021ACBEF60DF68C990B9DB7B1FF89304F208599D549AB395DB70AA85CF51

Function 06E046D7 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd5d154ca4d762fcdae09a7213b4d90060ae19114468df030bed09f54325f52
Instruction ID: 0cfc1ef4039cec74d9635e9b6b55a45148cc849bea3d85ea9ba503be70d2ab8e
Opcode Fuzzy Hash: 1fd5d154ca4d762fcdae09a7213b4d90060ae19114468df030bed09f54325f52
Instruction Fuzzy Hash: DF914E30E1021ACBEF60DF68C990B9DB7B1FF89304F208599D549AB385DB70AA85CF50

Function 06E0F018 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e609e15ca5e8197ad1dd9b631745f84067366c63f6e36039b2f54e7baa98e89
Instruction ID: 69aad23fa56ef5430e312ad25e52c4352fb234006f95845102fa8ada74577d86
Opcode Fuzzy Hash: 0e609e15ca5e8197ad1dd9b631745f84067366c63f6e36039b2f54e7baa98e89
Instruction Fuzzy Hash: F9714F70A012099FDB54DFA9C990A9DBBF6FF88304F249529E405EB395DB30EC86CB50

Function 06E0F017 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b5391a20dc10bec186610ca964e9e028a2cf4f090fd82a234c7b93f3f6b962
Instruction ID: df19f53b0f32b987e09c7bce0c9911152c9957a24c594333c2ff72fd3559ae0c
Opcode Fuzzy Hash: 02b5391a20dc10bec186610ca964e9e028a2cf4f090fd82a234c7b93f3f6b962
Instruction Fuzzy Hash: 62714E74A012099FDB54DFA9C990A9DBBF6FF88304F248529D405EB395DB30EC86CB50

Function 06E0FC98 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41343f6f724c2f302d633990ec0a46747701d83a03e520521d35aecb18753f85
Instruction ID: c55f18650a3dda24c4d04b2f42ba323ca3a0195370af04914aea0606de33a596
Opcode Fuzzy Hash: 41343f6f724c2f302d633990ec0a46747701d83a03e520521d35aecb18753f85
Instruction Fuzzy Hash: 1F51C471E01205DFEB64DB78E4446ADBBB2FB84329F108869E506D7281DF358D96CB81

Function 06E0FA48 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b7ba56c13459d1d8bf6db718c5e1f42f328ec39b6fd5a3f68a0a70058bb036
Instruction ID: c16dc441679d57a3429e23a0c9f17883503b2668b29140ca637d53df3e789d42
Opcode Fuzzy Hash: b9b7ba56c13459d1d8bf6db718c5e1f42f328ec39b6fd5a3f68a0a70058bb036
Instruction Fuzzy Hash: 4451D5B4B212059BFF745A6CDC9472F3A5AD78D304F20052AE90AC73D4CA2CCCE187A2

Function 06E0FA58 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce78ce16ab2e25a65ce74fa35d2adad21cf2e7852973af3b4e49be8106e8004
Instruction ID: 7ffb6c20bf858554e28ed7063477cd52e32c55160ebcbd5d90651e2d90f4c858
Opcode Fuzzy Hash: 2ce78ce16ab2e25a65ce74fa35d2adad21cf2e7852973af3b4e49be8106e8004
Instruction Fuzzy Hash: E051C3B4B312059BFF7456ACDC9472F265AE78D714F20052AE90AC77D4CA2CCCE187A2

Function 06E05528 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce85f5e908870611855a6c638f30a95f9756527398eb3b5c155d7cd2fbe55d64
Instruction ID: db651ad0fb17b7083912afabc0c3f1efd45d0677973546204a938b3dc4d256bd
Opcode Fuzzy Hash: ce85f5e908870611855a6c638f30a95f9756527398eb3b5c155d7cd2fbe55d64
Instruction Fuzzy Hash: 1D413C71E107098BEF60CE99D980AAFFBB6EB94214F10492AE116D7690D731E9858F90

Function 06E0DA59 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e175003077ec17b2a83b805de92160246fdac29aad7ffe9949ef159a0b1a81
Instruction ID: f99b3c985e91698b079dd91ddcf5c19118731e0d1ed32b375f06651cfd7c4ab3
Opcode Fuzzy Hash: 34e175003077ec17b2a83b805de92160246fdac29aad7ffe9949ef159a0b1a81
Instruction Fuzzy Hash: A8318670E1070A8FDF15DFA5D8906DEBBB2EF45314F208929E405EB244DB74A986CB41

Function 06E056A7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5d8e4b5fe12d71baab424716925f8aac459d2fea47365737f3f7f05e06b6d4
Instruction ID: 3f3b3e247b84702c8d682d363135275268621d6bd9df61d2041957c686fef0db
Opcode Fuzzy Hash: de5d8e4b5fe12d71baab424716925f8aac459d2fea47365737f3f7f05e06b6d4
Instruction Fuzzy Hash: F431A175E103058FEF608FA8C68066EB7A1FB45324F24982AD859EB2D1C234D981CFA1

Function 06E02089 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bd9d5696a53c1caa8b80d855ea0e4f78482d5e005be9da9554f37b6fcee8ac
Instruction ID: cca33c85b3a4207aa7171b634745fb750b1bd58842622bfebc9aa6eabf16246b
Opcode Fuzzy Hash: 62bd9d5696a53c1caa8b80d855ea0e4f78482d5e005be9da9554f37b6fcee8ac
Instruction Fuzzy Hash: CD318470E142059FEB15CFA4D89869EB7F2EF89304F10C919E905E7341DB71AD46CB51

Function 06E02098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1875b10bd8c6f4d0cd6ad6066db8b315c6a0eaae511427baa0ef2c891f2d185c
Instruction ID: b7591b6cad8e144eb28e85bc06ac82add12089715aeaa2fccf463c639125bfee
Opcode Fuzzy Hash: 1875b10bd8c6f4d0cd6ad6066db8b315c6a0eaae511427baa0ef2c891f2d185c
Instruction Fuzzy Hash: 4A317270E142098FDB19CFA5D89869EB7F2EF89304F10C919E916E7340DB71AD86CB51

Function 06E03FB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b49c899d262a075ce9a106cbc67ce641f3c33e29957fc1cce37834f8752bf94
Instruction ID: 8b432dda5fa7f1e4b3f7702d6e055f58bf43430163f698eb0d9dc21eff1885fe
Opcode Fuzzy Hash: 9b49c899d262a075ce9a106cbc67ce641f3c33e29957fc1cce37834f8752bf94
Instruction Fuzzy Hash: 93218B76F01205DFEB50CF69E984AAEB7F5EB88710F109029E905E7390E735DD418B92

Function 06E03FB7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddb7321021cd6c6ffd1415b0c2d81fa86018f99aef654924f9c2c0831cf35de
Instruction ID: 2a4859177af52e2399c880560683c5ced85d66e8bc0e0a2c05c79e020f66fde9
Opcode Fuzzy Hash: eddb7321021cd6c6ffd1415b0c2d81fa86018f99aef654924f9c2c0831cf35de
Instruction Fuzzy Hash: C6218976F012059FEB40CFA9E984AAEB7F1EB88710F108025E905E7390E735DD418B92

Function 016FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4472508264.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16fd000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d186c13f246bceb893912d1ab8ff4d8c6115261b815b322fc8681a27946c6b
Instruction ID: d34fa65fd82e5292975efb681f2710554ff6567beff8372b8b3d0bb2f6607f0b
Opcode Fuzzy Hash: 50d186c13f246bceb893912d1ab8ff4d8c6115261b815b322fc8681a27946c6b
Instruction Fuzzy Hash: E22134B1504200EFDB15DF98DDC0B26BBA5FB84314F24C56DDA0A4B382C33AE407CA62

Function 016FD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4472508264.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16fd000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96edce2a6786b2d12395caa3edc74d6dba45409383efe35054367b1922afbd5
Instruction ID: 3240de7a172573817bcbd1d6d8bf13ea1ddf7bf65241a11644408fb3d775b32f
Opcode Fuzzy Hash: f96edce2a6786b2d12395caa3edc74d6dba45409383efe35054367b1922afbd5
Instruction Fuzzy Hash: D921D4B1604244DFDB05DF58DDC0B26BFA5FB84319F24C66DDA094B396C336E846C661

Function 016FD006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4472508264.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16fd000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c9f5e79e3c642ee4097b661c4e0d28e60200db4bdc0d96e7c9a29133d24b4a
Instruction ID: e089c9b0499bede46e2d60066d3cdf6f1b3df7ce9d235b85a4c5dff95051f4cd
Opcode Fuzzy Hash: 73c9f5e79e3c642ee4097b661c4e0d28e60200db4bdc0d96e7c9a29133d24b4a
Instruction Fuzzy Hash: 4F214B715093C09FC703CF64D994711BF71AB46214F29C5DBD9898F2A7C33A981ACB62

Function 06E06DF7 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fbf1a3eac57d99769056d532b6cf184d11010026229c5d298f3b4ebc6d1be6
Instruction ID: ac0e28ad7497c28b39cc0abcb4f712ed6d06b98c153b6ccd2cc76ca2595e96d4
Opcode Fuzzy Hash: c5fbf1a3eac57d99769056d532b6cf184d11010026229c5d298f3b4ebc6d1be6
Instruction Fuzzy Hash: D521E171B012159FEF44CA68E9547ADB7B3EF84314F149425E809EB3C0DB30ED968B80

Function 06E03567 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df5186142ac0fab901278b9904016ecb595571444ccab18060c24ad27b5fb1b
Instruction ID: e71ddeeed96d0b1253face9a74c0c2674988c8ec771262098678ee40ddafd727
Opcode Fuzzy Hash: 8df5186142ac0fab901278b9904016ecb595571444ccab18060c24ad27b5fb1b
Instruction Fuzzy Hash: A41193B5E002168FDF68DB68D8811DEF7B5EB89310F10996AD119EB340DA31DA81CF91

Function 06E040C8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7e28dd82b058796f10ab61bc51699cbf2e084c40d9070de1fe425982b1698a
Instruction ID: fdb9f886a1c2dbce8615e3c576acf17f288b0d8d76f23bea055444cb20839ec3
Opcode Fuzzy Hash: df7e28dd82b058796f10ab61bc51699cbf2e084c40d9070de1fe425982b1698a
Instruction Fuzzy Hash: 2511A136B10225CBEB549669DC146AE73F6EBC8315F008539D50AE7394EE35DC068BD2

Function 06E0AFF8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4738c0c6b5378e1aadcb22b76d1444ccf1a40974f7c44a16699c60643e744848
Instruction ID: b83ec3f297abdc7e9b35e55aaa6a81f8eac03061ac65539622c5541e1a800017
Opcode Fuzzy Hash: 4738c0c6b5378e1aadcb22b76d1444ccf1a40974f7c44a16699c60643e744848
Instruction Fuzzy Hash: A9119131D1471E8BDF21CFA5C4406DEBBB5BF85300F10452AD805FB240EBB1A985CB81

Function 06E0F287 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732e0413e4e89f6e664e6b10afd820c399e6f1e7eba7f39859e45aa3e9260aed
Instruction ID: d9f85902f9dfc42aa165cc5eddf6f92831d1da480f69c1bad2b99a0d41bb5279
Opcode Fuzzy Hash: 732e0413e4e89f6e664e6b10afd820c399e6f1e7eba7f39859e45aa3e9260aed
Instruction Fuzzy Hash: 63014C76F002014FDB21C5B8D46836E6BD2CBC5214F10482AE509CB380DE24CD868395

Function 06E0A3E3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1269f92b69fe04eae77661c808ecda6c21e2b4c5b312861430916c4252595c
Instruction ID: bb4c9ceef029ddec787f0cdb9d1e127908831c289455c85cc3f089bc05cd176b
Opcode Fuzzy Hash: 4f1269f92b69fe04eae77661c808ecda6c21e2b4c5b312861430916c4252595c
Instruction Fuzzy Hash: 51014735B103101FE751967CE85876FB7E2DB86318F10883AF00ADB392CE28DD828781

Function 06E04300 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76397adaf566741830289366d4f59b73d3ed0fcf5f2f48a511316b2f66c4980
Instruction ID: 254dd8eed5b5af874cec9444091ba722a3e309d14468e19bd42c7a6faa00dc75
Opcode Fuzzy Hash: a76397adaf566741830289366d4f59b73d3ed0fcf5f2f48a511316b2f66c4980
Instruction Fuzzy Hash: AE01A775700301CFEBA5866CD55871EBBE6EBC9315F20A829E20ECB3D1D929ED828355

Function 016FD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4472508264.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16fd000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5579b083a50cc5d9e4ccc55ce504f2965e3ec9196ae8fb77b77903d6534710be
Instruction ID: d804eda0baefb89508c4f700caadebbdba8ef266c814f5ed2db6bfe023ef3ea3
Opcode Fuzzy Hash: 5579b083a50cc5d9e4ccc55ce504f2965e3ec9196ae8fb77b77903d6534710be
Instruction Fuzzy Hash: 29118B75504284CFDB06CF54D9C4B15BFA2FB84218F24C6ADD9494B796C33AE44ACB51

Function 06E03D88 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7ac9d235858748a79781badc04ea7ad9313601abe6b37d85f04105134e7fff
Instruction ID: 3b8546026a1325d2a7dd2acaa32c819f4b6df1f6cf02473970f6463dcaa42b48
Opcode Fuzzy Hash: 4e7ac9d235858748a79781badc04ea7ad9313601abe6b37d85f04105134e7fff
Instruction Fuzzy Hash: F611B0B5D01259AFDB00DF9AD885ADEFFB8FB48314F50812AE918A7240C374A954CFE5

Function 06E04310 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014fd97800b719be9be256289ba4511591b638d38f26111b8ef25d6b52d7ee51
Instruction ID: c23b1c403c76dbbb530e0ee1284fca5b2567882eaaf207985298aa287294386d
Opcode Fuzzy Hash: 014fd97800b719be9be256289ba4511591b638d38f26111b8ef25d6b52d7ee51
Instruction Fuzzy Hash: CC01A231B002118BEB64957DD54872FA6DADBC9614F209839E20EC73C0ED69EC424395

Function 06E03D87 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6debabc6838fe2645fb50de93cd1376ae340059bcb0987677eccea9dc893e7f4
Instruction ID: ae2cdcfa920e8e4d0c59474ad8454080b89f80e792c1f6242e670831f3fda70c
Opcode Fuzzy Hash: 6debabc6838fe2645fb50de93cd1376ae340059bcb0987677eccea9dc893e7f4
Instruction Fuzzy Hash: A911BDB5D01219AFDB00DF9AD985ADEFBB4FB48314F10822AE918B7240C374A954CFA5

Function 06E0F298 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f1884c98b8227d0f38a9722db9e25bb8dcde509bdf73a65a7a8339b308d95e
Instruction ID: 9743553fb996698565435bbabb3ecc85a0d679bd2a0fd3d379731dae8ecf4ba7
Opcode Fuzzy Hash: e9f1884c98b8227d0f38a9722db9e25bb8dcde509bdf73a65a7a8339b308d95e
Instruction Fuzzy Hash: 0E01D135B102110BEB75D5BDD46872F66D6DBC9628F20882AF50AC7380DE25DD824396

Function 06E0430F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5779dc15679329c524428717bd3d7e190e9f74e24823ac202a80dea9598f64
Instruction ID: c54ddaeeeddb361b4028c5e5275924a234c2b7c8540072b2f8d100c662c5d34b
Opcode Fuzzy Hash: 1b5779dc15679329c524428717bd3d7e190e9f74e24823ac202a80dea9598f64
Instruction Fuzzy Hash: 8901D175B002118BEB6585BCD54872FA7DBEBC8615F209839E20ECB3C0ED29EC824395

Function 06E0A3F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9f90ea5e08b2e38662cc8ee1694f07c7351639cc71b2ff9b815c6070fcc34a
Instruction ID: a68e669853e1ab2b8e86eefd4bfbcc472925c6935d72994a67d923c1046a57ac
Opcode Fuzzy Hash: ea9f90ea5e08b2e38662cc8ee1694f07c7351639cc71b2ff9b815c6070fcc34a
Instruction Fuzzy Hash: 8201D135B102155BEB60D66DE44872FB7E6EB8A718F108839E50AD7381DE25EC828785

Function 06E040C7 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eff16cca2c6072c405f85ce2c11b5cc4e33cf0d2f1e33c0f75c57d66a25ce5
Instruction ID: 8aae74bf9570ed60fed9fc06f35bc9c3c18207c1a2f7e9f8202d08d79531a66c
Opcode Fuzzy Hash: 43eff16cca2c6072c405f85ce2c11b5cc4e33cf0d2f1e33c0f75c57d66a25ce5
Instruction Fuzzy Hash: F7018136B101259BEB9595A9DD143AE72EBABC8215F004136D60AE7284EE25CC1687D2

Function 06E0C8C0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5e5ca233552b8cfaa4ca062ae518641e66f8af510c2f594d2aa580350e9a19
Instruction ID: db558f096ba7e7d7c3e1d059d6781595546ea831d65be020b2656226689be462
Opcode Fuzzy Hash: 8e5e5ca233552b8cfaa4ca062ae518641e66f8af510c2f594d2aa580350e9a19
Instruction Fuzzy Hash: EA01F4B1F22328ABDB14DA69E840A9EB776EB84714F204539E905EB380DB31AC41C7C4

Function 06E06568 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02033aacef49996b4cf93f1f1e51190a933cde1f571e1fcd23a89474ba532b0
Instruction ID: cd4d42525604d8e6488835457c5e9540ed421d5872609567288726c2d1dfa819
Opcode Fuzzy Hash: b02033aacef49996b4cf93f1f1e51190a933cde1f571e1fcd23a89474ba532b0
Instruction Fuzzy Hash: 24E0C274E10308AFEF50CEB0D90975E73ECEB0121CF2088A4D808DB286E172CA919780

Function 06E06567 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe1ed44de82a22f53902a3c146a3b3963b3ae2d6432ef043069ac53a80d5022
Instruction ID: f13c5c6a9f7d2d284cbbeccd4ec89161c5826180510d9cacc7d956009fe02e09
Opcode Fuzzy Hash: 9fe1ed44de82a22f53902a3c146a3b3963b3ae2d6432ef043069ac53a80d5022
Instruction Fuzzy Hash: BCE01275E142099EEF90CEB0DB4935E73E8EB4121CF205DA5D408EB285E176CA919780

Non-executed Functions

Function 06E07780 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E078D6
$]q, xrefs: 06E07D0B
$]q, xrefs: 06E07CF5
$]q, xrefs: 06E07D01
$]q, xrefs: 06E07C56
$]q, xrefs: 06E078CA
$]q, xrefs: 06E07D17
$]q, xrefs: 06E07899
$]q, xrefs: 06E078A5
$]q, xrefs: 06E07C62

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 7439fa20378707adddeb7a0afb34c7ea05e235e8a86d844907785504f17743b0
Instruction ID: 2dba09a9415b65d6d00e54674d6a6dcc2fa5aa0d1da7b024cb560630ce85a1d1
Opcode Fuzzy Hash: 7439fa20378707adddeb7a0afb34c7ea05e235e8a86d844907785504f17743b0
Instruction Fuzzy Hash: 61121E70E00219CFEF64DF69C894A9DB7B2BF89704F209569D409AB394DB30AD81CF91

Function 06E0AA10 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E0ABC2
$]q, xrefs: 06E0ABCE
$]q, xrefs: 06E0AB61
$]q, xrefs: 06E0AB98
$]q, xrefs: 06E0AB6D
$]q, xrefs: 06E0AB06
$]q, xrefs: 06E0AB12
$]q, xrefs: 06E0AB8C

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: f3d57513936f419fc751bdb33b9aace6e7ff5dd4cf278d13b2fb9da3aca032a5
Instruction ID: aa057b92b61c39e30041efbe08120bdf1faf583f554de06d145adbc68505ca1d
Opcode Fuzzy Hash: f3d57513936f419fc751bdb33b9aace6e7ff5dd4cf278d13b2fb9da3aca032a5
Instruction Fuzzy Hash: EF917D70A0030D9FEB68DB69D584BAEB7F2EF44305F209539E801AB295DB749D81CF80

Function 06E07180 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E074C8
$]q, xrefs: 06E074BC
.5uq, xrefs: 06E071DB
$]q, xrefs: 06E07688
$]q, xrefs: 06E0761C
$]q, xrefs: 06E07462
$]q, xrefs: 06E07694

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: eae55d3e04dd82db44eb48b422a01f8531471e80e8884ccaa34d01bc95924f23
Instruction ID: 2d94b7a480c89715d4a0229fc95d7ebe63b8d1326fc7a04930739a5cd62048fe
Opcode Fuzzy Hash: eae55d3e04dd82db44eb48b422a01f8531471e80e8884ccaa34d01bc95924f23
Instruction Fuzzy Hash: 22F15D74B01209DFDB58DFA9D498A6EB7B2FF88305F249569D4059B394CB34EC82CB81

Function 06E0BAE0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E0BCAD
$]q, xrefs: 06E0BCED
$]q, xrefs: 06E0BCB9
$]q, xrefs: 06E0BC85
$]q, xrefs: 06E0BC79
$]q, xrefs: 06E0BCE1

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 18261871fac8ba1ba3471bf5f2fb57c4bd31d3ac6f33459f0940fea7fc93b6ae
Instruction ID: 97e1c07d2a17c203d6e623bff64631b2e70d176dd5b2537311aa1eac4894e715
Opcode Fuzzy Hash: 18261871fac8ba1ba3471bf5f2fb57c4bd31d3ac6f33459f0940fea7fc93b6ae
Instruction Fuzzy Hash: E0717370E1021A8FEB68DFA8D4806ADB7B2FF84704F11996AD405DF284DB76DD85CB81

Function 06E084B8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E08777
$]q, xrefs: 06E0871E
$]q, xrefs: 06E08783
$]q, xrefs: 06E08712

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 0333f0a47b7fd80e33df3d1803bd3364e178202d799d811a97f851ab1ca1db99
Instruction ID: e3976b29aeb056f0473ce4c09ecd8dccf443951edd165b9113b964e49e2870b1
Opcode Fuzzy Hash: 0333f0a47b7fd80e33df3d1803bd3364e178202d799d811a97f851ab1ca1db99
Instruction Fuzzy Hash: DCB13B30B10209CFEB68DFA9D4946AEB7B2FF84304F649569D405AB394DB35DC82CB91

Function 06E088D0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06E089C3
LR]q, xrefs: 06E08A12
$]q, xrefs: 06E0895B
$]q, xrefs: 06E0894F

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 4880da48d0cb0ea1e9e2018d2e8d8eec784f748aeef6c410b6c3942e73d5afe5
Instruction ID: 1426d43960c929e7db3768fa5881fc3dd77283560a7b01a8a3febf6370d21600
Opcode Fuzzy Hash: 4880da48d0cb0ea1e9e2018d2e8d8eec784f748aeef6c410b6c3942e73d5afe5
Instruction Fuzzy Hash: 7351D4307003069FEB58EB29D854A6B77F6FF89304F208969E4069B394DB34EC81CB95

Function 06E0ADA7 Relevance: 5.2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E0AF1C
$]q, xrefs: 06E0AF74
$]q, xrefs: 06E0AEC9
$]q, xrefs: 06E0AF4B

Memory Dump Source

Source File: 00000004.00000002.4493193297.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e00000_TECHNICAL SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 455a9e51a21067342191bf8ed5585f877c1f5a878081bce022dd9a24027e8001
Instruction ID: 0ae2d5afe1e6204b4f8d9dfa21ed08149279405602c997537cb7aebaafcb1f15
Opcode Fuzzy Hash: 455a9e51a21067342191bf8ed5585f877c1f5a878081bce022dd9a24027e8001
Instruction Fuzzy Hash: A8517D70A103098FEF65DB68D5846ADB3B6EB84304F249939E405A7385DB34EC82CB91

Analysis Process: newapp.exePID: 7516, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	100
Total number of Limit Nodes:	4

Executed Functions

Function 0962E17C Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0962E3BE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4e25a5be605470f8b697e1412ade613ee7adf926782a62b3bc85b92842fb1b1a
Instruction ID: e7125c01e1b3ec3020917eb761acdac4dad593614b3b84668b6b76f1f12bf38e
Opcode Fuzzy Hash: 4e25a5be605470f8b697e1412ade613ee7adf926782a62b3bc85b92842fb1b1a
Instruction Fuzzy Hash: 74A16E71D006298FDF25CFA8C8417EDBBB2FF48314F1485A9E819A7280DB759985CF92

Function 0962E188 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0962E3BE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0ac8411be65935c1f702d149f46f934a350854c2e2e6f27f509dd01bcf8a5203
Instruction ID: 091d92bad0ee94224f19285b9016cbc6a8aabc75519df3de0109f35de5ab2fe2
Opcode Fuzzy Hash: 0ac8411be65935c1f702d149f46f934a350854c2e2e6f27f509dd01bcf8a5203
Instruction Fuzzy Hash: 09914D71D016298FDF25CFA8C8417DDBBB2FF48314F1485A9E809A7240DB759985CF92

Function 031AAF19 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031AB17E

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 12cb33d8d4277d41b0c5dc82542316e1c8c6bccf6df92dc760d1eb706084f3cf
Instruction ID: 0ae4f9e5fdc002395ed884e22e0ad03fa06f42db64a8f3d16c56766f3ee6eaa1
Opcode Fuzzy Hash: 12cb33d8d4277d41b0c5dc82542316e1c8c6bccf6df92dc760d1eb706084f3cf
Instruction Fuzzy Hash: 6A8156B4A04B458FD724DF29D45479ABBF5FF88301F04892EE48AD7A40DB35E845CB91

Function 031A590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031A59C9

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fe45ba0ea494ff39ee3a130763830cb71597e47b83f0757d483c129e571da999
Instruction ID: 9620f6b94cd3ba2e17d32b56c8c1d8eb0be0445b77817ffa1fa120ba4d84ac6f
Opcode Fuzzy Hash: fe45ba0ea494ff39ee3a130763830cb71597e47b83f0757d483c129e571da999
Instruction Fuzzy Hash: 7441EFB4D0462DCBDB24CFA9C884A8DBBB6BF49304F20806AD408AB251DB756946CF91

Function 031A449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031A59C9

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3348d14f096c6598509f21b8b76212da95539c6ea424c78cae4cb98171880849
Instruction ID: e65ebe6e1b72ef7b87347eeec7c3f1777a2879ec40c57f0f2888ff0afc427848
Opcode Fuzzy Hash: 3348d14f096c6598509f21b8b76212da95539c6ea424c78cae4cb98171880849
Instruction Fuzzy Hash: D141D1B4D0472DCBDB24DFA9C884BDDBBB6BF49304F20806AD408AB251DB716946CF91

Function 0962DAF8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0962DB90

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7bb0d648d4b393d69e7bf637ca8da546336ab5d19e82692f281cb25a5218ad91
Instruction ID: a4cd4eef4199643fe8b271ad62e36808ec131cecb257a8a71f346917e71422ba
Opcode Fuzzy Hash: 7bb0d648d4b393d69e7bf637ca8da546336ab5d19e82692f281cb25a5218ad91
Instruction Fuzzy Hash: B52155B1D003599FCB10DFA9C881BEEBBF4FB88310F10842AE919A7240C7789941CFA1

Function 0962D528 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0962D5AE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 646fc10da2053fcc328453c45c58ff108f802fd66553595c1413eb1c5678911a
Instruction ID: 5c49837081148aa70ac44f371a61625a46c09a1312bbbc006a2fb17375f6b6ca
Opcode Fuzzy Hash: 646fc10da2053fcc328453c45c58ff108f802fd66553595c1413eb1c5678911a
Instruction Fuzzy Hash: 99217A71D007098FCB10CFAAC4457EEBBF4EF49314F20802AD519A7280D7789545CFA1

Function 083A5D50 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 083A5DEF

Memory Dump Source

Source File: 00000006.00000002.2195146819.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83a0000_newapp.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1b2b7ce64f838350961c6630cfbf6c2ba61f95d8599d69d9dd4c47ca059bbc05
Instruction ID: 7c031d8e19fcf6fd9e6d8bef1b6ed448068c65694ba1b8e58b32b88716ab349c
Opcode Fuzzy Hash: 1b2b7ce64f838350961c6630cfbf6c2ba61f95d8599d69d9dd4c47ca059bbc05
Instruction Fuzzy Hash: EB31B1B5D012499FDB10CF99D884ADEFBF5FB88320F14846EE919A7210D374A954CFA1

Function 083A5D58 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 083A5DEF

Memory Dump Source

Source File: 00000006.00000002.2195146819.00000000083A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_83a0000_newapp.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d2747eaa3c5f9e4347828512a1448d491594b2f0748edcf62d8459b9fb273f1e
Instruction ID: 2afa83b7be23e5067bea704736972d3d30a7c1e877d4086ce19f039b1e4ecc5b
Opcode Fuzzy Hash: d2747eaa3c5f9e4347828512a1448d491594b2f0748edcf62d8459b9fb273f1e
Instruction Fuzzy Hash: C621C0B5D003499FDB10CF9AD884A9EFBF5FB48310F14842EE919A7210D374A944CFA0

Function 0962DB00 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0962DB90

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3e422183fb776eb251d79ce4a74fc02e6e37f633d7c8342df9dd94b674ff0ac5
Instruction ID: ad081f2e41a2bdf452843b6b7f38e401ec877bb6384fb2400fa1d1e85e4f435e
Opcode Fuzzy Hash: 3e422183fb776eb251d79ce4a74fc02e6e37f633d7c8342df9dd94b674ff0ac5
Instruction Fuzzy Hash: 982113B5D003599FCB10DFA9C885BDEBBF5FB88310F10842AE919A7240D7789954DBA1

Function 0962DBE8 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0962DC70

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e5a63d82ff5a947663d0505fc4452df579537ea10befe47f082be24026afcbfe
Instruction ID: 397759607959634ec78fadbe1d3cf2c577ecc6c58b7fcf85fb07d18f39f6ba5c
Opcode Fuzzy Hash: e5a63d82ff5a947663d0505fc4452df579537ea10befe47f082be24026afcbfe
Instruction Fuzzy Hash: A12148B5D003599FDB10DFAAC885AEEFBF4FF48320F10842AE919A7240C7749541DBA1

Function 031AD808 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031AD7D6,?,?,?,?,?), ref: 031AD897

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 517ccdff063c6fc6a31bbc45be2461b1d643fb75e1d896012c309872d9b34a69
Instruction ID: 2a84aa7033c82e6b3f3c8fb70c96da6e1d6d1ded387961cee98ebb31483247fd
Opcode Fuzzy Hash: 517ccdff063c6fc6a31bbc45be2461b1d643fb75e1d896012c309872d9b34a69
Instruction Fuzzy Hash: F72116B5C002489FDB10DFAAD985ADEFFF8EB48310F14841AE918A3310D374A954CFA1

Function 031ABCA0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031AD7D6,?,?,?,?,?), ref: 031AD897

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 316517703f1255ca38ae330378f59be620e655277e9ac4872e610c4138643254
Instruction ID: 64039be6364fedaeaac19e2d8cbd716e14ab1f0a3d31b25dd7e80df6b3870c1b
Opcode Fuzzy Hash: 316517703f1255ca38ae330378f59be620e655277e9ac4872e610c4138643254
Instruction Fuzzy Hash: CD2116B5D007489FDB10CF9AD584ADEFBF8EB48310F14841AE918A3310D374A954CFA1

Function 0962DBF0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0962DC70

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ec5aaf9aeda4c552fbf976b2638b4b0b3cccfb574eb8e927c37af788e5a4b0ce
Instruction ID: 8f58624277529b85cf8d43783a5603f5f02e5653d9ec617f94b678edb767783c
Opcode Fuzzy Hash: ec5aaf9aeda4c552fbf976b2638b4b0b3cccfb574eb8e927c37af788e5a4b0ce
Instruction Fuzzy Hash: E12128B1D003599FCB10DFAAC845ADEFBF5FF48310F108429E919A7240C7749541DBA1

Function 0962D530 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0962D5AE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 08fc4884f3e02f14ef1bda060e383b56bbbe0adbcb27e63d96bec62c668aa8e0
Instruction ID: dd33c86aab23bef4461467164e033f7a13f835f38dd5bfd6a3b1c103a17343fa
Opcode Fuzzy Hash: 08fc4884f3e02f14ef1bda060e383b56bbbe0adbcb27e63d96bec62c668aa8e0
Instruction Fuzzy Hash: C1211871D007198FDB10DFAAC4857EEBBF4EF89314F148429D519A7280DB78A945CFA1

Function 0962DA38 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0962DAAE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1772ff4365d70c284d313c665b95c4291aaf8d81b5f202382bf551325b2045f5
Instruction ID: 81b42b6c1f5a9c222950cc714f866c46ab487b3d72a2e6d265d58049d6e3ab3f
Opcode Fuzzy Hash: 1772ff4365d70c284d313c665b95c4291aaf8d81b5f202382bf551325b2045f5
Instruction Fuzzy Hash: 982167728002499FCB10DFA9C845AEEBFF5EF88320F20841AE519A7250CB35A541CFA1

Function 0962DA40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0962DAAE

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9695e804286d8337cb618567497ffffdc18a6b44641892e566d01febbf950831
Instruction ID: 428036623da546f4722a9042e9f7177ab777247cdba7b566efa84c57fe0010e8
Opcode Fuzzy Hash: 9695e804286d8337cb618567497ffffdc18a6b44641892e566d01febbf950831
Instruction Fuzzy Hash: 8B115671C002499FCB10DFAAC845ADEBFF9EB88320F20841AE519A7290C775A540CFA1

Function 0962D478 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0962D4E2

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2de2296041354aec6116eb1b54a84a973c014d9f3a7aeb345646b915047199b5
Instruction ID: 6812cb0b28e118e61c715804f4c74d6af5cc3517f892765d86577ef39a96ed76
Opcode Fuzzy Hash: 2de2296041354aec6116eb1b54a84a973c014d9f3a7aeb345646b915047199b5
Instruction Fuzzy Hash: 691158B1D006498FCB20DFAAC8457EEFFF4EB88324F20841AD819A7240CB35A545CFA1

Function 0962D480 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0962D4E2

Memory Dump Source

Source File: 00000006.00000002.2195497153.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9620000_newapp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6576e65e0fb7efb42277b7bdf8b731f5b934ec13668541e3e44535c4939f48a8
Instruction ID: c5f86a087d45c07510f046440b92021e3cf16e15aa53cb36246ac616d9d30c5f
Opcode Fuzzy Hash: 6576e65e0fb7efb42277b7bdf8b731f5b934ec13668541e3e44535c4939f48a8
Instruction Fuzzy Hash: 491136B1D003498FCB20DFAAC4457DEFBF8EB88324F20841AD519A7240CB75A945CFA1

Function 031AB118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031AB17E

Memory Dump Source

Source File: 00000006.00000002.2187537672.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_31a0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 021b01f35f3b23a14f18197a398bb7674bb88950ccf0f854128267e922e32835
Instruction ID: 9e18271c04f84c88e2127f6c559c26661889105fe977d180f7c6ab290bedf31d
Opcode Fuzzy Hash: 021b01f35f3b23a14f18197a398bb7674bb88950ccf0f854128267e922e32835
Instruction Fuzzy Hash: 7911E0B5C047898FCB10CF9AD948BDEFBF8EB88314F14845AD819A7210D379A545CFA1

Function 016DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2186946786.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506a56041822e28a129572dcb8b76565bc6bbd9f905ec7f659ff10e91e7af96d
Instruction ID: 9e9c47be04c70cfa1cfe8684e25917e14c080de6ec2c95b34e62c4e5243aa400
Opcode Fuzzy Hash: 506a56041822e28a129572dcb8b76565bc6bbd9f905ec7f659ff10e91e7af96d
Instruction Fuzzy Hash: 942103B1904240EFDB05EF98DDC0B26BF65FB88318F64C569E9090B296C336D416CBA1

Function 016DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2186946786.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199f38348193bafa57f272d8080172b4ff3c64500df585bcaa5ad8a8b3813a77
Instruction ID: 64ed6aa495405da6cdc338a257c9de271c393cf9baccb84433b5678d4f8a7fc5
Opcode Fuzzy Hash: 199f38348193bafa57f272d8080172b4ff3c64500df585bcaa5ad8a8b3813a77
Instruction Fuzzy Hash: F82148B1900200EFDB01EF98DDC0B6ABF65FB84324F24C56DD90A0B386C336E416C6A1

Function 016ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187030577.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d61c10b42d73e385c375ca383e942814e2dae7d34c5eccc17452d5a29761ac
Instruction ID: ae0d0884bcca03a969d7b6c7cf792a2360db6db4f459c1f1ca2b418e7d4aa4a0
Opcode Fuzzy Hash: 42d61c10b42d73e385c375ca383e942814e2dae7d34c5eccc17452d5a29761ac
Instruction Fuzzy Hash: E221F2B1604240DFDB15DF58D9C8B26BFA5FB84354F28C66DD90A4B386C33AD447CA61

Function 016ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187030577.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b1cf5c9bd36dd12e700f57137fff1d99b75d5a82ecd03d376a5023060318b3
Instruction ID: 10bede2ae6feb710b85b5a51911983bbd87292bc729a252457997b4590fd422e
Opcode Fuzzy Hash: 80b1cf5c9bd36dd12e700f57137fff1d99b75d5a82ecd03d376a5023060318b3
Instruction Fuzzy Hash: 852129B5504240EFDB05DF98DDC8B25BBE5FB84324F24C66DDA094B396C336D406CA61

Function 016ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187030577.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb140526b953f8b1a805f975a63846095f40a8d038d45ea757e9cd13992ed93
Instruction ID: 5a36a87fb2cfad372ffca42d3f2c1166c28c59bff206835932f633cea2f410ad
Opcode Fuzzy Hash: 2fb140526b953f8b1a805f975a63846095f40a8d038d45ea757e9cd13992ed93
Instruction Fuzzy Hash: 312162755093808FDB13CF64D994715BFB1FB46214F28C6DAD8498F6A7C33A980ACB62

Function 016DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2186946786.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: f536d68146eb4e9a3227fc183305c73b454e5835ddc6a46bccf0a248f3e86049
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 7011E172804280DFCB12DF54D9C4B1ABF71FB84314F24C6A9D8490B656C336D45ACBA1

Function 016DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2186946786.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16dd000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: aa7b8cf17e73c27b2dd47164aa2083a2dda3b7e9deac0713d5644d0db3389efe
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 9211DF72804240DFDB12DF44D9C4B56BF71FB84324F24C2A9D9090B696C33AE45ACBA1

Function 016ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187030577.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_16ed000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 4e2f440ecd2622f8f721053fadcc3ea21508b13b478dd5be52069993a8c8ca65
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 9511BB75904280DFDB02CF54D9C8B15BBA1FB84224F24C6A9D9494B796C33AD40ACB61

Analysis Process: newapp.exePID: 7576, Parent PID: 7516COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	230
Total number of Limit Nodes:	25

Executed Functions

Function 06C3B318 Relevance: 8.3, Strings: 6, Instructions: 762COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C3BCF5
$]q, xrefs: 06C3BC81
$]q, xrefs: 06C3BCC1
$]q, xrefs: 06C3BC8D
$]q, xrefs: 06C3BCE9
$]q, xrefs: 06C3BCB5

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 083ff52c1d61d1d6b7cf5d31888e802ab2b88b17109fea1a6ad7994af73ef492
Instruction ID: 8a992c3a23ae875da92230831f25f6e1efc02c7a2dd6556edb7bd27072237d41
Opcode Fuzzy Hash: 083ff52c1d61d1d6b7cf5d31888e802ab2b88b17109fea1a6ad7994af73ef492
Instruction Fuzzy Hash: 01525F70E102198FDF64DF68D4807ADB7B2EB99310F24852AE409EB395DB35DD82CB91

Function 06C33570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C33CBC
$]q, xrefs: 06C33C7B
$]q, xrefs: 06C33C98
$]q, xrefs: 06C33C6F
$]q, xrefs: 06C33CA4
$]q, xrefs: 06C33CC8

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: f22fe4d7d72774b14a1b55be92ead860404fc09238575a8905a46d38e91d0388
Instruction ID: 5e53c1339eb3e22bb3c5610798728db114400e35690703e5136267c2113ca7d1
Opcode Fuzzy Hash: f22fe4d7d72774b14a1b55be92ead860404fc09238575a8905a46d38e91d0388
Instruction Fuzzy Hash: 49324031E1065ACFDB15DF75D89459DB7B2FF89300F20C6AAD449AB254EB30AE85CB80

Function 0126E91D Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0126EAFE
Xaq, xrefs: 0126EB17

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 6dd027df4ab3238b1f1af3a9a09c83f8ab6b81164f6b4012fdce4150351efdf2
Instruction ID: e60a710ced4b2d27bdaf2f27f72d2a3c39c78493650744cfc5edff17b5ab690a
Opcode Fuzzy Hash: 6dd027df4ab3238b1f1af3a9a09c83f8ab6b81164f6b4012fdce4150351efdf2
Instruction Fuzzy Hash: E3E12474B102159FDB19EF78985827E7FABBFC8710B198469E046DB3C5CE348C428B92

Function 06C37E68 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C381CB
$]q, xrefs: 06C381D7

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 4dc7cd6257a2dace474fe3f8c18bb0678974fa2510a0265a1f40242fb2330812
Instruction ID: 4f13ad5c5cc0c000a8b303ab8f186ea8ef9ab9834d2d4e8f54a70a319500748d
Opcode Fuzzy Hash: 4dc7cd6257a2dace474fe3f8c18bb0678974fa2510a0265a1f40242fb2330812
Instruction Fuzzy Hash: 42029E31B012169FDB54DF65D8906AEB7F2FF84304F248568E815AB381DB39ED82CB91

Function 06C366E0 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c699858517a93a0b3701430cb24323f21a3decfdd7728879acc04bbf83e11b
Instruction ID: 46d5c3fc34f04006c94408b0ef2f3915f7d9114a7ddcc20cd64700d429ffe427
Opcode Fuzzy Hash: 94c699858517a93a0b3701430cb24323f21a3decfdd7728879acc04bbf83e11b
Instruction Fuzzy Hash: 8F62CF31B002159FDB54DF69D584AADB7F2EF88314F248469E80AEB390DB35ED46CB90

Function 06C3C268 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9485a1dc88a2502592897ecffa1424c2a897235aaa31cccfddf5609d901cf5a
Instruction ID: 08192e9941339b2dd7476d9d2e208a30aab7e859c0a2318f1fbc34f5bb6c3343
Opcode Fuzzy Hash: d9485a1dc88a2502592897ecffa1424c2a897235aaa31cccfddf5609d901cf5a
Instruction Fuzzy Hash: 16328034B102199FDB54DF68D990BADBBB2FB89310F208529E405FB351DB39ED428B91

Function 06C356B0 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8124d25d7479e625075741d5464bb26832b877cb938c0379f6d43b3163457cde
Instruction ID: 023f0a6c94b9c504f22ce146003161f6fffd8821b48d8cbbc760b7f899c1c3b2
Opcode Fuzzy Hash: 8124d25d7479e625075741d5464bb26832b877cb938c0379f6d43b3163457cde
Instruction Fuzzy Hash: 7412C275F102258FDF60DFA4C8806AEB7B2FB84310F64846AD859DB385DA34DD42CB91

Function 06C3ADB0 Relevance: 10.4, Strings: 8, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C3AF88
$]q, xrefs: 06C3AEDD
$]q, xrefs: 06C3AED1
$]q, xrefs: 06C3AF24
$]q, xrefs: 06C3AF7C
$]q, xrefs: 06C3AF5F
$]q, xrefs: 06C3AF53
$]q, xrefs: 06C3AF30

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 4b43df185c3de4d724b19d9f92fa99932050645369dbef04b7eeb0f987a4f1ea
Instruction ID: ecad22934ad1b43750b812d9e8d4cca426436c80d689196bb362c63e05904c92
Opcode Fuzzy Hash: 4b43df185c3de4d724b19d9f92fa99932050645369dbef04b7eeb0f987a4f1ea
Instruction Fuzzy Hash: 4DE18070E1021A8FDB55DFA9D4846AEB7B2EF89304F20862DE805EB344DB35DD56CB81

Function 06C19E31 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06C19EBE
GetCurrentThread.KERNEL32 ref: 06C19EFB
GetCurrentProcess.KERNEL32 ref: 06C19F38
GetCurrentThreadId.KERNEL32 ref: 06C19F91

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 42464208e647fdbeb0b9685e0ab95c024be3c30af52a0da61fe716354b507816
Instruction ID: 8a4fc7b23d6568a9271b8d79289ceed73e6f2d21f0dd5408faf78a71249b48ca
Opcode Fuzzy Hash: 42464208e647fdbeb0b9685e0ab95c024be3c30af52a0da61fe716354b507816
Instruction Fuzzy Hash: DA5176B0D1024A9FDB54CFA9D948BDEBBF1FF49304F208459E419AB3A0D7349984CB61

Function 06C19E40 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06C19EBE
GetCurrentThread.KERNEL32 ref: 06C19EFB
GetCurrentProcess.KERNEL32 ref: 06C19F38
GetCurrentThreadId.KERNEL32 ref: 06C19F91

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 19de1f1522b37f0996f975dbaaf2e8f53546046d2ea2c66c219c73dce97b9483
Instruction ID: c5645c9e2c08c2f9a4dcbb38807c8cf464fa5ce112969b54e44ac549a6353970
Opcode Fuzzy Hash: 19de1f1522b37f0996f975dbaaf2e8f53546046d2ea2c66c219c73dce97b9483
Instruction Fuzzy Hash: 075155B0D1020A8FDB54DFA9D948B9EBBF1FF48314F20845DE419A73A0D734A984CB65

Function 06C39238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C392BA
$]q, xrefs: 06C392C6
$]q, xrefs: 06C3928B
$]q, xrefs: 06C3927F

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: bbfbc4dc30836681ec0ba5001d86c3546d6c6e81ec4e12494fa02663464a83c9
Instruction ID: c9db209bf3ea376e53aedf98b9dd5ca8f6f6f1c6cd40df7e2505553fff79432f
Opcode Fuzzy Hash: bbfbc4dc30836681ec0ba5001d86c3546d6c6e81ec4e12494fa02663464a83c9
Instruction Fuzzy Hash: F7916130B0021A9FDB54DF79D8907AFB3F2FB88600F108569D80DEB344EA759D468B92

Function 06C3D038 Relevance: 4.5, Strings: 3, Instructions: 796
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C3D42F
$]q, xrefs: 06C3D443
$]q, xrefs: 06C3D437

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: abafe4c9c6d3b07e0cdd867c6aa6a0a1d53a4950b872b2446dae1c002048e087
Instruction ID: 6d9b6a00081f50b0e86978e49f5f696048a779f4d7e24d59ad49a056db24aed8
Opcode Fuzzy Hash: abafe4c9c6d3b07e0cdd867c6aa6a0a1d53a4950b872b2446dae1c002048e087
Instruction Fuzzy Hash: F3625D70A1021A8FCB55EF68D580A5DB7B3FF84304B208A68E4469F355DB79FD86CB81

Function 06C34C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06C34DC9
fbq, xrefs: 06C34CA3
\Obq, xrefs: 06C34E53

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 4a1def242ca81badc816ff345fa7d62ba9668e3afd27ce09aeceab4eeb9388aa
Instruction ID: 98d46c4c4f413ffa00f3b0ad4f7775a469d80acdf2894250f564ac32a5f90e1f
Opcode Fuzzy Hash: 4a1def242ca81badc816ff345fa7d62ba9668e3afd27ce09aeceab4eeb9388aa
Instruction Fuzzy Hash: EC618F30F102199FEB54DFA5C8547AEBBF2FB88700F208529E106AB395DF758D458B90

Function 06C39228 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06C392BA
$]q, xrefs: 06C3927F

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 015757417bc962a22c3d441638b8eb14e7f171131082f2dbdc9e06685893a2db
Instruction ID: 4bb554f76d0a9bc2946d936ee8744b6a6ed7c349c7fc4d7c577076d95d5bd050
Opcode Fuzzy Hash: 015757417bc962a22c3d441638b8eb14e7f171131082f2dbdc9e06685893a2db
Instruction Fuzzy Hash: C3517370B002169FEB54DF75D994B6F73F2FB88604F108429C819EB394EA75DD068B92

Function 06C34C69 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06C34DC9
fbq, xrefs: 06C34CA3

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 5b0057025ee81f21a0d0f024d1ef09b376e43af214c6d60373ac52b3e532b100
Instruction ID: f14cc918ca4ae85185efde6fd639df9840c762d457367542d66079bb10c3cb2b
Opcode Fuzzy Hash: 5b0057025ee81f21a0d0f024d1ef09b376e43af214c6d60373ac52b3e532b100
Instruction Fuzzy Hash: 0E51B070F102199FEB55DFA4C854BAEBBF2FF88700F208529E106AB395DE758C018B90

Function 0126E943 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612b989558248a74bcc33814f6698dacc119c5327fd5272d109c444c07fe98e5
Instruction ID: 68385a8d125600f509f3e39bdd217d611850395a7f68f6c111cf9d1d80c9afe2
Opcode Fuzzy Hash: 612b989558248a74bcc33814f6698dacc119c5327fd5272d109c444c07fe98e5
Instruction Fuzzy Hash: AB515B755152928FDB06EB7CD4502ED7FA5AF8A320F2A046DC5449F3C2CA358C8ACB91

Function 0126EE98 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0faebf61e5dc87097bfd32bc1543e77a97b0eee525ecd71651f1f2a148aa865
Instruction ID: 735ecc161ba8718b82a4bc83e4f5792db6ff9ebb0f03c9d783d5797dd684fea4
Opcode Fuzzy Hash: c0faebf61e5dc87097bfd32bc1543e77a97b0eee525ecd71651f1f2a148aa865
Instruction Fuzzy Hash: E6415472D1039A8FCB14CFB9D8042AEBFF5AF88310F15856AD418A7381DB74A881CBD1

Function 06C1648C Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C165AA

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c24ab68d2d346adb6c884a645856b4a2ff071237e52ff692abeb873277ab331c
Instruction ID: 3a12818717687035210f06ac27db955dd006309d8ec60b1c72a3a201824238ec
Opcode Fuzzy Hash: c24ab68d2d346adb6c884a645856b4a2ff071237e52ff692abeb873277ab331c
Instruction Fuzzy Hash: B651EFB1D00349AFDB14CFAAC884ADEBFB5BF49310F24852EE418AB210D7709985CF91

Function 06C16498 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C165AA

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a1d03bad836abddd7fd0cd5bc880b97434045bae6e7bfe80466e316d4fb4fdf
Instruction ID: 3ca16a38c78af80e9b6401e70650222a7a1a03fb11f58e9ad2cf9968c140deaf
Opcode Fuzzy Hash: 7a1d03bad836abddd7fd0cd5bc880b97434045bae6e7bfe80466e316d4fb4fdf
Instruction Fuzzy Hash: 5B41CEB1D103099FDF14CF9AC884ADEBBB5FF49310F24812AE819AB254D775A945CF90

Function 06C19E0C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06C1B3D9

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c4bd0c50ae9475fd404f00d4c29094f20721fbd96610f997816b85b8a6105bf4
Instruction ID: aac5b61a387a493297300c5cbfa0fb6ce640f5331375237c600de87c89ef0454
Opcode Fuzzy Hash: c4bd0c50ae9475fd404f00d4c29094f20721fbd96610f997816b85b8a6105bf4
Instruction Fuzzy Hash: CC4138B4900309CFDB54CF9AC888AAABBF5FF89314F24C459D519AB321D774A941DFA0

Function 06C1BC67 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06C1BCF0

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 02b28769923ae5e73ce5f6677d0547748f319874e258b6741f13cba78f3cab24
Instruction ID: 4b4ae90a0ce68ff44220da4ae4147558161a39209237f13826cc6852a43caaa7
Opcode Fuzzy Hash: 02b28769923ae5e73ce5f6677d0547748f319874e258b6741f13cba78f3cab24
Instruction Fuzzy Hash: 0031F1B0D01249DFDB24DF99C984BCEBBF5AF49314F208069E404AB294DBB46945CF65

Function 06C1BC68 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06C1BCF0

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 3489f7085e7e783c757ed0cd346affeafa0ef9684fa8b793b3e4fcace89a3f45
Instruction ID: 5a35444123d04af4bd01550f585f2965e2bb79bddfca410f340f10dd28363308
Opcode Fuzzy Hash: 3489f7085e7e783c757ed0cd346affeafa0ef9684fa8b793b3e4fcace89a3f45
Instruction Fuzzy Hash: EA31FFB0D01249DFDB24DF99C984BCEBBF5AF49314F208069E404AB2A4DBB4A945CF65

Function 06C1A087 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C1A10F

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 045fb662d81167da961de18cd074340f934b7b9ba625e84cd7905964df4b7260
Instruction ID: 8bb5b04ea7eb2c27cd2edf77aafb0564c2f06d62308bfe9ef9fb9f49880498dd
Opcode Fuzzy Hash: 045fb662d81167da961de18cd074340f934b7b9ba625e84cd7905964df4b7260
Instruction Fuzzy Hash: 3421E6B5D012499FDB10CFA9D984ADEFFF8EB49320F14801AE914A7350D374A944CF61

Function 0126E9AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0126EFE7

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0650c59ec23c87dbc8895c76e24279f990ebfbfce121aa699b840f00a7895da6
Instruction ID: 8a4152c1ef7b6972c8da050be2ccec3b4ee489d9e154505bcdd6d0b62abebbb6
Opcode Fuzzy Hash: 0650c59ec23c87dbc8895c76e24279f990ebfbfce121aa699b840f00a7895da6
Instruction Fuzzy Hash: 951126B6C15266CFDB01EFA8D4453DDBFA4EF4A320F264086D444AB282D334598ACBA5

Function 06C1A088 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C1A10F

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0871655d2b1f12a9923f3aa4f0305fc257bf656cd3e8628b0ba8fa0d359b6b00
Instruction ID: 00b69be438940f5016cc8374a1057908f3045ac6ca7fec7d98216039d0134651
Opcode Fuzzy Hash: 0871655d2b1f12a9923f3aa4f0305fc257bf656cd3e8628b0ba8fa0d359b6b00
Instruction Fuzzy Hash: 5621E4B5D002499FDB10CFAAD984ADEFBF8EB49320F14801AE918A7350D378A944CF61

Function 06C1DA28 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06C1DAAB

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 49cb48d029b328af0d1b9a4d1caf0a147e03bb8a118bd70e8c5aaf86016b98af
Instruction ID: 8e5fb4a8205f043887c1bdc1a73b87f6595bb7b6f25a390995189f30edb32e36
Opcode Fuzzy Hash: 49cb48d029b328af0d1b9a4d1caf0a147e03bb8a118bd70e8c5aaf86016b98af
Instruction Fuzzy Hash: B52132B5D002099FCB14CF9AD844BEEBBF5AF88320F14842AE459A7250D774A945CFA1

Function 06C1DA30 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06C1DAAB

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b7e6deb3a6cfcfe581fe65ef677d1a696da9c94b2f2d92decc4de48c8de344ae
Instruction ID: 7c2f3bc4a0776fe5fe12c19d38323337a5e80a1dac328fddcea9e08b5f57348c
Opcode Fuzzy Hash: b7e6deb3a6cfcfe581fe65ef677d1a696da9c94b2f2d92decc4de48c8de344ae
Instruction Fuzzy Hash: 052110B5D002099FCB14DF9AD844BEEFBF5EF89320F14842AE419A7250C774A945CFA1

Function 0126E9CD Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0126EFE7

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4da90184ba53197a27cc0cd68e72fc567dbad02b7a86bb022470d1e1315d22d5
Instruction ID: 1a423c4ca09aec4f33c54d5b5c9ecf85be3ecaa7b9b65a62d875d50b389f9054
Opcode Fuzzy Hash: 4da90184ba53197a27cc0cd68e72fc567dbad02b7a86bb022470d1e1315d22d5
Instruction Fuzzy Hash: CD11C2B6C152668FDB00DFA8D4457DEBBA4AF0A314F164086D454AB282D738994ACBA2

Function 0126EF80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0126EFE7

Memory Dump Source

Source File: 00000007.00000002.2252363745.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1260000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1f24cce4c844b351d3adae0c664886d27ea178ecd7719ecde0864b6093fc4283
Instruction ID: 092bfa08c838098134bbb84f94b0e730bc33676ec1ec9538595b0db7e186c067
Opcode Fuzzy Hash: 1f24cce4c844b351d3adae0c664886d27ea178ecd7719ecde0864b6093fc4283
Instruction Fuzzy Hash: 0D1123B1C1025A9BCB10DF9AC444BDEFBF8EF48320F11816AE818B7240D378A944CFA1

Function 06C137C8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06C15456

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6145e6b6e4542062076cc4e132ee50d3796e48186c89c096209a6f893be1a5f
Instruction ID: 39755784d428ec0a5b8f2ab62ba5a004d909e644bec11f2dc33b921912bb7b4a
Opcode Fuzzy Hash: e6145e6b6e4542062076cc4e132ee50d3796e48186c89c096209a6f893be1a5f
Instruction Fuzzy Hash: 5D11F0B5C002498FDB20DF9AC444B9EFBF4EB89220F50845AD829B7210D375A545CFA5

Function 06C1AE3C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06C1B62D), ref: 06C1B6B7

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 29ccdb6e9b04bc3a56ba354a16352b1e7cd29ed92c4d85136b5fb329e9dae6e9
Instruction ID: 5a666677a052014ee33e86c5091d520e5d0e3a3a296ba03dd5e72d43b4b955bb
Opcode Fuzzy Hash: 29ccdb6e9b04bc3a56ba354a16352b1e7cd29ed92c4d85136b5fb329e9dae6e9
Instruction Fuzzy Hash: 721100B1D00249CFCB60DF9AD548B9EBBF8EB49320F20845AD519A7350C374A944CFA5

Function 06C1B074 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C1BB75

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1973a457eb29bcd8eb77d324b08d0891086aca6988dde200aa16e3a8f6aa37dd
Instruction ID: fe9c62e0c66cd5abe1937f87a127c6e2b8c8b5fbcde08c6dc6e1c6c06c65a15a
Opcode Fuzzy Hash: 1973a457eb29bcd8eb77d324b08d0891086aca6988dde200aa16e3a8f6aa37dd
Instruction Fuzzy Hash: CD1112B1C003498FCB20DF9AD488B9EBBF8EB49320F20845AD519B7750D375A944CFA5

Function 06C1B657 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06C1B62D), ref: 06C1B6B7

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 28f834fdd2d00fe474ef33ff069bb2c625f9cff03ffd5ab713ec811c5970a80e
Instruction ID: 540c0fe3220cc4d921be6846cb0d4fecda153298b9f3ce3e8f6084cf0dc838f8
Opcode Fuzzy Hash: 28f834fdd2d00fe474ef33ff069bb2c625f9cff03ffd5ab713ec811c5970a80e
Instruction Fuzzy Hash: C91112B5C002498FCB20DF9AD944BDEFBF8EB49320F20841AD519A7350C374A944CFA5

Function 06C1BB1F Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C1BB75

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bc812cdb2ca14547fd655ea0bdf4888822e82a333fc2f1c5680e87afd6a83e9a
Instruction ID: 14ec71f00946d11377b54e7b630bdadf899623bcddc838a2bf39d29166d78e51
Opcode Fuzzy Hash: bc812cdb2ca14547fd655ea0bdf4888822e82a333fc2f1c5680e87afd6a83e9a
Instruction Fuzzy Hash: 0E1112B5C003498FCB20DFAAD489BDEBBF8EB49320F208419D518A7650C375A944CFA5

Function 06C153CB Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06C15456

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7c5a589db5f8d00343140d59e6ae1f7cfecea7be142bc7e23258a908b1fc5f23
Instruction ID: 83f63e556538f1ad374eb8542da6555a0177e27dcb6890ff3b8f574bc1cbd7f2
Opcode Fuzzy Hash: 7c5a589db5f8d00343140d59e6ae1f7cfecea7be142bc7e23258a908b1fc5f23
Instruction Fuzzy Hash: 1A018BB69042488FDB10DF99D4043CAFBF0AB86315F24844AC559A7252C335A55ACF61

Function 06C153EB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06C15456

Memory Dump Source

Source File: 00000007.00000002.2267379287.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c10000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88907c0da8b14cd38b8a521946589cdc9c8c73a5caf6e3bbdbf599fc31cec6cf
Instruction ID: 8bc7cdc85c9727f6899caaf102212e568fb0a8cb4c838ba141e8ac5f75c34f5f
Opcode Fuzzy Hash: 88907c0da8b14cd38b8a521946589cdc9c8c73a5caf6e3bbdbf599fc31cec6cf
Instruction Fuzzy Hash: 2CF058B5C00248CEDB10DF8AE4087CEBBF4AB8A316F60804AC019AB260C3799156CFA1

Function 06C3DBC0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C3DD09

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: cf9ad23dfe80a4ead4f76078a09769ff6437a3ac22c8d2f8f0ac311f68749131
Instruction ID: 23aa0e814ab635d82e0a0353c43e36c7f3dc356138d3c10a32258b9d9ad4755f
Opcode Fuzzy Hash: cf9ad23dfe80a4ead4f76078a09769ff6437a3ac22c8d2f8f0ac311f68749131
Instruction Fuzzy Hash: E241A370E1021ADFDB65EF65D45469EBBB2FF85300F20452DE406E7240DB74EA46CB91

Function 06C3DBAD Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C3DD09

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 406aa9fed55244129cd6c847362555960f7b22f504a84a7808af28278edf64a1
Instruction ID: 6c2c79aec4fb807d0825598359340a6eaf0818e91f7519c207c0941ff1e53445
Opcode Fuzzy Hash: 406aa9fed55244129cd6c847362555960f7b22f504a84a7808af28278edf64a1
Instruction Fuzzy Hash: F241B470E102169FDB65EF65D45469EBBB2FF85300F20852DE806EB340EB74EA46CB91

Function 06C321C5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C32313

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 8db0ed48c5a1a917e456d80b7e356f6b16d2ef07336de41c14adb6f566ae4c9d
Instruction ID: 8fbc15fcfc0d3d6e10c829d9efb5102877c2eb4383720b8a8e6c46fa46a0844d
Opcode Fuzzy Hash: 8db0ed48c5a1a917e456d80b7e356f6b16d2ef07336de41c14adb6f566ae4c9d
Instruction Fuzzy Hash: 7D31D130B102169FDB559B74D95466E37A2FF89210B208538E406DB385DF3ADE468BA1

Function 06C321D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06C32313

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: e3a509b99f38ae8c84134ee01a166abe79e142aafd2b80203982d0b9aa626d7b
Instruction ID: d08aca8ffed22c87ab71a05831f64eddb387697aa5061d634bc7ed7e7233336c
Opcode Fuzzy Hash: e3a509b99f38ae8c84134ee01a166abe79e142aafd2b80203982d0b9aa626d7b
Instruction Fuzzy Hash: 7231E330B102169FDF559B74D95466E3AE3BF89210B20853CE406DB384DE3ADE41C7D5

Function 06C34B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 06C34B6D

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: 17278ecd76a329d14f3e2ecc886466fb9483f807fe28a83661165309ea7264d9
Instruction ID: f11caac4d4c2625733c05a8c3d96cf36fd0ace39600f34834f71475b7ea43e3e
Opcode Fuzzy Hash: 17278ecd76a329d14f3e2ecc886466fb9483f807fe28a83661165309ea7264d9
Instruction Fuzzy Hash: 4FF0DA30A60129DFDB14DF94E899BAE7BB2FF88605F204119E402A7294CBB41D01CBC0

Function 06C3B307 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ff36e897d2c6b32901c6f75e5b9f6548988cb882e9ff148356300e7f926190
Instruction ID: 9e5969923059d44da99739803154733a7112e6bf0a5f7c6d259e603c4dc5e730
Opcode Fuzzy Hash: 09ff36e897d2c6b32901c6f75e5b9f6548988cb882e9ff148356300e7f926190
Instruction Fuzzy Hash: 7CA18374F101198BEF64CB6DC4907BEB7B6FB99310F204429E409EB391CA39DD918B92

Function 06C362E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c7f97b3f7423fc0855bdb5b5fec12eb9ea90ea0ba3ad084c1e20e8c7215937
Instruction ID: d10da3f4b270823b7032e4a53d395716bdafb35d002bb6966a9ed2308e55222a
Opcode Fuzzy Hash: 92c7f97b3f7423fc0855bdb5b5fec12eb9ea90ea0ba3ad084c1e20e8c7215937
Instruction Fuzzy Hash: 49619071F000215FDB54AA6EC88066FBAD7AFD4224F254479E80EDB360DE79ED0287D1

Function 06C343A8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1cbb3c650ded0c142d34605b0214f05d438125ce54195fcfff492c78221b90
Instruction ID: 99f17af01886652026b6c17dd233cce23c6043a65817589b81dc4932a8128645
Opcode Fuzzy Hash: ba1cbb3c650ded0c142d34605b0214f05d438125ce54195fcfff492c78221b90
Instruction Fuzzy Hash: 62815F71B0021A8FDB48DFA9D45476EB7F3EB88304F208529D40AEB394EB75DD468B41

Function 06C343B8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5d9d7f5dd8dc04a85c215f3ca10a8fa92f5792296a67386818dabf8723d4f8
Instruction ID: d967b553117a49332eb6490bc976697a92bbcbca162583e933cc1582236399f8
Opcode Fuzzy Hash: 0f5d9d7f5dd8dc04a85c215f3ca10a8fa92f5792296a67386818dabf8723d4f8
Instruction Fuzzy Hash: 57814E30B1021A8FDF48DFA9D45476EB7F2EB85304F208529D40AEB394DB75ED468B52

Function 06C346C8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870230c2109db93b35cca1fe603606b4ca213be7ca1979d1c0741326c17c5527
Instruction ID: 478a44a889239e5b0de93708efec86f49204f4750da7b659268bae1efe0ea03d
Opcode Fuzzy Hash: 870230c2109db93b35cca1fe603606b4ca213be7ca1979d1c0741326c17c5527
Instruction Fuzzy Hash: 0F912D30E1061A8FDF64DF68C890B9DB7B1FF89300F208699D549AB295DB70AA85CF51

Function 06C346E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b1fefb4eb13524075c732f0803e83bf37c843ca3b87843313e7489479461a0
Instruction ID: febdb602dba9b7b05a4f0dd965f25f64d76e3aa2ac3bbd8814679a11c0a5bbdf
Opcode Fuzzy Hash: 89b1fefb4eb13524075c732f0803e83bf37c843ca3b87843313e7489479461a0
Instruction Fuzzy Hash: A9912C30E1061A8BDF64DF68C880B9DB7B1FF89310F20C699D549AB285DB70AA85CF51

Function 06C3F010 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1612d46c2f3fb776dcdc2e7b615cc37b53049f500723a9e0fe3b99b172be8e38
Instruction ID: bc0cdb5fa5186af0e61bc6dad4351160db59e9cd96fb23103c56e196c06392f9
Opcode Fuzzy Hash: 1612d46c2f3fb776dcdc2e7b615cc37b53049f500723a9e0fe3b99b172be8e38
Instruction Fuzzy Hash: 37714B71E002598FCB54DFA9D980AADBBF6FF88300F248929E415EB355DA34ED46CB50

Function 06C3F020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9653365814eb0e1ee9151ac331e16fc8193dd9725e472177189838df3a62f27
Instruction ID: a66a21169aedf49bbd71b60f2e886833635ab290580cd0187b476e9a13516798
Opcode Fuzzy Hash: c9653365814eb0e1ee9151ac331e16fc8193dd9725e472177189838df3a62f27
Instruction Fuzzy Hash: CE714A71E002199FCB54DFA9D980AADBBF6FF88300F208929E415AB355DB34ED46CB50

Function 06C3FCA0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c6e7a127a342dfad224559666890562891f14510c358b205f7404eada8d849
Instruction ID: a767b5c111ca07d1b0d9a0a5ac2ae5d269a6be8a40cc76fa62b45a84d8933ba5
Opcode Fuzzy Hash: 63c6e7a127a342dfad224559666890562891f14510c358b205f7404eada8d849
Instruction Fuzzy Hash: 21611331E002259FDB64AF78E4942ADB7B2FB84311F108C7EE52AD7241DB398E55CB81

Function 06C3FA50 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8000bd370cb2d5a3d9769e92c971fb7e7864ffcd4f8ef2c7ad12dba0b767f51
Instruction ID: a9c290b3219c30d4c9f7c618baf2b6aeaba0bb4061d9c7a55f7091c37c855770
Opcode Fuzzy Hash: f8000bd370cb2d5a3d9769e92c971fb7e7864ffcd4f8ef2c7ad12dba0b767f51
Instruction Fuzzy Hash: A451EAB4F201159BEF646ABCD854B3F2A5AD78D310F20493EE50AD73D0DA2CCD9183A2

Function 06C3FA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac65811a5901659adef64f4ec4221d7aab29f2252eb4eb5a1bc30a656172fbee
Instruction ID: cc56ed454a54ee3580f53daa1e6efd5a07242c59c862b476d6b43302bcf952e6
Opcode Fuzzy Hash: ac65811a5901659adef64f4ec4221d7aab29f2252eb4eb5a1bc30a656172fbee
Instruction Fuzzy Hash: BC51B7B4F201259BEF646ABCD954B3F2A5AD78D314F20493DE50AD7390CA2CCD9183A2

Function 06C35530 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd080c39a49ae5fb10d84a843a2f6433285d46159b5dd743171359e5b6fe5d0
Instruction ID: fc287c6630bfdb04b7f01a76f3c87fdbccb20ee5c27bac95dea26d31be732bca
Opcode Fuzzy Hash: 9dd080c39a49ae5fb10d84a843a2f6433285d46159b5dd743171359e5b6fe5d0
Instruction Fuzzy Hash: 3C416A71E006198FDF70CEA9D880AAFFBF6FB94310F50492AE116D7650D731E9458B90

Function 06C356A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fdb4c837b1ddb6873e9b38feee66baa7504cd7d38cbad64d0f1ce6cedf998e
Instruction ID: 7d896e0fb0fac6689cae5895664ad68c7bfe16d7d34c15e8af819190828e860d
Opcode Fuzzy Hash: 82fdb4c837b1ddb6873e9b38feee66baa7504cd7d38cbad64d0f1ce6cedf998e
Instruction Fuzzy Hash: 97318375E20225CFDF608F68C4807AEBBB1FB45320FA5856AD459DB345C234EE41CB91

Function 06C3DA61 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aae168ffd785a78c8b7fe0f42baa459a1d304027d8268048e6c867c4b260c3
Instruction ID: b4ebc072b7780950d82a3c9acaabf33b5ef073bf17b6faf17f771525a1ff90cf
Opcode Fuzzy Hash: 81aae168ffd785a78c8b7fe0f42baa459a1d304027d8268048e6c867c4b260c3
Instruction Fuzzy Hash: 4231BB70E1071A9BCB55DF65C58069EBBF6FF84304F208929E806EB340DB74B946CB41

Function 06C32088 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4edd7fa73b5e81598e3b4fcba732b20f6d587c22316d8e146567f0e38819713
Instruction ID: 914b7a55d8dacaf0d137ca4b441ad22705842d00eca2fc1d5b1a7a89848b8096
Opcode Fuzzy Hash: c4edd7fa73b5e81598e3b4fcba732b20f6d587c22316d8e146567f0e38819713
Instruction Fuzzy Hash: 13316D31E1061A9FCB54CF64C99469EB7F2EF89310F10892DE806A7350DB35EE46CB90

Function 06C32098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be0adcaf82885259f2eaaed543ea0e4e5d5750d507a034d786f6bf5e2e96064
Instruction ID: 34df33e904c1a748191ddbd85cf41d21eae7b9d3d3d4b0d77cd5c5971c7feae1
Opcode Fuzzy Hash: 1be0adcaf82885259f2eaaed543ea0e4e5d5750d507a034d786f6bf5e2e96064
Instruction Fuzzy Hash: D5313A31E1061A9BCF19CF64C99569EB7F2AF89300F108929E906E7350DB75EE46CB90

Function 06C33FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbcb42230e835f9961c8c6263f908c2a915b25e9ebb87a9c1f378f4387c1f56
Instruction ID: a6839d7a394ecb6aabc247a0a0e09f4118806ec4d68aabb5e6514d2a33cb3758
Opcode Fuzzy Hash: dbbcb42230e835f9961c8c6263f908c2a915b25e9ebb87a9c1f378f4387c1f56
Instruction Fuzzy Hash: 06218EB5F002559FDB50CF69D880AAEBBF5EB48710F108029E909EB394E73ADD018B91

Function 06C33FB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb26bd6f41c1ac084705d613b56c85db040fc8e4fc641be3d9bd82c9a1babf8
Instruction ID: 530c0ca7992bc4572e83f77fa1f8b4cac83ee1e652b12284977ea18f2be4139f
Opcode Fuzzy Hash: dcb26bd6f41c1ac084705d613b56c85db040fc8e4fc641be3d9bd82c9a1babf8
Instruction Fuzzy Hash: C121BFB1F002169FDB41CF79D880AAEBBF5EB48710F048069E909EB344E739DD018B91

Function 0121D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2251487337.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f695d8daa9ec80d0465a92c0fe0e6141d40ce57100a868a83d6daca2497ab1e5
Instruction ID: 329e75232e0de122af1c2cd8e77e099fddbb77ec190515a12daacc64a0f57410
Opcode Fuzzy Hash: f695d8daa9ec80d0465a92c0fe0e6141d40ce57100a868a83d6daca2497ab1e5
Instruction Fuzzy Hash: 5F2137B1514208DFDB11DF58D9C8B26BBE5FB94314F24C56DD9090B24AC377D447CA62

Function 06C36E00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce1543c32725690843eea15f72704edd9bd8b7c22fb806ddcbe4803036b316
Instruction ID: 0ffbdc89df228c7277b1c0fc5d1054d1e3b65b559d94c2327898afa6fbc0815d
Opcode Fuzzy Hash: 33ce1543c32725690843eea15f72704edd9bd8b7c22fb806ddcbe4803036b316
Instruction Fuzzy Hash: 4721A231B101299FDF44DB6AE9506ADB7B7EB84310F248439E409E7340DB35ED558BD4

Function 06C33560 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17a5be9afb91b9c9a9bbc53af3fdfc8fb4b86a1c41363b96e4ce2b9d86e4c76
Instruction ID: 1ca2d100a34fd6a5f8f64a8fef92b0a3c37533525955ae6a4a12e15f06075f6c
Opcode Fuzzy Hash: d17a5be9afb91b9c9a9bbc53af3fdfc8fb4b86a1c41363b96e4ce2b9d86e4c76
Instruction Fuzzy Hash: 2121D571E001A59FCB649F78D8805DEBBB2EB89310F1485A9D00DE7344DA31DA41CB91

Function 06C340D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d739c59412ccee5fa9fdc0baac2011521e614bcec566e68b94f87d101039b097
Instruction ID: bebdc6ae25d6a3ee1f840be0d9ffc944179b26eb742eeceaaf152f0280b0daa2
Opcode Fuzzy Hash: d739c59412ccee5fa9fdc0baac2011521e614bcec566e68b94f87d101039b097
Instruction Fuzzy Hash: 1F11A535B105285FDB88DA69DC146AE73FAEBC8710F008139D40AE7354DF2ADC0687D1

Function 06C3B000 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b84fcc4e7b2a1e2b06efc0537b738ad4fd1cc20255891979b8446daedf9a608
Instruction ID: 521a538bc729f8590911dd8a54b335b93b4c0fc8cebc4df327fb00abe2f75d35
Opcode Fuzzy Hash: 6b84fcc4e7b2a1e2b06efc0537b738ad4fd1cc20255891979b8446daedf9a608
Instruction Fuzzy Hash: 73115171D1076E8BCF21CFA6C94569EBBB5BF95300F10462AD805FB200DBB1A945CB81

Function 06C3315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b47592b8560d79ca3d0069c1bcd10ddbc56f81a77f19bb2b93ef2e7194c06bb
Instruction ID: 42066689e1a96a5eddb6a6e144f0c59bfda40988d8dceb3b1156c262b5ded69c
Opcode Fuzzy Hash: 1b47592b8560d79ca3d0069c1bcd10ddbc56f81a77f19bb2b93ef2e7194c06bb
Instruction Fuzzy Hash: 0321C0B1D01269AFCB10DF9AD884ADEFFB4FB49310F50812AE918A7240D374A954CBE5

Function 06C34308 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88bdc527559caa976dbbebf09ce546ee867bd1a14b0d41fbb0e4d7d53f396d0
Instruction ID: dac42cf22b68bc35d53163a4d5ab2afa850bf36deb85d361db6ca35495c5a6f1
Opcode Fuzzy Hash: c88bdc527559caa976dbbebf09ce546ee867bd1a14b0d41fbb0e4d7d53f396d0
Instruction Fuzzy Hash: 1C01DF76B102210BEBA9D668D85972EA7C7DBC9711F20883EE10EC7385ED25DD020382

Function 0121D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2251487337.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_121d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 5c413dc740b4e00114f1a2d9230541a565ab859c72dab0d80fc27bc3468098c1
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: BA11BB75504284CFDB12CF58D5C8B15BBA2FB84314F28C6AAD9494B65AC33BD44ACB62

Function 06C33D88 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153b29cc0135bc3576e16a72a7557d8e66828d3a23480af3b94388b740a5e7a6
Instruction ID: c1b473bc09551790b2b2be3bdb28f5e9a88632208a2b1166dd3b888608b09f46
Opcode Fuzzy Hash: 153b29cc0135bc3576e16a72a7557d8e66828d3a23480af3b94388b740a5e7a6
Instruction Fuzzy Hash: 2A21CFB5D01269AFCB10DF9AD984ADEFFB4FB48310F50812AE918B7240D374A954CBA5

Function 06C3F28F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b32075bac188ee5d1359468c9284ea5fd73f41b82da10079d84a387dd0d330
Instruction ID: 74fc7a0e6355988f9d3959290b00bbe56185ebe81c5f878f09ca210c0535699d
Opcode Fuzzy Hash: 76b32075bac188ee5d1359468c9284ea5fd73f41b82da10079d84a387dd0d330
Instruction Fuzzy Hash: CF01DF76F204214BDB619678959872EA7D2DBC9620F20882DF50AC7340EE25DD034382

Function 06C34318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3902c5082704979a7544ba011d85d3269d2d829a06f0ff898ef4df2e9900c4
Instruction ID: cd0e2c71bc578dc6dd766040154cb45618e5a3cad797943f17bfbb67fc9895cb
Opcode Fuzzy Hash: 6d3902c5082704979a7544ba011d85d3269d2d829a06f0ff898ef4df2e9900c4
Instruction Fuzzy Hash: 1B01AD31B101210BDBA9966DD44972EA7DADBC9A20F20C83DE50EC7344ED65DD024382

Function 06C340BF Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedf00212de4db3b3eb8d3d13dd2bed1f09165953ebe5d8a4e1d3b9fe662d638
Instruction ID: 2e895643589bd636f6b22c49c7feaaadbcc68483ca8a3f043f2b4deb017e017b
Opcode Fuzzy Hash: dedf00212de4db3b3eb8d3d13dd2bed1f09165953ebe5d8a4e1d3b9fe662d638
Instruction Fuzzy Hash: 3F01F736F141245BEB89DD68DC507EF73EA9BC8600F10803AC10AE7344EE2ACC0A87D2

Function 06C3F2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728f746acf76ff8e68af77aefdd4b0cedc63540b1507a1a7d9f474a016bbbc32
Instruction ID: e05617cc5bcf3400e6033872e1a931123b8fd7f876fbab591316c403149f0073
Opcode Fuzzy Hash: 728f746acf76ff8e68af77aefdd4b0cedc63540b1507a1a7d9f474a016bbbc32
Instruction Fuzzy Hash: 2601A435F205214BDB65A67D959472EA7D6DBC9620F20883DF50EC7340DE25DD024385

Function 06C3A3EA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f0f3f62fcaa5cb6018dcac18b19e4ab6c5f2e1c87b8c98496d55c45b3cc460
Instruction ID: 88cb0c9dce111732d2a9471673b4275c5ca4e6dfe59de9d70b94ed04c1397b18
Opcode Fuzzy Hash: a7f0f3f62fcaa5cb6018dcac18b19e4ab6c5f2e1c87b8c98496d55c45b3cc460
Instruction Fuzzy Hash: 7F01F731B104218FD761DA78E45971BA7D2DB89710F10C43DF44AC7351DD29ED128381

Function 06C3A3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081036f3d903c9ed29e9b0cb0a8698664450cf4dfb3d26e9a99b1d81530a42d3
Instruction ID: 7fd2f489ad8d67cc5c653466d289b009d4d5b50489046b305e472bf3f8c8e16a
Opcode Fuzzy Hash: 081036f3d903c9ed29e9b0cb0a8698664450cf4dfb3d26e9a99b1d81530a42d3
Instruction Fuzzy Hash: 5601F431B104208FDB60DA79E45972BB7D6DB89B10F20843CF54EC7350DE29ED128781

Function 06C36560 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41107917a4712ef6e30d2e400afba0162508670e5cbd9a5fc09433ce65ecb9b
Instruction ID: c2b1c4027a99ccd9052e1f8648e1febca623795b993172d4770b0f40ed0feae3
Opcode Fuzzy Hash: f41107917a4712ef6e30d2e400afba0162508670e5cbd9a5fc09433ce65ecb9b
Instruction Fuzzy Hash: 6EE09AB1B05118ABCBA0CEA48A8474E77EAEB45204F2088B9D809DB206F132EB128740

Function 06C36570 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction ID: cb059ecc5469a492913e8f40a4c84bbccecd7537724f7aec99010c8ecfbec094
Opcode Fuzzy Hash: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
Instruction Fuzzy Hash: DAE01271F10218BBDF90DEB5C94575EB7EDE706214F2088B9D409DB206E576DB029780

Non-executed Functions

Function 06C37788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C37C5E
$]q, xrefs: 06C37D1F
$]q, xrefs: 06C378A1
$]q, xrefs: 06C378D2
$]q, xrefs: 06C37D13
$]q, xrefs: 06C37CFD
$]q, xrefs: 06C37C6A
$]q, xrefs: 06C378DE
$]q, xrefs: 06C37D09
$]q, xrefs: 06C378AD

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 36912d31d04ee0e3dade746ac687089ecd40940840f7045fbe7f0787e4c57d1f
Instruction ID: 32e564be4479f8c697b440a9b47a6246c59ee393a2d3da02d99135279685b591
Opcode Fuzzy Hash: 36912d31d04ee0e3dade746ac687089ecd40940840f7045fbe7f0787e4c57d1f
Instruction Fuzzy Hash: 34122E70E00229CFDB64DF69C894AADB7F2BF89704F208569D409AB354DB349D81CF95

Function 06C3AA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C3ABCA
$]q, xrefs: 06C3ABD6
$]q, xrefs: 06C3AB75
$]q, xrefs: 06C3AB69
$]q, xrefs: 06C3AB94
$]q, xrefs: 06C3AB0E
$]q, xrefs: 06C3ABA0
$]q, xrefs: 06C3AB1A

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 5ad6a949e26b6dad5bef762f05a9b4ce5d385879770d96a0659365e33d180c4f
Instruction ID: d7ddd9b699046e18f88b5628a2024a9755503aabca83032a251c3eb4ea05e28d
Opcode Fuzzy Hash: 5ad6a949e26b6dad5bef762f05a9b4ce5d385879770d96a0659365e33d180c4f
Instruction Fuzzy Hash: 7F919530A10219DFDB68DFA9D594B6E77F2FF44704F10852DE881AB290CB799D51CB90

Function 06C37188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C37690
$]q, xrefs: 06C37624
$]q, xrefs: 06C374C4
$]q, xrefs: 06C3746A
.5uq, xrefs: 06C371E3
$]q, xrefs: 06C374D0
$]q, xrefs: 06C3769C

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 58875e70cb97698585b06c1905e855e78c2001c92d28e6620c008c7e00d73f6b
Instruction ID: b734d32c2361e2cb26026f8bd9a470ff6145cca90def92d455d6167fc4af9446
Opcode Fuzzy Hash: 58875e70cb97698585b06c1905e855e78c2001c92d28e6620c008c7e00d73f6b
Instruction Fuzzy Hash: 76F16470B10215CFDB59EF69C594A6EB7B2FF84700F208568D405AB394DB39EC82CB94

Function 06C384C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C3878B
$]q, xrefs: 06C38726
$]q, xrefs: 06C3877F
$]q, xrefs: 06C3871A

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 83359a76adc732c828b97ea6d51bae0b27d6f3096208022a51ac5fa5263b0a77
Instruction ID: ddd2d2fa229ef8d7ce1c6ac069ec5daf12b52bc44690ad1ac7ddf2b83b87eac6
Opcode Fuzzy Hash: 83359a76adc732c828b97ea6d51bae0b27d6f3096208022a51ac5fa5263b0a77
Instruction Fuzzy Hash: 79B12C30E11219CFDB54EFA9C494A6EB7B2FF84304F248529E4069B395DB75DD82CB81

Function 06C388D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C38957
$]q, xrefs: 06C38963
LR]q, xrefs: 06C38A1A
LR]q, xrefs: 06C389CB

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: a992d6f779e844efb2b794f3e2befb8072a06d220a4498e483d4cfac26e990e0
Instruction ID: 1fa4379481c4051b463807bcb28e42578f3f57b62dc291fccb0204884d9b58da
Opcode Fuzzy Hash: a992d6f779e844efb2b794f3e2befb8072a06d220a4498e483d4cfac26e990e0
Instruction Fuzzy Hash: 1451C130B113129FDB58EF29C880A6A77E2FF88700F14896DF406AB395DA35ED41CB91

Function 06C3ADA2 Relevance: 5.2, Strings: 4, Instructions: 158COMMON

Download Yara Rule

Strings

$]q, xrefs: 06C3AED1
$]q, xrefs: 06C3AF24
$]q, xrefs: 06C3AF7C
$]q, xrefs: 06C3AF53

Memory Dump Source

Source File: 00000007.00000002.2267513480.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c30000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 6869b1359007fafca9ee3af8b22f3768cc5937a380ea0c8b54fb00f468ee3527
Instruction ID: 8c47b7d24aabe45982424f87d65440fbaf502197974e2b5252685a1a06b13aea
Opcode Fuzzy Hash: 6869b1359007fafca9ee3af8b22f3768cc5937a380ea0c8b54fb00f468ee3527
Instruction Fuzzy Hash: 1D519274E102158FDF65DFA9D580A6EB3B2EF88300F208929E446EB350DB35DD61CB81

Analysis Process: newapp.exePID: 7856, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	56
Total number of Limit Nodes:	3

Executed Functions

Function 074DE17C Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074DE3BE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6f5b93ec62e958d48735ccfded22b8b11c943eb85153a860d791658395c395fc
Instruction ID: 8edff42fee799c495ec9eff4e41f268296c8b803e7dabf8a78ae4e94aa8bc7bb
Opcode Fuzzy Hash: 6f5b93ec62e958d48735ccfded22b8b11c943eb85153a860d791658395c395fc
Instruction Fuzzy Hash: DDA161B1D0022ACFDB20CF68C9557EEBBB1FF48314F14856AD859A7240DB749985CF92

Function 074DE188 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074DE3BE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4443f2b43868653785d86d3d56e79474adccdc949f0efdf883d99ec43c89fe20
Instruction ID: 935b01458c5f9bc0351d9a9dd8e17157856ee33a5cc3d2c92f417a87686634f4
Opcode Fuzzy Hash: 4443f2b43868653785d86d3d56e79474adccdc949f0efdf883d99ec43c89fe20
Instruction Fuzzy Hash: 1B9160B1D0022ACFDB20CF68C9547EEBBB2FF48314F14856AD849A7240DB749985CF92

Function 0187AF19 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0187B17E

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 16a5bb12e7bd464d4d957557859dc6494f456968bf7741bb6b418b31508a96ef
Instruction ID: 50ca0e069403050b803238f79e913956801ba70f12019c171d0bdfa0b02be6bb
Opcode Fuzzy Hash: 16a5bb12e7bd464d4d957557859dc6494f456968bf7741bb6b418b31508a96ef
Instruction Fuzzy Hash: C1817770A00B458FD729DF29D04479ABBF2FF88314F04892DE58AD7A50DB35EA45CBA1

Function 0187590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018759C9

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5a7e49baf35a32eceb68c2feb92c146cca3bfac5de82a2d47116371d38d7485b
Instruction ID: 68469b6bf9381a689fe44807498eb5fe41fa060102927c42f4c5a976072fe59d
Opcode Fuzzy Hash: 5a7e49baf35a32eceb68c2feb92c146cca3bfac5de82a2d47116371d38d7485b
Instruction Fuzzy Hash: BE41C1B1D00719CBDB24DFA9C884BDDBBB5BF49314F20806AD408AB251DB75AA46CF91

Function 0187449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018759C9

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 40b69d7779325c131b77ab32e555b35531ccf972a974b1fe1bb73aa2a073966a
Instruction ID: 3795817cab8dab9e1317eb4e2a99e4a31fc054d45a158db0b0b8428256204b56
Opcode Fuzzy Hash: 40b69d7779325c131b77ab32e555b35531ccf972a974b1fe1bb73aa2a073966a
Instruction Fuzzy Hash: 9541C0B0C0071DCBDB24DFA9C884BDDBBB5BF49314F20806AD408AB251DB75AA46CF91

Function 074DDAF8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074DDB90

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8ce9fe8828060f9aaa8d7211e7f09d8c62caeb7b958f4a07d6da39e61a21aa9b
Instruction ID: 51b1036b99034987e12ea10b32e1c40a39581fa67f7905069e5641eba075bfb5
Opcode Fuzzy Hash: 8ce9fe8828060f9aaa8d7211e7f09d8c62caeb7b958f4a07d6da39e61a21aa9b
Instruction Fuzzy Hash: 6B2159B5D003099FDB10DFA9C845BEEBBF5FB88310F10842AE559A7240C7749941CBA1

Function 074DD528 Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074DD5AE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: be6c9f2242006d191209c6e8f62993363cde47455ec333908e5cbc9b67e9222f
Instruction ID: 0c62879da8699e40866c4d1c25c067487e9730f59049d6c0a40f09bee45e8053
Opcode Fuzzy Hash: be6c9f2242006d191209c6e8f62993363cde47455ec333908e5cbc9b67e9222f
Instruction Fuzzy Hash: 452168B5D002099FDB10CFAAC8457EEBBF4AF89214F10842AD459A7241D73899458FA1

Function 083B5D50 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 083B5DEF

Memory Dump Source

Source File: 00000009.00000002.2292328948.00000000083B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83b0000_newapp.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c2fb287dc54532350163dc0a616c638729372fcc94cbc527f5f2bc660095d718
Instruction ID: 59d4d9a775c77ab75665bf4b494a359288d51774435b99f40c2f98e7e7ee0be6
Opcode Fuzzy Hash: c2fb287dc54532350163dc0a616c638729372fcc94cbc527f5f2bc660095d718
Instruction Fuzzy Hash: F231D1B5D002499FDB10CF9AD884ADEBBF5FB88310F14842EE919A7610D374A944CFA1

Function 0187D808 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0187D7D6,?,?,?,?,?), ref: 0187D897

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf1811b497d1e2a74d31aed0f266d547ea93a5779acd786c10e48cf6ad4537b2
Instruction ID: abd069794894dd4227a3f98da5416a6e0906735fbde262dc381bf11fa39f6b3d
Opcode Fuzzy Hash: cf1811b497d1e2a74d31aed0f266d547ea93a5779acd786c10e48cf6ad4537b2
Instruction Fuzzy Hash: E92155B5C002499FDB10CFAAD884ADEBFF4EF49320F14851AE958E7250C378A945CFA1

Function 083B5D58 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 083B5DEF

Memory Dump Source

Source File: 00000009.00000002.2292328948.00000000083B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_83b0000_newapp.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d5dd3f6b6490870c5343520140d4f520bca280ca383c18c8e6e132f885705562
Instruction ID: 2e65ca5a41260fd19e5390b747b97fb021786150eb5fe05ce3d6930ff3bcd299
Opcode Fuzzy Hash: d5dd3f6b6490870c5343520140d4f520bca280ca383c18c8e6e132f885705562
Instruction Fuzzy Hash: 8821AEB5D003499FDB10CF9AD884ADEBBF5AB88320F14842EE919A7610D775A944CFA1

Function 074DDB00 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074DDB90

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2e6feafdd99ce6d280bab0016fdd76f56e327d1ce34d3ae760c860294700f857
Instruction ID: 37b70ecc9119a185655eff6bebb2812887c385ca096dcb0c21606089fd75479a
Opcode Fuzzy Hash: 2e6feafdd99ce6d280bab0016fdd76f56e327d1ce34d3ae760c860294700f857
Instruction Fuzzy Hash: 032144B5D003499FCB10CFA9C885BEEBBF4FF88314F10842AE959A7240C7789940CBA1

Function 074DDBE8 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074DDC70

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8a4548168f9fc9d804e5dd77fac9e49f1a8275fbbbc382cf3f9fca3762119fbd
Instruction ID: 1e5996949b809239ee5ff9d38f77e53dd2323834b74386d5d44f57066e2e81a3
Opcode Fuzzy Hash: 8a4548168f9fc9d804e5dd77fac9e49f1a8275fbbbc382cf3f9fca3762119fbd
Instruction Fuzzy Hash: 0F214AB5D003499FDB10CFAAD885ADEFBF4FF88320F50842AE519A7240C7749941DBA1

Function 0187BCA0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0187D7D6,?,?,?,?,?), ref: 0187D897

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bed69ed5fae7bc43c86ec508e002b87e530ee0d413e046534bcdb365c59cf0ee
Instruction ID: cbe047b47c14d6ecd4a860a8d2b5fa85a1e7be21cef8c4f969fbf3fef8c8bed1
Opcode Fuzzy Hash: bed69ed5fae7bc43c86ec508e002b87e530ee0d413e046534bcdb365c59cf0ee
Instruction Fuzzy Hash: 802103B5D002489FDB10CF9AD884AEEBFF8EB48310F14842AE918A3310D374A954CFA1

Function 074DD530 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074DD5AE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ac9c75df86450890e0dda20060bee1434b80d9f267ed262f38b8e71291971a28
Instruction ID: 2b15d349ad711b41f4bd438fc96a738c221db1389a361a924f8c506b443afb37
Opcode Fuzzy Hash: ac9c75df86450890e0dda20060bee1434b80d9f267ed262f38b8e71291971a28
Instruction Fuzzy Hash: FE2138B1D003098FDB10DFAAC4857EEBBF4EF88314F10842AD459A7240DB78A945CFA1

Function 074DDBF0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074DDC70

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 545f31a64e96ceb35018afed527f0fa94435b48f05a5c3aff514afda8433e26f
Instruction ID: f8d9f996b5fbce85983f93142d3283c40fbb8160a0005a402606dac98923a8e0
Opcode Fuzzy Hash: 545f31a64e96ceb35018afed527f0fa94435b48f05a5c3aff514afda8433e26f
Instruction Fuzzy Hash: 682125B1D003499FDB10DFAAC885AEEFBF5FF88310F50842AE559A7240C7789941DBA1

Function 074DDA38 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074DDAAE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bbbd376947a78ae4f648a5dc140da392621615546a0855a50cbbeb30d04b9f49
Instruction ID: e242f9ae92e85d4a0d080bf57a80e8fd72e5e02033377f29f85fed79ac363054
Opcode Fuzzy Hash: bbbd376947a78ae4f648a5dc140da392621615546a0855a50cbbeb30d04b9f49
Instruction Fuzzy Hash: 22216AB6D002099FDB10DFA9D8446DEBFF5EF88320F14841AD519A7250CB359541CFA1

Function 074DD478 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074DD4E2

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 088a61f6cfca4655c0154ed028d2078914fc6a6adb2834af975d84584b1f87e0
Instruction ID: 4baa7878b17ba466369c536cc4546b6e8ef32e925b0c2b3a1065606a4832dbfd
Opcode Fuzzy Hash: 088a61f6cfca4655c0154ed028d2078914fc6a6adb2834af975d84584b1f87e0
Instruction Fuzzy Hash: 2D113AB5D002498BDB10DFAAC4457DEFBF4AB88214F24841AD559A7240CB356545CBA1

Function 074DDA40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074DDAAE

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a31165b12138b5451311509a9f00860e77f1c5c2c87181631956ba9567e68be9
Instruction ID: c261a553946119020ad859a17931469189699627bf2c7268c3afda844f51d88d
Opcode Fuzzy Hash: a31165b12138b5451311509a9f00860e77f1c5c2c87181631956ba9567e68be9
Instruction Fuzzy Hash: CF1156B5D002499FCB10DFAAC844ADFBFF5EF88320F20841AE519A7250CB75A941CFA1

Function 074DD480 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074DD4E2

Memory Dump Source

Source File: 00000009.00000002.2291285339.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74d0000_newapp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 09dd9bc657cd45d9218a269f96e2e31a7d0f35311f8491b88428d8697b0d9ab7
Instruction ID: 74efd148d366ed572ac470b8effddaa4b95ffa6ff0846266b55cc42b6896faec
Opcode Fuzzy Hash: 09dd9bc657cd45d9218a269f96e2e31a7d0f35311f8491b88428d8697b0d9ab7
Instruction Fuzzy Hash: 091128B5D002498FDB20DFAAC4457DEFBF4AB88324F20841AD419A7240CB75A945CFA1

Function 0187B118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0187B17E

Memory Dump Source

Source File: 00000009.00000002.2271302020.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1870000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c6fdd757f23fcb5687412c1b117610651b98d2049afd4d0fdf7c3188e148a0d5
Instruction ID: f463bfa1db6cd61eb1448e5749d3815d5c3b37746dc7f537763480d6137f2fb9
Opcode Fuzzy Hash: c6fdd757f23fcb5687412c1b117610651b98d2049afd4d0fdf7c3188e148a0d5
Instruction Fuzzy Hash: 0211F2B5C007498FDB20CF9AD848ADEFBF5EF88324F10842AD519A7210D379A645CFA1

Function 0181D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536bb0d28c9005cadf0246245b06be9ed67db09b66a20bcdb6c33a5aacd6975a
Instruction ID: cd599dd206b78a194ff780453d8d3a4233749d29b9431d34f9a05f3fa364680d
Opcode Fuzzy Hash: 536bb0d28c9005cadf0246245b06be9ed67db09b66a20bcdb6c33a5aacd6975a
Instruction Fuzzy Hash: EF2167B2500244DFDB05DF58D9C8B66BF69FB88318F24C66DE8098B24AC336D516CBB1

Function 0181D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6c5308b2ec49bf2f8776d41586c1a97a3e324751514338168e3ef448c51c93
Instruction ID: 6c2790cd7cbf709692fc08b5c43209c9da855ef2e2d00588b0ab43af542a95e0
Opcode Fuzzy Hash: 4f6c5308b2ec49bf2f8776d41586c1a97a3e324751514338168e3ef448c51c93
Instruction Fuzzy Hash: AC217FB2540204DFDB05DF44D5C4B56BF69FB84314F24C66DD9098F24AC336E516C7A1

Function 0182D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270957987.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_182d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8a07682a9101ea5f7d513e235f67d0fbe1c440ccb8e2fe35fbc8052f8d5a82
Instruction ID: 11ff0f462e646872e1f87acdc2d38b003037a567808b5c893e720f1d4c8cc660
Opcode Fuzzy Hash: bf8a07682a9101ea5f7d513e235f67d0fbe1c440ccb8e2fe35fbc8052f8d5a82
Instruction Fuzzy Hash: 562129B1504204EFDB06DF98D5C0B25BFA5FB85328F34C66DD9098B352C336E586CA61

Function 0182D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270957987.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_182d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a92600407c6cdcca340e9ab638c5d7165deb32da7ab55b7f4f49fad18331bee
Instruction ID: 7810268399f502637ca3536de55cfb7ed9547497cd5da85b7cf7c40fa7d781b0
Opcode Fuzzy Hash: 5a92600407c6cdcca340e9ab638c5d7165deb32da7ab55b7f4f49fad18331bee
Instruction Fuzzy Hash: 742145B1504244DFCB12CF58D4C0B16BF65EB84314F20C66DD80A8B2A2C33AC487CA61

Function 0181D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: ebed69312175b82a6d9ef1565c9b333f7487565d8a98cbec42bc05e838f99499
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 6C110372444240CFDB16CF44D5C4B56BF71FB84324F24C6A9D9094B65BC33AE55ACBA1

Function 0181D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: c6ff0aff53b79717923b9acaa64ef947b06aa3e5e43807464d055ee2b188aa3a
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: AB110372404280CFCB06CF54D5C4B56BF71FB84314F24C6A9E8494B65BC336D55ACBA1

Function 0182D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270957987.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_182d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 92fea14e1bb1a7e9c7221a90bfc85edc3703ad535e1afc804cb15b242d8e546a
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 9811DD75504280CFDB12CF58D5C4B15FFA2FB84314F24C6AAD8498B6A6C33AD54BCBA2

Function 0182D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270957987.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_182d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 0b692b8c606bf4ed97104e12a6b81b66d35e924b55cbecbda1a4324da13668f4
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: F611BB75904280DFDB02CF54D5C4B15BFA2FB85324F24C6A9D8498B696C33AE44ACB61

Function 0181D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345028085b36d3609f82ba45820dfb0a15ce0a3592434b2f1937dee4dc0a4fcf
Instruction ID: 4eb21c11087351a507e8e1abe8478614cced6501521a2b11c5cb6a8c83c2c092
Opcode Fuzzy Hash: 345028085b36d3609f82ba45820dfb0a15ce0a3592434b2f1937dee4dc0a4fcf
Instruction Fuzzy Hash: 29012B724043849AF7104FA9DDC8767FFACDF80324F18CE1AED098A18AC3389940C671

Function 0181D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2270311002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_181d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d084c6520b54fdad24b1ab1e650e2ecb8d4b8d9784d497ca56ec78d7390a
Instruction ID: 1a4df6c570437aa8c7f277095b4f45487ad7fb7506808c2c0aaba97007d98319
Opcode Fuzzy Hash: bf70d084c6520b54fdad24b1ab1e650e2ecb8d4b8d9784d497ca56ec78d7390a
Instruction Fuzzy Hash: 27F062724043849EF7118A19DDC8B66FFACEB81774F18CA5AED084A296C3799844CA71

Analysis Process: newapp.exePID: 7944, Parent PID: 7856COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	19

Executed Functions

Function 06A03570 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A03C6F
$]q, xrefs: 06A03CC8
$]q, xrefs: 06A03C98
$]q, xrefs: 06A03C7B
$]q, xrefs: 06A03CBC
$]q, xrefs: 06A03CA4

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 7126598b41e2aa386cad8cab9e6f11203d9378bff04ae509616e0808be3226d1
Instruction ID: e9f1172fe15acc8bdb9af5eb25986351f95e437f27296b3774d36c04495a1b9e
Opcode Fuzzy Hash: 7126598b41e2aa386cad8cab9e6f11203d9378bff04ae509616e0808be3226d1
Instruction Fuzzy Hash: 9B323231E1061ACFDB54EF75D89459DB7B2FFC9300F20CAA9D449AB254EB30A985CB90

Function 06A07E68 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A081CB
$]q, xrefs: 06A081D7

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 985dcb60ed816616d0ed1c0c618a9c3cf7134e26199fdbd4e670058ab350b526
Instruction ID: 94339e25dc84acdc4fba27d25a7719fe82b2b3fff5cf72cadcafe05ef16dc32c
Opcode Fuzzy Hash: 985dcb60ed816616d0ed1c0c618a9c3cf7134e26199fdbd4e670058ab350b526
Instruction Fuzzy Hash: F8028030B0021A9FEF54EB64E8906AEB7E2FF84314F248569D815DB394DB35EC46CB91

Function 06A066E0 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ab3d822edf6020233346e102d9ebd5b3f3c8e6a2b99af2f95a0db94f191026
Instruction ID: 5e0219dc2cd93766cc274df5c512e34bacbf9f956392aa1234d12253afa9165b
Opcode Fuzzy Hash: b8ab3d822edf6020233346e102d9ebd5b3f3c8e6a2b99af2f95a0db94f191026
Instruction Fuzzy Hash: B862A134B002058FEB64EB64E594AADB7F2FF84318F248469E406DB394DB35ED56CB90

Function 06A0C268 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de57c141dd17457d545dbc4cf6d404156c61d250e6b8f85aa60cbdb34887b831
Instruction ID: cb383723eb841e4c8065021c4f934409c0a1146d46d17f317de97b3033ed6c3f
Opcode Fuzzy Hash: de57c141dd17457d545dbc4cf6d404156c61d250e6b8f85aa60cbdb34887b831
Instruction Fuzzy Hash: AE329834B002099FEF54EB68E890B6DB7B2FB88320F218525E506EB395DB35DC45CB91

Function 06A056B0 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a6a8f267b90fcb52a1288fc70efdb3dd5b37f243ac4165b9213f05b970ea2a
Instruction ID: 23f2238f0f1119b712bea239d9cadc48ee97af9210680c05402639dcfe3acce2
Opcode Fuzzy Hash: 36a6a8f267b90fcb52a1288fc70efdb3dd5b37f243ac4165b9213f05b970ea2a
Instruction Fuzzy Hash: 9A22D275F002158FEF64EF64E9846AEB7B2EB84320F248466D9599F384DA34DC45CF90

Function 06A0B307 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a303f3f4034b1a7da2e660556a34d332148c676359fa807060bdc7e1482d17
Instruction ID: 59d712b4665dda84b00c954a8ba1047cf51fab90165949398e5fec4a29a97a4b
Opcode Fuzzy Hash: 37a303f3f4034b1a7da2e660556a34d332148c676359fa807060bdc7e1482d17
Instruction Fuzzy Hash: 5E225374E101098BEF64EB58E5907ADB7B2EB49310F248465E405EF3D5CB36DC81CBA1

Function 06A0ADB0 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A0AF30
$]q, xrefs: 06A0AF24
$]q, xrefs: 06A0AF88
$]q, xrefs: 06A0AF5F
$]q, xrefs: 06A0AF53
$]q, xrefs: 06A0AED1
$]q, xrefs: 06A0AF7C
$]q, xrefs: 06A0AEDD

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 2e5968b48868aade0dd3bd4f8de3d6c276ee4bfb9f1008838298c20c5a40f587
Instruction ID: cea7f9079faa9b0a488c0faeb1150ece96d17ce80ecdd1b83a618c3a6fbd458b
Opcode Fuzzy Hash: 2e5968b48868aade0dd3bd4f8de3d6c276ee4bfb9f1008838298c20c5a40f587
Instruction Fuzzy Hash: C5E17230E1030A8FDB65EB68E5906AEB7F2FF89304F208569D509DB385DB359846CB91

Function 06A0B730 Relevance: 8.0, Strings: 6, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A0BC8D
$]q, xrefs: 06A0BC81
$]q, xrefs: 06A0BCC1
$]q, xrefs: 06A0BCB5
$]q, xrefs: 06A0BCE9
$]q, xrefs: 06A0BCF5

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: c58040b9b97a162077670adcc67b40c805cbbaa37ac2ad2b8563db34e3b0cb43
Instruction ID: 3a2a7eed57dd73909be99b5980c2370b98d7a659baa8def95244857102aadaf1
Opcode Fuzzy Hash: c58040b9b97a162077670adcc67b40c805cbbaa37ac2ad2b8563db34e3b0cb43
Instruction Fuzzy Hash: 4D026030E1010A8FEFA4EF68E6806ADB7B1EF45314F248566D405DF295DB36DC85CBA1

Function 069E9E31 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069E9EBE
GetCurrentThread.KERNEL32 ref: 069E9EFB
GetCurrentProcess.KERNEL32 ref: 069E9F38
GetCurrentThreadId.KERNEL32 ref: 069E9F91

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5f7a938f309a94e2429df2cfe1d3c4be91294eda519e1db15ead7c1f951c92ba
Instruction ID: 9c05ccfa288920c52db4805369d4cb1d1cd504c4878d2fe3cc5134249c7e1ac0
Opcode Fuzzy Hash: 5f7a938f309a94e2429df2cfe1d3c4be91294eda519e1db15ead7c1f951c92ba
Instruction Fuzzy Hash: 105187B0D103499FDB55CFAAD848B9EBFF5AF48304F20885DE109A7760C7345844CB62

Function 069E9E40 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069E9EBE
GetCurrentThread.KERNEL32 ref: 069E9EFB
GetCurrentProcess.KERNEL32 ref: 069E9F38
GetCurrentThreadId.KERNEL32 ref: 069E9F91

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 55ab5b40be505636e8dc408fa6ff6775a9245a1df50cb1d98266f2315bba7faf
Instruction ID: 2680be971b81734da689608df8bce95c5681d3d22e92cdc8ab7ef1d9ceeb1bb8
Opcode Fuzzy Hash: 55ab5b40be505636e8dc408fa6ff6775a9245a1df50cb1d98266f2315bba7faf
Instruction Fuzzy Hash: 4A5164B0D103098FDB54DFAAD848B9EBBF5FF88314F208459E10AA77A0D7389944CB65

Function 06A09238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A0927F
$]q, xrefs: 06A092C6
$]q, xrefs: 06A0928B
$]q, xrefs: 06A092BA

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 73f2461a90a388026e56ba1ce89ed07d8a331ee8c56b913a8de81b09728fb4f1
Instruction ID: 8334f22358d40886a5c44c13ade4e26cf601183a2ab39006837cdfdb9e462e83
Opcode Fuzzy Hash: 73f2461a90a388026e56ba1ce89ed07d8a331ee8c56b913a8de81b09728fb4f1
Instruction Fuzzy Hash: 97914270B0020A9FDB54EF65D9607AFB7F2BB88704F108469D41DEB385EB309D468B92

Function 06A0D038 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A0D42F
$]q, xrefs: 06A0D443
$]q, xrefs: 06A0D437

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 951b321354e0a2257043fdf9b29d73b84ccd976a7eaef035b47326ede4df4924
Instruction ID: 9a0cf4e0849c6fe496fce34ec0042b6f3f7cb8006320fac55330caba41840ab6
Opcode Fuzzy Hash: 951b321354e0a2257043fdf9b29d73b84ccd976a7eaef035b47326ede4df4924
Instruction Fuzzy Hash: F8623030A0020A8FDB55EF68E590A5EB7E3FF84314B218968E4099F359DB75ED46CBC1

Function 06A04C78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Obq, xrefs: 06A04E53
XPbq, xrefs: 06A04DC9
fbq, xrefs: 06A04CA3

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 94efd96273f8bfce9b4b627f41e3b5962d39cced88fa77ab783f54fad70f1eef
Instruction ID: 6adff6176f320295528220f107ad47b8f5108cd222c390b2e6b7e7aafa7f0da9
Opcode Fuzzy Hash: 94efd96273f8bfce9b4b627f41e3b5962d39cced88fa77ab783f54fad70f1eef
Instruction Fuzzy Hash: 2E616130F00219DFEB64EFA4D8547AEBBF6FB88710F208429D105AB394DB754C458B51

Function 06A09228 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06A0927F
$]q, xrefs: 06A092BA

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 53c8de769156a7443ba82c73beebcee7ad9677e82b72329e258c461797af6a34
Instruction ID: b71c2af3261ec19178522abb622717eef18851be16f373ad9a832da6d899f902
Opcode Fuzzy Hash: 53c8de769156a7443ba82c73beebcee7ad9677e82b72329e258c461797af6a34
Instruction Fuzzy Hash: 9B516430B001099FEB54EB74E960BAFB7F2BB88744F108469D419DB385EA309C42CB92

Function 06A04C69 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06A04DC9
fbq, xrefs: 06A04CA3

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 447d25dc9091355e7de1b3148b5ca8f9fc8922921f68741ba25aac229c7f7200
Instruction ID: 8185d72f068c214d50020edfc9c50fce6319086ef773a663d2ae1cbe4f1dee89
Opcode Fuzzy Hash: 447d25dc9091355e7de1b3148b5ca8f9fc8922921f68741ba25aac229c7f7200
Instruction Fuzzy Hash: 75516270F102099FEB54DFA5C854BAEBBF6FF88710F208529D105AB395DB759C018B91

Function 02CDEE98 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4473150259.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2cd0000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040aaa399efd5bf38a3354d515756726a59270a8e1f789259d42d8311baa67fc
Instruction ID: 804b7d74daf9c6218f10c75c800044afcef293190f3a32f9fb704401ae6bc603
Opcode Fuzzy Hash: 040aaa399efd5bf38a3354d515756726a59270a8e1f789259d42d8311baa67fc
Instruction Fuzzy Hash: FB416472E043968FCB04DF79D8042EEBBF5AF89310F1485ABD404EB281DB389845CBA1

Function 069E648C Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069E65AA

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9da23dba8da45a54c198f8a19a86ab55f50bfa5e78f7eee956ead734809c722b
Instruction ID: 9ff89de3634cd84315bff1c7b1b7e8bd292e8bf021b5e9ab97143051577d58bf
Opcode Fuzzy Hash: 9da23dba8da45a54c198f8a19a86ab55f50bfa5e78f7eee956ead734809c722b
Instruction Fuzzy Hash: 8651DEB1D10309AFDB14CF9AD884ADEBBB5FF48310F24812AE419AB211D775A985CF91

Function 069E6498 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069E65AA

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 46d261f69e28c655b4215a107c0e04fe3ba63d29d30727d224e279d4d8d01337
Instruction ID: a98d9dbfd01fee2f393fe16336a701bb3295b5beb5123c8563c43101d4d43112
Opcode Fuzzy Hash: 46d261f69e28c655b4215a107c0e04fe3ba63d29d30727d224e279d4d8d01337
Instruction Fuzzy Hash: 0E41DEB1D10309DFDB14CF9AD884ADEBBB5BF88310F24812AE819AB210D775A845CF90

Function 069E9E0C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069EB3D9

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b39b3e38825197c865dff68a48091fc1107656aa1a13d4b30450a899fdac87e9
Instruction ID: 3b3c71c2825225f22c99875fffee36595945220d7a30d032dc425cb6bd4cc5c3
Opcode Fuzzy Hash: b39b3e38825197c865dff68a48091fc1107656aa1a13d4b30450a899fdac87e9
Instruction Fuzzy Hash: 15415AB4A00309CFDB54CF99C988AAEBBF5FB88314F248859D519A7725D374A841CBA0

Function 069EBC5C Relevance: 1.6, APIs: 1, Instructions: 77comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069EBCF0

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 89c122b343aa16d71dc01d4233225b8dc190d940f1425442af69b4f445e3745f
Instruction ID: f8916e60cadc07d3c60fd126368421c5cdb6d48e747a96e00beb588beee71912
Opcode Fuzzy Hash: 89c122b343aa16d71dc01d4233225b8dc190d940f1425442af69b4f445e3745f
Instruction Fuzzy Hash: 783103B4D01248DFDB20CF99C984BCEBBF5AB48314F24802AE505AB294DB746985CB65

Function 069EBC68 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069EBCF0

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: bd7ed48b090d84b8bb931ec17c1a6a4f4214462ac9ad8d97b7ecf8baa98a20b1
Instruction ID: 9878bdeb05a51aab1ad53edcff116bc9dfd9b025a77240398bb724bb85c13197
Opcode Fuzzy Hash: bd7ed48b090d84b8bb931ec17c1a6a4f4214462ac9ad8d97b7ecf8baa98a20b1
Instruction Fuzzy Hash: 073102B4E01248DFDB14CF99C984BCEBBF5EF48314F20801AE505AB294D774A985CF55

Function 069EA080 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069EA10F

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 83a11b7755999996527f1646ef29fd178065f67ba22d828ef854a9aba02f68b3
Instruction ID: bed54f042ff1ddb90a76c7a13ad5e20aa88c48570f4a3676ec4c1235dcb50315
Opcode Fuzzy Hash: 83a11b7755999996527f1646ef29fd178065f67ba22d828ef854a9aba02f68b3
Instruction Fuzzy Hash: AF21E5B5D002499FDB10CFAAD884ADEFFF8EB48310F14801AE914A3250D378A954CF61

Function 069EA088 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069EA10F

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a1c3a1422e84516a637c598963ae9a7a9fdf6b7697c6d12c5d15e2278af2594
Instruction ID: d5f3e5f2178da6bb126f2719928d430283944cf234480b6ce221279bc4d0e149
Opcode Fuzzy Hash: 5a1c3a1422e84516a637c598963ae9a7a9fdf6b7697c6d12c5d15e2278af2594
Instruction Fuzzy Hash: 1421C4B5D002499FDB10CF9AD984ADEFFF8EB48310F14841AE918A3350D378A954CF65

Function 069EDA2B Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069EDAAB

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f2be19e400c382f6ee3bd3f4310a5d3cf1ff57f77ab9bcea36dd962ea4a456bb
Instruction ID: 0fcf5ca80797f4be1761944ae9f8a1a4a0606fd3724454bd7859e54159c5d128
Opcode Fuzzy Hash: f2be19e400c382f6ee3bd3f4310a5d3cf1ff57f77ab9bcea36dd962ea4a456bb
Instruction Fuzzy Hash: 7C2115B5D002099FCB54DF9AD844BDEFBF9EF88320F14841AE459A7250C774AA45CFA1

Function 069EDA30 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069EDAAB

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 492df8e1e2c4cab3e4dc5cfd519e240608c6ec2c88f06d0c6eada5acb0927f88
Instruction ID: df5ce9930a7a459843405086da3bca8d3526f997fa0d0c8898047a3dbac42e03
Opcode Fuzzy Hash: 492df8e1e2c4cab3e4dc5cfd519e240608c6ec2c88f06d0c6eada5acb0927f88
Instruction Fuzzy Hash: 8E2115B5D002099FCB14DF9AD844BDEFBF9EF88320F14841AD419A7250C774A944CFA1

Function 02CDEF80 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 02CDEFE7

Memory Dump Source

Source File: 0000000A.00000002.4473150259.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2cd0000_newapp.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0a2104b4e4e7635a25f9e03506419bfb18fb99a6f91533c9e512b463fac7e8e5
Instruction ID: dbfdf61d110a76a6b053db8a71b85437b9e1661d47c56c3924e0bfaf9d532349
Opcode Fuzzy Hash: 0a2104b4e4e7635a25f9e03506419bfb18fb99a6f91533c9e512b463fac7e8e5
Instruction Fuzzy Hash: 131123B1C0025A9BCB10DF9AD444BDEFBF4EF48320F11816AE818A7240D378A944CFA1

Function 069E53E8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069E5456

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ab579ee0a6362bd077008775641e9e0b46e552f40551bf2ce85ee1aca844f146
Instruction ID: 7bbec6d9f90816c353dacd16fac3a9877c463d07d2b195ce0f5ab5729b404441
Opcode Fuzzy Hash: ab579ee0a6362bd077008775641e9e0b46e552f40551bf2ce85ee1aca844f146
Instruction Fuzzy Hash: 101102B5D002498FCB10DF9AD844ADEFBF8EB89314F21852AD829B7610D379A545CFA1

Function 069E37C8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069E5456

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a15b4c3f8bc8227d83690d156c8c8a6036ab9e367fbc9d0a0019e817e6120e9a
Instruction ID: 00ad1cac0e98f24cb3930666d883d4ed67620b60a8f90a9361debbdd3197de07
Opcode Fuzzy Hash: a15b4c3f8bc8227d83690d156c8c8a6036ab9e367fbc9d0a0019e817e6120e9a
Instruction Fuzzy Hash: 841120B5C003498FCB10DF9AD844BDEFBF8EB88214F11841AD419B7610D375A945CFA1

Function 069EBB19 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069EBB75

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5cd5e26d3440b69adddbb28d3a708f18c06e3e613a2b96e70720b450a888dd91
Instruction ID: 4a0da85b424fefa304127a9f6439e19c78f53a6b5cfa7012b7d4f8322337a492
Opcode Fuzzy Hash: 5cd5e26d3440b69adddbb28d3a708f18c06e3e613a2b96e70720b450a888dd91
Instruction Fuzzy Hash: 72113AB5D003498FCB10DF9AD985BDEBFF8EB49310F148459D518A3640C375A544CFA5

Function 069EB650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,069EB62D), ref: 069EB6B7

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f49c5480431d04dc2325766df88d4998006377b0b1aa881fc25557dab0ad9507
Instruction ID: 58cdaa0b95cbf4f4e1807df3ce22092e04f96da097c1ce0120cb47371ab3c6bc
Opcode Fuzzy Hash: f49c5480431d04dc2325766df88d4998006377b0b1aa881fc25557dab0ad9507
Instruction Fuzzy Hash: 3D1100B5C002498FCB20DF9AD985BDEBFF8EB48720F20845AD519A3250C379A944CFA5

Function 069EAE3C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,069EB62D), ref: 069EB6B7

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 558f7ac7d46729a63e462230c3c5dca2d41d7249fcf9585c2b8a7d8a7be670ca
Instruction ID: fea0f4f2f841c9d4d4144aaf7a83626d80da8098f737ca7fc70cd01381f0057a
Opcode Fuzzy Hash: 558f7ac7d46729a63e462230c3c5dca2d41d7249fcf9585c2b8a7d8a7be670ca
Instruction Fuzzy Hash: 3D1130B1C00349CFCB20DF9AD988B9EBBF8EB48320F20841AD519A3740C374A944CFA5

Function 069EB074 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069EBB75

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8760e7baf0e40573e47d77b02e8a6d7180135be02818336146a637f8c8b9fcb7
Instruction ID: 8d6ee300d04facab57c9f60d5ec6c8a6841968b3445bdd49577c62f8b0db32a0
Opcode Fuzzy Hash: 8760e7baf0e40573e47d77b02e8a6d7180135be02818336146a637f8c8b9fcb7
Instruction Fuzzy Hash: 2E1145B1D00349CFCB20DF9AD588B9EBBF8EB48320F24841AD519A3750C378A944CFA5

Function 069E53CA Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 069E5456

Memory Dump Source

Source File: 0000000A.00000002.4493487142.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69e0000_newapp.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49eb41403beb1fba22340ddee303d1dbc7ce1a3a953545e36fe82014adb532f2
Instruction ID: 13093220e1d5a06d6d792d7514784636d1e82918a61dd48ef425bf45b8ef1f0a
Opcode Fuzzy Hash: 49eb41403beb1fba22340ddee303d1dbc7ce1a3a953545e36fe82014adb532f2
Instruction Fuzzy Hash: 0F0165F5D056088FCB10CF9AD4047CAFBF0AF89319F25859AC159AB252D336A456CFA1

Function 06A0DBAD Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06A0DD09

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: e8bd20be27e302716ed43255e1604d17f8f651ce7dd912edb0ee56b308f371ce
Instruction ID: e91d8f063ce3f475eae827fb5c7d6f83e8cbba8168e029bc6e53c167053940e8
Opcode Fuzzy Hash: e8bd20be27e302716ed43255e1604d17f8f651ce7dd912edb0ee56b308f371ce
Instruction Fuzzy Hash: 9C41B371E0060A9FEB65FFB5D45069EBBF2BF85300F244529E405DB284DB74E946CB81

Function 06A021C5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06A02313

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 76c6cc38976de14ef800b97f67c9831dd33fbeca8f79241509405bc7604f0fc7
Instruction ID: 2300e9df379f9646ea7362564fa3fab351a942ddd463c3b3a9ec4f511ee95794
Opcode Fuzzy Hash: 76c6cc38976de14ef800b97f67c9831dd33fbeca8f79241509405bc7604f0fc7
Instruction Fuzzy Hash: DA41D030B103018FEB59ABB4E45476EBBE2AB8D350F1044B8D406DB389DE35CD46CB91

Function 06A021D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06A02313

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 28f86ab5b535934a2cf863df8809b28be8cf49067145c5cd642748745d21478c
Instruction ID: 6c52beda1068d70ccd8cfe7bf5c2ff3bb35df5ecd4f00f191362b587f1465b9a
Opcode Fuzzy Hash: 28f86ab5b535934a2cf863df8809b28be8cf49067145c5cd642748745d21478c
Instruction Fuzzy Hash: 3D31B030B103068FEB59ABB4E45876E7AE2AB8D354F204478D406DB388DE35DE458B91

Function 06A04B61 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Obq, xrefs: 06A04B6D

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: \Obq
API String ID: 0-2878401908
Opcode ID: 7ca837a876b186971886b15acea028bc03e8b02a82260e1c0f0e61881936e9e0
Instruction ID: 1ac1bdaf1b659d595735ba768090b8f9691c73811ab1ee2fbc2bf977e2da0bfc
Opcode Fuzzy Hash: 7ca837a876b186971886b15acea028bc03e8b02a82260e1c0f0e61881936e9e0
Instruction Fuzzy Hash: C6F0DA30A54219DBDB14EF94E998BAEBBF2FF88711F204119E502A7294CBB01C41CBC0

Function 06A062E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada7f96d5979036d1ec1adc86d6e543f7c3e23d46b7f34768918117512b0199d
Instruction ID: 9d37f1c9e590f2a47b899f4eadd3f39de1a4f47fe2ae25ff231970078fdaf383
Opcode Fuzzy Hash: ada7f96d5979036d1ec1adc86d6e543f7c3e23d46b7f34768918117512b0199d
Instruction Fuzzy Hash: AC61B071F000224BDB54AB6AD88065FFAD7AFD8224B254479E80EDB364DE65ED0287D2

Function 06A043A8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12e1fb1b1d584cbd5194b227aec731142be468da4d633500a7f2598b873a7fa
Instruction ID: e23748cd3cc5586e46cc83ff004abc4452c33d698bca3b2116617b25ed11c3c7
Opcode Fuzzy Hash: d12e1fb1b1d584cbd5194b227aec731142be468da4d633500a7f2598b873a7fa
Instruction Fuzzy Hash: 20814030B0020A9FDB54EFA4D4546AEB7F3FB89304F218529D50AEB394EB35DC468B51

Function 06A046C8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b7a6d2c74d0a6d5f4e7bf1934d70144dc9352201837652f6f7dae8805bc8f2
Instruction ID: 94872117fc210db9aa674dcbaab2be3df19f1ffc58dc3bb32a23afcd4b43c8df
Opcode Fuzzy Hash: 25b7a6d2c74d0a6d5f4e7bf1934d70144dc9352201837652f6f7dae8805bc8f2
Instruction Fuzzy Hash: 0C914E30E1061ACFEF60DF64C890B9DB7B1FF89310F2085A9D549AB295DB70AA85CF51

Function 06A046E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0362bd935214051f97480b1f817e8c9eef2a721101a26960d2ef671ca19a7623
Instruction ID: a97d2a35bc63f466f6243e72ad6d94f8469b9227795ead1dd2d136e641d4af94
Opcode Fuzzy Hash: 0362bd935214051f97480b1f817e8c9eef2a721101a26960d2ef671ca19a7623
Instruction Fuzzy Hash: B9913D30E1061ACBEF64DF68C880B9DB7B1FF89314F208599D54DAB285DB70AA85CF51

Function 06A0F010 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7420c602a324e50a2b56319f5b8cc594619758d75a2ffde26ef9cfdfa5e7e32b
Instruction ID: fdd21531fc7d126df77e4f14f4e2cd06624eacbd1aecba7d27b1629db91457d3
Opcode Fuzzy Hash: 7420c602a324e50a2b56319f5b8cc594619758d75a2ffde26ef9cfdfa5e7e32b
Instruction Fuzzy Hash: FB715F70A002099FDB54EFA9D990A9DFBF6FF88300F258469E415EB394DB30E946CB50

Function 06A0F020 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d528adb63727824a5036177f3854e190b80e2e4649c08614456b73d3729d77b8
Instruction ID: 624c1386588f986fcd4ff9538a998c7b0a6b218f44ada391cfca544034fb2302
Opcode Fuzzy Hash: d528adb63727824a5036177f3854e190b80e2e4649c08614456b73d3729d77b8
Instruction Fuzzy Hash: 8F712D70A002099FDB54EFA9D990A9DFBF6FF88304F258469E815EB354DB30E946CB50

Function 06A0FCA0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b060cad978eec7c3ae888f686064d712cf9c803078a32002a97acd36161a82c
Instruction ID: e5ae08013cdd012db7adcec5ab633b9c3817a7bc791ab18b2211eb20a52383b6
Opcode Fuzzy Hash: 6b060cad978eec7c3ae888f686064d712cf9c803078a32002a97acd36161a82c
Instruction Fuzzy Hash: 5851F331E00109DFEB64BB78F4546ADBBB2FB85314F108879E90AEB284DB358C45CB81

Function 06A0FA50 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0e699bfbb609ea9095b0f922d94886cae7ae539a7025700094e058f466fd66
Instruction ID: e5bba14c4bdeb4dbc83f76956c4bf41f76cca770cd80788187a19753f8e3e039
Opcode Fuzzy Hash: aa0e699bfbb609ea9095b0f922d94886cae7ae539a7025700094e058f466fd66
Instruction Fuzzy Hash: EB51A574B201055FFF74676CE86472F365AD78D310F21452AE90ADB3D5CA68CC9287E2

Function 06A0FA60 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6689aef5242636d00cb468599b2b9c1b14b3c854e739af2147ad190d3372ae19
Instruction ID: 1adda7761a16770c7c59c2208044bae496bd3b1059cec555db3ff0ebe29e21a9
Opcode Fuzzy Hash: 6689aef5242636d00cb468599b2b9c1b14b3c854e739af2147ad190d3372ae19
Instruction Fuzzy Hash: 25518074B201059FFF74676CE864B2F365AD78D310F21442AE90ADB3D5CA68DC9287E2

Function 06A05522 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c9b3fbe786dd89b6071afa043e12212e8b745305470f9adc3d407efc57a26d
Instruction ID: 9b5e62221119f0089e60d5a56e0ffd1cde20b6fde2824747427c5585ce96773f
Opcode Fuzzy Hash: 58c9b3fbe786dd89b6071afa043e12212e8b745305470f9adc3d407efc57a26d
Instruction Fuzzy Hash: 8F418F75E006098FEF60DFA9E980AAFFBF2EB54310F14492AE115DB690D731E9458F90

Function 06A056A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba9120fb4205408f8640587f7a7ceb63fdf7225a9a525d28139aa3c963fd7ab
Instruction ID: 888a6f87fa1a301e1541aeb2a49ed442b87f789879be9dd8fb20109ad91bba11
Opcode Fuzzy Hash: eba9120fb4205408f8640587f7a7ceb63fdf7225a9a525d28139aa3c963fd7ab
Instruction Fuzzy Hash: 6E31B271E102058FEF60AFA9D6806AEBBA1FB45320F258866D859DF285C234DD41DF91

Function 06A02088 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fccedd4cd1d33d1d64d64297c5c42606a53fa44b569a8f49c9dad9461db8572f
Instruction ID: f4546007235ed908b15872fc1f93ec8445c57235b5a0fe3f30b18c5894722f90
Opcode Fuzzy Hash: fccedd4cd1d33d1d64d64297c5c42606a53fa44b569a8f49c9dad9461db8572f
Instruction Fuzzy Hash: 7731C030E003069FDB55DF64E8A869EFBB2AF89300F10C529E916EB390DB719946CB50

Function 06A0DA61 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65707dcb5db90c9bfb5097c70743f6d0bbd3250316ec50ecdf7c3bfd5bdc068
Instruction ID: 7ea2dfce8eddd37bdba3d6031e61bc038a002056a091cda3a107cd558095f365
Opcode Fuzzy Hash: d65707dcb5db90c9bfb5097c70743f6d0bbd3250316ec50ecdf7c3bfd5bdc068
Instruction Fuzzy Hash: 1A31A731E1070A9BDB65EFA5D49068EBBB2FF85314F208929E405EB244DB74A9468B81

Function 06A02098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4b515f89de3c608370246ee88ba6be3785a1100f218c1279c10cac425aa7fd
Instruction ID: c461e5cdb8bbbffac24fd27073b354a451cd993ec663104a19c98f014009a84f
Opcode Fuzzy Hash: 5c4b515f89de3c608370246ee88ba6be3785a1100f218c1279c10cac425aa7fd
Instruction Fuzzy Hash: 42316130E0060A9FDB55DF64E85869EB7B2AF89300F10C529E916EB344DB75AD46CB50

Function 06A03FB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee05673b001b18356240a7d9615cc5e54e24883f3ebfdda93306e253e268e80
Instruction ID: c41f71888d57ae3f409b032967aab92053057b31565e7a3ac5a6224a75af4cce
Opcode Fuzzy Hash: dee05673b001b18356240a7d9615cc5e54e24883f3ebfdda93306e253e268e80
Instruction Fuzzy Hash: FA219F71F01209AFDB10DF78EC90AAEBBF5EB48714F148029E909EB394D735D8018B91

Function 06A03FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155bd8f4da219c825f7e8640152a846e28cddd172b3e54f9e82c173a3d7745f7
Instruction ID: 312f337b37efbeb2539593ed27385a06c6a14406110d7d6ec9295f113c298213
Opcode Fuzzy Hash: 155bd8f4da219c825f7e8640152a846e28cddd172b3e54f9e82c173a3d7745f7
Instruction Fuzzy Hash: 72216075F002199FEB50EF69E890AAEB7F5FB48714F108029E909EB394E735D901CB91

Function 06A0A3EA Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a951bb9a0d8af00c97710d7afe87c29f884e4f374b92bb903c9a170ee050772
Instruction ID: 8e314e07e0f05411ea3b830a5eb483f8a8124080322e34938011a202c9741633
Opcode Fuzzy Hash: 2a951bb9a0d8af00c97710d7afe87c29f884e4f374b92bb903c9a170ee050772
Instruction Fuzzy Hash: 00210D34B002159FE751EB74F55469EF7F2DB89310B108466E50AD7282DA31DD06C791

Function 0112D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4470524278.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12595ecdc8bae7a19330704e9fb19df44fda6a6e198c0c1c0c91148a596173c1
Instruction ID: d60598172f87ede453d2e95547e84bd99b93db492bf0a4dc4e991d17c0a55829
Opcode Fuzzy Hash: 12595ecdc8bae7a19330704e9fb19df44fda6a6e198c0c1c0c91148a596173c1
Instruction Fuzzy Hash: CC2125B1504200DFDF19DF58E9C0B26BBA5FB84314F24C56DD9094B266C33AD427CA66

Function 06A03560 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95be01bafe80a870d298206566cddae23841f20273fbd248dde9c38cf961c96c
Instruction ID: f90fd7604dfc32a17afcd3505e2fda0760c2f869e21f47bc17a941ef907408c7
Opcode Fuzzy Hash: 95be01bafe80a870d298206566cddae23841f20273fbd248dde9c38cf961c96c
Instruction Fuzzy Hash: 0F210870E002165FDF64AF78D8405DEBBF1EB85310F1045A9D01AEB380DA31DA41CB91

Function 06A06E00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2594c870e52156bd4044fec754f4bb8d6caf22e39765d8164a699b606f724b
Instruction ID: bc3ceafdcd67e9e3c6f9cf68b0fcb6e37056510e00b33a468b6723758007040b
Opcode Fuzzy Hash: 0a2594c870e52156bd4044fec754f4bb8d6caf22e39765d8164a699b606f724b
Instruction Fuzzy Hash: 6521A230F102199FEF44EB69F86069EB7B7EB85314F248425E409EB384DB31ED568B94

Function 06A04308 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f5bbea0df30aee832d456850d60b88bccc6be392d1c150dfb91a2d2e542c77
Instruction ID: 3829c272602917438635fd37001e363ac1c677d113f488cc016f26ef8e9bdaa8
Opcode Fuzzy Hash: 81f5bbea0df30aee832d456850d60b88bccc6be392d1c150dfb91a2d2e542c77
Instruction Fuzzy Hash: 72119C31B042124BEB61A63CA81075FFBC6EBCE721F21542AE399CB3C5DA11CC024393

Function 06A040D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405e65cbbf32d0e1209ca3ee3910dae052ceeefe5c570a4b716fa386827abe8e
Instruction ID: 40c02c43c307af52b54020eb5930d53d31100b630216b5baf89f55a13cf64e9e
Opcode Fuzzy Hash: 405e65cbbf32d0e1209ca3ee3910dae052ceeefe5c570a4b716fa386827abe8e
Instruction Fuzzy Hash: F9118231B001199FEB54EA68DC146AF72FAFBC8310B008139C60AEB384DE65DC0287D1

Function 06A0F28F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00513daa697345812293a52e82e2c391879be651e400e5af67e8a26b74b2bb55
Instruction ID: 267cf777aa565285e4491cc6bcca0040d5cfad773a621bc3345e9b36486413f7
Opcode Fuzzy Hash: 00513daa697345812293a52e82e2c391879be651e400e5af67e8a26b74b2bb55
Instruction Fuzzy Hash: F7012431B101120FDB31A67CA85076FBBDBDBCA320F10886AF90EDB381DA14CD424392

Function 06A040BF Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a5e79fc6c0a4e6189c8067b26b460adba762a53a8b8acb60c312a9ac18e1a0
Instruction ID: 39b6a5136cd505996c02ae53d84d01f53ebc4c7a33fd152468b10a095a5f8a87
Opcode Fuzzy Hash: 51a5e79fc6c0a4e6189c8067b26b460adba762a53a8b8acb60c312a9ac18e1a0
Instruction Fuzzy Hash: 1E01B931B091159BEF55EA68DC106EF76EBEBC9310F014039D549E7284DF66880647D2

Function 06A0315C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1336b737af87d34be9c76cc5c6c1f58a6afeb6c5b3224b91e71c07f5b39c4024
Instruction ID: 9169889814aea99cd5b4f76d48666301cb046d20f092fefc7413a945cdb0c991
Opcode Fuzzy Hash: 1336b737af87d34be9c76cc5c6c1f58a6afeb6c5b3224b91e71c07f5b39c4024
Instruction Fuzzy Hash: 8C21C3B5D01259AFDB00DF9AD884A9EFFF4FB49310F10812AE518A7241D374A954CBA5

Function 06A03D88 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a9cd2c4adb595ac399c9d693396496119cb7973d4b5b075cf36b01695d060d
Instruction ID: 7daf95761a13d3421627deb0217d440e7bf39e6690658c4ccfc0db5ed5f9c96a
Opcode Fuzzy Hash: 13a9cd2c4adb595ac399c9d693396496119cb7973d4b5b075cf36b01695d060d
Instruction Fuzzy Hash: BA2106B1D002599FCB00DF9AD884ACEFFF4FB49310F10811AE918A7240C378A954CFA5

Function 0112D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4470524278.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_112d000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 9180fbc8ef242bc15a2ae82d3a95bb915f3e4e3cf282a72cd21675b870eb0f6e
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: E211DD75504280CFDB16CF58E5C4B15FFB1FB84314F28C6AAD8494B666C33AD45ACB62

Function 06A04318 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abf1782b9aa0c796e35dc926126f368b0335d1ed187810b77124a0b2ade12cd
Instruction ID: 1f5397bca4996299e7cc9e23ebfdf6a97b464743cd6fe76ba57d0d10d6a33900
Opcode Fuzzy Hash: 2abf1782b9aa0c796e35dc926126f368b0335d1ed187810b77124a0b2ade12cd
Instruction Fuzzy Hash: 75016231B001124BEB65A66DA41471FF7DBEBCDB24F20883AE60ECB388DD65DC024392

Function 06A0F2A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e168e138fd9e599a339d0d06075ff92678dc078c47ae16de7bb7de3677ad7905
Instruction ID: 19ca3a102c567e693eb8a4e8897fd32f76ce620b61a39de178d2b6a73479d013
Opcode Fuzzy Hash: e168e138fd9e599a339d0d06075ff92678dc078c47ae16de7bb7de3677ad7905
Instruction Fuzzy Hash: 22018135B105120FEB75A67DA45472FB6D6DBC9720F208839E90EDB384DA25DD024386

Function 06A0A3F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b1c727298b5aa1f743755f9458c1b1e4d72af9e37b020bde2a6aa3bb189e72
Instruction ID: 2c038c4c3144b14e630874f7a81ba5609b2e100af909e5a8acdc323065a0c771
Opcode Fuzzy Hash: e2b1c727298b5aa1f743755f9458c1b1e4d72af9e37b020bde2a6aa3bb189e72
Instruction Fuzzy Hash: CB018134B001155FEB60EA38F46871AB7D6DB89714F208439E60ECB395DE26DD068791

Function 06A0C8C8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664219308e01b28cbc11a4d7b651c169754b3b258351dd0c4d22400f6f875c76
Instruction ID: afe4c49b236db9457fa086505783e16f41fd28fdbad90cbd16e85545fff037a7
Opcode Fuzzy Hash: 664219308e01b28cbc11a4d7b651c169754b3b258351dd0c4d22400f6f875c76
Instruction Fuzzy Hash: C901CD31F102295FDB54EB79F85069EB776F785364F104539E906EB384DB31980587D0

Function 06A06560 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3d6d579ff7d6e8e1846f83aa56bf853d95ed21aecaf08fa60491010f708fbe
Instruction ID: 0f0823c055793fc22214983dd8ec0af73cf6a640c98a0629c50a26a784c5fe72
Opcode Fuzzy Hash: 8a3d6d579ff7d6e8e1846f83aa56bf853d95ed21aecaf08fa60491010f708fbe
Instruction Fuzzy Hash: A8E09BB59091055FEB50EF60DDC475E7B99DB05318F2048A5D405CF182E177DA518751

Non-executed Functions

Function 06A07788 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06A078DE
$]q, xrefs: 06A07CFD
$]q, xrefs: 06A07D13
$]q, xrefs: 06A078A1
$]q, xrefs: 06A078AD
$]q, xrefs: 06A07C6A
$]q, xrefs: 06A07C5E
$]q, xrefs: 06A07D1F
$]q, xrefs: 06A07D09
$]q, xrefs: 06A078D2

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 027f0ab1ced4c99910e2cf26b9f90caa3fb94b959da75a88260dd438060d1d91
Instruction ID: 6592c3e1383c025006e0869daca90cc7b5d199b5a408521d786ec36415c6e80f
Opcode Fuzzy Hash: 027f0ab1ced4c99910e2cf26b9f90caa3fb94b959da75a88260dd438060d1d91
Instruction Fuzzy Hash: 3B120F30E012198FEB64EF69D8946ADB7F2BF89304F208569D409AB354DB30ED85CF91

Function 06A0AA18 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06A0ABD6
$]q, xrefs: 06A0AB94
$]q, xrefs: 06A0AB69
$]q, xrefs: 06A0AB75
$]q, xrefs: 06A0ABCA
$]q, xrefs: 06A0AB0E
$]q, xrefs: 06A0AB1A
$]q, xrefs: 06A0ABA0

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 236c23f2b1179b6ed38e741535e847c2c500a4503e24efa786d232b970405a72
Instruction ID: 4a309006c58c6ca2d070690fc74f9a3b2d1bf3ecc5594aebae72737d8f57537f
Opcode Fuzzy Hash: 236c23f2b1179b6ed38e741535e847c2c500a4503e24efa786d232b970405a72
Instruction Fuzzy Hash: F7917030E10309DFEB68EF69E594B6EB7F2BF44304F208529E9059B296DB749D41CB90

Function 06A07188 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06A07624
.5uq, xrefs: 06A071E3
$]q, xrefs: 06A0746A
$]q, xrefs: 06A074D0
$]q, xrefs: 06A074C4
$]q, xrefs: 06A0769C
$]q, xrefs: 06A07690

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 53a45dc0e69521408a5f05249ea8505d753752097597dae32abe004b645fb1b5
Instruction ID: 397b121cd93e219693048b5a7d30bd1f7803fe3da5d201718579587ce292b6d9
Opcode Fuzzy Hash: 53a45dc0e69521408a5f05249ea8505d753752097597dae32abe004b645fb1b5
Instruction Fuzzy Hash: 51F12C74B11209DFDB59EFA8D490A6EB7B2FF84300F258569D4069B398DB35EC42CB90

Function 06A084C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06A08726
$]q, xrefs: 06A0877F
$]q, xrefs: 06A0871A
$]q, xrefs: 06A0878B

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: c519d969c82c7892a921958c3c730acb152514386dc9c74b462f61f5e28c1a6e
Instruction ID: 3480c009135607275fe514a7075e8c0dc0eed4c9d33dd12b493a1273027362aa
Opcode Fuzzy Hash: c519d969c82c7892a921958c3c730acb152514386dc9c74b462f61f5e28c1a6e
Instruction Fuzzy Hash: 36B12D30A10209CFEB58EF69D4906AEB7B3FF84344F248429D4069B394DB79DC86CB85

Function 06A088D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06A089CB
LR]q, xrefs: 06A08A1A
$]q, xrefs: 06A08957
$]q, xrefs: 06A08963

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 75358f0471fe065ca8791d602015cfb229372884e1bf9aeaae2e3b10d809e40d
Instruction ID: 5da922aa4fad1063bc83677c4321376dba3864708aa4ec9787740db858e5a54d
Opcode Fuzzy Hash: 75358f0471fe065ca8791d602015cfb229372884e1bf9aeaae2e3b10d809e40d
Instruction Fuzzy Hash: 1451C6307002069FEB58FB68E450A6AB7F2FF44304F158969E4059B3D4DB34EC41CB95

Function 06A0ADA2 Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

$]q, xrefs: 06A0AF24
$]q, xrefs: 06A0AF53
$]q, xrefs: 06A0AED1
$]q, xrefs: 06A0AF7C

Memory Dump Source

Source File: 0000000A.00000002.4493805686.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a00000_newapp.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: aba3b7417514c78d7b59da08f4340a16790f74f563c2a2daf0c362916aaef57f
Instruction ID: fbc80f738654c20810bd5429a2f7b1b3e1d668c1cc6daccd3bb1bb1e20336935
Opcode Fuzzy Hash: aba3b7417514c78d7b59da08f4340a16790f74f563c2a2daf0c362916aaef57f
Instruction Fuzzy Hash: 6651A530E103058FEB65EB68E59066EB7F6EF45310F248529E606DB385DB31DC41CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TECHNICAL SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TECHNICAL SPECIFICATIONS.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adewuqtv.gbm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3ayo3bm.3qa.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfx2nr3o.uew.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tdegadgi.w0u.ps1

C:\Users\user\AppData\Roaming\newapp\newapp.exe

C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
TECHNICAL SPECIFICATIONS.exe

Function 00C1D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 00C1D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07C01398 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
COMMON

Function 08E8E17C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 08E8E188 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00C1AF27 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 07C05CC1 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 00C1590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre