Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1571767
MD5:	854ca372c90e86bd9a9dce642d7c1a88
SHA1:	11c86768112cfb75a3a9b0b8ef36997e80fedcdf
SHA256:	52a610b0ad89165f4a65a504f9cdd2ecdf8310d96088529fed72463a54fcd6c8
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

AsyncRAT, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 2008 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

powershell.exe (PID: 4464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6924 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

cmd.exe (PID: 7688 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7748 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7704 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7800 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

NotepadUpdate.exe (PID: 7904 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

powershell.exe (PID: 4480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7176 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 5000 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

NotepadUpdate.exe (PID: 7184 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

yRnixT.exe (PID: 7400 cmdline: C:\Users\user\AppData\Roaming\yRnixT.exe MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

schtasks.exe (PID: 7492 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

yRnixT.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

yRnixT.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

yRnixT.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

NotepadUpdate.exe (PID: 7816 cmdline: C:\Users\user\AppData\Roaming\NotepadUpdate.exe MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

powershell.exe (PID: 7980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7996 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

NotepadUpdate.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

schtasks.exe (PID: 3548 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

NotepadUpdate.exe (PID: 7272 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp32EB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: 854CA372C90E86BD9A9DCE642D7C1A88)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: VenomRAT

{"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Threatname: AsyncRAT

{"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: file.exe PID: 2008	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: file.exe PID: 2008	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 7252	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: yRnixT.exe PID: 7400	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: yRnixT.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7816	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7904	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7904	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7716	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7716	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7272	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 7272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
22.2.NotepadUpdate.exe.2621244.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.2.NotepadUpdate.exe.2621244.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
36.2.NotepadUpdate.exe.2aa0f9c.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
36.2.NotepadUpdate.exe.2aa0f9c.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.yRnixT.exe.2cb0f5c.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.yRnixT.exe.2cb0f5c.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
22.2.NotepadUpdate.exe.260e960.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.2.NotepadUpdate.exe.260e960.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x363f6:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x36436:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x36484:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x364d2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2cd3a78.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2cd3a78.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.yRnixT.exe.2c9e678.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.yRnixT.exe.2c9e678.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
40.2.NotepadUpdate.exe.2f4f2f0.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
40.2.NotepadUpdate.exe.2f4f2f0.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
36.2.NotepadUpdate.exe.2a8e6b8.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
36.2.NotepadUpdate.exe.2a8e6b8.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.24e1238.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.24e1238.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
40.2.NotepadUpdate.exe.2f61bd4.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
40.2.NotepadUpdate.exe.2f61bd4.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
22.2.NotepadUpdate.exe.2621244.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.2.NotepadUpdate.exe.2621244.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x23b12:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x23b52:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x23ba0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x23bee:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.yRnixT.exe.2c9e678.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.yRnixT.exe.2c9e678.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x36f2e:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x36f6e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x36fbc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3700a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22762:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x227a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2283e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
22.2.NotepadUpdate.exe.260e960.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
22.2.NotepadUpdate.exe.260e960.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.24e1238.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.24e1238.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2276e:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x227ae:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227fc:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2284a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x35046:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35086:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x350d4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x35122:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22762:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x227a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2283e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2cd3a78.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2cd3a78.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2271a:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2275a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227a8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x227f6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.file.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.file.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2cc1194.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2cc1194.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.24ce954.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.24ce954.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.yRnixT.exe.2cb0f5c.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.yRnixT.exe.2cb0f5c.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2464a:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2468a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x246d8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x24726:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.24ce954.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.24ce954.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x35052:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35092:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x350e0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3512e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2cc1194.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2cc1194.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x34ffe:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3503e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3508c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x350da:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2216a:$q1: Select * from Win32_CacheMemory 0x35046:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35086:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x350d4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x35122:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7252, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, ProcessId: 7688, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2008, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", ProcessId: 4464, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\yRnixT.exe, ProcessId: 7580, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NotepadUpdate

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\yRnixT.exe, ParentImage: C:\Users\user\AppData\Roaming\yRnixT.exe, ParentProcessId: 7400, ParentProcessName: yRnixT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp", ProcessId: 7492, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2008, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", ProcessId: 6924, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2008, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe", ProcessId: 4464, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2008, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp", ProcessId: 6924, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (VenomRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T17:35:36.400639+0100	2052267	1	Domain Observed Used for C2 Detected	185.208.158.187	4449	192.168.2.4	49742	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T17:35:36.400639+0100	2842478	1	Malware Command and Control Activity Detected	185.208.158.187	4449	192.168.2.4	49742	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ZKDyp.pdb source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr
Source:	Binary string: ZKDyp.pdbSHA256n source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.208.158.187:4449 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.4:49742

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 185.208.158.187:4449

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187

Source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: yRnixT.exe, 0000000D.00000002.4131305740.0000000000B56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: yRnixT.exe, 0000000D.00000002.4131305740.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1831223958.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1709506424.0000000005420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NotepadUpdate.exe, 00000014.00000002.1922432597.0000000002469000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yRnixT.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7272, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.file.exe.2cc1194.2.raw.unpack, Keylogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

.NET source code contains very large strings

Source: file.exe, Form1.cs	Long String: Length: 166868
Source: yRnixT.exe.0.dr, Form1.cs	Long String: Length: 166868

Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_02B332C8 NtProtectVirtualMemory,	6_2_02B332C8
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_02B32E73 NtProtectVirtualMemory,	6_2_02B32E73
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D332D0 NtProtectVirtualMemory,	13_2_00D332D0
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D32E7B NtProtectVirtualMemory,	13_2_00D32E7B
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D33397 NtProtectVirtualMemory,	13_2_00D33397
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB32D0 NtProtectVirtualMemory,	27_2_00EB32D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB2E7B NtProtectVirtualMemory,	27_2_00EB2E7B
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB3397 NtProtectVirtualMemory,	27_2_00EB3397
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A32D0 NtProtectVirtualMemory,	33_2_017A32D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A2E80 NtProtectVirtualMemory,	33_2_017A2E80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_010032D0 NtProtectVirtualMemory,	39_2_010032D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_01002E7A NtProtectVirtualMemory,	39_2_01002E7A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01164218	0_2_01164218
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01166F92	0_2_01166F92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0116D424	0_2_0116D424
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E2620	0_2_072E2620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E4C08	0_2_072E4C08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E4BF8	0_2_072E4BF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E2A58	0_2_072E2A58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E4258	0_2_072E4258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E21B9	0_2_072E21B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072EB188	0_2_072EB188
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_072E21E8	0_2_072E21E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_08AE0FE8	0_2_08AE0FE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_08AE0FF8	0_2_08AE0FF8
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_02B326F8	6_2_02B326F8
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_02B326E7	6_2_02B326E7
Source: C:\Users\user\Desktop\file.exe	Code function: 6_2_02B32E73	6_2_02B32E73
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_01244218	8_2_01244218
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_01246F93	8_2_01246F93
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_0124D424	8_2_0124D424
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_07032620	8_2_07032620
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_07034C05	8_2_07034C05
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_07034C08	8_2_07034C08
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_0703A4B1	8_2_0703A4B1
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_07032A58	8_2_07032A58
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_07034258	8_2_07034258
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_070321E8	8_2_070321E8
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D32700	13_2_00D32700
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D326EF	13_2_00D326EF
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D32E7B	13_2_00D32E7B
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_02B0E558	13_2_02B0E558
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_02B0AAF1	13_2_02B0AAF1
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_02B0EE28	13_2_02B0EE28
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_02B02790	13_2_02B02790
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_02B03C80	13_2_02B03C80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_008A4218	20_2_008A4218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_008A6F92	20_2_008A6F92
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_008AD424	20_2_008AD424
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A7A6E8	20_2_06A7A6E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A72620	20_2_06A72620
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A74C08	20_2_06A74C08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A72A58	20_2_06A72A58
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A74258	20_2_06A74258
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A74BF8	20_2_06A74BF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A721B9	20_2_06A721B9
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06A721E8	20_2_06A721E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07F90FF8	20_2_07F90FF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07F90FE8	20_2_07F90FE8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_00C94218	22_2_00C94218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_00C96F93	22_2_00C96F93
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_00C9D424	22_2_00C9D424
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB2620	22_2_06BB2620
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BBA7E8	22_2_06BBA7E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB4C08	22_2_06BB4C08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB2A58	22_2_06BB2A58
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB4258	22_2_06BB4258
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB4BF8	22_2_06BB4BF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB21B9	22_2_06BB21B9
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_06BB21E8	22_2_06BB21E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_080D0FE8	22_2_080D0FE8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_080D0FF8	22_2_080D0FF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB2700	27_2_00EB2700
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB26EF	27_2_00EB26EF
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB2E7B	27_2_00EB2E7B
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A2700	33_2_017A2700
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A26EF	33_2_017A26EF
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A2E80	33_2_017A2E80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_00F84218	36_2_00F84218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_00F86F90	36_2_00F86F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_00F8D424	36_2_00F8D424
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E2620	36_2_070E2620
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070EA3C0	36_2_070EA3C0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E4258	36_2_070E4258
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E21E8	36_2_070E21E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E4C08	36_2_070E4C08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E4BF8	36_2_070E4BF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 36_2_070E2A58	36_2_070E2A58
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_01002700	39_2_01002700
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_01002E7A	39_2_01002E7A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_010026EF	39_2_010026EF
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_014A4218	40_2_014A4218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_014A6F90	40_2_014A6F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_014AD424	40_2_014AD424
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A2620	40_2_074A2620
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A4C08	40_2_074A4C08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A4BF8	40_2_074A4BF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074AA3B0	40_2_074AA3B0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A2A58	40_2_074A2A58
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A4258	40_2_074A4258
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_074A21E8	40_2_074A21E8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_089C0FF8	40_2_089C0FF8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_089C0FE8	40_2_089C0FE8

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.1709957975.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1707146671.0000000003C59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1711717454.0000000007340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1707146671.0000000003D2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1707146671.0000000003D2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs file.exe
Source: file.exe, 00000000.00000002.1704017610.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1670278668.0000000000794000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZKDyp.exe" vs file.exe
Source: file.exe, 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs file.exe
Source: file.exe, 00000006.00000002.1845314745.0000000003BB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameZKDyp.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameZKDyp.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: 0.2.file.exe.2cc1194.2.raw.unpack, Settings.cs

Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='

Source: 0.2.file.exe.3f04a38.4.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.file.exe.3f04a38.4.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3f04a38.4.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3eae218.5.raw.unpack, XI2khyB3gZGMGu6NEM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3eae218.5.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.file.exe.3eae218.5.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3eae218.5.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.7340000.9.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.file.exe.7340000.9.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7340000.9.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3f04a38.4.raw.unpack, XI2khyB3gZGMGu6NEM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.2cc1194.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.2cc1194.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7340000.9.raw.unpack, XI2khyB3gZGMGu6NEM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/28@0/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\yRnixT.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Mutant created: \Sessions\1\BaseNamedObjects\tnybaidkzovl
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8110.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat""

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\AppData\Roaming\yRnixT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe C:\Users\user\AppData\Roaming\yRnixT.exe
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp32EB.tmp"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp32EB.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ZKDyp.pdb source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr
Source:	Binary string: ZKDyp.pdbSHA256n source: file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: yRnixT.exe.0.dr, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.file.exe.3f04a38.4.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	.Net Code: SHC2vEFlSG System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.3eae218.5.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	.Net Code: SHC2vEFlSG System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.7340000.9.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	.Net Code: SHC2vEFlSG System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.2cc1194.2.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])

Source: file.exe

Static PE information: 0xCE6BAE37 [Thu Sep 28 21:50:47 2079 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_050DAF18 push eax; mov dword ptr [esp], ecx	0_2_050DAF1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_050D9B4D push 8BFFFFFFh; retf	0_2_050D9B59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_050D9B77 push 8BFFFFFFh; retf	0_2_050D9B7F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_08AEF8B0 push esp; retf	0_2_08AEF8B1
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 8_2_0124C748 push esp; ret	8_2_0124C75A
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Code function: 13_2_00D31275 push edi; ret	13_2_00D31282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07F9F8B0 push esp; retf	20_2_07F9F8B1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_04BBB5F1 push eax; ret	22_2_04BBB623
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_04BBAF18 push eax; mov dword ptr [esp], ecx	22_2_04BBAF1C
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_04BBAF07 push eax; mov dword ptr [esp], ecx	22_2_04BBAF1C
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_04BB9B77 push 8BFFFFFFh; retf	22_2_04BB9B7F
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_04BB9B4D push 8BFFFFFFh; retf	22_2_04BB9B59
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_080DF8B0 push esp; retf	22_2_080DF8B1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_00EB1270 push edi; ret	27_2_00EB1282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_017A1270 push edi; ret	33_2_017A1282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 39_2_01001270 push edi; ret	39_2_01001282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 40_2_089CF8B0 push esp; retf	40_2_089CF8B1

Source: 0.2.file.exe.3f04a38.4.raw.unpack, HQgIcrb1MjaQ9an05q.cs	High entropy of concatenated method names: 'DjchaENVxG', 'ySnh9q0MT9', 'UBUhvaLeZP', 'F63hC2Ic5y', 'iPjhZvBG4r', 'aGQhp6O8jV', 'lnchIXsWrT', 'voKhB4wrhw', 'VTrhxLLUU7', 'mr7hw6xHCF'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, B9phGliPml9PtZ4Z2H.cs	High entropy of concatenated method names: 'pEMk7sdFMf', 'yD9k1U8CCE', 'oJlks8nf23', 'Hc2kh11wTC', 'DSGkr9TYOi', 'OM8kO7MCmH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, ABsoPldLn3NXfXEMYB.cs	High entropy of concatenated method names: 'ISpWBUf1nM', 'MHdWxVVhnf', 'E6sW4YfuD9', 't6xWcuoiAr', 'YDGWJwggQH', 'o4eWNRAmXe', 'UcLWPZgOLh', 'rknWuWB8cj', 'jMMWoRM5N1', 'RxuWFJB6YC'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, RRUDKqRDY5aF8NfIUO.cs	High entropy of concatenated method names: 'gTVr09WxUC', 'DGkrq6eE7C', 'DqJrrdlnya', 'qbhrDB1VF4', 'XRVrTXkIoa', 'danr5iAX0V', 'Dispose', 'DgsXyATJ33', 'DsqXQYhRNY', 'kk9X7gMquR'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, dSxR6oPp2X3LJABhrW.cs	High entropy of concatenated method names: 'nichydQHiy', 'uACh7QdGIF', 'sd0hsJTKtS', 'cUSsiIqXIo', 'lACszuuNpa', 'JIFhSNJN5y', 'zLbhUoGTf6', 'fNyhAMqlU3', 'Ucjh8VZK4j', 'I9Qh2d42Rg'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, PW1TxBAjXAU1SL3225.cs	High entropy of concatenated method names: 'dFpv4Za7D', 'AOFCs2f57', 'BLVpSK9a5', 'Ld6I0ZBZK', 'Xn5xiY9Uv', 'AhewnNZ4O', 'BOBycXNHHuun7lVTux', 'Pecf5ouqGLMyXJqqKw', 'etRX9Fuwb', 'mjRk7rxVR'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, UtEm7ZUUdySBNfsxC1b.cs	High entropy of concatenated method names: 'MufkiZRayw', 'TAnkzUZlaX', 'CKuDSUbb4J', 'uWyDUxjYQn', 'dhaDAklLNb', 'R8aD8qRrHu', 'w26D2qHh3v', 'D8oDt3bbRj', 'ig2DyL7diJ', 'HIGDQ0Zdy2'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, XrysEW2FNuLbQmlr4O.cs	High entropy of concatenated method names: 'YcmUhI2khy', 'mgZUOGMGu6', 'cvbULFBqMN', 'TmRU37RecV', 'bXPU0q0m31', 'yS3UGxdSER', 'k3DwGkPq8xs0jSrDoS', 'ihgWqUyYC3MXiMcAO1', 'TtyUUW5Iup', 'iIUU8R1Dtj'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, NxyD3cMFXrVVj9loGN.cs	High entropy of concatenated method names: 'rurqLErBkX', 'igyq3v0cSV', 'ToString', 'GmSqyQE5Ok', 'UMcqQeAxH9', 'OoWq7sK0Tm', 'ro3q1BUkDe', 'sjOqsaQmVy', 'fSWqhkbqeA', 'trqqO7xKXb'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, vggVGAz17L3H6FyYZZ.cs	High entropy of concatenated method names: 'cCwkpN7NpN', 'JqckBYgFKC', 'm1akxZsEnb', 'zRPk4eDnPo', 'MW7kcs9vGF', 'x3JkJFxTsq', 'F82kNvG51x', 'wQCk5UIlYa', 'bE7ka5PawZ', 'yonk9CDt19'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, MUM9VQUAXuERKjnIbsx.cs	High entropy of concatenated method names: 'ToString', 'iIsDB3HtYl', 'HwkDxiIfAB', 'LaQDwDjNpn', 'pq4D4c3JZ7', 'kT3Dcg2kxk', 'Jw5Dg5Wuvy', 'WaCDJq8jm7', 'KuYSmYMCwChUK3LTLZt', 'O1md9pMNlmf5oQe48Yg'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, W319S34xdSER5ocG2S.cs	High entropy of concatenated method names: 'moWstKsvtV', 'Q3SsQgqZNI', 'tIcs1VIlgY', 'vlVshkiuFJ', 'SRIsOUL3WP', 'Cb41nHu86Y', 'Usy1f232tx', 'jyF1RsvHdM', 'xI11mOm4Hb', 'RJH16Hv3i2'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, lNGVxQfqGLcan3Lp9M.cs	High entropy of concatenated method names: 'cQlqmyoyYK', 'Jk0qiDy4ko', 'ju3XSWDM9l', 'cr2XUrdhXX', 'SHMqFRCcuw', 'xQGqKGt4js', 'RKAqdahK2a', 'NXFqjUFWXn', 'OskqejwcG3', 'CNXqlt7u1J'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, XI2khyB3gZGMGu6NEM.cs	High entropy of concatenated method names: 'PVoQjCwRxJ', 's1xQe6jj8v', 'W6FQlATVWA', 'WGhQMFWntN', 'ArqQnRDt4Z', 'eFaQfmJVtN', 'uRRQRr7hn8', 'OVFQmhDVdr', 'Ul4Q63KfUx', 'pDnQiDVpbb'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, VecVHvwHyyHk9UXPq0.cs	High entropy of concatenated method names: 'vAH1ZicP0n', 'G1S1I3cxmu', 'uTZ7gxKQ4f', 'dtQ7Jy0GMl', 'dcI7NqZKKd', 'zJa7HT4U11', 'M0N7PwKMb2', 'Vid7utfqWv', 'sos7bMW58y', 'hPt7orjOf1'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, Ct0RVsU2rXyfApny3yP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qZhYrjY28t', 'EANYkPdPMw', 'CdcYD8muqQ', 'W62YYWGdX0', 'GaUYTjeeC2', 'pItYVdKf17', 'kDlY5nNJa0'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	High entropy of concatenated method names: 'RdD8t3yRSo', 'cA18yddgF5', 'DM08Q5oluH', 'Q8M87YBhuq', 'XT681aIK4p', 'qYh8s05rUU', 'LYx8hdeTPZ', 'OSL8OY0LGl', 'lMj8Ena6Kw', 'tsm8LFkfDl'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, fp1wa8xvbFBqMNMmR7.cs	High entropy of concatenated method names: 'fZu7CgybWn', 'T6L7pRsMpF', 'C9A7BdFIZB', 'KvF7xInibO', 'iIg70vaXee', 'u2U7GbV2UA', 'aEZ7qQPVLQ', 'u0T7XRnkp8', 'KGD7rbhSdm', 'WPr7k8QQx4'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, vco2rglDvffCsdoxBm.cs	High entropy of concatenated method names: 'ToString', 'yHrGFl8VmY', 'lN2GcoBwXc', 'RfVGgGkUXd', 'vCvGJVXG0Z', 'PipGNDfUM4', 'Cx5GHy4CcZ', 'h5iGP5TahZ', 'AdBGuS66YU', 'qZkGbk4yLC'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, lEfnObUSQa0iQ2YOSUM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C40kFKecxq', 'HCLkK7KYId', 'HNMkdSZH6F', 'GPHkjC06mm', 'JNsked9m2K', 'qwUkl7BF71', 'he9kMVO4h8'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, i2OBo96rvxu0pvsKTl.cs	High entropy of concatenated method names: 'E1Or4xMdaQ', 'Mobrc03xPn', 'DJErgftcIY', 'J3MrJbfYrr', 'N8BrNHq7Eg', 'p3TrHQfyEj', 'xPwrPDWQWv', 's6nru0kSf0', 'ujErbG3nIS', 'KenroNw8Pq'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, gWMV7njwRFXwI609Kq.cs	High entropy of concatenated method names: 'D9j0ol0TWO', 'Ia70KhS5Eu', 'BsH0jp5Q4u', 'VVb0evuJjF', 'wRj0cQNETC', 'SiM0gAEXi4', 'CRl0JG7U8g', 'a410NwgsFb', 'cww0Hw7vxd', 'Ts80P5IMwC'
Source: 0.2.file.exe.3f04a38.4.raw.unpack, zFX7V0QuWvXYfYGmwN.cs	High entropy of concatenated method names: 'Dispose', 'waFU68NfIU', 'nwPAcW230R', 'iNS0us0PJY', 'k6aUiPHQUk', 'aA1Uz3TlZd', 'ProcessDialogKey', 'z1sAS2OBo9', 'svxAUu0pvs', 'PTlAAp9phG'
Source: 0.2.file.exe.3eae218.5.raw.unpack, HQgIcrb1MjaQ9an05q.cs	High entropy of concatenated method names: 'DjchaENVxG', 'ySnh9q0MT9', 'UBUhvaLeZP', 'F63hC2Ic5y', 'iPjhZvBG4r', 'aGQhp6O8jV', 'lnchIXsWrT', 'voKhB4wrhw', 'VTrhxLLUU7', 'mr7hw6xHCF'
Source: 0.2.file.exe.3eae218.5.raw.unpack, B9phGliPml9PtZ4Z2H.cs	High entropy of concatenated method names: 'pEMk7sdFMf', 'yD9k1U8CCE', 'oJlks8nf23', 'Hc2kh11wTC', 'DSGkr9TYOi', 'OM8kO7MCmH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3eae218.5.raw.unpack, ABsoPldLn3NXfXEMYB.cs	High entropy of concatenated method names: 'ISpWBUf1nM', 'MHdWxVVhnf', 'E6sW4YfuD9', 't6xWcuoiAr', 'YDGWJwggQH', 'o4eWNRAmXe', 'UcLWPZgOLh', 'rknWuWB8cj', 'jMMWoRM5N1', 'RxuWFJB6YC'
Source: 0.2.file.exe.3eae218.5.raw.unpack, RRUDKqRDY5aF8NfIUO.cs	High entropy of concatenated method names: 'gTVr09WxUC', 'DGkrq6eE7C', 'DqJrrdlnya', 'qbhrDB1VF4', 'XRVrTXkIoa', 'danr5iAX0V', 'Dispose', 'DgsXyATJ33', 'DsqXQYhRNY', 'kk9X7gMquR'
Source: 0.2.file.exe.3eae218.5.raw.unpack, dSxR6oPp2X3LJABhrW.cs	High entropy of concatenated method names: 'nichydQHiy', 'uACh7QdGIF', 'sd0hsJTKtS', 'cUSsiIqXIo', 'lACszuuNpa', 'JIFhSNJN5y', 'zLbhUoGTf6', 'fNyhAMqlU3', 'Ucjh8VZK4j', 'I9Qh2d42Rg'
Source: 0.2.file.exe.3eae218.5.raw.unpack, PW1TxBAjXAU1SL3225.cs	High entropy of concatenated method names: 'dFpv4Za7D', 'AOFCs2f57', 'BLVpSK9a5', 'Ld6I0ZBZK', 'Xn5xiY9Uv', 'AhewnNZ4O', 'BOBycXNHHuun7lVTux', 'Pecf5ouqGLMyXJqqKw', 'etRX9Fuwb', 'mjRk7rxVR'
Source: 0.2.file.exe.3eae218.5.raw.unpack, UtEm7ZUUdySBNfsxC1b.cs	High entropy of concatenated method names: 'MufkiZRayw', 'TAnkzUZlaX', 'CKuDSUbb4J', 'uWyDUxjYQn', 'dhaDAklLNb', 'R8aD8qRrHu', 'w26D2qHh3v', 'D8oDt3bbRj', 'ig2DyL7diJ', 'HIGDQ0Zdy2'
Source: 0.2.file.exe.3eae218.5.raw.unpack, XrysEW2FNuLbQmlr4O.cs	High entropy of concatenated method names: 'YcmUhI2khy', 'mgZUOGMGu6', 'cvbULFBqMN', 'TmRU37RecV', 'bXPU0q0m31', 'yS3UGxdSER', 'k3DwGkPq8xs0jSrDoS', 'ihgWqUyYC3MXiMcAO1', 'TtyUUW5Iup', 'iIUU8R1Dtj'
Source: 0.2.file.exe.3eae218.5.raw.unpack, NxyD3cMFXrVVj9loGN.cs	High entropy of concatenated method names: 'rurqLErBkX', 'igyq3v0cSV', 'ToString', 'GmSqyQE5Ok', 'UMcqQeAxH9', 'OoWq7sK0Tm', 'ro3q1BUkDe', 'sjOqsaQmVy', 'fSWqhkbqeA', 'trqqO7xKXb'
Source: 0.2.file.exe.3eae218.5.raw.unpack, vggVGAz17L3H6FyYZZ.cs	High entropy of concatenated method names: 'cCwkpN7NpN', 'JqckBYgFKC', 'm1akxZsEnb', 'zRPk4eDnPo', 'MW7kcs9vGF', 'x3JkJFxTsq', 'F82kNvG51x', 'wQCk5UIlYa', 'bE7ka5PawZ', 'yonk9CDt19'
Source: 0.2.file.exe.3eae218.5.raw.unpack, MUM9VQUAXuERKjnIbsx.cs	High entropy of concatenated method names: 'ToString', 'iIsDB3HtYl', 'HwkDxiIfAB', 'LaQDwDjNpn', 'pq4D4c3JZ7', 'kT3Dcg2kxk', 'Jw5Dg5Wuvy', 'WaCDJq8jm7', 'KuYSmYMCwChUK3LTLZt', 'O1md9pMNlmf5oQe48Yg'
Source: 0.2.file.exe.3eae218.5.raw.unpack, W319S34xdSER5ocG2S.cs	High entropy of concatenated method names: 'moWstKsvtV', 'Q3SsQgqZNI', 'tIcs1VIlgY', 'vlVshkiuFJ', 'SRIsOUL3WP', 'Cb41nHu86Y', 'Usy1f232tx', 'jyF1RsvHdM', 'xI11mOm4Hb', 'RJH16Hv3i2'
Source: 0.2.file.exe.3eae218.5.raw.unpack, lNGVxQfqGLcan3Lp9M.cs	High entropy of concatenated method names: 'cQlqmyoyYK', 'Jk0qiDy4ko', 'ju3XSWDM9l', 'cr2XUrdhXX', 'SHMqFRCcuw', 'xQGqKGt4js', 'RKAqdahK2a', 'NXFqjUFWXn', 'OskqejwcG3', 'CNXqlt7u1J'
Source: 0.2.file.exe.3eae218.5.raw.unpack, XI2khyB3gZGMGu6NEM.cs	High entropy of concatenated method names: 'PVoQjCwRxJ', 's1xQe6jj8v', 'W6FQlATVWA', 'WGhQMFWntN', 'ArqQnRDt4Z', 'eFaQfmJVtN', 'uRRQRr7hn8', 'OVFQmhDVdr', 'Ul4Q63KfUx', 'pDnQiDVpbb'
Source: 0.2.file.exe.3eae218.5.raw.unpack, VecVHvwHyyHk9UXPq0.cs	High entropy of concatenated method names: 'vAH1ZicP0n', 'G1S1I3cxmu', 'uTZ7gxKQ4f', 'dtQ7Jy0GMl', 'dcI7NqZKKd', 'zJa7HT4U11', 'M0N7PwKMb2', 'Vid7utfqWv', 'sos7bMW58y', 'hPt7orjOf1'
Source: 0.2.file.exe.3eae218.5.raw.unpack, Ct0RVsU2rXyfApny3yP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qZhYrjY28t', 'EANYkPdPMw', 'CdcYD8muqQ', 'W62YYWGdX0', 'GaUYTjeeC2', 'pItYVdKf17', 'kDlY5nNJa0'
Source: 0.2.file.exe.3eae218.5.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	High entropy of concatenated method names: 'RdD8t3yRSo', 'cA18yddgF5', 'DM08Q5oluH', 'Q8M87YBhuq', 'XT681aIK4p', 'qYh8s05rUU', 'LYx8hdeTPZ', 'OSL8OY0LGl', 'lMj8Ena6Kw', 'tsm8LFkfDl'
Source: 0.2.file.exe.3eae218.5.raw.unpack, fp1wa8xvbFBqMNMmR7.cs	High entropy of concatenated method names: 'fZu7CgybWn', 'T6L7pRsMpF', 'C9A7BdFIZB', 'KvF7xInibO', 'iIg70vaXee', 'u2U7GbV2UA', 'aEZ7qQPVLQ', 'u0T7XRnkp8', 'KGD7rbhSdm', 'WPr7k8QQx4'
Source: 0.2.file.exe.3eae218.5.raw.unpack, vco2rglDvffCsdoxBm.cs	High entropy of concatenated method names: 'ToString', 'yHrGFl8VmY', 'lN2GcoBwXc', 'RfVGgGkUXd', 'vCvGJVXG0Z', 'PipGNDfUM4', 'Cx5GHy4CcZ', 'h5iGP5TahZ', 'AdBGuS66YU', 'qZkGbk4yLC'
Source: 0.2.file.exe.3eae218.5.raw.unpack, lEfnObUSQa0iQ2YOSUM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C40kFKecxq', 'HCLkK7KYId', 'HNMkdSZH6F', 'GPHkjC06mm', 'JNsked9m2K', 'qwUkl7BF71', 'he9kMVO4h8'
Source: 0.2.file.exe.3eae218.5.raw.unpack, i2OBo96rvxu0pvsKTl.cs	High entropy of concatenated method names: 'E1Or4xMdaQ', 'Mobrc03xPn', 'DJErgftcIY', 'J3MrJbfYrr', 'N8BrNHq7Eg', 'p3TrHQfyEj', 'xPwrPDWQWv', 's6nru0kSf0', 'ujErbG3nIS', 'KenroNw8Pq'
Source: 0.2.file.exe.3eae218.5.raw.unpack, gWMV7njwRFXwI609Kq.cs	High entropy of concatenated method names: 'D9j0ol0TWO', 'Ia70KhS5Eu', 'BsH0jp5Q4u', 'VVb0evuJjF', 'wRj0cQNETC', 'SiM0gAEXi4', 'CRl0JG7U8g', 'a410NwgsFb', 'cww0Hw7vxd', 'Ts80P5IMwC'
Source: 0.2.file.exe.3eae218.5.raw.unpack, zFX7V0QuWvXYfYGmwN.cs	High entropy of concatenated method names: 'Dispose', 'waFU68NfIU', 'nwPAcW230R', 'iNS0us0PJY', 'k6aUiPHQUk', 'aA1Uz3TlZd', 'ProcessDialogKey', 'z1sAS2OBo9', 'svxAUu0pvs', 'PTlAAp9phG'
Source: 0.2.file.exe.7340000.9.raw.unpack, HQgIcrb1MjaQ9an05q.cs	High entropy of concatenated method names: 'DjchaENVxG', 'ySnh9q0MT9', 'UBUhvaLeZP', 'F63hC2Ic5y', 'iPjhZvBG4r', 'aGQhp6O8jV', 'lnchIXsWrT', 'voKhB4wrhw', 'VTrhxLLUU7', 'mr7hw6xHCF'
Source: 0.2.file.exe.7340000.9.raw.unpack, B9phGliPml9PtZ4Z2H.cs	High entropy of concatenated method names: 'pEMk7sdFMf', 'yD9k1U8CCE', 'oJlks8nf23', 'Hc2kh11wTC', 'DSGkr9TYOi', 'OM8kO7MCmH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.7340000.9.raw.unpack, ABsoPldLn3NXfXEMYB.cs	High entropy of concatenated method names: 'ISpWBUf1nM', 'MHdWxVVhnf', 'E6sW4YfuD9', 't6xWcuoiAr', 'YDGWJwggQH', 'o4eWNRAmXe', 'UcLWPZgOLh', 'rknWuWB8cj', 'jMMWoRM5N1', 'RxuWFJB6YC'
Source: 0.2.file.exe.7340000.9.raw.unpack, RRUDKqRDY5aF8NfIUO.cs	High entropy of concatenated method names: 'gTVr09WxUC', 'DGkrq6eE7C', 'DqJrrdlnya', 'qbhrDB1VF4', 'XRVrTXkIoa', 'danr5iAX0V', 'Dispose', 'DgsXyATJ33', 'DsqXQYhRNY', 'kk9X7gMquR'
Source: 0.2.file.exe.7340000.9.raw.unpack, dSxR6oPp2X3LJABhrW.cs	High entropy of concatenated method names: 'nichydQHiy', 'uACh7QdGIF', 'sd0hsJTKtS', 'cUSsiIqXIo', 'lACszuuNpa', 'JIFhSNJN5y', 'zLbhUoGTf6', 'fNyhAMqlU3', 'Ucjh8VZK4j', 'I9Qh2d42Rg'
Source: 0.2.file.exe.7340000.9.raw.unpack, PW1TxBAjXAU1SL3225.cs	High entropy of concatenated method names: 'dFpv4Za7D', 'AOFCs2f57', 'BLVpSK9a5', 'Ld6I0ZBZK', 'Xn5xiY9Uv', 'AhewnNZ4O', 'BOBycXNHHuun7lVTux', 'Pecf5ouqGLMyXJqqKw', 'etRX9Fuwb', 'mjRk7rxVR'
Source: 0.2.file.exe.7340000.9.raw.unpack, UtEm7ZUUdySBNfsxC1b.cs	High entropy of concatenated method names: 'MufkiZRayw', 'TAnkzUZlaX', 'CKuDSUbb4J', 'uWyDUxjYQn', 'dhaDAklLNb', 'R8aD8qRrHu', 'w26D2qHh3v', 'D8oDt3bbRj', 'ig2DyL7diJ', 'HIGDQ0Zdy2'
Source: 0.2.file.exe.7340000.9.raw.unpack, XrysEW2FNuLbQmlr4O.cs	High entropy of concatenated method names: 'YcmUhI2khy', 'mgZUOGMGu6', 'cvbULFBqMN', 'TmRU37RecV', 'bXPU0q0m31', 'yS3UGxdSER', 'k3DwGkPq8xs0jSrDoS', 'ihgWqUyYC3MXiMcAO1', 'TtyUUW5Iup', 'iIUU8R1Dtj'
Source: 0.2.file.exe.7340000.9.raw.unpack, NxyD3cMFXrVVj9loGN.cs	High entropy of concatenated method names: 'rurqLErBkX', 'igyq3v0cSV', 'ToString', 'GmSqyQE5Ok', 'UMcqQeAxH9', 'OoWq7sK0Tm', 'ro3q1BUkDe', 'sjOqsaQmVy', 'fSWqhkbqeA', 'trqqO7xKXb'
Source: 0.2.file.exe.7340000.9.raw.unpack, vggVGAz17L3H6FyYZZ.cs	High entropy of concatenated method names: 'cCwkpN7NpN', 'JqckBYgFKC', 'm1akxZsEnb', 'zRPk4eDnPo', 'MW7kcs9vGF', 'x3JkJFxTsq', 'F82kNvG51x', 'wQCk5UIlYa', 'bE7ka5PawZ', 'yonk9CDt19'
Source: 0.2.file.exe.7340000.9.raw.unpack, MUM9VQUAXuERKjnIbsx.cs	High entropy of concatenated method names: 'ToString', 'iIsDB3HtYl', 'HwkDxiIfAB', 'LaQDwDjNpn', 'pq4D4c3JZ7', 'kT3Dcg2kxk', 'Jw5Dg5Wuvy', 'WaCDJq8jm7', 'KuYSmYMCwChUK3LTLZt', 'O1md9pMNlmf5oQe48Yg'
Source: 0.2.file.exe.7340000.9.raw.unpack, W319S34xdSER5ocG2S.cs	High entropy of concatenated method names: 'moWstKsvtV', 'Q3SsQgqZNI', 'tIcs1VIlgY', 'vlVshkiuFJ', 'SRIsOUL3WP', 'Cb41nHu86Y', 'Usy1f232tx', 'jyF1RsvHdM', 'xI11mOm4Hb', 'RJH16Hv3i2'
Source: 0.2.file.exe.7340000.9.raw.unpack, lNGVxQfqGLcan3Lp9M.cs	High entropy of concatenated method names: 'cQlqmyoyYK', 'Jk0qiDy4ko', 'ju3XSWDM9l', 'cr2XUrdhXX', 'SHMqFRCcuw', 'xQGqKGt4js', 'RKAqdahK2a', 'NXFqjUFWXn', 'OskqejwcG3', 'CNXqlt7u1J'
Source: 0.2.file.exe.7340000.9.raw.unpack, XI2khyB3gZGMGu6NEM.cs	High entropy of concatenated method names: 'PVoQjCwRxJ', 's1xQe6jj8v', 'W6FQlATVWA', 'WGhQMFWntN', 'ArqQnRDt4Z', 'eFaQfmJVtN', 'uRRQRr7hn8', 'OVFQmhDVdr', 'Ul4Q63KfUx', 'pDnQiDVpbb'
Source: 0.2.file.exe.7340000.9.raw.unpack, VecVHvwHyyHk9UXPq0.cs	High entropy of concatenated method names: 'vAH1ZicP0n', 'G1S1I3cxmu', 'uTZ7gxKQ4f', 'dtQ7Jy0GMl', 'dcI7NqZKKd', 'zJa7HT4U11', 'M0N7PwKMb2', 'Vid7utfqWv', 'sos7bMW58y', 'hPt7orjOf1'
Source: 0.2.file.exe.7340000.9.raw.unpack, Ct0RVsU2rXyfApny3yP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qZhYrjY28t', 'EANYkPdPMw', 'CdcYD8muqQ', 'W62YYWGdX0', 'GaUYTjeeC2', 'pItYVdKf17', 'kDlY5nNJa0'
Source: 0.2.file.exe.7340000.9.raw.unpack, UHi0eoOg2wkdgdy45Q.cs	High entropy of concatenated method names: 'RdD8t3yRSo', 'cA18yddgF5', 'DM08Q5oluH', 'Q8M87YBhuq', 'XT681aIK4p', 'qYh8s05rUU', 'LYx8hdeTPZ', 'OSL8OY0LGl', 'lMj8Ena6Kw', 'tsm8LFkfDl'
Source: 0.2.file.exe.7340000.9.raw.unpack, fp1wa8xvbFBqMNMmR7.cs	High entropy of concatenated method names: 'fZu7CgybWn', 'T6L7pRsMpF', 'C9A7BdFIZB', 'KvF7xInibO', 'iIg70vaXee', 'u2U7GbV2UA', 'aEZ7qQPVLQ', 'u0T7XRnkp8', 'KGD7rbhSdm', 'WPr7k8QQx4'
Source: 0.2.file.exe.7340000.9.raw.unpack, vco2rglDvffCsdoxBm.cs	High entropy of concatenated method names: 'ToString', 'yHrGFl8VmY', 'lN2GcoBwXc', 'RfVGgGkUXd', 'vCvGJVXG0Z', 'PipGNDfUM4', 'Cx5GHy4CcZ', 'h5iGP5TahZ', 'AdBGuS66YU', 'qZkGbk4yLC'
Source: 0.2.file.exe.7340000.9.raw.unpack, lEfnObUSQa0iQ2YOSUM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C40kFKecxq', 'HCLkK7KYId', 'HNMkdSZH6F', 'GPHkjC06mm', 'JNsked9m2K', 'qwUkl7BF71', 'he9kMVO4h8'
Source: 0.2.file.exe.7340000.9.raw.unpack, i2OBo96rvxu0pvsKTl.cs	High entropy of concatenated method names: 'E1Or4xMdaQ', 'Mobrc03xPn', 'DJErgftcIY', 'J3MrJbfYrr', 'N8BrNHq7Eg', 'p3TrHQfyEj', 'xPwrPDWQWv', 's6nru0kSf0', 'ujErbG3nIS', 'KenroNw8Pq'
Source: 0.2.file.exe.7340000.9.raw.unpack, gWMV7njwRFXwI609Kq.cs	High entropy of concatenated method names: 'D9j0ol0TWO', 'Ia70KhS5Eu', 'BsH0jp5Q4u', 'VVb0evuJjF', 'wRj0cQNETC', 'SiM0gAEXi4', 'CRl0JG7U8g', 'a410NwgsFb', 'cww0Hw7vxd', 'Ts80P5IMwC'
Source: 0.2.file.exe.7340000.9.raw.unpack, zFX7V0QuWvXYfYGmwN.cs	High entropy of concatenated method names: 'Dispose', 'waFU68NfIU', 'nwPAcW230R', 'iNS0us0PJY', 'k6aUiPHQUk', 'aA1Uz3TlZd', 'ProcessDialogKey', 'z1sAS2OBo9', 'svxAUu0pvs', 'PTlAAp9phG'

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\yRnixT.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe			Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yRnixT.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7272, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp"

Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NotepadUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NotepadUpdate			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: file.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yRnixT.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7272, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yRnixT.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7272, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\yRnixT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: AD30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 8890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 9890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 9A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: AA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 7FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 91D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A1D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 25A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 8120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 5200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 4A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 8610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 4B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 8A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: AC00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 5060000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7352	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2215	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Window / User API: threadDelayed 820	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Window / User API: threadDelayed 9036	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2619
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5260

Source: C:\Users\user\Desktop\file.exe TID: 3368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe TID: 7452	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe TID: 7576	Thread sleep count: 820 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe TID: 7576	Thread sleep count: 9036 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 7284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\yRnixT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\yRnixT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477

Source: NotepadUpdate.exe, 00000024.00000002.2108418833.0000000006CD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Z
Source: yRnixT.exe, 00000008.00000002.1764479559.00000000075A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&00000
Source: NotepadUpdate.exe, 00000024.00000002.2108112586.0000000006CB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-15
Source: yRnixT.exe, 0000000D.00000002.4131305740.0000000000B56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.file.exe.2cc1194.2.raw.unpack, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.file.exe.2cc1194.2.raw.unpack, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.file.exe.2cc1194.2.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Memory written: C:\Users\user\AppData\Roaming\yRnixT.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Process created: C:\Users\user\AppData\Roaming\yRnixT.exe "C:\Users\user\AppData\Roaming\yRnixT.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp32EB.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\dq&
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`,dq
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTedq
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002F06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\dqPaste_bin@\dq
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTedq,q
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B96000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\dq
Source: yRnixT.exe, 0000000D.00000002.4138337719.0000000002B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTedqLo

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Users\user\AppData\Roaming\yRnixT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Users\user\AppData\Roaming\yRnixT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yRnixT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.2621244.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2c9e678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f61bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.NotepadUpdate.exe.260e960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24e1238.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2a8e6b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.NotepadUpdate.exe.2aa0f9c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cd3a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.yRnixT.exe.2cb0f5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.24ce954.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2cc1194.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.NotepadUpdate.exe.2f4f2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yRnixT.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 7272, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 7252, type: MEMORYSTR

Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\yRnixT.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	3 Scheduled Task/Job	112 Process Injection	1 Masquerading	1 Input Capture	341 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Scheduled Task/Job	1 Scripting	3 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\NotepadUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\yRnixT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NotepadUpdate.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
C:\Users\user\AppData\Roaming\yRnixT.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
http://www.w3.or	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.or	NotepadUpdate.exe, 00000014.00000002.1922432597.0000000002469000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	file.exe, NotepadUpdate.exe.6.dr, yRnixT.exe.0.dr	false		high
http://www.carterandcone.coml	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000006.00000002.1831223958.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, yRnixT.exe, 0000000D.00000002.4138337719.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	file.exe, 00000000.00000002.1710678515.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1709506424.0000000005420000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.158.187	unknown	Switzerland		34888	SIMPLECARRER2IT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571767
Start date and time:	2024-12-09 17:34:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@63/28@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 673 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.245.163.56, 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:35:09	API Interceptor	1x Sleep call for process: file.exe modified
11:35:12	API Interceptor	45x Sleep call for process: powershell.exe modified
11:35:14	API Interceptor	7005700x Sleep call for process: yRnixT.exe modified
11:35:26	API Interceptor	4x Sleep call for process: NotepadUpdate.exe modified
16:35:13	Task Scheduler	Run new task: yRnixT path: C:\Users\user\AppData\Roaming\yRnixT.exe
16:35:24	Task Scheduler	Run new task: NotepadUpdate path: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
16:35:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NotepadUpdate "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
16:35:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NotepadUpdate "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.208.158.187	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRER2IT	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	185.196.8.239
	stail.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.202
	getlab.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.202
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	RjygH3Vh7O.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	SekpL8Z26C.exe	Get hash	malicious	Unknown	Browse	185.208.159.79
	file.exe	Get hash	malicious	Unknown	Browse	185.208.159.79
	file.exe	Get hash	malicious	Unknown	Browse	185.208.159.79

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yRnixT.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yRnixT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:8WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:8LHxvCsIfA2KRHmOugw1s
MD5:	7BB5843D0555D0B3CAE823A23F8CCBFA
SHA1:	3B895E6824BF18445F39261D53AD759F77EE9C80
SHA-256:	D7B5B9AC9010CCC5E668714E049D6EDFE1583CA9140F4044E7B6A348D064234D
SHA-512:	89B7CD31395365E92796FBA2B1EB3484C14811505C2F358CC97FAFE5960BC3ECABFEC7DF3FDE3BBA05206A63444FA43025B961CE49248FEF6EE9EB67F3DDF643
Malicious:	false
Preview:	@...e.................................E..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zr2u04c.xov.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ccwn4sp.xuu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ccy42u1.ikv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5olz220h.xzx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qoe0nc2.iew.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imcvoym0.psm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1wtbp2l.wi5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmtzm3wl.xpl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvrj0p4d.e3j.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnqqs2nf.qof.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pcivxl5m.i5v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwddicu5.oel.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1263.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp32EB.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.995880694641826
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5eiBNJovmqRDt+kiE2J5xAInTRI4PZPy:hWKqTtT6wknaZ5eOovmq1wkn23fTZPk
MD5:	0B146A4500D92A81B3316D0873FD5F41
SHA1:	4D0DA81BDF14E8979AE1B7F14C6F38338AA46785
SHA-256:	C64424DEB606AD9F5B1043FF47AC5D4D54AF17355D4220C57693B669159F72D5
SHA-512:	29C8F3F4E42A3AAAE23BF628E0D8461D69DD90908FEB0F6B206729EBC94F5ADCE38F8C6C3AF4DBA176A9D92364276F44F8EEB0B714728796C76BEB00E26F1BEF
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp7A3A.tmp.bat" /f /q..

C:\Users\user\AppData\Local\Temp\tmp8110.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp92A4.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\yRnixT.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102847873787985
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtah++xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTov
MD5:	9A8F5F43D99A5CC380619782E78C89E4
SHA1:	051A4856142F9B249AD6EA16D914A6C1D3786775
SHA-256:	391DA5A3D8D467D2DC616F105FAF16B5370D35C8D19375993FA0DB511868308F
SHA-512:	0ED96B80669B8C3E89AAF3CC45D05BCE6B4405D7288BF384AC618B2A02147BD7E5985936DBFDC7DC04C595E490303D21C90A69F078C895E7652993C9F996BAD8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Preview:	.5.False

C:\Users\user\AppData\Roaming\NotepadUpdate.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	803848
Entropy (8bit):	6.539114096795053
Encrypted:	false
SSDEEP:	12288:x1M0EGmwx0mUkw1tnPxv8opsdH0dwDIqkR:xuymwZ3UtPxvnps8wY
MD5:	854CA372C90E86BD9A9DCE642D7C1A88
SHA1:	11C86768112CFB75A3A9B0B8EF36997E80FEDCDF
SHA-256:	52A610B0AD89165F4A65A504F9CDD2ECDF8310D96088529FED72463A54FCD6C8
SHA-512:	8E84E56178ECDE6B20E3C605E146B001E5A1F4AFE3101F299D18278F666EF4F478C68D3EC0DBE48E95960FB23AB970C1BE6534627FE2029137B30F9D1F6DEE43
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7.k...............0..............#... ...@....@.. ....................................@.................................7#..O....@..\................6...`..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc.......`......................@..B................k#......H............R......J...h....,...........................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\yRnixT.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	803848
Entropy (8bit):	6.539114096795053
Encrypted:	false
SSDEEP:	12288:x1M0EGmwx0mUkw1tnPxv8opsdH0dwDIqkR:xuymwZ3UtPxvnps8wY
MD5:	854CA372C90E86BD9A9DCE642D7C1A88
SHA1:	11C86768112CFB75A3A9B0B8EF36997E80FEDCDF
SHA-256:	52A610B0AD89165F4A65A504F9CDD2ECDF8310D96088529FED72463A54FCD6C8
SHA-512:	8E84E56178ECDE6B20E3C605E146B001E5A1F4AFE3101F299D18278F666EF4F478C68D3EC0DBE48E95960FB23AB970C1BE6534627FE2029137B30F9D1F6DEE43
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7.k...............0..............#... ...@....@.. ....................................@.................................7#..O....@..\................6...`..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc.......`......................@..B................k#......H............R......J...h....,...........................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\yRnixT.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.539114096795053
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	803'848 bytes
MD5:	854ca372c90e86bd9a9dce642d7c1a88
SHA1:	11c86768112cfb75a3a9b0b8ef36997e80fedcdf
SHA256:	52a610b0ad89165f4a65a504f9cdd2ecdf8310d96088529fed72463a54fcd6c8
SHA512:	8e84e56178ecde6b20e3c605e146b001e5a1f4afe3101f299d18278f666ef4f478c68d3ec0dbe48e95960fb23ab970c1be6534627fe2029137b30f9d1f6dee43
SSDEEP:	12288:x1M0EGmwx0mUkw1tnPxv8opsdH0dwDIqkR:xuymwZ3UtPxvnps8wY
TLSH:	AD05623D49BD12EB81A9C79DCBE89827F614A46FB150ACA494C647A53347F4B34C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7.k...............0..............#... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c238a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCE6BAE37 [Thu Sep 28 21:50:47 2079 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2337	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc0e00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc0ae8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc0390	0xc0400	780aeee552f6bad0fd6ac13758fb717f	False	0.6116671915637191	data	6.514593037884995	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x55c	0x600	41045e561f85d1fe2e2a0d49c03c0056	False	0.3984375	data	3.917552678641129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	653a37b10ced2269be0235f2d6739db4	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc4090	0x2cc	data			0.4329608938547486
RT_MANIFEST	0xc436c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T17:35:36.400639+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	185.208.158.187	4449	192.168.2.4	49742	TCP
2024-12-09T17:35:36.400639+0100	2052265	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	185.208.158.187	4449	192.168.2.4	49742	TCP
2024-12-09T17:35:36.400639+0100	2052267	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	185.208.158.187	4449	192.168.2.4	49742	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:35:34.867188931 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:34.986526012 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:34.986613989 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:34.993288040 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:35.113091946 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:36.270994902 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:36.277760029 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:36.400639057 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:36.692193985 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:36.829039097 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:37.792943954 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:37.912343025 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:37.912452936 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:38.031963110 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:49.423949957 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:49.543754101 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:49.544008017 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:49.663397074 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:49.972047091 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:50.021935940 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:50.163647890 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:50.171489954 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:50.292455912 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:35:50.292526007 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:35:50.412199974 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:01.508197069 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:01.628021955 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:01.628109932 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:01.747566938 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:02.061981916 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:02.110337973 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:02.253719091 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:02.272463083 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:02.391802073 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:02.391863108 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:02.511285067 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:13.142352104 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:13.261713028 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:13.261858940 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:13.382169008 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:13.703041077 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:13.751101017 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:13.895133972 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:13.902314901 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:14.021738052 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:14.021845102 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:14.141508102 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:24.782799959 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:24.902256966 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:24.902424097 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:25.024132967 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:25.332149982 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:25.376019001 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:25.523694038 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:25.540431023 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:25.662290096 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:25.662408113 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:25.781909943 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:36.431143045 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:36.550599098 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:36.551408052 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:36.670851946 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:36.978578091 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:37.032284021 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:37.170212030 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:37.172144890 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:37.291676998 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:37.291789055 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:37.411684036 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.127597094 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:45.247185946 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.247257948 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:45.366966963 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.674937010 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.719805956 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:45.866951942 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.869167089 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:45.988650084 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:45.988707066 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:46.108236074 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:53.501852989 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:53.621364117 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:53.625516891 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:53.744826078 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:54.049043894 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:54.094846964 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:54.243029118 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:54.245418072 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:54.365472078 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:36:54.367984056 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:36:54.487447023 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.019289017 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.138771057 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.138899088 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.258266926 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.567446947 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.616036892 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.694230080 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.759560108 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.760611057 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.813630104 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.813699007 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:03.881880999 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:03.933115005 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:04.248699903 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:04.298827887 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:04.440567970 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:04.442200899 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:04.562299967 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:04.562351942 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:04.681847095 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:15.329988956 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:15.449388981 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:15.453485012 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:15.573064089 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:15.785092115 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:15.885922909 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:15.886065960 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:15.904778957 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.005667925 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.077230930 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.101969957 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.227869987 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.227935076 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.331815958 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.347476006 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.376107931 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.523808002 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.538342953 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.657819986 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.657881021 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.757442951 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.777312040 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.813601971 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.873205900 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.874744892 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:16.994318962 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:16.997538090 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:17.116898060 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:27.814256907 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:27.933602095 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:27.937623978 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:28.056900024 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:28.414840937 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:28.516772032 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:28.653800964 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:28.655706882 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:28.774950981 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:28.775188923 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:28.897845984 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:39.454921007 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:39.577428102 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:39.577636957 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:39.697487116 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:40.002603054 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:40.194272041 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:40.194322109 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:40.196146011 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:40.381380081 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:40.381439924 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:40.462960005 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:40.463021994 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:40.583242893 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.095709085 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:51.215562105 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.215630054 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:51.335038900 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.643435001 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.707593918 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:51.835197926 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.837330103 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:51.959402084 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:37:51.959495068 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:37:52.078886986 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:02.736458063 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:02.856549978 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:02.856856108 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:02.976397991 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:03.304630995 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:03.345323086 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:03.496773958 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:03.512789011 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:03.632246971 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:03.632401943 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:03.751981020 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:07.720766068 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:07.840229988 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:07.840301991 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:07.959827900 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:08.268290043 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:08.329467058 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:08.459413052 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:08.463746071 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:08.584618092 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:08.587946892 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:08.707479000 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:19.362215996 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:19.481549025 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:19.481631041 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:19.600971937 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:19.909811020 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:19.954492092 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:20.101596117 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:20.103642941 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:20.223095894 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:20.223155975 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:20.342575073 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:30.611541033 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:30.731640100 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:30.731848955 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:30.851965904 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:31.158442974 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:31.204602957 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:31.356894016 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:31.361659050 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:31.481015921 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:31.481066942 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:31.604391098 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:42.356442928 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:42.475812912 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:42.475877047 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:42.595125914 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:42.905846119 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:42.954406023 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:43.099796057 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:43.101640940 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:43.221843004 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:43.221921921 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:43.357148886 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:44.158268929 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:44.277523041 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:44.277582884 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:44.397068977 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:44.704731941 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:44.751291037 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:44.896508932 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:44.938149929 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:45.057423115 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:45.057482004 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:45.214580059 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:46.393085003 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:46.512525082 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:46.512605906 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:46.632215977 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:46.944996119 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:46.985735893 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:47.136964083 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:47.138741016 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:47.258606911 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:47.258697987 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:47.378063917 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:54.143556118 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:54.262871027 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:54.265696049 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:54.385094881 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:54.691641092 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:54.735678911 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:54.883498907 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:54.885564089 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:55.005022049 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:38:55.005136967 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:38:55.124458075 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:03.658926964 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:03.778434992 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:03.778506041 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:03.899126053 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:04.208861113 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:04.251441956 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:04.400089025 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:04.403165102 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:04.522465944 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:04.522525072 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:04.641947031 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:07.408181906 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:07.527751923 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:07.527816057 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:07.648029089 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:07.956645012 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.001450062 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:08.149038076 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.151335955 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:08.275729895 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.275805950 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:08.397618055 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.399924994 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:08.520159960 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.849718094 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:08.907660007 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:09.041316986 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:09.043134928 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:09.162691116 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:09.163810968 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:09.283250093 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.111305952 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:19.231086016 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.231177092 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:19.351172924 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.659507990 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.704600096 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:19.851512909 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.852356911 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:19.971806049 CET	4449	49742	185.208.158.187	192.168.2.4
Dec 9, 2024 17:39:19.971896887 CET	49742	4449	192.168.2.4	185.208.158.187
Dec 9, 2024 17:39:20.091370106 CET	4449	49742	185.208.158.187	192.168.2.4

Target ID:	0
Start time:	11:35:08
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6d0000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1705169063.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:35:11
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0xcd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:35:11
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:35:11
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp8110.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:35:11
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:35:11
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7e0000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.1828540463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:35:13
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\yRnixT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\yRnixT.exe
Imagebase:	0x830000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.1758094080.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:35:16
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp92A4.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:35:16
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:35:17
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\yRnixT.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0x340000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:35:17
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\yRnixT.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0xb0000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:35:17
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\yRnixT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0x430000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp7A3A.tmp.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x130000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:35:24
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Imagebase:	0x60000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.1922432597.00000000024C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:35:27
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x1a0000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000016.00000002.1891236933.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:35:28
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0xcd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:35:28
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:35:28
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC1D2.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:35:28
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:35:28
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x590000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:35:29
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\yRnixT.exe"
Imagebase:	0xcd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:35:29
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:35:29
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmpC5F9.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:35:29
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:35:29
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x410000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:35:30
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0xfc0000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:35:46
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x550000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000024.00000002.2083701044.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:35:48
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp1263.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:35:48
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:35:49
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x850000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:35:55
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0xa90000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000028.00000002.2168725401.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:35:57
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yRnixT" /XML "C:\Users\user\AppData\Local\Temp\tmp32EB.tmp"
Imagebase:	0x950000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:35:57
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:35:58
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0xd30000
File size:	803'848 bytes
MD5 hash:	854CA372C90E86BD9A9DCE642D7C1A88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	223
Total number of Limit Nodes:	10

Executed Functions

Function 01166F92 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910153a87f5dd3080627bca12721c03ec2328e01cb0a1365de746d39287ce494
Instruction ID: 881aa238966dcf233b44e6df01efad3be59c43717b9823d3b6e88e153442f1af
Opcode Fuzzy Hash: 910153a87f5dd3080627bca12721c03ec2328e01cb0a1365de746d39287ce494
Instruction Fuzzy Hash: 5D51B4B0E012099FDB08DFA9C8519EEBBF2FF88304F14846AD419BB264DB359942CF50

Function 01164218 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9983f456b9cb637d1ff9f1b6543c18055a245c678185aadd642859d1c822b4
Instruction ID: 953ca1e5d81bcc8244ce14f6944dd4fbbc79f6cc14cc4eb2f198feb94a77725f
Opcode Fuzzy Hash: 5d9983f456b9cb637d1ff9f1b6543c18055a245c678185aadd642859d1c822b4
Instruction Fuzzy Hash: 1E5194B0E012099FDB08DFA9C8509EEBBF6FF88304F54856AD419BB264DB359942CF50

Function 08B07719 Relevance: 8.9, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 08B07784
$dq, xrefs: 08B0789F
$dq, xrefs: 08B07790
LRdq, xrefs: 08B07877
LRdq, xrefs: 08B0786B
$dq, xrefs: 08B07893
8, xrefs: 08B077B3

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: 8$LRdq$LRdq$$dq$$dq$$dq$$dq
API String ID: 0-252008424
Opcode ID: c2c40ae90b4c2b8eaf856bc103791a5de54872cb30271566ce830c1d7c6988ed
Instruction ID: e97c784c11ba7ab774fe915de5ddaff37a2b40d307b137c0705a8d318b477190
Opcode Fuzzy Hash: c2c40ae90b4c2b8eaf856bc103791a5de54872cb30271566ce830c1d7c6988ed
Instruction Fuzzy Hash: 2231EA30B05305DBDB149A6DC81177DBB72FB84302F1484AAD4069B2C2CF76E842DF59

Function 08B062D9 Relevance: 5.3, Strings: 4, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

phq, xrefs: 08B06701
F, xrefs: 08B06994
4'dq, xrefs: 08B066B4
R, xrefs: 08B065A0

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: 4'dq$F$R$phq
API String ID: 0-3172865906
Opcode ID: b379b30b47036d12ab067f1227664b8f7ae21162d44fdf1b45b9a8d66a6639c3
Instruction ID: badd51758c3294cd08f03f30442930826ab6c66d9897d5a9c06bec33d48cddaa
Opcode Fuzzy Hash: b379b30b47036d12ab067f1227664b8f7ae21162d44fdf1b45b9a8d66a6639c3
Instruction Fuzzy Hash: 22D1E576A00214DFDB05CF98C984E58BBB2FF59315B1A80D9E6099B276C732EC61EF50

Function 08AEF408 Relevance: 3.9, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 08AEF51C
Hhq, xrefs: 08AEF4D7
Hhq, xrefs: 08AEF561

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq
API String ID: 0-327223379
Opcode ID: 8c3840f80eca4fc17e1c0bccbb15b078df4c35e37ff2d4d8e0eb7825c0e87b2c
Instruction ID: f37d82218529d519a1f38e408835a0de94400b62c55a6500476f7e6737dddf29
Opcode Fuzzy Hash: 8c3840f80eca4fc17e1c0bccbb15b078df4c35e37ff2d4d8e0eb7825c0e87b2c
Instruction Fuzzy Hash: 7A41CE747006408FDB28AF79952072A76EBEFD8209B144CADE416DBB80DF29DC03C761

Function 08B08600 Relevance: 3.8, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 08B08727
8hq, xrefs: 08B0866F
8hq, xrefs: 08B0867F

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: 8hq$8hq$8hq
API String ID: 0-1838490158
Opcode ID: 9fc218fd8fe41100c28a8ee6cdba2dc279a237887a14869a0a0ba38cebd2703f
Instruction ID: ea535c621a4f61a574e7487d76827a2592dc9382392869980efd0c99608f904d
Opcode Fuzzy Hash: 9fc218fd8fe41100c28a8ee6cdba2dc279a237887a14869a0a0ba38cebd2703f
Instruction Fuzzy Hash: BB317274E04209DBCB009E5CCD5097E7FB2EB89342B1144BAD52AA73C5DA35CE428FA2

Function 08AE6468 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 08AE670C
Hhq, xrefs: 08AE66D9

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: 62df2bb37d46112cfad7511bb8508aca71b0231c025fa789021cf6c9f41e5b5d
Instruction ID: 8e674d3411019fb6483faa2f265c880df1fe1f7f41b86e131833eb354d2c1481
Opcode Fuzzy Hash: 62df2bb37d46112cfad7511bb8508aca71b0231c025fa789021cf6c9f41e5b5d
Instruction Fuzzy Hash: A2812B75B001188FCB18EFA8D594AADB7F2FF98315F248899E405AB790CB35AD41CF61

Function 08AE6818 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 08AE68F3
Hhq, xrefs: 08AE68AA

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: 03c047e75715d2bdf1b9d3405e4a806f7c756c1b74d1b24eab3054a22acf9878
Instruction ID: 2fdd14e7eca14862c4032953602047bc97a1114c7232fbe52dd3ee3a7f5657f2
Opcode Fuzzy Hash: 03c047e75715d2bdf1b9d3405e4a806f7c756c1b74d1b24eab3054a22acf9878
Instruction Fuzzy Hash: C051A0347006108FCB14DB79C854A6E7BE6EFE861571588ADE906CB761EF31EC02CB81

Function 08AE0448 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 08AE050C
Tedq, xrefs: 08AE0609

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: Hhq$Tedq
API String ID: 0-2068707477
Opcode ID: da00a8fb742923fb5d3110fb32c1da89619f11d61d8067295a592035ed48cf5a
Instruction ID: 38052565dbcc66b9eb72fbbbd67b14ece69b5024c3c850179db5f7e7c3c91851
Opcode Fuzzy Hash: da00a8fb742923fb5d3110fb32c1da89619f11d61d8067295a592035ed48cf5a
Instruction Fuzzy Hash: CA517C35B006258FCB04DB79C854A6EBBE6FFC8711B548969E40ADB3A1DF74DD028790

Function 08B085F0 Relevance: 2.6, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 08B08727
8hq, xrefs: 08B0866F

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: 8hq$8hq
API String ID: 0-601589740
Opcode ID: 515b7433e2b920d4ae6cfe6f68c9fbf91d603514c5697aabfa4c3c46aa97ea02
Instruction ID: 7b953e76704b2b8e21bce02fd43d09e9cd97e4c29c931f8827973d2fbd8b35a0
Opcode Fuzzy Hash: 515b7433e2b920d4ae6cfe6f68c9fbf91d603514c5697aabfa4c3c46aa97ea02
Instruction Fuzzy Hash: 5431A474E08205DFCB019F6C8D6157E7FB1EB45342B1144FAD526A73C1DA358E428F96

Function 08B07660 Relevance: 2.6, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 08B07686
$dq, xrefs: 08B07692

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 570e9461178309ef7b905c2197b1b86980bfb23d3133ee53e05a7860e3746f90
Instruction ID: d7205ca52c17bf98ea8aa0ad63b8822192bc9a6326149927332508366741c8c5
Opcode Fuzzy Hash: 570e9461178309ef7b905c2197b1b86980bfb23d3133ee53e05a7860e3746f90
Instruction Fuzzy Hash: 1521AE70D1A344CFC705DB6C9910666FFF0BB05202B1481EBC40ACB182DE31AC45CF6A

Function 08B0773F Relevance: 2.5, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 08B07784
8, xrefs: 08B077B3

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: 8$$dq
API String ID: 0-2343709646
Opcode ID: 4fc27a4cf30595a75a72ec20350e928b7adfc4ae8ab4406a890702f830aec690
Instruction ID: 50234be038592f7c7b00dd2041ec38734bf348856cd1628666dc33e38e123729
Opcode Fuzzy Hash: 4fc27a4cf30595a75a72ec20350e928b7adfc4ae8ab4406a890702f830aec690
Instruction Fuzzy Hash: 43F0A470752305DBE7109B28C8567A8BE71EB40741F1588D9DC056E6C2EEA19891CB51

Function 072E537C Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072E55BE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8f26b094e38631d8a520bf6701b48f701b7214cf9d6d25ba7d9b4e3cc475da37
Instruction ID: c8df7d4427a813dfb18e7e9563708e2efac6e89203c142ddff02954e531d2bf6
Opcode Fuzzy Hash: 8f26b094e38631d8a520bf6701b48f701b7214cf9d6d25ba7d9b4e3cc475da37
Instruction Fuzzy Hash: F6A17AB1D2021A8FDB20DF69CC41BEEBBB6BF48314F548569E808A7240DB749995CF91

Function 0116AE59 Relevance: 1.7, APIs: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0116B0BE

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60a6ffd5a98b8891d2c0cf9d52ce1aa1f5ab22fc9fb4f2729b6c77ad209ce658
Instruction ID: 9f59cfe0cd32e490f9c24f4a66a400ca90a8b72d705e67ae611367d438aa7d38
Opcode Fuzzy Hash: 60a6ffd5a98b8891d2c0cf9d52ce1aa1f5ab22fc9fb4f2729b6c77ad209ce658
Instruction Fuzzy Hash: 2F91CDB0A007458FD729CF29D45079ABBF5FF48304F00896ED48ADB681D736E95ACB92

Function 072E5388 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072E55BE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c9c400ae7887f8a1d9e4fb0567c64c93d1d5aa03122827a20fbc24923b807d90
Instruction ID: 253ef79d00536d210dae257cb5f0a41377d4de60b8181fb49847c95bb9d3ccf0
Opcode Fuzzy Hash: c9c400ae7887f8a1d9e4fb0567c64c93d1d5aa03122827a20fbc24923b807d90
Instruction Fuzzy Hash: 9F917AB1D2021A8FDB10DF69CC41BEEBBB6BF48318F548169E808A7240DB749995CF91

Function 0116590D Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 011659C9

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fb0b835964ae3077afaa69d103519cad734437c07c7c22d7a741fd95e1c5e6c9
Instruction ID: 3aa23b12ae4048edb9c24c41e176998c9611dbba32a8df82ec47261af54d3da7
Opcode Fuzzy Hash: fb0b835964ae3077afaa69d103519cad734437c07c7c22d7a741fd95e1c5e6c9
Instruction Fuzzy Hash: E341D1B0C00719CBDB28DFA9C885B9DBBF6BF49314F24806AD409AB251DB756946CF50

Function 01165A84 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c246aff87047cc559300b1f6d34876e8e6ba9e7ef820a0ccd8f098badb4e3a0
Instruction ID: 477ff8733acabf79efce7c90be17af90bb2cb36b75aab1f72014599c3ac88d74
Opcode Fuzzy Hash: 3c246aff87047cc559300b1f6d34876e8e6ba9e7ef820a0ccd8f098badb4e3a0
Instruction Fuzzy Hash: 9D3120B1C00349CFDB59CFA8C8447EDBBB6EF46314F148089C046AB251E776A916CB51

Function 011644E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 011659C9

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7237dc5dd1755de3d8c0c42f02147d5d978fe8b544f3004ce4768ea5cc119fa0
Instruction ID: 668ae1864e901c87abdc21b7f9df0d2de8756c626b8a87d886078bc1254dd806
Opcode Fuzzy Hash: 7237dc5dd1755de3d8c0c42f02147d5d978fe8b544f3004ce4768ea5cc119fa0
Instruction Fuzzy Hash: 1D41C2B0C0071DCBDB28DFA9C884B9DBBF6BF49314F24805AD409AB255DB756946CF90

Function 072E50F8 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072E5190

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c256982b223c663194e3b4fbe1557096c3d30831a18365e71e60c07344c49925
Instruction ID: 1f7e4eaebdeed112160b00c1355435c5b1618f06b4ba89a08d5cf7c5377dc84a
Opcode Fuzzy Hash: c256982b223c663194e3b4fbe1557096c3d30831a18365e71e60c07344c49925
Instruction Fuzzy Hash: A72166B19103099FDF10CFAAC881BDEBBF5FF48310F50842AE958A7240D7789954CBA1

Function 072E5100 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072E5190

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f7c85dcb64bd96ba4ac6e3949d9c6523cdac5a365c33f31c6949073e9d1728be
Instruction ID: cdbdd8c18f36fd0b72422c6ba48bc51e607829efbb48243cf329994e19e1705b
Opcode Fuzzy Hash: f7c85dcb64bd96ba4ac6e3949d9c6523cdac5a365c33f31c6949073e9d1728be
Instruction Fuzzy Hash: 6F2125B19103099FDB10DFAAC885BDEBBF5FF48314F50842AE919A7241C7789954CBA4

Function 072E4B28 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072E4BAE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6221be7bc408cab903da2f45252cce84d57dfc2de64f456fade37cc833d7a5d5
Instruction ID: 917908a249f541667336eb392475bbced1dbcd68d6682873e0b0d5c00457ca90
Opcode Fuzzy Hash: 6221be7bc408cab903da2f45252cce84d57dfc2de64f456fade37cc833d7a5d5
Instruction Fuzzy Hash: 9F2148B1D002099FDB10DFAAC4857EEBBF4EF48320F64842AD459A7241DB789945CFA4

Function 072E51E8 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072E5270

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 41733ff3a08d1eb08dbcc41af9a024ea1b1d1ec961269b179e8bc6512d4e30e3
Instruction ID: eed9c88b1854b4f875e12548678e43908869223d8911c985948f5901f0cec1a9
Opcode Fuzzy Hash: 41733ff3a08d1eb08dbcc41af9a024ea1b1d1ec961269b179e8bc6512d4e30e3
Instruction Fuzzy Hash: D92148B19003599FCB10DFAAC881ADEFBF5FF48320F50842AE918A7240C7389954DFA1

Function 0116D738 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0116D706,?,?,?,?,?), ref: 0116D7C7

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d7348103ce338d6722017ce1d91f432dd063d38ee770fd78182263292dd74010
Instruction ID: 06925d51aa104c728f06f38e21cc22bde82af1e3f0184c02e17a9e2737455191
Opcode Fuzzy Hash: d7348103ce338d6722017ce1d91f432dd063d38ee770fd78182263292dd74010
Instruction Fuzzy Hash: AD2116B59002489FDB10CFAAD984ADEBFF4FB48310F14801AE958B7350C374AA51CF61

Function 0116B850 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0116D706,?,?,?,?,?), ref: 0116D7C7

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cba4492f1456c33d74b9e6530256890f8ee6087f004abb3b39a9a5aa7f2b9c55
Instruction ID: 1bb94489be298c32d7c9e5aafb9a9ad40e2fd18d1ac51dfa33c9444377760d8c
Opcode Fuzzy Hash: cba4492f1456c33d74b9e6530256890f8ee6087f004abb3b39a9a5aa7f2b9c55
Instruction Fuzzy Hash: 022103B59003489FDB14CF9AD884ADEBBF8EB48314F14801AE958B3310D379A950CFA5

Function 072E4B30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072E4BAE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c1fba66dd0894626a6df4163162cdb371d5e8a0664d12c55e3d4be3395de4f91
Instruction ID: 0af52964123425f55edd4877000d8bed9966aeb1e91b479c4c87436ba0de19e2
Opcode Fuzzy Hash: c1fba66dd0894626a6df4163162cdb371d5e8a0664d12c55e3d4be3395de4f91
Instruction Fuzzy Hash: AC2137B1D103099FDB10DFAAC4857EEBBF4EB48324F54842AD559A7240CB789945CBA4

Function 072E51F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072E5270

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01100a28def3087a9d764cb74377d94ef36a66256a34813e93b4da476ca8e26e
Instruction ID: 60384769e1ca9d5a9b662be4af23bc4ba709692c07a0eea3074fdb3260874773
Opcode Fuzzy Hash: 01100a28def3087a9d764cb74377d94ef36a66256a34813e93b4da476ca8e26e
Instruction Fuzzy Hash: 1C2139B1D103499FDB10DFAAC845ADEFBF5FF48310F50842AE919A7240C7789954DBA4

Function 072E5038 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072E50AE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 46f664fb7e8a4c53d19976a9cdd6de3ff2efac415409f3cb385a71007b25c3fb
Instruction ID: e50a3165be44ab0eaff3e60f586bbe4c1b1dba4d42d6dcb1c234d585835835f1
Opcode Fuzzy Hash: 46f664fb7e8a4c53d19976a9cdd6de3ff2efac415409f3cb385a71007b25c3fb
Instruction Fuzzy Hash: 2E2167B19002499FCB10DFAAC845BDEBFF9EF48320F24841AE919A7240D735A554CFA0

Function 072E4A7A Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072E4AE2

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e28310ab03f20585fde751f841649861b41848dcc43aae44e27e893a5fded006
Instruction ID: 09b4f9ae8c3fcae52f6c5b34146ee280cfd13377256a577b05d79e6d74c83d73
Opcode Fuzzy Hash: e28310ab03f20585fde751f841649861b41848dcc43aae44e27e893a5fded006
Instruction Fuzzy Hash: E71146B19002498FDB24DFAAC8457AEFBF9EF88320F24841AD559A7240CB75A945CB94

Function 072E5040 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072E50AE

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 18ba0903dc9bb35dd01eab33850747138e79c87535a770e7b94f62b04d62e49c
Instruction ID: 1a5bd455a253536beb03b8e43f850c95d3d15c2adfeec2fd64a4ad5d1399af5b
Opcode Fuzzy Hash: 18ba0903dc9bb35dd01eab33850747138e79c87535a770e7b94f62b04d62e49c
Instruction Fuzzy Hash: 05116AB19003099FCB10DFAAC844ADFBFF5EF48324F108419E519A7250C7359554CFA0

Function 072E4A80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 072E4AE2

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 88ab3c835fe471231bdccec220e8c590967b1b90e1d6e5abaea3f9d3c1f5eaf5
Instruction ID: 838894f4945d130de0d7d426412b2fc0a83622ddf84691567748846fb63a28de
Opcode Fuzzy Hash: 88ab3c835fe471231bdccec220e8c590967b1b90e1d6e5abaea3f9d3c1f5eaf5
Instruction Fuzzy Hash: C61125B1D003498BDB24DFAAC84579EFBF9EB88324F24841AD519A7240CB75A944CBA4

Function 072E964A Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072E96AD

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 068c906af56913420aa861561957bd21fc8f00a7b9dfd33c029180213a1c281e
Instruction ID: a0f80c76a09255eac7a3ad3570983bebf70d01df039a70f8512ee4185b14b9ce
Opcode Fuzzy Hash: 068c906af56913420aa861561957bd21fc8f00a7b9dfd33c029180213a1c281e
Instruction Fuzzy Hash: 061118B59003499FDB10DF99D845BDEFFF8EB48320F20841AE958A3210D375A584CFA5

Function 0116B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0116B0BE

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1c9fa5f0d955d454b9216af8ded8e89732df03430dabd16f4197586b0cf6d5eb
Instruction ID: eb223213ef81804d8be15cf3049875b1de42eed28a6fae199b30f1e7a9cbb5d9
Opcode Fuzzy Hash: 1c9fa5f0d955d454b9216af8ded8e89732df03430dabd16f4197586b0cf6d5eb
Instruction Fuzzy Hash: E21102B5D043498FDB14CF9AC444A9EFBF8EB88210F10841AD929A7200D375A545CFA5

Function 072E750C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 072E96AD

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bf61046bea4fa50607c2ce9eef639d8befb306ac39ce9c7917f18beb50a9c89a
Instruction ID: 0a4fd3eee752a7875347480df98c2792397eb09cc9cdb7cdf0aed887796d08c3
Opcode Fuzzy Hash: bf61046bea4fa50607c2ce9eef639d8befb306ac39ce9c7917f18beb50a9c89a
Instruction Fuzzy Hash: F31103B58103499FDB10DF9AD849BDEBBF8EB48320F10841AE958B7210C375A994CFA5

Function 08AEAE50 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

Hhq, xrefs: 08AEAF6E

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: Hhq
API String ID: 0-4210879014
Opcode ID: 11a65b61478375a6cec00423063fe14cbe43f5e920847296dd5b5f6c3ab97a9b
Instruction ID: 9330dadd11f60a30f58ddf0d47b0d0918107b7687f71b8bdf8c0151ea0633f11
Opcode Fuzzy Hash: 11a65b61478375a6cec00423063fe14cbe43f5e920847296dd5b5f6c3ab97a9b
Instruction Fuzzy Hash: 8F918275A002199FCB04DFA8D480AEEB7F5EF88305B14C46AE908EB351EB35ED16CB51

Function 08B0E400 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Tedq, xrefs: 08B0E49E

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 1e99a197feb0cac788a7edd38b9a7c284a7803b8564273e6983574f80fee48cf
Instruction ID: a65b7b5f1588f4e8342903de33f55439eec2a20b6d8374620b5e3720e25170a3
Opcode Fuzzy Hash: 1e99a197feb0cac788a7edd38b9a7c284a7803b8564273e6983574f80fee48cf
Instruction Fuzzy Hash: B971D2B4E04218CFDB08CFA9C944AEDBBB6FF89301F10946AD419AB3A5D774A945CF50

Function 08B0653C Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

F, xrefs: 08B06994

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 1162a26624bb9d29e2b6a1eae2f5b72f372d9110f4e6369966a33430a6fab1a6
Instruction ID: dbbf80efc14860011c6dee43d7c239ba7c21122a5ccfa38faac292c8b9183adb
Opcode Fuzzy Hash: 1162a26624bb9d29e2b6a1eae2f5b72f372d9110f4e6369966a33430a6fab1a6
Instruction Fuzzy Hash: 0A515A70A04308CFDB04CFA8C995AA9BBF1FF5A311B1581DAD4469B2A2DB31ED51CF10

Function 08AE3FD0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

(hq, xrefs: 08AE40C4

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 2506f180d1185294f8f4f14992ae3992b61aad52790c8fe49ef7ea24493597e3
Instruction ID: f6cb055354f57181d5c2cb1da939c10a728dbc8ceb88bc7181cacf37e38285d0
Opcode Fuzzy Hash: 2506f180d1185294f8f4f14992ae3992b61aad52790c8fe49ef7ea24493597e3
Instruction Fuzzy Hash: 3E41DF34B00A058FCB04EB6CC454AAEBBF6EF88311F14856AE509DB361EB78DD81C791

Function 08B081F8 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

$dq, xrefs: 08B0821F

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: 3b5f991eeb5f53d41b68b0d1275a48f8bcacac77772e117f7686f8c54ee4f97e
Instruction ID: 10450c320e9e824f60c3644bbc8e1a16b27f58ed77d88621be0c529282f5e355
Opcode Fuzzy Hash: 3b5f991eeb5f53d41b68b0d1275a48f8bcacac77772e117f7686f8c54ee4f97e
Instruction Fuzzy Hash: 2221422090EB84DFCB12976CAD1016D3FE19B42217B1444FFD45ACB1D6C635CA56CF92

Function 08B09150 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tedq, xrefs: 08B091BB

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 5d14f58f96a42ae4316ad65c629a86f7be3172ddbbc159f687c7036b970a6792
Instruction ID: ba4b8821adbc75c0b67f9345b7a181daf2e6e1151a57d2b5514d2b26f473cd05
Opcode Fuzzy Hash: 5d14f58f96a42ae4316ad65c629a86f7be3172ddbbc159f687c7036b970a6792
Instruction Fuzzy Hash: 54114C75B0021A8BCB14EBB999006EFBAF6AFC8211B104069C514EB395FB318E01CB90

Function 08AE1ED1 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

$, xrefs: 08AE1ED8

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 370aebc5a240e4941c7d976168dee96186d709413bd44570a1770e915ab94cea
Instruction ID: bb94f75c35c7034219f9db451892534f7ebb9b608da710d72383c6793c3ba9ad
Opcode Fuzzy Hash: 370aebc5a240e4941c7d976168dee96186d709413bd44570a1770e915ab94cea
Instruction Fuzzy Hash: 78F05E32604118AFDF08DF98DC41BEE7FE6EB44255F14857AF508D7760E671E9518740

Function 08AE38A7 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

`, xrefs: 08AE38B0

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 1d71c06b426dc2df8f69d472918684e78329208dbb898bac852d636024420c9f
Instruction ID: 1c0c366770cbd10e2a9b40e0416b0a8c0085c6495290b212fabbc313b55304b5
Opcode Fuzzy Hash: 1d71c06b426dc2df8f69d472918684e78329208dbb898bac852d636024420c9f
Instruction Fuzzy Hash: DEE0C23B0402494ADB428BB1ED02B927BE1BF12612F448876E444C7D30E226C12AC701

Function 08B069B0 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

I, xrefs: 08B069C4

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1bd131b98d6aa0737292814929670c12acb41075c7753d843fa79e49de93f8d2
Instruction ID: dc3db1f2784fd0e9a2b7273852987c36854a12d33997f73b67b1898fac49bd40
Opcode Fuzzy Hash: 1bd131b98d6aa0737292814929670c12acb41075c7753d843fa79e49de93f8d2
Instruction Fuzzy Hash: 33D05EE540D3588FCB428B949A622A83FB06A27207B5441D7C9599B791CA244E2AAB52

Function 08B06379 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

G, xrefs: 08B0638C

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: e449a25045f2e07ab32a45cc765a1a59f116e3c9919ad58aec9b8859288932db
Instruction ID: 26eaaa39765da304543703992b0085830dc27ee95e8c1ebfd7492391199cd4f5
Opcode Fuzzy Hash: e449a25045f2e07ab32a45cc765a1a59f116e3c9919ad58aec9b8859288932db
Instruction Fuzzy Hash: DED05EE184A244CBC7018B949A2526C7FB0AB22207B2845CBD509876C1CF250E108FE1

Function 08B07B31 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

(, xrefs: 08B07B3C

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: f29d2ab6649b679b7182c70f4fef5881864cad11078d3ebbbcd34ab777384291
Instruction ID: f312690589f021be709f8c5607220a2079b9b0308f0b6f75c83bf37e89dacb37
Opcode Fuzzy Hash: f29d2ab6649b679b7182c70f4fef5881864cad11078d3ebbbcd34ab777384291
Instruction Fuzzy Hash: 22C01224805908D7C710CBD5DB1227CFBA0AF50107F2052C784099B390CE726E256A41

Function 08B069C0 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I, xrefs: 08B069C4

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction ID: 2e99fad20a08f76758978c52f7ed675b4ca26dfe93cffb97b6a0fe252067492f
Opcode Fuzzy Hash: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction Fuzzy Hash: FEC08C7050830CEBC640DAC8D80152DBBACDB26266F0002E6C80E03A80DA719F349A82

Function 08B07B38 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

(, xrefs: 08B07B3C

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction ID: a731dff5cdfc192fb98d2ae24770232e781913131aeecb91e4147539f91a32e7
Opcode Fuzzy Hash: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction Fuzzy Hash: 52C08C2040960CE7C750DA9AE81153DFBACDB01116F2002C6C80A83280CE72BE205A86

Function 08B06388 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 08B0638C

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: e9e73a5f70c8c02521e764ad1afcb3b4c33a9622d8cfc92b4441679a88561ce4
Instruction ID: 29c3b9c06638042b918ac22a73e9ff9dd7bfa299412e17b7c0c6ce1e7f8744cc
Opcode Fuzzy Hash: e9e73a5f70c8c02521e764ad1afcb3b4c33a9622d8cfc92b4441679a88561ce4
Instruction Fuzzy Hash: 39C012B0488208EBC600DA89E90A62CBBA8E712216F0000C9E80E822C0CF716E209EE5

Function 08AE21D0 Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf4e433d0c287c48f776eca4d4d14e1ce91e280d9cfc3389ea056af86c08fae
Instruction ID: 7e07ad5a94eebe22e5b6b1f3ace303494f10dc6bd4332fd99e748394fc4d57d7
Opcode Fuzzy Hash: ecf4e433d0c287c48f776eca4d4d14e1ce91e280d9cfc3389ea056af86c08fae
Instruction Fuzzy Hash: A9623171E01B458BDB719F78D5883AD7BA5BB42302F105D1EF1EACBB90EB74A4818B41

Function 050DC998 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64942b1bba9a79d834cee87bf7f837d9e846fff50f7a1566fc417f930c4610ca
Instruction ID: 272e6a50c8097eb2f2cc3099c3b47384e0dd49262f8edbb3179de027096e854c
Opcode Fuzzy Hash: 64942b1bba9a79d834cee87bf7f837d9e846fff50f7a1566fc417f930c4610ca
Instruction Fuzzy Hash: 93723E31910609CFDB14EF68D894AADBBB1FF45304F0182A9D54AA7265EF30AEC5CF91

Function 08B01798 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1518fe1228e852e4b186c937eda1ec5c6ed04968bc306003ec1ae3a7076119de
Instruction ID: e3679b71a288e8de00063c609d3f7517c53f03a0bdb1bc97cbc85a4b67864c2e
Opcode Fuzzy Hash: 1518fe1228e852e4b186c937eda1ec5c6ed04968bc306003ec1ae3a7076119de
Instruction Fuzzy Hash: 5F42E130D00619CFCB19EFA8C8446DCBBB1FF59300F5186A9D5497B265EB30AA99CF91

Function 050DDE60 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95fec1f409000cdd9e38f346d78f469ddf02a4577817adef486d4097755567a
Instruction ID: d281625ffa39eadd71b612e3c8f5213ddb785f4a33f3940ea4d787f8f810e955
Opcode Fuzzy Hash: c95fec1f409000cdd9e38f346d78f469ddf02a4577817adef486d4097755567a
Instruction Fuzzy Hash: 3E221A34A00614CFCB54DF69D894BADB7F2BF88301F5485A9E90AAB365DB30AD45CF60

Function 08AE2210 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cbc17b18f7262eb77e3270529e285320fd4a3f2ceb6209aaa33307242c0f71
Instruction ID: 317088d612d675747ce0157da4036b8335ddebb3c0bc7c012b123c57c1fcdfed
Opcode Fuzzy Hash: e8cbc17b18f7262eb77e3270529e285320fd4a3f2ceb6209aaa33307242c0f71
Instruction Fuzzy Hash: 74128EB1901F4A4BD7B15F6896C839EB794BB07301F205D1FF2FACA650E77490828B85

Function 050DCAC8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd50537610c901c27cddedd8a85195bc25b0bc715a2c15aba795249179d725e1
Instruction ID: d32a8dc77f45997a722b9c656409ed2705a71091ce7f901e72c8fdf14bc1f13a
Opcode Fuzzy Hash: cd50537610c901c27cddedd8a85195bc25b0bc715a2c15aba795249179d725e1
Instruction Fuzzy Hash: 19124F31A106198FDB58DF68D8946EDB7B1FF55300F0182A9D54AA7269EF30AEC5CF80

Function 08B001D8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023117624b6958bf01c315f84717cf200d039d3b7eb27a7b3dba892aeb0c57db
Instruction ID: 99912772d2fea403c55708eb49316f3536613d53029c7cf8933b94ecd88d33db
Opcode Fuzzy Hash: 023117624b6958bf01c315f84717cf200d039d3b7eb27a7b3dba892aeb0c57db
Instruction Fuzzy Hash: C9B1C230A01209CFCF25EFA9D5506AEBFB6FF88306F2044ADC449AB281DB319952CF51

Function 08B04830 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8948f83b23de63f3ab66df343c17c40ba0b8fdc94996da3f314aed7bd779c9c
Instruction ID: 1591255f50f4e1f555612d9ad1fb76cda4f863b2e1c1c5c6fbea6ac0de176a56
Opcode Fuzzy Hash: a8948f83b23de63f3ab66df343c17c40ba0b8fdc94996da3f314aed7bd779c9c
Instruction Fuzzy Hash: EEF1D971D1061ACBCF10DFA8C854AEEB7B5FF59300F1086A9E549B7254EB30AA85CF90

Function 08B0482B Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d31d6abeb21fc9b111394fcc5b32ab97973b93b7a3e2ccd601f4aa384ba13d
Instruction ID: 238e1c89bb48dd21748dd02ed28aeef5e5a3e5f9dd2030789b43e106754e68eb
Opcode Fuzzy Hash: 63d31d6abeb21fc9b111394fcc5b32ab97973b93b7a3e2ccd601f4aa384ba13d
Instruction Fuzzy Hash: 55E1DA71E1061ACBCF10DFA8C8549EDB7B5FF59304F1086A9E549B7254EB30AA89CF90

Function 08B04E40 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e778a046b67d8dac133294306e29d068352997fef62a5c3f0d7a27105343193
Instruction ID: de8cc3abe5f04b77b4d5655812e47f0b10de336e04cdbc093c133664f094343c
Opcode Fuzzy Hash: 5e778a046b67d8dac133294306e29d068352997fef62a5c3f0d7a27105343193
Instruction Fuzzy Hash: 09C13B31A00219CFCB14EF68C9546ADBBB2FF85305F1485A9D406BB3A0EB34AD85CF91

Function 08AE15A8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767a367966eb92ecc8e9e3e758b32cb0af9c32009b0a7b5f8b13f8d15f63db49
Instruction ID: a1b0260951200a038b01877f5e7a43a821e5fb7c55ba10be6da2831b55f5d386
Opcode Fuzzy Hash: 767a367966eb92ecc8e9e3e758b32cb0af9c32009b0a7b5f8b13f8d15f63db49
Instruction Fuzzy Hash: 9CA14E34A007199FCB14DF65C840BAEBBB5FF89300F14859AE949A7351EB70AD82CF91

Function 08AE6950 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d63f75c58c02d8c95a7b77fa9839c40b21307a644fe2c29538c98b250e84e6c
Instruction ID: 011c2c6b75575b0fd14c95ee1de7342547cf19017694179f2a276fd1e5b9578f
Opcode Fuzzy Hash: 7d63f75c58c02d8c95a7b77fa9839c40b21307a644fe2c29538c98b250e84e6c
Instruction Fuzzy Hash: 9A810334710600CFCB14EF28D588A6A7BF6BF99A05B1585A9E506CB775DB72EC41CB80

Function 08AEEBB8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e6eff77444fc49efbb9e1e0054b8db0a2071bc5dc5d59baea37241753d7151
Instruction ID: cbf889b638712718d3b3e8ce0cc266a8a4aaed3d460f1f549f6b23e441d8e4c0
Opcode Fuzzy Hash: 36e6eff77444fc49efbb9e1e0054b8db0a2071bc5dc5d59baea37241753d7151
Instruction Fuzzy Hash: 2191E475A0060A9FCB24CFA8D980ADEBBF6FF48310F048969E965D7350D771E961CB50

Function 08AEC188 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eda04e468b39fe38dad018a18f4c34050d3c43120f9cb4baaf545f6473a5c7b
Instruction ID: 0e7a4dd7bb9604b9d966d3cfc6f3d5400d5166899231651fbc235f854380454b
Opcode Fuzzy Hash: 1eda04e468b39fe38dad018a18f4c34050d3c43120f9cb4baaf545f6473a5c7b
Instruction Fuzzy Hash: 4781A535A10609DFCB04EFA4D888AEDBBB5FF89311F148569F502AB364DB709945CF90

Function 08B03978 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5d9180f4a656ae8aed007eaf8eb361c88079c45c77c255d1cf84d4d4d7a295
Instruction ID: 2a80164b1800d51a3697de6386915a201db5ea8af84f4c1d8bce03db3c549107
Opcode Fuzzy Hash: 2a5d9180f4a656ae8aed007eaf8eb361c88079c45c77c255d1cf84d4d4d7a295
Instruction Fuzzy Hash: DC815B30A14609DFCB15AF68D8886ADBFF1FF48305F5185A9E046AB3A4EB31D965CF40

Function 08AEEBA8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e37edfc9cb37eb3f053f447dea90f5201f6b99cb6534fa2af3f716f4a042a
Instruction ID: 3163a55eec10529a393de1d4ff0cc2f31bcc42da80d1d2710eade91586976f89
Opcode Fuzzy Hash: 6f2e37edfc9cb37eb3f053f447dea90f5201f6b99cb6534fa2af3f716f4a042a
Instruction Fuzzy Hash: D291E574A0060A9FDB24CFA8C980ADEB7F6FF48310F148959E965D7750D731E961CB50

Function 050DBF10 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd1c95ac9bc68040052a0212c58736c16ece6e7c22e7c7662918a58f0e296ee
Instruction ID: 499527773f80965e5f8294781c1e6cd8be85786c9731458632a4c9c33ba0289f
Opcode Fuzzy Hash: 1fd1c95ac9bc68040052a0212c58736c16ece6e7c22e7c7662918a58f0e296ee
Instruction Fuzzy Hash: D191187590071ACFCB41DFA8D880999FBF5FF49310B14879AE819AB256E770E985CF80

Function 050DED80 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17274342ad64128978566847d0e7244c7417c1f658ef472607a1289f89fd005e
Instruction ID: d07f4af724ab8239becef69566b9082526761b7ccb832705c2073d43dec25033
Opcode Fuzzy Hash: 17274342ad64128978566847d0e7244c7417c1f658ef472607a1289f89fd005e
Instruction Fuzzy Hash: EB711571B002598FCB05DFB8D4889EDFBF6BF88200F148569E806AB355DB759C41CBA5

Function 08AE1599 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4595e37bf9e13f8ff03940961be8c0c17d43ea8ed9eb84bb2e40f557283b5fe3
Instruction ID: ff3985719993f85afb211550d6d9df948acfe27743dc605c7deb1019255fc54c
Opcode Fuzzy Hash: 4595e37bf9e13f8ff03940961be8c0c17d43ea8ed9eb84bb2e40f557283b5fe3
Instruction Fuzzy Hash: A1911C74A10719DBCB14DF64C840BAEBBB5FF89300F14859AE949A7311EB71AE82CF51

Function 08AEBCA9 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e223bc1a851832b4cf1ad3e71a4ecaa09a8bc8ab722ee5eff51cc540991d26
Instruction ID: fea95c2395b7111b52858576f82aa3ce67a53fd39182811784365486bee5e328
Opcode Fuzzy Hash: 35e223bc1a851832b4cf1ad3e71a4ecaa09a8bc8ab722ee5eff51cc540991d26
Instruction Fuzzy Hash: 76711A35A007058FCB24CFB9D588A9EB7F1FF48215B14892EE55AE3B44EB34E9458B50

Function 08AE78A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc1d2815e615e82fa5381df0656863fa449dfcbf5323c0d1e51250783fe837
Instruction ID: 532805717bcfc53ef4d3110f46a148601e51ed875ec37a85ab6ed34044ef0964
Opcode Fuzzy Hash: 2ebc1d2815e615e82fa5381df0656863fa449dfcbf5323c0d1e51250783fe837
Instruction Fuzzy Hash: 55714A31E00609CFDB14DFA9D8587ADBBB1FF89311F14896DE846A7350EB349A45CB90

Function 08AE90D0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3bb3875ac95ebd1c97cdf68706d02826e65ce0ff8682e24f93ba9906cc012d
Instruction ID: 8f51d759ade6c5d003932c246daf7e7e3788372c025a346ac82043fd6a5402e3
Opcode Fuzzy Hash: 9b3bb3875ac95ebd1c97cdf68706d02826e65ce0ff8682e24f93ba9906cc012d
Instruction Fuzzy Hash: D381FA35A1470ACFCB00DFA9C980699F7F1FF99300F25D659E559BB211EB70AA94CB80

Function 08AE510C Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd56e1d436f6685e18c6129aba14f4b97c0f22d13bb3dc70288e78923d9718a
Instruction ID: e1ebdd94ad749b288a69cdb550e7a734e0705ecd7ab618ac5258017e33687d13
Opcode Fuzzy Hash: 3fd56e1d436f6685e18c6129aba14f4b97c0f22d13bb3dc70288e78923d9718a
Instruction Fuzzy Hash: C281EB35A1070ACFCB00DF69D980699F7F1FF99300F25D659E519BB211EB70AA95CB80

Function 050DB291 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7993ebd0f8202c87096c7e1a2ad8bff6917ddf069f166c4c64dabf57d0d8e2
Instruction ID: a8a78cf4061eb7b2261bb7f8b5bb01fd901249828a5dafb4916cb5549b48a414
Opcode Fuzzy Hash: 7a7993ebd0f8202c87096c7e1a2ad8bff6917ddf069f166c4c64dabf57d0d8e2
Instruction Fuzzy Hash: 2C71BDB9600A008FCB58DF29C588A59BBF2FF8970571589A9E54ACB372DB71EC41CB50

Function 050DB0B0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668e60cffb84c278c91fc62e548289a2b26702f40ba508636e7ee7a170cd2371
Instruction ID: 00cc1822755c6ce5b6d310030617ce4675b7bf49f5aeee0e2c32e3034c94211c
Opcode Fuzzy Hash: 668e60cffb84c278c91fc62e548289a2b26702f40ba508636e7ee7a170cd2371
Instruction Fuzzy Hash: 1771A2B4A052068FCB44CF69D5849A9FBF1BF4C314B4986A9E80ADB312D734EC85CF90

Function 08AE9698 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9995e5849e0204bb79989b0d6903eee1583666be3b7c32d2878d8b1d35185bc
Instruction ID: d2c5cae02bf5c0da39a2e5980173265a8d46460fd78af0be07aa9f29bfbd9a9c
Opcode Fuzzy Hash: c9995e5849e0204bb79989b0d6903eee1583666be3b7c32d2878d8b1d35185bc
Instruction Fuzzy Hash: 3D71F374E00209DFDB14DFA9D488B9EBBF1BF88315F248469E819A7661DB30A845CF60

Function 08AECA28 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263435c9021e8f1a2fa924f65ba5d3f45a7f826e8b54e6f1686de28c8a4496d
Instruction ID: b65b5931f058c8f915db3e91d4e9ed87b5750390bafb733a5d7052ce635ff41d
Opcode Fuzzy Hash: 2263435c9021e8f1a2fa924f65ba5d3f45a7f826e8b54e6f1686de28c8a4496d
Instruction Fuzzy Hash: 2F51AD307102008FCB14DB69D594BAEB7FAAF88716F10496DE109DB7A1DB75ED41CB90

Function 050DDE50 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d279648a9c06d114ce33d004173b2d0c617afa1b9f68ff1c7d55206f2d640d
Instruction ID: daf872f6bf01d6287c646bb1de037c1f6c6dad889223c501f510f6bb1a088ec1
Opcode Fuzzy Hash: 11d279648a9c06d114ce33d004173b2d0c617afa1b9f68ff1c7d55206f2d640d
Instruction Fuzzy Hash: 17516B307103008FCB14DF69D894BADB7F6BF89311F0485B8E90A9B3A5DB30A845CB61

Function 08AE8EB8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474c0e7d137e416923c628b8fa20daa6ae9f5304516932916f7ce41d75daa9d5
Instruction ID: 0fff99cadfcafba4e6b33c331231be51b71e9d7acb9c2ca2fa271d359784764c
Opcode Fuzzy Hash: 474c0e7d137e416923c628b8fa20daa6ae9f5304516932916f7ce41d75daa9d5
Instruction Fuzzy Hash: 9D61F531D00609CECB01EFA8C8549EEFBB1FF89300F44C65AE5556B224EB75AA85CB81

Function 08AE8EC8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13caa2335bbb9e8ee8363b7b063ee9d066eecb08c8e3e8dd80dab8356fae2fae
Instruction ID: cc4cc34292506ed57beed9293a7ba51a2382bd8cea6888c82e934844192f29d5
Opcode Fuzzy Hash: 13caa2335bbb9e8ee8363b7b063ee9d066eecb08c8e3e8dd80dab8356fae2fae
Instruction Fuzzy Hash: C761E631D00709DECB01EFA8C854AEEFBB1FF49300F40C65AE5556B264EB75AA85CB81

Function 08AE8CA8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee3480db2d390b7cb5e84dd62e5f367f0eaa2ac01e252db99ab51624de6775e
Instruction ID: 8328fbbf5fd15fb23482af2001883e071f6d49e7c376a2b3879057427e371613
Opcode Fuzzy Hash: 5ee3480db2d390b7cb5e84dd62e5f367f0eaa2ac01e252db99ab51624de6775e
Instruction Fuzzy Hash: BF512B35B00608CFCB04DFA8D884A9DBBF6FF89700B1485A9E509AB361EB31ED45CB50

Function 08AE8C99 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694c8895957b0e23343d0955e65ccc45e7783d38706f5246b36be15f309a3f22
Instruction ID: 84363a3e822a22a0cb71b75b72a269c8b757d64798340f30669dd9efe7abfba4
Opcode Fuzzy Hash: 694c8895957b0e23343d0955e65ccc45e7783d38706f5246b36be15f309a3f22
Instruction Fuzzy Hash: EB512A35B10608CFCB05EFA8D884A9DBBB6FF89700B148569E509EB361EB31ED45CB40

Function 050DED70 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951b8269587ff774e5d685a6204f53e8c70da1d04b69c3cec1cf41414a2e7411
Instruction ID: 2e6e888d34ac6e6ac4ef85cc7b716784c7243a8ac43579d078d7e12ac7d24364
Opcode Fuzzy Hash: 951b8269587ff774e5d685a6204f53e8c70da1d04b69c3cec1cf41414a2e7411
Instruction Fuzzy Hash: 5F514D71B002558FCB05DFB8D4889DDFBF6BF88200F148569E8069F361DB759841CB51

Function 08AE50FC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42faffd56a09a76339dc776daa88de33e44dcf3b9f05d985fc8c462f282ee19
Instruction ID: 33d3070c02dbef6cfa553d9fa49e7804cd60f9d8d77d5fd795c00440a26b8297
Opcode Fuzzy Hash: f42faffd56a09a76339dc776daa88de33e44dcf3b9f05d985fc8c462f282ee19
Instruction Fuzzy Hash: 3F51F5B5A0030ACFCF00DF68D5809DEBBB1FF48311F14892AE815AB204E730E955CBA1

Function 08AECA18 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d410eca8f4c01f5938a8a9355fefab15bddcbee58b45416ea08ffd3ceb1ad2c
Instruction ID: dd16bec8760379df74b63fbe71215c461cfa0f276b71eefe52fa7edb5aafe38e
Opcode Fuzzy Hash: 1d410eca8f4c01f5938a8a9355fefab15bddcbee58b45416ea08ffd3ceb1ad2c
Instruction Fuzzy Hash: 4041BA307102059FCB14DB68D494BAEBBFAAF89615F10496EE009EB761CB76ED41CB90

Function 08B00B34 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b0885710b32eb2a6fa67558d643f97b26ec518e65158adde4a186b8bdf1d2b
Instruction ID: 46016ce63be21ef308227551f71639ee6866b14ef5cf74f5f86606e4575bc342
Opcode Fuzzy Hash: 68b0885710b32eb2a6fa67558d643f97b26ec518e65158adde4a186b8bdf1d2b
Instruction Fuzzy Hash: 0641B170E045169BCB0EAFACCD546AA7FF0FB44342F5844AAE442EB2D4FA71D9118E90

Function 08B09374 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2642b44fa0fc0ded081cca6512a9c0ebb99959c843759a59114686b1250d6c2e
Instruction ID: 499af5ded9632d0415b3680bed52e12fe430c4bb97787d765c581fcfed282b65
Opcode Fuzzy Hash: 2642b44fa0fc0ded081cca6512a9c0ebb99959c843759a59114686b1250d6c2e
Instruction Fuzzy Hash: 47416030A15309CFCB118F6DD890AAEBFB1EB45202F0480A9E1979B2D2D735E946CF51

Function 08B01587 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1869a2d9a2ee935a7d4bd0058495319230b952c0298e16403276d15ab6f07210
Instruction ID: 76570c0b3346f046d4a8c84904132dc58348134c502cbd8b0d005a22eb28367b
Opcode Fuzzy Hash: 1869a2d9a2ee935a7d4bd0058495319230b952c0298e16403276d15ab6f07210
Instruction Fuzzy Hash: F241C270E005169FCB0EAFACCD446A97FF4FB44342F5844AAD443A72D5FA30D9118E90

Function 08B03768 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5374cf75911cdc743cbdd44792ac659eff9db10866fa3fbdf6db87b695832322
Instruction ID: 1acc145efc514bef42529bb9d3a641ce3ac7df05f5fcd2177167c211f6129e48
Opcode Fuzzy Hash: 5374cf75911cdc743cbdd44792ac659eff9db10866fa3fbdf6db87b695832322
Instruction Fuzzy Hash: 45416A34A106089FDB14EFA8D854AADBBF2EF89311F1485A9E401FB3A1DB70EC41CB50

Function 08B00C10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e0802cf1e71c0ae2592606537f41e17794e0a9737e340668bffa82096f969d
Instruction ID: 1e6e17f60c6815329f82498071357372c0f071af045c4c0c6e4539090d27f4a7
Opcode Fuzzy Hash: b9e0802cf1e71c0ae2592606537f41e17794e0a9737e340668bffa82096f969d
Instruction Fuzzy Hash: 9F413834A106089FDB14EBACD854AADBBF2EF89311F1485A9E441BB3A1DB71E845CB50

Function 050DEB54 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70474ad810a823fef5508d72d232d9652f6fd5a3ec42bedf4c222489aec96120
Instruction ID: 1cdd9804b6d192da4bcca53019077c01dd043961f836bb5718a09fda97f4b1d1
Opcode Fuzzy Hash: 70474ad810a823fef5508d72d232d9652f6fd5a3ec42bedf4c222489aec96120
Instruction Fuzzy Hash: B23170317002058FCB64EF7DE844AADB7FAEF89625B1445A9E51BCB3A1DB31D801CB61

Function 050DA5D0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c3d44db84daa1536ae3e2cd4e988361d352309cc17dfa409ed054d8c7f0d9b
Instruction ID: 06abfe5364a42216fce5dc0e1b8a51206f0c6353e7eeaf39e64b3fcee9517b80
Opcode Fuzzy Hash: b2c3d44db84daa1536ae3e2cd4e988361d352309cc17dfa409ed054d8c7f0d9b
Instruction Fuzzy Hash: C3413D34A10709CFCB04EF68D894ADDBBB6FF89304F008569E5156B325EB71A946CB81

Function 08B001CB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e053da93782d7121aeba71ee856410f9fde0c2f438f7506c054c6de2f81a50
Instruction ID: 4f8bc1464b0fbbdf9db1da80aa86332dddee79a16702b29bf07d844f42908f4c
Opcode Fuzzy Hash: 46e053da93782d7121aeba71ee856410f9fde0c2f438f7506c054c6de2f81a50
Instruction Fuzzy Hash: 6F415530E05208DFDB25AFA5D9446ADFFB2FF88305F258498E441BB256CB3188A1CF41

Function 050DA5E0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34088dea451da017dc6d7394bedb70c497e2a028cc6e182d23f83c0d857f5a0
Instruction ID: deb43e747e2ff2c4fa50a148e6a8ce58f12f2678cf6107b603151b9e0dcd0234
Opcode Fuzzy Hash: a34088dea451da017dc6d7394bedb70c497e2a028cc6e182d23f83c0d857f5a0
Instruction Fuzzy Hash: 2F411D34A10709CFCB14EF68D8949DDFBB6FF89304F008569E5196B325EB71A946CB81

Function 08AE03AC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4ca4758d0f9899c8dece5c4f82e72eaccea7c521b2ac1e7783d3d027f16e39
Instruction ID: c3137e806a337ccead841b447a9c04f45c80a2a5378e4efecbfd5f171554c70f
Opcode Fuzzy Hash: 6d4ca4758d0f9899c8dece5c4f82e72eaccea7c521b2ac1e7783d3d027f16e39
Instruction Fuzzy Hash: 6A3139B5A002089FCB14DFA9D885A9EBFF5EB48311F50886AE509A7310D774A950CBA4

Function 08AEAE41 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0808803fbdf6880be05b675b45d123534f303187a42959511cb99de23057f26e
Instruction ID: f5aa0f415b2fba3b4d5dc0df3627537dc6162989b6d6a891972984d937a2e6d7
Opcode Fuzzy Hash: 0808803fbdf6880be05b675b45d123534f303187a42959511cb99de23057f26e
Instruction Fuzzy Hash: 6B31AB35A002088FCB04DF64C984AEE7BF6EF89305F1584A9E905AB762EB35ED05CB50

Function 08B0619C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4153d1068716196c8806a63a2721431ae1eb42e26cd83271ee0b26a66a7652
Instruction ID: 3bb825b1ab2bcd89646c43632abdcbcb6c62431be4a6dd9ae038ed4abee9f357
Opcode Fuzzy Hash: 3e4153d1068716196c8806a63a2721431ae1eb42e26cd83271ee0b26a66a7652
Instruction Fuzzy Hash: 2B31B030A04308CFD704DE9CD5517AE7BB2EBAA316F14849AD416AB3C2CB35DD968F91

Function 050DA4C9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4a4e6b6c4f414e39df35173da931b1c9141c18901f2ffdc53156253d329600
Instruction ID: b69e102f68e508cd66140b2f9b882cad40d81e525daec639641f981ea73c0f41
Opcode Fuzzy Hash: 9e4a4e6b6c4f414e39df35173da931b1c9141c18901f2ffdc53156253d329600
Instruction Fuzzy Hash: 4A317C31B01619DFCF04EB64E8448DDFBB6FF88210B048669E905AB364EB31AC45CB91

Function 050DB09F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2bfa4652167c06c00c3d72f935a6809885609c503927883388c1f24de3073d
Instruction ID: 01c9b891c63e54ec89883e801bf51cf341789dd2c5df41091e62a8e490a31330
Opcode Fuzzy Hash: fe2bfa4652167c06c00c3d72f935a6809885609c503927883388c1f24de3073d
Instruction Fuzzy Hash: 1641E775A042068FC754CF68D584AA9FBF1BF49300B4986A9D84ADB351D730E885CF90

Function 050DF1E0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaec96b2e58af3c6a06003bec263e0e51815221ac02a5f404f491f1940075fc7
Instruction ID: 3f420a0ad34eb3f26c2ba01f9c54c5dc295136d7d20cd6117a7020910eb24270
Opcode Fuzzy Hash: aaec96b2e58af3c6a06003bec263e0e51815221ac02a5f404f491f1940075fc7
Instruction Fuzzy Hash: 7A317175B006059FDB18DB69D8449AEB7F5EF8C320F1580A9E906E7361DA31EC01CBA0

Function 08AEA188 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bad85dc9d17e344cdda8ffd3d8926280cd68e8265d151fcf91ff7adf047906
Instruction ID: 1055a5f3d308f8e964236a0610bedd2da5f079b5b55e9edb1e1411c844917662
Opcode Fuzzy Hash: 74bad85dc9d17e344cdda8ffd3d8926280cd68e8265d151fcf91ff7adf047906
Instruction Fuzzy Hash: 4E31A130B012218FCB14DF78C844B6E77F6AF95206B14886DE906DB765DB31EC01CB51

Function 08AEA177 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a945542341de378956f6c7f4d8a2e8bfb8d5b30f5d421698417cc4a3cf214d5f
Instruction ID: fa57254373602025c88899c5b7fb6d281f2cff7aa09fcce7a7a3869045e791d7
Opcode Fuzzy Hash: a945542341de378956f6c7f4d8a2e8bfb8d5b30f5d421698417cc4a3cf214d5f
Instruction Fuzzy Hash: 7C31B1307002218FCB05DF68C840B6EB7B6EFA5216F14886DE806DB761DB32EC01CB51

Function 08B06D24 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8deda42cdbb490cbfa97d761dc06b510853d46c487d2aedaeb5cbebc6a553a24
Instruction ID: fb55cb9e257e2a55c3a76a045ad9f0dbde399dcebe0e7bffa7275b5abb772cd5
Opcode Fuzzy Hash: 8deda42cdbb490cbfa97d761dc06b510853d46c487d2aedaeb5cbebc6a553a24
Instruction Fuzzy Hash: B121AD75E103154BCB04EBB889486BFBFA6FFC8251B544D6DE41997380EE349D028AA0

Function 08AE4F4C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3853e150de0f0fb0ba4953175574a38ca5afd1d3771222794dcc7897ccd701ef
Instruction ID: 164fde53bac81ec940ae9405c838b7bfa5c8a17a34318ccd64ba29bf046c4983
Opcode Fuzzy Hash: 3853e150de0f0fb0ba4953175574a38ca5afd1d3771222794dcc7897ccd701ef
Instruction Fuzzy Hash: 40310B35A50219DFDB04DFA8D884EECB7F5FF88701B1185A9E805AB761C730A804CB90

Function 08B06E20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6ca6ed0514c38c2d75a37b0c21ff1506c2889393381b7dd23c04ddbdeb7667
Instruction ID: 046e2f7b174efb22475d48b34b4a3eee9ada6353da3245dabe4ff73ec23e5a68
Opcode Fuzzy Hash: dd6ca6ed0514c38c2d75a37b0c21ff1506c2889393381b7dd23c04ddbdeb7667
Instruction Fuzzy Hash: 7E215E70B24315CBDF049F6CD52926EBFE2AB96742B1048A9E467D73C4DE308C918FA5

Function 08B00006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66328218ec7929c6f9806f858297d4c44bfdc72ed7f799a51d3e99d0b011c65
Instruction ID: 99d1c8c1f40bbee178d82dc35438b9658a82276277af6e95bf3a99d76750cb19
Opcode Fuzzy Hash: f66328218ec7929c6f9806f858297d4c44bfdc72ed7f799a51d3e99d0b011c65
Instruction Fuzzy Hash: 4621CC65A0E7C95FC7136B38CC282947FB09F43211B2A44DBD094DB1F3E168881ACB62

Function 08AE03F8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612f326cfd0a625feeeaaba6fbec3d5d766a8c967478f19c3c05c9b840e3e843
Instruction ID: 645ec44a119901c2bc366ce450972509f4ddcc7ef7c41496f4bdc5eba2c89886
Opcode Fuzzy Hash: 612f326cfd0a625feeeaaba6fbec3d5d766a8c967478f19c3c05c9b840e3e843
Instruction Fuzzy Hash: 72317AB5904348DFCB10DFA9C848AAEBFF4FB48311F50886AE809A7701D774A940CFA1

Function 08AEE300 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53450901f39735565e69611fba4a835e65335984f152f06a40bec9d155737b93
Instruction ID: 6bdc8d430e5ead7b01610be0d15fa3eaf595910dc0743e6a36b004f684943ab9
Opcode Fuzzy Hash: 53450901f39735565e69611fba4a835e65335984f152f06a40bec9d155737b93
Instruction Fuzzy Hash: C12107367006118FEB38CB65C4C26BE77E6EBC4311F18846EE546D3794C634ED918761

Function 08B05D28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa253423f9e48b9bc45e4dfec5dca4d33c3a92e285742df3469f2c2cc5a3a69c
Instruction ID: e7c409b51b1e2fb9993be19dae125200882cfce05177074965adedf7ebab54aa
Opcode Fuzzy Hash: aa253423f9e48b9bc45e4dfec5dca4d33c3a92e285742df3469f2c2cc5a3a69c
Instruction Fuzzy Hash: 7A3107B4E1120D9FCB10DFA8D8949EEBBF5EB48301F50856AE515F7690E7309A41CFA1

Function 08B06E10 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c040faa024d1024c68549753aa6cb52acba3e084d93588da1ee18c6277ea085b
Instruction ID: bc8988022e482ccc25c2077b827a1dd7e0fcc51aec17df2a4a912243156611cb
Opcode Fuzzy Hash: c040faa024d1024c68549753aa6cb52acba3e084d93588da1ee18c6277ea085b
Instruction Fuzzy Hash: D1213C74A14315CFDB049BB8D52926EBFE1BB96742B1048A6E467D73C0DE308C618FA6

Function 08B0B8E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffc99b31f867f441dbef392739d50f5f254d986b0599b1b18eb378fdfcef8d2
Instruction ID: a19aa01f92bcf87b4ddd1cacd4a6b969079214cd0cb854f88ef7eb559ccf9e9e
Opcode Fuzzy Hash: 9ffc99b31f867f441dbef392739d50f5f254d986b0599b1b18eb378fdfcef8d2
Instruction Fuzzy Hash: 2321C730B0C218DBDB184A9D84117367A66FBC4333F5484AAD4076B3D5DE71CC418F52

Function 08AEC17B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdbe9c6714fc3baf59d6fbc36736ba760fb22dc2b5e38ee078df502019c5ac0
Instruction ID: 8e3106a08ee4b5dcfa0015cf373c2723efe900e72f434f010260a056c59ec2cc
Opcode Fuzzy Hash: abdbe9c6714fc3baf59d6fbc36736ba760fb22dc2b5e38ee078df502019c5ac0
Instruction Fuzzy Hash: 89319634A10709DFDB14EFA4C984AEDBBB6FF85311F048569E501AB364EB709986CB90

Function 08B0B771 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a633d4fbe91920ed005c91ee67159addb053c8791205332d6dccdd84a97046
Instruction ID: e9b1d082afcbe72731c6438ae9245faa6ac3c0a60f0872d0bc9a6b29a0bb3e48
Opcode Fuzzy Hash: a7a633d4fbe91920ed005c91ee67159addb053c8791205332d6dccdd84a97046
Instruction Fuzzy Hash: 9E219F60A09355CBC7158FAC84906797FB4EB49323F0484EBD926872E3D724D901AF96

Function 08B06269 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24f985288d1e2f2191e8288dc3b2c6e2ea02c3c0369da28edb13f45d40328a8
Instruction ID: 7744e35fc6a00fc4fc50c83ae7448f447e43b94a631733d7187d86bed9ab14f3
Opcode Fuzzy Hash: a24f985288d1e2f2191e8288dc3b2c6e2ea02c3c0369da28edb13f45d40328a8
Instruction Fuzzy Hash: 52319F30A04218CFD704DE9CD55176E7BB2EB9A316F1484AAD416EB3C2CB35DD668F81

Function 08AE0418 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f45edcfb046b85eb897229ffc8a5ceb5bc9b0b2086f1a3df55370059134074
Instruction ID: 1291eff3e896b766b69157add371e280776bacb2dd02441af5c0619e05763efd
Opcode Fuzzy Hash: c0f45edcfb046b85eb897229ffc8a5ceb5bc9b0b2086f1a3df55370059134074
Instruction Fuzzy Hash: 7E21F6367016554FDB05DB79CC50A6A7BF6EF8A61070985A9F405CB362DE70DC01C790

Function 08AEE310 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9265b86bf0caa512ae0d6f491da7cd07797d938752c5bbcc762eb1b3d116e089
Instruction ID: 0d211443ec286b1af9e8adccb2ea5270c0bf1b061e1513834db37262286d867a
Opcode Fuzzy Hash: 9265b86bf0caa512ae0d6f491da7cd07797d938752c5bbcc762eb1b3d116e089
Instruction Fuzzy Hash: 5D2105367106118FEB38CB69C88167EB7E6EBC4321F28842DE546E3B94C634ED918761

Function 08B000E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d50f0e6b304950ece776eb777bc66807a32e66ed41817936cc0849f2ed9c4a2
Instruction ID: ac77298be33919f6203108eb3d7519e6dc5d12b4d408c2311d01e2a2b37d124a
Opcode Fuzzy Hash: 6d50f0e6b304950ece776eb777bc66807a32e66ed41817936cc0849f2ed9c4a2
Instruction Fuzzy Hash: 28219230A04A05DBDB157B69C8446EFBF71EF41203F5049AAE485672D4EB31D962CF91

Function 08AECDE1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f131cb2b1a42343e8e61d0be139595454c6e35161882a0d48963e3e554bfa6
Instruction ID: d8ba45d31f16357cab99cf49cef369ae9f1b79c1d0fb46384a336fba31bde5f0
Opcode Fuzzy Hash: d3f131cb2b1a42343e8e61d0be139595454c6e35161882a0d48963e3e554bfa6
Instruction Fuzzy Hash: 9C216B35A002188FCF04EB68C995AED77F2FF89715F1544A8E401BB761DB399C01CB65

Function 08AEF3F8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2cc4880cc74d17b4ce75603ef9cca758db45eaa02b4ab266861157da543092
Instruction ID: e03c44295541d310b07f7a5fa7f8bc63acd254fd40644a6a6e1c15d33641479d
Opcode Fuzzy Hash: ae2cc4880cc74d17b4ce75603ef9cca758db45eaa02b4ab266861157da543092
Instruction Fuzzy Hash: 0C214D703017018FD728AF79955072773EAAFC920AB544DACE9669BF94EF31E842C660

Function 08AE3FC1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d376cafaee3d94e44bb8bcf77494716daf91f9cdcfcc87e0c367a5d70addae3
Instruction ID: c69f18249d6696205e1cb583f8fcbbfaaa7dbc2585631d043663fe26d53c9f8c
Opcode Fuzzy Hash: 6d376cafaee3d94e44bb8bcf77494716daf91f9cdcfcc87e0c367a5d70addae3
Instruction Fuzzy Hash: 3E217A34B00605CFCB00EB68C585AAEBBF6EF88301F14856AE509DB361EB749D85CB91

Function 08B02E80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b59a53b7b58999dcd8609a97bbdda9f172a358fb3a72ee2172ab3a108b491e4
Instruction ID: 20f43a354336c861b5a28b79ac7a5dc003d211a70beb1e3dd3c5bfeb0a886c9c
Opcode Fuzzy Hash: 3b59a53b7b58999dcd8609a97bbdda9f172a358fb3a72ee2172ab3a108b491e4
Instruction Fuzzy Hash: 3E215E35E106198FCF11EBACD4486AEBBF4FF88351F0085AAE859E7350EB309945CB91

Function 00F7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704452985.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3916f8ea6173565e38bcb39fc5a596b68227c4609eb27eaefc832190c69595b2
Instruction ID: 99f8583ef8cc78c0e7c23dd91b97e5e47a74a9feb191197008259346fdeb84a2
Opcode Fuzzy Hash: 3916f8ea6173565e38bcb39fc5a596b68227c4609eb27eaefc832190c69595b2
Instruction Fuzzy Hash: 672124B2500200DFCB05DF04C9C4B16BF75FF98324F60C56AD80E0B246C336E816E6A2

Function 08B0B8E2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce38f7fd944d198465a576e275d561c9e60bd8f3724f2eef1a05699333678cb6
Instruction ID: fab3722c1e41c4ba77996451e9a36d28cd9abf29105d442e99476bd1a5d4995f
Opcode Fuzzy Hash: ce38f7fd944d198465a576e275d561c9e60bd8f3724f2eef1a05699333678cb6
Instruction Fuzzy Hash: DE21C330B0C214EBDB144A8C88017767A66EBC1733F5584EBD4576B2D5DB71DC418F42

Function 08B04639 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b428c6eb253bd022fcec61a1bf8662438d05bfac001fa058d105540ab122cbb
Instruction ID: a530c49ac977343923022620087c734a93bce27c72ebe9a2a764a83c9cd53cb8
Opcode Fuzzy Hash: 4b428c6eb253bd022fcec61a1bf8662438d05bfac001fa058d105540ab122cbb
Instruction Fuzzy Hash: 8A212175B002098FCB54EF69D8949AEBBF9FF88200B508179D905E7355EB30E945CBA0

Function 0109D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704537210.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1d1c0e34bbe8a7fe2e90fc0aaf7f57b7c4dca093917217fe15f3d44ca5c974
Instruction ID: 6234e3be985808b339d42a57260911b766d50b18daebd568c02f282427302f12
Opcode Fuzzy Hash: 0b1d1c0e34bbe8a7fe2e90fc0aaf7f57b7c4dca093917217fe15f3d44ca5c974
Instruction Fuzzy Hash: D1210371644300DFDF15DF58D894B16BBA5FB84354F20CAADE98A0B282C33AD407DB61

Function 0109D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704537210.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0d97205a7b3a21ebbd43c9ef285dea0a0b9e0f08e10d68322fcfd7ea7fd3d7
Instruction ID: fa997baeced8c58809c1dd58a19055391648297effd3788a8e4ab61158f206c2
Opcode Fuzzy Hash: 1a0d97205a7b3a21ebbd43c9ef285dea0a0b9e0f08e10d68322fcfd7ea7fd3d7
Instruction Fuzzy Hash: 8B2125B1644200EFDF05DF98D9D0B25BBA5FB94324F20C6EDE98A4B282C336D406DB61

Function 08AE9DB4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f9708bc1a4dc7597c4f21c9776c339fc59c7dc3884ad770c95682d3a082cfb
Instruction ID: 26c369625f74401148220cec0b166f9326e8d1cf8bc5961c8b556b71d702d89d
Opcode Fuzzy Hash: 25f9708bc1a4dc7597c4f21c9776c339fc59c7dc3884ad770c95682d3a082cfb
Instruction Fuzzy Hash: 2D21C235A10305DFCB14DF29C4847AABBB2FF84321F54C92DE8199B650E735E954CB50

Function 08B0141F Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b73ad22e2055cc357177ed0342eccb574d49a22556eb94fd89ca9350780a860
Instruction ID: 471a62f4a59dce3780ad04f5a4290da8c5ee141158f36d33e104db32a536f0c1
Opcode Fuzzy Hash: 1b73ad22e2055cc357177ed0342eccb574d49a22556eb94fd89ca9350780a860
Instruction Fuzzy Hash: 01317C30900609CFCB04EFA8D9546ADBBB1FF45305F00855DE0856B260EB31A948CF91

Function 08B04648 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9318b745b6769e20356fda05da98daf0f7388f04b141c65fa16f93c7afc91b33
Instruction ID: de1c32c999b65a427771f51024bab7abb753052dd935701429c6d6f6f6003482
Opcode Fuzzy Hash: 9318b745b6769e20356fda05da98daf0f7388f04b141c65fa16f93c7afc91b33
Instruction Fuzzy Hash: 03212F75E002098FCF54EFA9C8849AEB7B9FF88300B508569D905A7345EB30A945CBA0

Function 08AE95D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d620e7e8e1c13186918ee4e759c5117acdc3bbac5b4107472d7e9ec6f3171559
Instruction ID: a6e42573cfcdd208aeeaea0ab340ac9b3dcb1f9fa74eb5878b76ae205eb97e08
Opcode Fuzzy Hash: d620e7e8e1c13186918ee4e759c5117acdc3bbac5b4107472d7e9ec6f3171559
Instruction Fuzzy Hash: B71130357007148BD615AB6DF5585AEBB9BEFC4622B18086BF10AC7A60CE25DC82CB51

Function 050DD4D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396dae3d92ee8edd88ee046bae567d5ee5050bd815a0659850d999d2ff5f8af3
Instruction ID: 048fec3654b49ebb4ca0e9fdfcce666d677b60d162efd2e5111e38d71bd5a92b
Opcode Fuzzy Hash: 396dae3d92ee8edd88ee046bae567d5ee5050bd815a0659850d999d2ff5f8af3
Instruction Fuzzy Hash: 38215032A106099FCB11EF6CD84099DFBF4FF59354B50C26AE958A7204EB31E998CB91

Function 08B05D18 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de2c5efe4769751a8755e5ec4c4d96467ef2bf1323dcd2eae332a0c1c7720bb
Instruction ID: 78ec5f1dc3f75f1370cc56172bddd61323c5ffb10af7ca90269b134a158bffbe
Opcode Fuzzy Hash: 4de2c5efe4769751a8755e5ec4c4d96467ef2bf1323dcd2eae332a0c1c7720bb
Instruction Fuzzy Hash: 2E21F6B4E102099FCB50DFA8D4956EEBBF1EF48301F1085AAD415F7684EB349A81CF61

Function 08AE064C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7368a7960bbadc1b3ac831c7fb6107818269ef81f41c225c52bccb629a1a11a7
Instruction ID: 4b8a9a5d958067028aef6d953860236cc0d5c2aa399f14da51bf9252f0983933
Opcode Fuzzy Hash: 7368a7960bbadc1b3ac831c7fb6107818269ef81f41c225c52bccb629a1a11a7
Instruction Fuzzy Hash: 2A31EEB0C017589FDB20DFA9C988B8EBFF5BB48714F24841AE408BB641C7B55985CFA0

Function 08AEC840 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc52ccb847a9186fe8bc02371a1947393514c26f18231fabf4d7c9b741e9057
Instruction ID: a2b1d1ff642d6f2f605747851ec03239c1d5c5236e7e7679c11e30f9a8909bc3
Opcode Fuzzy Hash: 1dc52ccb847a9186fe8bc02371a1947393514c26f18231fabf4d7c9b741e9057
Instruction Fuzzy Hash: CE21E5B5D113099FDB10CFA9D984A9EFBF4FB48324F14842EE819A7740D375A944CBA4

Function 08AECF90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41391d377c0f528f605884f554c0a8797e758bfe51735404109d31ff80393cf
Instruction ID: b99ca17ecbd321fce98451ccccc72087758cd1ba7ea9389e02edbea108e4f0de
Opcode Fuzzy Hash: c41391d377c0f528f605884f554c0a8797e758bfe51735404109d31ff80393cf
Instruction Fuzzy Hash: FE1190363006108FC714AB28D844B6EB7E9EF89616B14456DF406D7360EF30EC02CBA1

Function 08AE9E14 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b0b3479033bd2afcefa26db9ff365d6214f07928f3055cf25fe431d6e86faa
Instruction ID: 0d3a8aa6cfd81d6455086eb500db608b6ce51edfd6e1c2d04b41f971eb39303a
Opcode Fuzzy Hash: f0b0b3479033bd2afcefa26db9ff365d6214f07928f3055cf25fe431d6e86faa
Instruction Fuzzy Hash: FF21F2B1D113099FDB10CF9AD984A9EFBF4FB48320F10842EE819A7600D379A944CBA4

Function 050DF1D1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd5591e848f5db871c4ce2c82e547353b7c8cacdcc31b5b630c17eb21cf7747
Instruction ID: 039212f64a8ec7cd8cc0cde4a17c9ccbeb001ea02ec26210cb965ef63c2d3669
Opcode Fuzzy Hash: 6dd5591e848f5db871c4ce2c82e547353b7c8cacdcc31b5b630c17eb21cf7747
Instruction Fuzzy Hash: 36114F757042049FDB18DB59D844DAEB7F6FF8C320B1580A9E90AE7361DA31EC01CBA0

Function 08AE0658 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9e845c2016d66997a3eeafe23a91fd4ec66b7f71ed1a1554d388578c455312
Instruction ID: 344dfcfcab13f2c9e35375fa1f9084b19ef72a7f729e92d5dddc8b72d6c57872
Opcode Fuzzy Hash: 1a9e845c2016d66997a3eeafe23a91fd4ec66b7f71ed1a1554d388578c455312
Instruction Fuzzy Hash: 8621DBB0D116189FDB20DF99C988B8EBFF5BB48714F24841AE408BB680C7B55885CFA0

Function 050D70F4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55db73a3df9aca30e925eb7e6921787ac13f529c973f0883f86fad377943bb22
Instruction ID: 739161bbeb1bed145a5f3ddc0c1cf3062e67e56b56a29b17272dada5a92eced5
Opcode Fuzzy Hash: 55db73a3df9aca30e925eb7e6921787ac13f529c973f0883f86fad377943bb22
Instruction Fuzzy Hash: 6C11E93734470E4F9B68DA2AE88097EB3D7FFC5621B08547AE447C7660CA60E841C760

Function 08B01478 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e395a5b6708d431c32f033373255b1bec9d74e7eea3a664225d2d27e3fffc3
Instruction ID: 89aebb48520f210a88aba914622483652a0558bd0858fc38b39231adaf81aec6
Opcode Fuzzy Hash: 05e395a5b6708d431c32f033373255b1bec9d74e7eea3a664225d2d27e3fffc3
Instruction Fuzzy Hash: 7A217F30900609CBCB14FFACD9556EEBBB5EF49305F00866DD4467B290EB35A948CB91

Function 050DFCD0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a124a72386e9fd4a1c7d974eadb106f4d1dc0281d3c28e78e68a699511f34bb
Instruction ID: 87a2e72e0e921faab97a9175f7d09e698828c537388e5a24bcddf5bb4f3a263b
Opcode Fuzzy Hash: 2a124a72386e9fd4a1c7d974eadb106f4d1dc0281d3c28e78e68a699511f34bb
Instruction Fuzzy Hash: 8C11E332304A054FD369DB24D45275EBBEFFB89740F10C53AD186CB689CB71A8418791

Function 08AE8B00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84573be0990a08390e29035425cf65851fd9ba28c7d0d2def204f8e9759996c
Instruction ID: 0c9f346b3c6b03d3a82b5e172c3fda61de23c0f110bd63ccd68f627850eb1681
Opcode Fuzzy Hash: a84573be0990a08390e29035425cf65851fd9ba28c7d0d2def204f8e9759996c
Instruction Fuzzy Hash: EF117C71E0020DCBDB14AFA8D5547EEBBB2EF88311F148939E8057B640DB759985CBA0

Function 08AECE08 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b49f1e13a9ecc3eb558a1d5dd33b98ef36fb3714b0cf3e43e0233968b44ddc8
Instruction ID: f117a38d05a86c08bd68de82d5372728f67d78faf987eac5925cefb195ba60db
Opcode Fuzzy Hash: 6b49f1e13a9ecc3eb558a1d5dd33b98ef36fb3714b0cf3e43e0233968b44ddc8
Instruction Fuzzy Hash: 32212435A10218CFCB08EBA8C994AEDB7F2FF88315F114468E401BB7A1DB799C01CB64

Function 08AECFA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590c4f5bbcd82cd764f115c9dd3155493487059b5915e19e513244e8e11f87ba
Instruction ID: 95cd77522664306767386b516c2daffafefa58a81625168ff5d781944d041156
Opcode Fuzzy Hash: 590c4f5bbcd82cd764f115c9dd3155493487059b5915e19e513244e8e11f87ba
Instruction Fuzzy Hash: E11191353106108FC704EB3CD844A6EBBE9EF89616B14456DF406DB360EF309C01CBA0

Function 08B00040 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction ID: 928777482f068640eefc2bcfaabba3258e357a89fdb5b0313ed56d561893e26f
Opcode Fuzzy Hash: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction Fuzzy Hash: 9C11C671F0450AEBCB517A99D9442EDBFB0EB41342B7048E5C099B32E4F63185368FD5

Function 08B0ED18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e282d8726756422e058815066832559a4603f01b405dc52fbafce6308979a9
Instruction ID: feb676ee4ed4d94dc8139d800a1eb378032388c10fc7d6c5116c48290f182ec2
Opcode Fuzzy Hash: 46e282d8726756422e058815066832559a4603f01b405dc52fbafce6308979a9
Instruction Fuzzy Hash: E62106B8E0920DDFCB50CFA9C181AAEBBF5EB48301F609599D809A7751D770DA40CFA1

Function 08B09220 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f64e8182424b34b357479bc190f8320b4fdab2a7595cc9acce1b59ae04ee902
Instruction ID: c49487dfe039060199976d426419796372d9a350e19e61acfa4aaf776fcf56f3
Opcode Fuzzy Hash: 7f64e8182424b34b357479bc190f8320b4fdab2a7595cc9acce1b59ae04ee902
Instruction Fuzzy Hash: 681102B9A007058B8B11EBB88C405BFBBF6EFC4151714896DD418D7381EB7089068B60

Function 08AE8550 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5653524f83ab63523105a8e1598df487eda4cc610c4e63a906116711ffe63b53
Instruction ID: 292f1d0b96a9e79ff2eb52919a77b1f572318acec49f2306b09d7cfeb230083c
Opcode Fuzzy Hash: 5653524f83ab63523105a8e1598df487eda4cc610c4e63a906116711ffe63b53
Instruction Fuzzy Hash: 30110A705047089FD720DB25C844B5A77F9DF95306F00497EE105D7A61CB34E98ACBA1

Function 00F7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704452985.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: d9dba09e63b6604054ca689b4b973060a0a6447aab7a95cd59fbbbcc1f439dac
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 9B112676904240DFCB06CF00D5C4B16BF72FF94324F24C2AAD8090B256C33AE85ADBA2

Function 08AE1AD0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ee9aba94171d91c59995e0ddfd72784912602a6ff3a1d6a427452e07b36a3c
Instruction ID: 8fb6777a0298a3464d5483c04e0c5b194ebfbd4c4d2f4cf599222a4b55b088a1
Opcode Fuzzy Hash: 07ee9aba94171d91c59995e0ddfd72784912602a6ff3a1d6a427452e07b36a3c
Instruction Fuzzy Hash: F82112B69043499FCB10DF9AD884ADEBFF4FB48321F54841AE919A7300C374A954CFA5

Function 08AEC670 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192c66a67f8ba20a8c9c1f6c8dd0be68d38e188857c5d38db9e796c8b1f34d45
Instruction ID: 1c689c0d3b89a063ad39ab6d69feab71234157f8a8078f7511c204ad2eea891a
Opcode Fuzzy Hash: 192c66a67f8ba20a8c9c1f6c8dd0be68d38e188857c5d38db9e796c8b1f34d45
Instruction Fuzzy Hash: 3F1100B5E002099FCB44DFADC4409AEBFF5FF88210B10816AE918D7311E7319915CB90

Function 050DE721 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0ea48a870c9433259e8571e1e7e38be82f427f1e29418e05254315ce7e5f0f
Instruction ID: 98efd738adbab468efaac98fca7032c1b64196d78d0cd7160ff1b2bb6e8070a5
Opcode Fuzzy Hash: 3c0ea48a870c9433259e8571e1e7e38be82f427f1e29418e05254315ce7e5f0f
Instruction Fuzzy Hash: E011A1347043408FC315DB69E898A6EBBF6FF89215B1844AEE41ACB321CB75EC05C750

Function 08AE6250 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9147860cf8bd26ad8325e6553b167182a3cbb87a33417f663072fd971450e57
Instruction ID: 40ed0fa9bb966c2b9b625f2c92778ded1617c50088faf62658afd68522551bde
Opcode Fuzzy Hash: d9147860cf8bd26ad8325e6553b167182a3cbb87a33417f663072fd971450e57
Instruction Fuzzy Hash: 9E115A353006108FC719EB68E850B6A73A6AFE4312B14CC6DE00A8B665DB31EC42CB90

Function 050DFCE0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e751b0350bb270f25271cb75ddaa7eb34847f7dd6f381a995b446b2163b0b6
Instruction ID: 4b33f29eeb0113fc442402bea9d3dcaeebd5b50e6ed07435199f640ce80f5581
Opcode Fuzzy Hash: 36e751b0350bb270f25271cb75ddaa7eb34847f7dd6f381a995b446b2163b0b6
Instruction Fuzzy Hash: 4D11C4313146054FD368DA28D44175FB7DFFB88740F10C539D186C7788CBB1A8418791

Function 08AE8601 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f84fc3b4b07bfe989184b59df4b0142d797473a6181a812b66a666dac8bfa99
Instruction ID: c87e904b13537c9128da263d45fdd99047faad82829b7e90f1cb8f4e5e11b190
Opcode Fuzzy Hash: 9f84fc3b4b07bfe989184b59df4b0142d797473a6181a812b66a666dac8bfa99
Instruction Fuzzy Hash: 640145313043048FCB105B29E800A9E73B6DFC6217B0408BEE208CBA61CE39DC47C7A1

Function 0109D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704537210.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: f80071078b47b6574573888f30faaa580991e52b0c366c27512e309d141802c8
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 3411BB75944280DFDB02CF54C5D4B15BBB2FB84224F24C6EDD8894B296C33AD40ADB61

Function 0109D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704537210.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 79d449d4f7eb2e3f87e9de2953e0a49599f8e3a0fee4ef82e77a073c9faedec0
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: A511BE75544280CFDB12CF58D5D4B15BBA2FB84314F24C6AAE84A4B696C33AD40ADB61

Function 08AE8560 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46dfbe2b5cf0c661165d5d0ccae5cf9363ed01a5051ad79c43f6f1b050850cd
Instruction ID: 0097b5a699ac8f4358adc6a532cc868a665ea391a6fde3d6a2682e493911a185
Opcode Fuzzy Hash: a46dfbe2b5cf0c661165d5d0ccae5cf9363ed01a5051ad79c43f6f1b050850cd
Instruction Fuzzy Hash: F011A0706003189FDB24DB2AD844B5A73F9DF94316F10496DE109D7A61CF34E98ACBA1

Function 050DFF30 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a860e4c6eade900fde42d1b3b04382a79cc8e93061fedf0f64fcbb230713adf
Instruction ID: 11ccfbb40b66e20b70ec722b81a83b1f89603b90c281fa087aea724a74ea5065
Opcode Fuzzy Hash: 1a860e4c6eade900fde42d1b3b04382a79cc8e93061fedf0f64fcbb230713adf
Instruction Fuzzy Hash: 98015E323083968BDB54E676F5067BFF6EEAF86254F048069990BC6284EF34D841C7B5

Function 08AEC680 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9666da2c575e380d92b46dde40634aa30e7949c2e46bbc17b9ac7e95420bd6e7
Instruction ID: f310fc515a8a0abf422f08f961cf9c8fca5d8f567f01849af60e8c5a2da26045
Opcode Fuzzy Hash: 9666da2c575e380d92b46dde40634aa30e7949c2e46bbc17b9ac7e95420bd6e7
Instruction Fuzzy Hash: CE11CBB5E0021A9F8B44DFADC8409AEFBF5FF8C310B10816AE918E7315E7309911CBA0

Function 050DECE5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345791bf20879fd472e5108ee4a248be865f2bf36efe5d4e17bc2f31caa9ff0d
Instruction ID: 66cdaa6b149ed9ddea0ef8c6b0ab4181fb7d6fc038ac2ddaab8496b38cf1d781
Opcode Fuzzy Hash: 345791bf20879fd472e5108ee4a248be865f2bf36efe5d4e17bc2f31caa9ff0d
Instruction Fuzzy Hash: C1017131304B605FCB59AB38E41876DB7E9BF96A10F1845AAD806CF351DF25CD0287A1

Function 08B04D30 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5f52fc0a74c01fafccf0779d53dc3c1a70485154f2aa449969780d772f2748
Instruction ID: d77833389ff4bce5856df1f68565221ab3a682225cdcc9ba3c65befb01d92876
Opcode Fuzzy Hash: cc5f52fc0a74c01fafccf0779d53dc3c1a70485154f2aa449969780d772f2748
Instruction Fuzzy Hash: FD115E7190020AEFCF10CF98D8519EEBFB8EF05311F1085AAEA04E7241D630AE11CBA5

Function 08B03BEF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f500a06e496d28b7aefb99bec302a9596fc59969b3f17ef53e8aa41190a3431
Instruction ID: ed9bbf9b8b3be53765817647b84721b16abb20b86e7599b2f60eb97f492ff47e
Opcode Fuzzy Hash: 0f500a06e496d28b7aefb99bec302a9596fc59969b3f17ef53e8aa41190a3431
Instruction Fuzzy Hash: 0F115A74D003098FDB04EFA8C8527AEBBB1AF49354F008669D815F7391DBB59A468B91

Function 00F7D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704452985.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0ad2b65d0374f7a5dccc96784b56223792bf7d2ccd5c7e04d23d89b8c206e8
Instruction ID: d6876d5e473e505ebe6479bd55dc346d69b2f218a4697857250d9bc4c2394ea8
Opcode Fuzzy Hash: 9a0ad2b65d0374f7a5dccc96784b56223792bf7d2ccd5c7e04d23d89b8c206e8
Instruction Fuzzy Hash: A401F7724043409AE7185F19CD84B26BFE8DF95335F58C51BED1D0A282C6399842E7B2

Function 08AE98E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25414a3ea25573cc7b7c58c57f5a69cf0c8e14b55ceb2734d63cfcb73e0b5ae7
Instruction ID: ac14b9d2730e284b2cc5363ee48ec2e9702ede42234e68c2adee51e61fac00e4
Opcode Fuzzy Hash: 25414a3ea25573cc7b7c58c57f5a69cf0c8e14b55ceb2734d63cfcb73e0b5ae7
Instruction Fuzzy Hash: 6EF0B433744E1843D92977BDF5063FDBA999741A27F0C492AE50EC5EB1CA0599410296

Function 08AE62A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e23b94e898baa0846d2fb32e05c69d7da57858f6c85f067233adee7a2d57b1c
Instruction ID: 77849104823da7a60c29d93734a439a6b48dc583231a481c7e0a75e73cc381df
Opcode Fuzzy Hash: 5e23b94e898baa0846d2fb32e05c69d7da57858f6c85f067233adee7a2d57b1c
Instruction Fuzzy Hash: AE01AD393406058FD718DB2DC421B6B73E6AFE4601B25882DF946CBB20DA31EC02C7A0

Function 08AE075C Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3ebf7a645763c22cc06c3f42c4458866804aa37fb4863ed922fc892ee4e06a
Instruction ID: cdb7733459404d389f95fd0fc3f3fe61250ab62b69a6a62ceba47d43043aca9b
Opcode Fuzzy Hash: 5e3ebf7a645763c22cc06c3f42c4458866804aa37fb4863ed922fc892ee4e06a
Instruction Fuzzy Hash: 88113C71801A09DFDB11CF69C58979DBFF1BB48311F24C459E818AB290C7B08981CF90

Function 050DA818 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494f6573b7545b5c1674525efbb12d85cc086b51e2da7f6126d82ad53b8bb98d
Instruction ID: b7689e04201c6ab5386ba435679ab3101d88d4f53e1730572e8a12209500ee5d
Opcode Fuzzy Hash: 494f6573b7545b5c1674525efbb12d85cc086b51e2da7f6126d82ad53b8bb98d
Instruction Fuzzy Hash: 79012931A007048FC728EF39D44459EB7F6FF86340B54C96ED9468B260EB31E942CBA1

Function 08B03C00 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b50cfa41546ab10285d58f357261efd7864e315dad78ced98477492de77efdd
Instruction ID: 6a19cf3a90b93954c47b71d5b4a9ceb59c68aaf51529f3161e63991b5c47132f
Opcode Fuzzy Hash: 8b50cfa41546ab10285d58f357261efd7864e315dad78ced98477492de77efdd
Instruction Fuzzy Hash: 0A016974D0030A8FDB04EBACC8117AEBBF1EF49344F008669D415F7394DBB59A458B91

Function 08B070F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87931624aee930ee658540073dd73a33362cd6bec8323dc07d0616eb6dbffbd
Instruction ID: ae2e0d4ba06c4fdb99fb4ec1f11ea24bcc24a09e034b29f9a2e727c0b5c0322a
Opcode Fuzzy Hash: b87931624aee930ee658540073dd73a33362cd6bec8323dc07d0616eb6dbffbd
Instruction Fuzzy Hash: A101F174A483889FC7019A78C9106A9BF719B46303F14D0EED5059F2C6CB3BE887CB51

Function 08B01718 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e8516202a9c9bf5a5916bf05a62492070f3c83bbb0fbd6e5796091edac88b1
Instruction ID: cf2ec826b868571f1ff0638fde8f7e2f46b3640e53e189e847ac156228b6e0c6
Opcode Fuzzy Hash: 40e8516202a9c9bf5a5916bf05a62492070f3c83bbb0fbd6e5796091edac88b1
Instruction Fuzzy Hash: C801243290434A9FCF019F78DC444DAFF3AFF8A308F00866AE0456B112E770A499CB90

Function 050DA808 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d035fd220149f1132e2c4ce24e4a94d8f9c699d0d411e77bdace5d56c677e9
Instruction ID: 13cd6211ca330900738d8e635063fdc088ac80823eccfcbf813dc677f06069c0
Opcode Fuzzy Hash: c8d035fd220149f1132e2c4ce24e4a94d8f9c699d0d411e77bdace5d56c677e9
Instruction Fuzzy Hash: 5F01BC31A007048FD724EF38D40469EF7F2EF96340F54896DD9428B261EB30E942CBA1

Function 08AE7F30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d2405b15099a0d162760e77a15db9e7c2b549bf1462e2266c83243293eaaba
Instruction ID: ff8e1515060f202ca868360220d95ad8e940eb29630271278320ae24a25de6db
Opcode Fuzzy Hash: 71d2405b15099a0d162760e77a15db9e7c2b549bf1462e2266c83243293eaaba
Instruction Fuzzy Hash: D6112770E0834ACFDB44DFA8C054BBEBBF1AF09305F1584A9E858AB391D7799941CB61

Function 050DED00 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfd63b237cf7a2b9ef957d36800e407d8baba3f91e04288ac4961fd8d8a5c36
Instruction ID: 8ba91f026afc38a3172110a0f34fa99a029a5cb67b3794aed62bbd722f4d04a1
Opcode Fuzzy Hash: acfd63b237cf7a2b9ef957d36800e407d8baba3f91e04288ac4961fd8d8a5c36
Instruction Fuzzy Hash: 59F06235300B204FCB69A738E418A6EF7DEBF89A10B144969D81ACF390DF25DD0287E5

Function 050DAFDF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27461dd51469b18e9348725f19652a33bb4e9780839ddca61b75f741779c6541
Instruction ID: af12ec4c613c89be97b166c7e79e979689aa8712f82804a53602579b194a2be2
Opcode Fuzzy Hash: 27461dd51469b18e9348725f19652a33bb4e9780839ddca61b75f741779c6541
Instruction Fuzzy Hash: 1FF022723007101FDB009AAAF88454ABFE9EFC432530449BAF00A87311CE60DD4AC790

Function 08AE89FF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf0ed4a5dcdb8d3b1b220e93880cf463864baa32242c689a80a539b390922ac
Instruction ID: 3ebf6d7822f603cc4d84b416c46b463bd740e049f751783804eb739d23bf6767
Opcode Fuzzy Hash: bcf0ed4a5dcdb8d3b1b220e93880cf463864baa32242c689a80a539b390922ac
Instruction Fuzzy Hash: 94F0AF343002109FDB24AB2AD844A5AB3FAEFC6719F11457AE509DB766CA75EC06C790

Function 08AE62B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd2d0785f3512d2f8e25c87d3d9bfcf52e67884803cc5be160c95aef4744273
Instruction ID: 128d84f9c5e0711f02d73404459bc3ab5126cc9c69c0b091405db41657857115
Opcode Fuzzy Hash: 9cd2d0785f3512d2f8e25c87d3d9bfcf52e67884803cc5be160c95aef4744273
Instruction Fuzzy Hash: 1AF03C383406058FCB68EB6DD060A6E77E6AFE4612715886DF586CBB64DE31EC02C790

Function 08AED360 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e24db8da1eb6a8ec7e48e98241d381772ed4267cb827d6477c67763e2e2c86
Instruction ID: 45815f8f9b58c54918d37a184fccff107ff88243a852b12f3d9f26b771374118
Opcode Fuzzy Hash: 51e24db8da1eb6a8ec7e48e98241d381772ed4267cb827d6477c67763e2e2c86
Instruction Fuzzy Hash: DB01F432910B088BCB017F7CDC1059DBB74EF93222B01872AF884A7350EB30D994C791

Function 08AE9550 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b70ca8690b126c4bd3f4548fbfe93c89f7e62384077ed59b824d7d8cb5ccc48
Instruction ID: c447a99137995ab062153597d32c72aaf70bb0986e1caf0c97a146ba34ab4ffe
Opcode Fuzzy Hash: 9b70ca8690b126c4bd3f4548fbfe93c89f7e62384077ed59b824d7d8cb5ccc48
Instruction Fuzzy Hash: E0F0B430300B2A47EF1E3674D8257BF6B994F45A06F58181DF946C7E81CB95DC0A87E5

Function 08AE0768 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813823644d87c3dedcd6cb26f15642fe2c6c418b81b411474eb6f87778737eaa
Instruction ID: 9a2f4803163a50dad34e1ba9d018946916a784b1f690f6121cf72584ee9a0605
Opcode Fuzzy Hash: 813823644d87c3dedcd6cb26f15642fe2c6c418b81b411474eb6f87778737eaa
Instruction Fuzzy Hash: C2011B70901A08DFDB14CF5AC48879EBEF5FB88361F24C429E818AB290C7B48981CF94

Function 050DABDB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce794aac6c3b1f356f3fff9f4bc11e10085a62b002c6d287db19acecddbca544
Instruction ID: 5728b373b8bde4b0cc8aeab3c78e942da482b981cc65a9d8a4fb57a4eae6358e
Opcode Fuzzy Hash: ce794aac6c3b1f356f3fff9f4bc11e10085a62b002c6d287db19acecddbca544
Instruction Fuzzy Hash: D801D131B087088BCB15B674E8146EEF775EFD1260F0849ADD94567310EF30A98187E1

Function 08AE94E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe682b7380451dcf0cbb3d7d5c6873e574098164217cd44fa4954f2efd0624f
Instruction ID: 6a03f815263615b2b0de7ed6147bb90eeecfbcef69f4a9b9110cf7901b198112
Opcode Fuzzy Hash: ebe682b7380451dcf0cbb3d7d5c6873e574098164217cd44fa4954f2efd0624f
Instruction Fuzzy Hash: 24F0AF752057006FD710DF2AE880A56FBE9EF89224B10C43EE84DC7721DA31EC009750

Function 08AEA6F1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8164f9ee1565609a1662c0ff7b329c39591efef6926a2b08fcaf90860ee9aafe
Instruction ID: bcde184d188c8fa92b63c45c4396d4e3f1bd32e9a2c3af5078dbc90ba9140405
Opcode Fuzzy Hash: 8164f9ee1565609a1662c0ff7b329c39591efef6926a2b08fcaf90860ee9aafe
Instruction Fuzzy Hash: 1D016D75240A14CFE314DB38D854B5A77A9EF84655F00885DE44AAB361CB31F807CBA0

Function 08AE511C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bb26d1714d717ff23a00e5f97010163f903a4714a39a7ac04abdc6a39f541c
Instruction ID: b8eeec380c3da532dfd3e2b4f716bb757628a986f33b7f0aee37097638a150e7
Opcode Fuzzy Hash: 59bb26d1714d717ff23a00e5f97010163f903a4714a39a7ac04abdc6a39f541c
Instruction Fuzzy Hash: C5F06D75301601AF8714EF5EE880A5BBBE9EF99325700C82AF95EC7720DA31EC408B64

Function 08AEE3E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2319bea5e5494002cf36f3a10fe3f98d52e09f14fc6297ac7fdd30fb54e4f5
Instruction ID: e7f16a833133e50c5a545c7869c61ab95f2b308292cb90e23c4a5690d88bb1a7
Opcode Fuzzy Hash: 5f2319bea5e5494002cf36f3a10fe3f98d52e09f14fc6297ac7fdd30fb54e4f5
Instruction Fuzzy Hash: 44F0C831A107189FCB10EB69D844C9FBBF8EF95300744456BE54497321D730AD05CBA2

Function 08B04DB0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5970a8496db24f2f697ae2f1ece4c598adc454ff7850e745f8a190f251e2ec
Instruction ID: 2c826d4e0b7d6e75c3b5a4745ac8ca9507f2ac7d7c0ae6cbe469888b7b6add4d
Opcode Fuzzy Hash: af5970a8496db24f2f697ae2f1ece4c598adc454ff7850e745f8a190f251e2ec
Instruction Fuzzy Hash: DBF02B33A0061C97CF04AAA8D8142DDB7B5EF89710F00C629EE55B3290FF30AA55C7E5

Function 08B04DC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062501ec1c35fa89d80acb0e9d413ef8349cefa5e661d7abe3b515bb62e4d46d
Instruction ID: ec993fa0797c20ce1473409cfe1b4265e70f42c24d56c3951db1f73652768b32
Opcode Fuzzy Hash: 062501ec1c35fa89d80acb0e9d413ef8349cefa5e661d7abe3b515bb62e4d46d
Instruction Fuzzy Hash: 3401D131A0062D87CF04AAA8D8144DEB7B5FF88200F408529E915B3284EF306A19CBE1

Function 08B01728 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2167c6fafe63ec0f4964b6b10067d2176748913a0bfcd1b31c8f065b4b879
Instruction ID: 7c081c72e0a8d3caa91d7a4ae8455d3a01dea4154f09d203860fbf1c79b2a7a6
Opcode Fuzzy Hash: 4df2167c6fafe63ec0f4964b6b10067d2176748913a0bfcd1b31c8f065b4b879
Instruction Fuzzy Hash: F001D132A1070A9FCF14AFA8D8448CEFB7AFFD9304F10C629E10527210EB70A599CB90

Function 08AE73D1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2354c893ba2bc9dfa610318a22f4d58d4c276c4d6612d613fd1e5b454d28db14
Instruction ID: 3a98674025ea90b21545f90bb098066b59c5c94147cc866c23d73ce5dc7c8f53
Opcode Fuzzy Hash: 2354c893ba2bc9dfa610318a22f4d58d4c276c4d6612d613fd1e5b454d28db14
Instruction Fuzzy Hash: A1F0AF317052189FCB19AB79E41862E3BAAEB8131AF00886DE44687341DF359806CB51

Function 08AEBC33 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c48963a08814e319e38cc41944ca18d139e1fb1681f8ef919a21b83d660f294
Instruction ID: 2d32348575d016ab9468ff33e052893c591299e6448145fa3356fda42678e67b
Opcode Fuzzy Hash: 7c48963a08814e319e38cc41944ca18d139e1fb1681f8ef919a21b83d660f294
Instruction Fuzzy Hash: 3FF0273670D7910FC7559B28E8507A87B6A8FCB622F0E44F7E045CBB93CD648C0693A5

Function 08B00E93 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a38e5b3913ead16efdd7e83a4d47a8e0b1d0131c70ab9f1d137ba555906e88
Instruction ID: 23673dd4dddbb7b314ddc897afc30b829e373a31f3a3ad13d256cade93e6fb6b
Opcode Fuzzy Hash: d8a38e5b3913ead16efdd7e83a4d47a8e0b1d0131c70ab9f1d137ba555906e88
Instruction Fuzzy Hash: F7F0F631A00605D7C704BA78D4257AEB6F6DF84600F90046AD502A7784CFB59E068BE6

Function 08B04E31 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e6f85bb0026d2f5276679fca41c9f4a9e3c7081f45c2f6ac3b8848048f0559
Instruction ID: 6d7ce6c73befd2a9ed07b3d84e1fcd6f0580cef71f1b3d604faf234418ca83f6
Opcode Fuzzy Hash: e2e6f85bb0026d2f5276679fca41c9f4a9e3c7081f45c2f6ac3b8848048f0559
Instruction Fuzzy Hash: 92F0A73170070897C714EE79E841B5AFBAAEBC5251F50457EEA09E3640EE31FC46C664

Function 08B082BC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a74958f9235c919563e4249d53aafeab4df409732ef9582542ca5e64f8d46cd
Instruction ID: 9f09fce7dacf0fb774e1a2ff45ab20dd4fa924f412024599535233f87391a552
Opcode Fuzzy Hash: 4a74958f9235c919563e4249d53aafeab4df409732ef9582542ca5e64f8d46cd
Instruction Fuzzy Hash: 51F0909080EA84EFCB02465C5C2007D3FA4DA6B28334405FAE587C71D1E5209A40CBE2

Function 050DABE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697acdd849a63cffa51c2b34536ac64fb2bc23f80a7d058181a9c20a7da8a91c
Instruction ID: 540406641e153475af4859dff71a5b9f327eff05aa4c45f7808d5a0caa2a1b36
Opcode Fuzzy Hash: 697acdd849a63cffa51c2b34536ac64fb2bc23f80a7d058181a9c20a7da8a91c
Instruction Fuzzy Hash: F1F0CD31B047088BCB15BA78A4144EEF776EFD5260F044AADD94A27210EF30A98287E6

Function 00F7D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704452985.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fb74829ca6c077826a07a2f484f6e71adb32995d3eab68ecc1c3192c04467e
Instruction ID: 156f761e8156644d1ab5003bc01e44af33e87df6a52f9618b5d80a58a0af04cc
Opcode Fuzzy Hash: 37fb74829ca6c077826a07a2f484f6e71adb32995d3eab68ecc1c3192c04467e
Instruction Fuzzy Hash: 5BF0AF314043409AE7148E19CC88B62FBA8EF95734F18C05BED0C0A286C6799841CAA1

Function 08AE8A10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94a60111df553369e589fb2137f333f399f2260a7aff42565e965e697472c28
Instruction ID: 426a5dc4e05a38fa836df44f1801b44c1a660a2d8b13633bbac114b431e02fb7
Opcode Fuzzy Hash: a94a60111df553369e589fb2137f333f399f2260a7aff42565e965e697472c28
Instruction Fuzzy Hash: ACF090303003109FCB24AB2AD444A5AB3FAEFC5615B11457EE509D7372DA75EC46C791

Function 08AED370 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f985035be8e267d623986d4c8d8fee3ee60909a561686d2e9c2fe33486af7ed0
Instruction ID: 496c82836a6cba354234c036fb7b1493de00948d4bf63d2c3f263ae51a4c399c
Opcode Fuzzy Hash: f985035be8e267d623986d4c8d8fee3ee60909a561686d2e9c2fe33486af7ed0
Instruction Fuzzy Hash: 21F06231920B099BCB047F7CDC1099DBB74EF96261B40872AF98467650EB30D5A4C790

Function 08AEF793 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7175236b68cc83f63f2f398869cfc92d9aaa2a3f60faa91c449226b3de69160
Instruction ID: 5bb1aecfdc0947915d746554df100147edb53de73216aaa1b4ae5b49761ece16
Opcode Fuzzy Hash: e7175236b68cc83f63f2f398869cfc92d9aaa2a3f60faa91c449226b3de69160
Instruction Fuzzy Hash: 94F0A7367049245BCB0CEA29E444B6E7BEEDFC8A147044059E409D3360DF37DD528794

Function 050DDC5F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a8301be652085d23f8c490e7c391a09b54de3885a2a2c5386a69cc56ee9923
Instruction ID: 79ea5cf38310e9559e55529a5970aad2054bac09c2eea1bd392c123c85ee975e
Opcode Fuzzy Hash: 40a8301be652085d23f8c490e7c391a09b54de3885a2a2c5386a69cc56ee9923
Instruction Fuzzy Hash: 7CF0E23630460A4FC718DF2AE844E5AB7E6BFC4510B0960ADE80ACB720DAA0CC41C760

Function 050DAC66 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754c2b5507d0a6c723a943b30f1d5915c38e1740aa035ebc1701109d312ee66b
Instruction ID: a372dbcfd098d89724ab4b8156edceafb01fb668ea947d441a2a090e111a2b4d
Opcode Fuzzy Hash: 754c2b5507d0a6c723a943b30f1d5915c38e1740aa035ebc1701109d312ee66b
Instruction Fuzzy Hash: 44F0B4313007148FC7259B2AE48496EBBBAFFC8325705055DE00A87364DB32EC82CB90

Function 08AE5150 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c158d72c48abb47f8501db247c5bb3bcc2ff9be6762561bce3ca93aa77537b
Instruction ID: af29dea8ec4ec2c3ddc25ceb89c498fa98855044e51e66de9c7f3a0c9818c73d
Opcode Fuzzy Hash: 79c158d72c48abb47f8501db247c5bb3bcc2ff9be6762561bce3ca93aa77537b
Instruction Fuzzy Hash: 15F0A0B13000105F8204A66DE888C2BBBEDEFDAA71311416AFA09C73B1C9209C0182B4

Function 08AE8A70 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6647d49985de1ec6dec5bb9b94f4d821404128c56d091074dadb0d8f76c59c3d
Instruction ID: 0b562b42a1e42d34a911df16efce7d758e7e7a1459d0bd518239b65888268cc7
Opcode Fuzzy Hash: 6647d49985de1ec6dec5bb9b94f4d821404128c56d091074dadb0d8f76c59c3d
Instruction Fuzzy Hash: AAF0A0726013199BDB04AEA5EC41B9BF769EFC5724B004626E904B3306D772BC458690

Function 08AE03BC Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f77f05a0c64cc5a29ec8aafe74059e5e76c7c5ccafecc70b151a62174829599
Instruction ID: 22ea1f24b4f02c35989a4a74d303c5a1e96125cc883341603e4e22d423d40f1a
Opcode Fuzzy Hash: 7f77f05a0c64cc5a29ec8aafe74059e5e76c7c5ccafecc70b151a62174829599
Instruction Fuzzy Hash: 8DF0A0317053584FD7096778D9197793FB9DB42701B0088A6F942C7682E928EC428265

Function 08AE9560 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a613dd0143a61ad7990135eaaf78e6d5c1d490276697e4a3ab15399bcc7be7
Instruction ID: 9457d09eba363921db60253d7bde5b967ab141c62eca06e79d5edb1a31f229b8
Opcode Fuzzy Hash: 58a613dd0143a61ad7990135eaaf78e6d5c1d490276697e4a3ab15399bcc7be7
Instruction Fuzzy Hash: 87F0A73030471A43EF2D337494247BF379A4F48606F180C1DF45686E81CF95D84987E5

Function 08B00EA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c355aae0a7701667a314a9958d83f2b985b41ea736bcce8eb7607eed88beb494
Instruction ID: 19f0c7792f114adb67a79743cc48466ec73c43e2d26fe2022deb98c17c7fb2e9
Opcode Fuzzy Hash: c355aae0a7701667a314a9958d83f2b985b41ea736bcce8eb7607eed88beb494
Instruction Fuzzy Hash: 19F0B430B0060597C704BA68D4247AE7AF6DFC4600F50046ED502AB7C4CFB55E058BE6

Function 050DAC68 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3780c586c0e4f78388474a4ffd9363d139f54f8a186c009d01ab842250a5d6e5
Instruction ID: 6320ab399ef2f8eb8ebed4dc5d1597a51f092029fbf9415408e55d347158614e
Opcode Fuzzy Hash: 3780c586c0e4f78388474a4ffd9363d139f54f8a186c009d01ab842250a5d6e5
Instruction Fuzzy Hash: 34F0B4313007148FC6249B1AE44492EBBEAFFC8325744055DE00A87364DB32EC82CB90

Function 08AE73E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82906d977c86b256640f047493d50553196eb9f3879d42daa7c3288d66710a41
Instruction ID: f05b978cf43743ee9d61183046d7cc72e65570418d6c11064238ee225a75cc75
Opcode Fuzzy Hash: 82906d977c86b256640f047493d50553196eb9f3879d42daa7c3288d66710a41
Instruction Fuzzy Hash: DEF05E35705218DFCB19AB79E41866E7BAAEBC4716B10892DE04687740DF359802DB94

Function 08AEA700 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcecfeaeffe9660cb408afaec565969e93a242a49887855e35aab1c21b6f45fa
Instruction ID: 4ee4fd8e7dad5c791a29471eb11265f4694165f988f122c2fa7882fbbfd7545e
Opcode Fuzzy Hash: fcecfeaeffe9660cb408afaec565969e93a242a49887855e35aab1c21b6f45fa
Instruction Fuzzy Hash: F9F04974200650CFE314DB39D494F5A77E9EF88255F00886EE54A9B361CB32F806CBA0

Function 08B05E60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765f83b42bade5d6b28a7a3a8ab156a82d8839f3f75379ab7737907b340b446e
Instruction ID: 4aad5dfcb23d52f5b746a28a5090d324e002ec65b4b84a86005a4c95f73de021
Opcode Fuzzy Hash: 765f83b42bade5d6b28a7a3a8ab156a82d8839f3f75379ab7737907b340b446e
Instruction Fuzzy Hash: ACF0F0B191920ACFCB319BBCE8558A83FB1EB5520274005D7E006E69A0E720CA01CF00

Function 050DB047 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb6d0f4fda4bdfd4874a59c103e4ca3adb35a25ba0d9a9574105228333f19e7
Instruction ID: 7d60538468a45c90a293cb102b1f2ec669d987920b42e1828d5fd29adbd89d9c
Opcode Fuzzy Hash: 4cb6d0f4fda4bdfd4874a59c103e4ca3adb35a25ba0d9a9574105228333f19e7
Instruction Fuzzy Hash: 80F0E735210610CFC714DB68D688A597BF5EF4A715B1549D9E40ACB372CB72EC41CB80

Function 08AE9951 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fcfbdf31147941467a7a31ed6d23eece83c27ca228e116f96c0b95edf59922
Instruction ID: 8664db860e7102179c5af996181ea35cb689a3f53bc39833ca6b3a11a67c8e2e
Opcode Fuzzy Hash: 38fcfbdf31147941467a7a31ed6d23eece83c27ca228e116f96c0b95edf59922
Instruction Fuzzy Hash: D4F06D393505148FC704AB68E44DF2A73FAEBC9A15B1A81AAE909D7761CE61AC028790

Function 08AEF7A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a9235637ad2f249cc1d8fbaed9534c62f95bb3bdeadf002d223e83bb234590
Instruction ID: c832554b0aefd756a1ec518ea40252c277cfee5f4187a9532b7392de3a0fd065
Opcode Fuzzy Hash: 64a9235637ad2f249cc1d8fbaed9534c62f95bb3bdeadf002d223e83bb234590
Instruction Fuzzy Hash: 16E06D357049259F8B1CAB6EA44492E7BEEDFC8A64300406EE40AD7360DF37DD528B95

Function 08B016EC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacfd3876ac6274c2d57d0acb917b23345d2f733ed5b191ef0a4f13a328de158
Instruction ID: 82f6bc0aa631204f0e1b42857c9168f4b46971f2ea94d4d959218f2282d0cec5
Opcode Fuzzy Hash: bacfd3876ac6274c2d57d0acb917b23345d2f733ed5b191ef0a4f13a328de158
Instruction Fuzzy Hash: F4F0E277A2851D8FCF056F28E8042CC7F32EB92206F08C0AAE0419A1A7D6348559DB50

Function 08AE3818 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ace9340832afc565a525e28c80c67b39ddb79ace976df1e09313f120579790
Instruction ID: 94d52321a28fc8daf6735e311ac30e8abe990ea34b36988d727bcfffe1e491d9
Opcode Fuzzy Hash: 38ace9340832afc565a525e28c80c67b39ddb79ace976df1e09313f120579790
Instruction Fuzzy Hash: 1AF0DAB0D0430A9FDB44DFA9D845BAEBBF4FB48300F5049A9E918E7740D77495408BD0

Function 050DFDB8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa5853128c31288df26ece46daf88772139b4ace39c93e6534e48e8f33d6da3
Instruction ID: a60bff4c9f2a1bbbc203c19dfc4ab71a0f74b53fe379eaea482d2838bb1d7620
Opcode Fuzzy Hash: 4fa5853128c31288df26ece46daf88772139b4ace39c93e6534e48e8f33d6da3
Instruction Fuzzy Hash: C6F0E232A005599FCB10DF69E8083DEBBF4FB44214F044465C99AD3201D3346A1ACF80

Function 08AEA657 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721d89de0d7307b22a53ccf20a254c952c0b5bc585eb7227f73442f8e9b63b73
Instruction ID: f1231c6a7c9f5b8693f60a370dae8e6417789d6c537ff6f2a44261aae90f3c2d
Opcode Fuzzy Hash: 721d89de0d7307b22a53ccf20a254c952c0b5bc585eb7227f73442f8e9b63b73
Instruction Fuzzy Hash: D2E012B63000105F9604966DE988D6AB7EDDFC967531541AAF509CB3B1CA608C01C674

Function 050DB058 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f436635cf7873d667a2c8eb250628a0cccc8ef4d7ae05bcb65b991d41ebddd
Instruction ID: 3c8b40e13518f6d78974c1083d0a5ab679690733ecb3e9856480ac7bf1e7b6c0
Opcode Fuzzy Hash: d5f436635cf7873d667a2c8eb250628a0cccc8ef4d7ae05bcb65b991d41ebddd
Instruction Fuzzy Hash: 43F0B2342006108FC718DB28D598D59BBE5EF49B1571585A9E10ACB372CB72EC40CB80

Function 08AE380B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0193a301ec561567f871caf999d5347803120b2766a605aebfbd97f47c535936
Instruction ID: bdb5fe140b1c78e90f73678cccbcf1a04373af20e4eabd3093ec5ef56b45f47d
Opcode Fuzzy Hash: 0193a301ec561567f871caf999d5347803120b2766a605aebfbd97f47c535936
Instruction Fuzzy Hash: 39F049B0D0434A9FDB14CFA8C845AAEBFB0BB09324F148A99E421D7791C7B58041CB80

Function 08AE2178 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3acc6bb081bcd273e78ba52bc2ceed27b03f474b404b03e894bf2622eb71ba
Instruction ID: 2f8ae8d2cfa48354779c8a03df80f26cf3aceed5d5e0163e5ed228f08116924a
Opcode Fuzzy Hash: ae3acc6bb081bcd273e78ba52bc2ceed27b03f474b404b03e894bf2622eb71ba
Instruction Fuzzy Hash: 1BE06D37211524868324DB48F8815B9B3A9E748666318C466F51CCBA24F222D882C790

Function 08AE8A80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4136236a186405372d6b7aead1ebcc256d6757be5c347efcf92a4fb4486b7df4
Instruction ID: d286430ed4e543c319c4805958b0bb7c966495ed0e538c3dd65a1e3107974edc
Opcode Fuzzy Hash: 4136236a186405372d6b7aead1ebcc256d6757be5c347efcf92a4fb4486b7df4
Instruction Fuzzy Hash: 61E092727003159BDB04AF55EC8099BF769FFC8324710063AE919B7306DB726C84C6A0

Function 08B0A4BA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48ac42e92852f920ffb6eafd34050b071269d24fb7d5107714bf8dd2c1c67e1
Instruction ID: bc1572b37faa7c0b028f8dab6fac8e54dca2e7ecd6493e03046678d9cfbe10d7
Opcode Fuzzy Hash: e48ac42e92852f920ffb6eafd34050b071269d24fb7d5107714bf8dd2c1c67e1
Instruction Fuzzy Hash: EDF09A34A82305ABCF009BA8D80A9ADBF71FB45301F009215E5026A2D1CBB08815CB40

Function 08AEFA2F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dc06430c53e731d9e0d079d66706fee26ede4e920cf8be4d885d2e2ebc9a5f
Instruction ID: 2c79103aca07b799c52c3c7eb28858ac4bcb7a1a445ba8fd1ae30f5ae3029537
Opcode Fuzzy Hash: f6dc06430c53e731d9e0d079d66706fee26ede4e920cf8be4d885d2e2ebc9a5f
Instruction Fuzzy Hash: E4E0D831700B584FD714A624D51571A77D5EF44615F0209ADF885C7FA0DFE4EC128B81

Function 08AEA6A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a6c4bb8dc8ca7f1c9fedca991c9fb09e51a5128cdd55799f7b20d4006909f8
Instruction ID: eecf18708bf9aafe730e5a78e0bfedf7d453e0f2a5f579db8c83e617f1428cb3
Opcode Fuzzy Hash: 28a6c4bb8dc8ca7f1c9fedca991c9fb09e51a5128cdd55799f7b20d4006909f8
Instruction Fuzzy Hash: 05E0ED313413248FCB19AF78E014AE97399EF49256B1548BEE50E8B651CB31A901CB91

Function 08B0EF60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8cc22ebd0aa783bdd33ad643112a7622e69a4055f591cad469eb0a52324393
Instruction ID: 541eb44b868e1bdd994a8598b04724fa6a97cc1f8082aee2b56ed14efcd899c8
Opcode Fuzzy Hash: ac8cc22ebd0aa783bdd33ad643112a7622e69a4055f591cad469eb0a52324393
Instruction Fuzzy Hash: ACF01574D0A308EFDB04DFA8D1059ADBBB9EB49301F1084A9D848A3351D3359A50DF40

Function 050DF2DE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction ID: 8d2e239885328e675a58b77991714df7b54bf7e09cd2b9e15cf353f473545333
Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction Fuzzy Hash: B0E0ED357001059FCB08CF5DD484DAEF7F5FB8C224B2180A9E519D7321E6319D05CA50

Function 08AEC130 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ce97ab65ff348fa285596e3bdb97f48fb50f9f4e04aedf54ec7e5858f24782
Instruction ID: 57d47fdd9e6b30da60819e176b1688a061e3980efe8ac8a8c985df4b950fbddb
Opcode Fuzzy Hash: 19ce97ab65ff348fa285596e3bdb97f48fb50f9f4e04aedf54ec7e5858f24782
Instruction Fuzzy Hash: 48E04F32424A0CEEDB40EF38C9467D9BBE8AB05215F40C669E948E9500EB31E2958FD2

Function 08B0B660 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c04b936559ba6a2e46f1db144a0e812cfb64e091d224136014811f631b76ace
Instruction ID: ef38c6129bfa4dee230a1a42c45e8e4e4084d338422b29054f8070a5aec20599
Opcode Fuzzy Hash: 7c04b936559ba6a2e46f1db144a0e812cfb64e091d224136014811f631b76ace
Instruction Fuzzy Hash: 42E065B1DCD2D4CFC70546B855211B1BFA8AE4A37632E85DFC44A871D6EE2688098F62

Function 08B00650 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57abc7cf86f18a406934452d4dd9dc6d8c91a9b17eb1905a1f87e9ca9d813589
Instruction ID: b5af552d58c88d67f383222560b49a533f8eb201a53ff76d4a2582ac305efc96
Opcode Fuzzy Hash: 57abc7cf86f18a406934452d4dd9dc6d8c91a9b17eb1905a1f87e9ca9d813589
Instruction Fuzzy Hash: 25E0923060A341CFC32AAB3CD4105167BF5AF5620171488FED05ACB762CB32EC81CB41

Function 050DFDC8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04346fd3b5dc0df9d0385fea20266e212c2586411762bfb9f62f17241da11cbc
Instruction ID: dcf85ad2b58483b6c3b3707c8180eeed5b2112ae0d636d9355c1cc6702682b0c
Opcode Fuzzy Hash: 04346fd3b5dc0df9d0385fea20266e212c2586411762bfb9f62f17241da11cbc
Instruction Fuzzy Hash: 38E06D36A002199FCB10EA6DE8086DEB7F9FF88311F008529D95AD3340D734AA19CF90

Function 08AE9960 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbf0dc9a453a871bc9a9bdba2cc83400257387b62033ee1e7cac26ba97478f3
Instruction ID: df5f33c90cea8f3ae8d447bd1b5f88132f0fc4a0d7515ba1ae5ea4151dbce38a
Opcode Fuzzy Hash: 9cbf0dc9a453a871bc9a9bdba2cc83400257387b62033ee1e7cac26ba97478f3
Instruction Fuzzy Hash: E9E01A393201148FC704AB6DE458D6A77EAEFC9A2171581EAE509C7361CE61AC028B90

Function 08AEBC60 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d20d72d017b38429edd0ef0af2cb3d323579959895aa1b6b976870af047136
Instruction ID: 6bf661a2e157f66016ee05fecca52abb29a0add06b18dfc5bfdea679ffb95721
Opcode Fuzzy Hash: 68d20d72d017b38429edd0ef0af2cb3d323579959895aa1b6b976870af047136
Instruction Fuzzy Hash: 74E0CD313145110BC714A50DD404A6D334F9FCD93271944F6E105CBB51CD61DC014395

Function 08AEA6A1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3265d009a096c3d1c4d825cd3b9d77970208a4b34b5141e16b388c47eeaed44c
Instruction ID: 14b634a3e01eee72987c7d3a5ac725a5a85664476359d9a8aa861b32aeed6ee3
Opcode Fuzzy Hash: 3265d009a096c3d1c4d825cd3b9d77970208a4b34b5141e16b388c47eeaed44c
Instruction Fuzzy Hash: E6E04F313013549FCB289F38E844BAAB3A8AF0A655B1588BDF90ACB751CB31F801CB50

Function 08B005EF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d2d1202e8ef3ad6f1dfc98f412896a2f7e9c344683c9f13a769fe7a341cfa6
Instruction ID: 806d9fbf5a94b6f468b5cb4a80d984726cc97320ff02ab386f98a4ad2c36dd62
Opcode Fuzzy Hash: 85d2d1202e8ef3ad6f1dfc98f412896a2f7e9c344683c9f13a769fe7a341cfa6
Instruction Fuzzy Hash: 41E026B06023944BCB01F6B8E85139AB695FBC0AA2F444839E008DB389DF249C92CBC1

Function 08B03728 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e79389c06e82f544361b35c5ad9f15f3d130e8f3ff9b46f78c08b3a977f4fe
Instruction ID: 94d8755fd3587c0683a8c67ceb4c1e153fb0df6bcb2d99963e91200ecea4d07a
Opcode Fuzzy Hash: 30e79389c06e82f544361b35c5ad9f15f3d130e8f3ff9b46f78c08b3a977f4fe
Instruction Fuzzy Hash: 4BE02B3B14251046D6209414ED43BD43351FB85201F2CC955E440E7284C029F8C34551

Function 08AE6F59 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13a23d9201bd121307a871a49b15e1eba5694683fb82c0f54bf987c1a94a3e9
Instruction ID: 4b6c5f1a7422a1c246c9dd68dfcb98015b65de84185b8e7a60869872cc38912d
Opcode Fuzzy Hash: e13a23d9201bd121307a871a49b15e1eba5694683fb82c0f54bf987c1a94a3e9
Instruction Fuzzy Hash: CDE0CD22348AA41BC7162724E41933C3F698F42A06F0940AFF445CB782CFA94D1343DF

Function 08B0B698 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a7e3b71f4aadf2d9c678c2048246df7dd6d3ede8b1196838bc2549eb3a7465
Instruction ID: 4087f1c892e5f1c287b290faa1cc4a66c0cfa7e9873d21d401236689ee0a8634
Opcode Fuzzy Hash: b1a7e3b71f4aadf2d9c678c2048246df7dd6d3ede8b1196838bc2549eb3a7465
Instruction Fuzzy Hash: A7E048B0D05208DFC710DBE89651661BEB1E744322F2044DAD90E975C4DA228D964F55

Function 08B00643 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537f4aa3367a2b4b2b0027f1cc7326964e1f88171905f14e5b35e7655653d94b
Instruction ID: a510729f30784d95dac8b497d290413cec10d0223e5e5e6180fcc4d072f30c63
Opcode Fuzzy Hash: 537f4aa3367a2b4b2b0027f1cc7326964e1f88171905f14e5b35e7655653d94b
Instruction Fuzzy Hash: 5AE0D830601700DFC329EF29D404B1677E6EF41315F1188BDD04987750CB76E880CB40

Function 08B00C00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cd51decf9f2566db9c465cdcefc3129141d4ebaa00e132b454ff893f122085
Instruction ID: f55762e489ad583f815e55b94e743914d4a9f6181edd5df7a5852d9326d72368
Opcode Fuzzy Hash: 00cd51decf9f2566db9c465cdcefc3129141d4ebaa00e132b454ff893f122085
Instruction Fuzzy Hash: 3CD02B3B24511045D520A51CADC1BD83BC1FBD8306F28CC86E080D7284C429C4C74A01

Function 08B074E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d29f874dacfe4ce488e1fcfe392d8bedbf870d9cd2ede6018275faa611b2ff
Instruction ID: b44088fe973b62b19386d60288b985be5b942da14cecd1b74718050d8aacd922
Opcode Fuzzy Hash: 56d29f874dacfe4ce488e1fcfe392d8bedbf870d9cd2ede6018275faa611b2ff
Instruction Fuzzy Hash: 4AE09234109345CFC305DB68C86566ABF71EF46200F15C4DAD4A68B2D3CE35B80ACB56

Function 08AE21C1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0940c3750db381af43a0f71b7ce71ceae017fb7f282741455f58417990d4e00
Instruction ID: 7a0385536e7061c1d5f2f276adbad45343a307c16a149235fb60c1083e5d14a7
Opcode Fuzzy Hash: b0940c3750db381af43a0f71b7ce71ceae017fb7f282741455f58417990d4e00
Instruction Fuzzy Hash: E5E0C232D14124CFE320AB8CEC00BD47799EB00322F569965F669E7A50C375FC818B90

Function 08AEFA40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction ID: 460daa65bdc5aa60cee078cc4b7a56dcb0fa5efd6c6d49910e849d613e7789ff
Opcode Fuzzy Hash: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction Fuzzy Hash: CCE08C30300B248FCB24A628D144B1A33DAAF88656F01089DF8468BBA0DFE09C418B80

Function 08AED321 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b424e937f7116d248d545e4ea9b5663386da67ed3bd59c834e1985629c8dc0b
Instruction ID: d3159ec8382415b55a5a233d1dda2cd6e8e7f28e0b6fdc6485bc62bc7a5d0258
Opcode Fuzzy Hash: 0b424e937f7116d248d545e4ea9b5663386da67ed3bd59c834e1985629c8dc0b
Instruction Fuzzy Hash: 1CE0DF3210818E9FCB02CE64D942BDD7FB0EB02221F0882C4FD509A293DB368756EB41

Function 08AE8667 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1fbc4cc053c7deb23d515b837c885b67c8381d3b25f6b39cd3f6a49fb4dc35
Instruction ID: 302fd06bb322f0a4c555f386e3e214c090ee41a10b6e26bde0d4758542776a99
Opcode Fuzzy Hash: 5d1fbc4cc053c7deb23d515b837c885b67c8381d3b25f6b39cd3f6a49fb4dc35
Instruction Fuzzy Hash: 74E08631608740CFC7155B24E0547D53762AF86205F1548EBE589CBB91C7759C42CB61

Function 08AEA770 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f746cf47ef20d35812a02ba24ce02d42bbe0fa4424f097a58c87f8b87e8c99
Instruction ID: 44724471188f924454e12b03842e27fc2c216684457835378229130c16c8ef53
Opcode Fuzzy Hash: 83f746cf47ef20d35812a02ba24ce02d42bbe0fa4424f097a58c87f8b87e8c99
Instruction Fuzzy Hash: D3D0C94B44E2C14EE70307B49C323906F340F12905B9D92D280D087663C0086926D73A

Function 08B0B6A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d870ff035b7af7b1707033d850cd24128cb9c3a920849a48ae615ab1a6e2be
Instruction ID: 48d58c7a71eb7eb7e1887810ffe25df7ace6e0e48a35c2eb1353d53f6e9ba59e
Opcode Fuzzy Hash: 57d870ff035b7af7b1707033d850cd24128cb9c3a920849a48ae615ab1a6e2be
Instruction Fuzzy Hash: 22D012B0E0930CEBC710DADC9611935FEA9DB44363B1044D5E90A972C4DA61DD814F96

Function 08B09938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73898cf18b585faefd7ccb8e0d919110a29743677d15c0732a87b0b2d83f2b7
Instruction ID: 863553439f150e9cbcc3e4edfd97c4e0068e83b635ddbc6d50c244b71100544c
Opcode Fuzzy Hash: e73898cf18b585faefd7ccb8e0d919110a29743677d15c0732a87b0b2d83f2b7
Instruction Fuzzy Hash: 79E06534A09209DFCB118FA8C8508AABFB2AF40305B04849AF6610B2A3C732D955CF81

Function 08B0AEC2 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72d3b3a8319043d89610f0bfbf112136bddc6c2f23daa9bece809cc12e49ff6
Instruction ID: 9e353148f1e72169f1e651a078e33373edab63efad41b4acc4bd3d0ef103a325
Opcode Fuzzy Hash: a72d3b3a8319043d89610f0bfbf112136bddc6c2f23daa9bece809cc12e49ff6
Instruction Fuzzy Hash: D4E0126190C375DBC200DA6C541423FBE90A785347B30ACD7D47F96EC1D932D9809F92

Function 08AEC0F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee905d6f017f18d67221dfe86ffebcd06e848440e77193bcf72f98686b2ca605
Instruction ID: 1847d3a541e37e551fb6bd8444393ce095401bf84b75477fa44bf8435392f91e
Opcode Fuzzy Hash: ee905d6f017f18d67221dfe86ffebcd06e848440e77193bcf72f98686b2ca605
Instruction Fuzzy Hash: 3DD05E72060B088FCB00BB38ED06FA5B7B5EF55B04F444690E504A7B26E724FD518A51

Function 08AE2121 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47719a3af273741fa038400a59178d19a9a1af038f8e1dde9117f9e59ee624f2
Instruction ID: 3ac813748efec0b7b840a45b33ba7672dc4d3922ef2a70be6c34fd7c982b8769
Opcode Fuzzy Hash: 47719a3af273741fa038400a59178d19a9a1af038f8e1dde9117f9e59ee624f2
Instruction Fuzzy Hash: 55D02E3218061C8BD7088B70D90ABE93761EF44B22F098829E84A8BAA2D339E14A8540

Function 08AED330 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaba4bc5f3d770123b16e1b5acb7b15ea35c21668772561d72f92891036aa30
Instruction ID: f23e98c29cb5c4e4364508539512d80c1c834963a6e23cf234a46ddd17d69f90
Opcode Fuzzy Hash: 9eaba4bc5f3d770123b16e1b5acb7b15ea35c21668772561d72f92891036aa30
Instruction Fuzzy Hash: 55E0EC3190110CEFCF00DFA4D8458ADBFB5EB44201F508595FC04D7251E7319B649B91

Function 08B0EF08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcf6f12f5e08ed10a7a1ca5e205a23f313faba5231638c2cbab81494409ef43
Instruction ID: 9ab4590a75039bdb50e4002e6f2a2cbc1831f7138ad196dfa86b99debf1678d8
Opcode Fuzzy Hash: afcf6f12f5e08ed10a7a1ca5e205a23f313faba5231638c2cbab81494409ef43
Instruction Fuzzy Hash: B1E092B0D4420ADFE740EFBDC945A9EBFF0BB08600F1189A9D019E7361E7749A058F91

Function 08AEC808 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58970e53c0ab601cf5b4c852ea046a1a521b85863254ffcbadb6da9262c34a53
Instruction ID: 19b5926d26280d7b51b223b299a7c545c7211d380a8aa4154b2579b855f6f827
Opcode Fuzzy Hash: 58970e53c0ab601cf5b4c852ea046a1a521b85863254ffcbadb6da9262c34a53
Instruction Fuzzy Hash: C3D0A73B9005586BDB41DFF0C742B46BF60AF45644B0CC49AE55C9B320D621E527D790

Function 08AEC140 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efd70bb33e15a7e58f5cecdee4e4a56d631db48e6457230d8322f5f6cea6fad
Instruction ID: 19c056695e7318d91f81dbdba265a26d781b7b3faadad44b7cc2e117dae665d2
Opcode Fuzzy Hash: 4efd70bb33e15a7e58f5cecdee4e4a56d631db48e6457230d8322f5f6cea6fad
Instruction Fuzzy Hash: 7CE0E23182060CDE8B40BF78D944299BBE8AB15221F40C92AE80C9A500EA30D2A98F91

Function 08AE6F68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cda31eb05003fdaa0d8ea2fd93bb50f40ae0c14a21474c0bdbdb63947561af5
Instruction ID: 3af33dc4df316773c0c986aeafe88bd20f2a3b9f53edbeb4972fd8e5d72e5097
Opcode Fuzzy Hash: 6cda31eb05003fdaa0d8ea2fd93bb50f40ae0c14a21474c0bdbdb63947561af5
Instruction Fuzzy Hash: 2BD0C936744938138A1A3768A52927D765D8B85A53748446AF50ACBB80CF990D5343DE

Function 08B09319 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74623f150ab52ad6ff34f9b0b203b0ab5e889ca41e95fc6841d2e2423b4814b2
Instruction ID: 229e2b7f66bae14041b1680f7693b910d4de5a7f354dd4386ca188a4eb118bbc
Opcode Fuzzy Hash: 74623f150ab52ad6ff34f9b0b203b0ab5e889ca41e95fc6841d2e2423b4814b2
Instruction Fuzzy Hash: 18D0C9B47DC204C7FE14167D953963ABEA267C0357B5044E2F05B8AACBEE26D841CE17

Function 08AE7CA3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249acca4afc3415b816e0bcc6dd4b4f9b806bbecd0aaab5164823fc71e9fca06
Instruction ID: 04302094de4bf0d4cfde11434e73b2654b7413a6e35e56775bcdf0994fe100aa
Opcode Fuzzy Hash: 249acca4afc3415b816e0bcc6dd4b4f9b806bbecd0aaab5164823fc71e9fca06
Instruction Fuzzy Hash: 05D0A932300224AF8604AA58E804CEE77A9DBA9A203400066FA08CB330CA61DC02C7D4

Function 08AE1DAC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e213d5ae4504f2bd3efa5a79935b0ce1d77e0a989bf0594785c1a7394c95988
Instruction ID: b49360818b79f2f50cd1e24ae7c95e3f7d7ac0d25f529183f048656a00342596
Opcode Fuzzy Hash: 2e213d5ae4504f2bd3efa5a79935b0ce1d77e0a989bf0594785c1a7394c95988
Instruction Fuzzy Hash: A8D0A730164704CFC300FB2CD9459747BB4FF95709B404991F109A7221EB20FC548B41

Function 08AE7D2B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc714b0ee13ad470d64ab565883d54119eec6c6b33c4d51cf0db2fb4f3858aea
Instruction ID: 4b76acf594a778e10a25731be54b902130b559886c03e7d4ec6aaacc357b55e8
Opcode Fuzzy Hash: dc714b0ee13ad470d64ab565883d54119eec6c6b33c4d51cf0db2fb4f3858aea
Instruction Fuzzy Hash: 84D0A731200128A7CB142A25F4483FE3A58D740662F048429F505C5640CF288841DBD4

Function 08AE7CA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab759c191405b8852e5c079784c4261c09f08a733a86eaee31539f883bc9d1e
Instruction ID: 1eff9c1deff4a8294b1e980e735bb7639aad5ad24a0671ba2e06907190659570
Opcode Fuzzy Hash: fab759c191405b8852e5c079784c4261c09f08a733a86eaee31539f883bc9d1e
Instruction Fuzzy Hash: 35D0C9327402249F8604AA58E414CAD77A9DB99A617414066F909CB331DA61DC52C7D4

Function 08AE7D30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5030da1d858047400a2adc06b300a39e079e9d1da6e82985af4bbbcff549c4
Instruction ID: 7e338c762127d938bbcfe43775f376a75998b7c143c01b6bc61e0bfcb6d70057
Opcode Fuzzy Hash: ec5030da1d858047400a2adc06b300a39e079e9d1da6e82985af4bbbcff549c4
Instruction Fuzzy Hash: F3D0C931200128ABCB152A65B4487FE7A98AB41662F048429F55986690CF688952DBE5

Function 08AE8610 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653a7e0a33d2e325c977cea6510b09d5cd2353563f0c3675b9e1e28dbe4c3b8c
Instruction ID: 4c266e2494e6033f52988d7e5efbfbfea8ce6512acff538b841dbb6ae9d2521d
Opcode Fuzzy Hash: 653a7e0a33d2e325c977cea6510b09d5cd2353563f0c3675b9e1e28dbe4c3b8c
Instruction Fuzzy Hash: DCC08C32700128970608214FF4048AE768EDACE936308003BF30DC33008E9A4C0302E9

Function 08AE8678 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706c2e4337118f5cba7f1eca4b635eb3694a9508ae1d534e8a51bcf9f7a9f4b0
Instruction ID: e31c95a3c9d7ad51f68dd18645494763f596454aabdbe61ec19ada80f1615d6f
Opcode Fuzzy Hash: 706c2e4337118f5cba7f1eca4b635eb3694a9508ae1d534e8a51bcf9f7a9f4b0
Instruction Fuzzy Hash: 38D05E31200314CFC3246A25E004B9A739AAB86216F5044AEE44A42B408B796C41CB91

Function 08AEC818 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd16e809ac8319cf48205736e8dfa402ad704cb0b9785b2d29f053570073c0d
Instruction ID: 94a6818f847fd819ba1a500faa3e166dbbad243eaaedf488c8cc99fdfb366928
Opcode Fuzzy Hash: 3dd16e809ac8319cf48205736e8dfa402ad704cb0b9785b2d29f053570073c0d
Instruction Fuzzy Hash: CAC012361002187B8B01AB85D900C87BFADAF49654308C056F6088B221E622E92297E0

Function 08AEE2B1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b72c358df7fd451ad824eaa2e4b71a3b83ebb434f14c87b3682a2bc15d9a42
Instruction ID: 5a4b3346e2715bda5f42f2cab4fc7fe8429ef743240fb80ab82ec0df0fb892f2
Opcode Fuzzy Hash: 14b72c358df7fd451ad824eaa2e4b71a3b83ebb434f14c87b3682a2bc15d9a42
Instruction Fuzzy Hash: 56C012D5C58B0059E212B63064532AD7F30AB22201F8149A1DCC517590F914157A82A3

Function 08B05E42 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1e1bf8f96e6ec5bf44e5415dc0076dabd0c30bab42c5e75f78fd7abc290fe8
Instruction ID: cbe379a564e2ea732c1cd928f9aa10336349a5b0a642996d5989ad5318ecd4ad
Opcode Fuzzy Hash: 6f1e1bf8f96e6ec5bf44e5415dc0076dabd0c30bab42c5e75f78fd7abc290fe8
Instruction Fuzzy Hash: EFC08C7900E7C88FC3031B682C2A4723F78486360231610C3E2D99EAB3E60448648FB2

Function 08B09118 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000691702d873afdc9bfa79d5d72faa832719842e78bca3ebd718d8d68b87138
Instruction ID: 4b7829e946ff0c76cb608321c022b91af969af3c2c9ea06a6b1540e15442a401
Opcode Fuzzy Hash: 000691702d873afdc9bfa79d5d72faa832719842e78bca3ebd718d8d68b87138
Instruction Fuzzy Hash: 98C08CEA80B6C02FCB4313608C208853FF0AE3331AB2A81D3D240AFA72C040C438CB31

Function 050DFD91 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b08d2181e568a13e647d10f39f1a50bed073ea1be13815cc6312ab83934ab9
Instruction ID: d34c2a4026d455f5f75840dc494877365168d8d74ad76a3b6c8b0fa909bfd2cb
Opcode Fuzzy Hash: 29b08d2181e568a13e647d10f39f1a50bed073ea1be13815cc6312ab83934ab9
Instruction Fuzzy Hash: AED0A9B240D3C08FE702CF20A800242BFF4AF9210470A88EFC8808F2A7D234E801C7A0

Function 08AE7863 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1de094f8c07f3759d8cae72bf4e19eea41cc68f343ea84b3754cfb9087affb
Instruction ID: 33dc59dc2a5a12edc48ab391b8d9b43e07fb115bae90e147b93b08f189c13ae6
Opcode Fuzzy Hash: aa1de094f8c07f3759d8cae72bf4e19eea41cc68f343ea84b3754cfb9087affb
Instruction Fuzzy Hash: BBD012B65141004FC344FF38EC4965EBAF6AB88201F45CD3D9589C3700E930C5188752

Function 08AEE2D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280adfb6dcebd908df26c0a85a3cfa2018ffa05f944c018428a967e0ba33afe7
Instruction ID: 9dc20535390a06dfc7362b5f23399c578ec9aa76ca9060b2c63eaa64243e1c23
Opcode Fuzzy Hash: 280adfb6dcebd908df26c0a85a3cfa2018ffa05f944c018428a967e0ba33afe7
Instruction Fuzzy Hash: A8D05E35144348AFCB01DF24E445ED67B69EF85324F2584BAE9885BA33C232E915DB41

Function 08B09820 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da98428729622e21c8f8b574c4b09bba81240f0ddacecde0561888f00127e50
Instruction ID: 3fe43b3404a83d83c4016b3bbef4788e1574f565246e22ebd42452ce66fca95c
Opcode Fuzzy Hash: 1da98428729622e21c8f8b574c4b09bba81240f0ddacecde0561888f00127e50
Instruction Fuzzy Hash: C1C08C8A12EFE00BA303923008202826F2219236013AA46A2D38186143C0801909C333

Function 08B0D9F8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98610f6914da94ab1b8705d9ac523c9acc7277894dca592fa74a4d6c83c60059
Instruction ID: baf3817800bf8d4d0623077c40e74ac1c98e7a12a9e176ad59c400559dbe1628
Opcode Fuzzy Hash: 98610f6914da94ab1b8705d9ac523c9acc7277894dca592fa74a4d6c83c60059
Instruction Fuzzy Hash: 14C08C3000B308ABE2082BD8B40F324BB6CA701302F588018A10810092BB785040CE51

Function 08AEE2E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 08B06D04 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b7f5b95e44822b2cda70f5872f3d4f9fe6704b76e4213a22f6007f7c050bf8
Instruction ID: 836c31df5a316fd3566702aeb5230a8fd8d7bb07cbacccc66152fcb107437304
Opcode Fuzzy Hash: e3b7f5b95e44822b2cda70f5872f3d4f9fe6704b76e4213a22f6007f7c050bf8
Instruction Fuzzy Hash: 04C09B79126208FEC605FB58C584C5A7FE1FF66702740CCD2B14546171D631C439EF15

Function 08AE8810 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77abfe73f061f7320bacc4c982dd34dfd1c9396b4f0e0a7d7ad47143f0397d05
Instruction ID: 784c1e59f27e2ef879e8fdd6fb01ad359b0f053532de13d879ee194407341a3a
Opcode Fuzzy Hash: 77abfe73f061f7320bacc4c982dd34dfd1c9396b4f0e0a7d7ad47143f0397d05
Instruction Fuzzy Hash: 80B0928B8492C04ACE02017098323729A3047A35C4F0E18A1C8D0AA743E20588029631

Function 08AEA160 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b281311ea3364982aecb9270968c927e409ce6ed1c3f6c9745588b3327521091
Instruction ID: 78fcb134c2a8d375e39df63ec083bb51152ce9b320be2b6f346fd2f706885045
Opcode Fuzzy Hash: b281311ea3364982aecb9270968c927e409ce6ed1c3f6c9745588b3327521091
Instruction Fuzzy Hash: C1B01223C8280A43FF040920C70B3C893218BC860AF14C2109C60D4523CA00F447A612

Function 08B06DAC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7524faaaa30a894167a35e1c2ecfac3e2ea55275091b64dc5dc8542ecccc4b2d
Instruction ID: d656b42158289f473a7724af334f07d9b1a376ea2e2709985bdcb3365e8ddada
Opcode Fuzzy Hash: 7524faaaa30a894167a35e1c2ecfac3e2ea55275091b64dc5dc8542ecccc4b2d
Instruction Fuzzy Hash: C4B012B9176701A640006AE88984F3E7C60FBB2742F40CC1272C901141C4709426F61B

Function 08B05E50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56555fa0660285d28b553183a82c772baf5a7b6ab624d73ce615f706bf14970e
Instruction ID: 1841a12c6391f75bbcabec95b9ffa256589da2f8360570a1522fc44e149bc96b
Opcode Fuzzy Hash: 56555fa0660285d28b553183a82c772baf5a7b6ab624d73ce615f706bf14970e
Instruction Fuzzy Hash: 8AA0113800828C8AC2202288300B03A3F2C8880A023000082E2AE28C88AA20A8B00E88

Function 050DFCB0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356f606e23ea9c4b3548430fa6d735f13e56455b026236c936e7ee3af13784f5
Instruction ID: 294ce22374d60a620d688b2c709c2d9a4e2fd2d294da61845c6a6f2a0980e5b2
Opcode Fuzzy Hash: 356f606e23ea9c4b3548430fa6d735f13e56455b026236c936e7ee3af13784f5
Instruction Fuzzy Hash: D0C0922260A7C48CDA41DBB0AA083C93F65F75224CF8D45EDC1891A003DBAD220ED3A3

Function 08B0B8C9 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712908788.0000000008B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b9a82c30b4c3fb4e0cc79affd0009b85df7ca7e3bfe6c4c03eed26e70f1d11
Instruction ID: da7e3cfac2e8fc393e9b71cd1e2a64bcf5ed7b9be86a520166da34d0c5033118
Opcode Fuzzy Hash: 22b9a82c30b4c3fb4e0cc79affd0009b85df7ca7e3bfe6c4c03eed26e70f1d11
Instruction Fuzzy Hash: 3FA022F0008B08C20C00228C302B0383FA82F002F330008C0F02F000F38F32C880BC00

Function 08AE6443 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15557cfce05d89d8dd79d0d2ea3b17313a21be1b3858bd765dfdefecb913990
Instruction ID: 0e0dde1ba115500a52842492433685b2962bb4aba2de31c60a0ee5d586deccd0
Opcode Fuzzy Hash: a15557cfce05d89d8dd79d0d2ea3b17313a21be1b3858bd765dfdefecb913990
Instruction Fuzzy Hash: 35B0123540054C12CE200311DE2D7413AA0C7C0300F44996C904645300C14464049501

Function 08AE882A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6947c0cf4e58e81377a101666259f9a07c60bac5dd7845200b12bae5f6827132
Instruction ID: 7448c52b230fdc181f0c4c41b50dc340b9865f0a66921a94de40a14ec7fcdbba
Opcode Fuzzy Hash: 6947c0cf4e58e81377a101666259f9a07c60bac5dd7845200b12bae5f6827132
Instruction Fuzzy Hash:

Non-executed Functions

Function 072EB188 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c59ebe89eef46e07b1edcd009cbdade2f56f9bedcc6be877a55d2a1534461b
Instruction ID: 0b7bba5330575b2f9f650d7950315b12fc476b9fffc5ff8f20df17790b1922fb
Opcode Fuzzy Hash: b4c59ebe89eef46e07b1edcd009cbdade2f56f9bedcc6be877a55d2a1534461b
Instruction Fuzzy Hash: DAE1CDF07116128FDB29DB7AC460BAE77FAAF89304F54846DD14ADB290DB35E802CB51

Function 072E2620 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911296ee3c97cdbcfc9e4198bca812b57be458e734fe096a78d704358da8c706
Instruction ID: 9584ebea7a0eb198e00b2919250132cc65008e350d2b720c68fc0d1bb84a4f2f
Opcode Fuzzy Hash: 911296ee3c97cdbcfc9e4198bca812b57be458e734fe096a78d704358da8c706
Instruction Fuzzy Hash: F1E116B4E106198FDB14DFA8C580AAEFBF6BF89300F248169D419AB355D730AD81CF60

Function 072E4C08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3570b996d41d82a2600e93cb9b425d1dbd3a328072b9681ef1f9b5a123f9fa
Instruction ID: 5dbe1168db63a43fd52064ff090541104fde00278c059e9491c96ff418fd4389
Opcode Fuzzy Hash: fd3570b996d41d82a2600e93cb9b425d1dbd3a328072b9681ef1f9b5a123f9fa
Instruction Fuzzy Hash: BAE10AB4E102598FDB14DFA9C5909AEBBF6FF89304F248169E418AB355D730AD81CF60

Function 072E2A58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9040d59e25d0e1979050eed25768a74aff0c5f2c5f1d8a98439f5771a6c09d4
Instruction ID: 9f6d65bc05b520bff2f4c4c5be0abcb32a40bdd78dda40da39cbf69dd1b70ff4
Opcode Fuzzy Hash: c9040d59e25d0e1979050eed25768a74aff0c5f2c5f1d8a98439f5771a6c09d4
Instruction Fuzzy Hash: 04E1F7B4E106198FDB14DFA9C580AAEFBF6BF89304F248169D419AB355D730AD81CF60

Function 072E4258 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f7981737237c6e4d4c303b7dba79335e5f11e509f869704950936ecd8b0a06
Instruction ID: 6dcaf0e4fb60bbd1c1192d746321709ded20a6cae4d084efca12d4a7cbb591dc
Opcode Fuzzy Hash: a0f7981737237c6e4d4c303b7dba79335e5f11e509f869704950936ecd8b0a06
Instruction Fuzzy Hash: 50E10BB4E102598FDB14DFA9C5809AEFBF6BF89304F648159E818AB355D730AD81CF60

Function 072E21E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3986b99d9dac82d1f6a8a21897203aebb47f29e36048d68ff259746dbdbd7e3f
Instruction ID: ed2e4c8f303aae4fe485ede5a207cdbc6dd39a167ceeb3797ac12a3e349fa0b6
Opcode Fuzzy Hash: 3986b99d9dac82d1f6a8a21897203aebb47f29e36048d68ff259746dbdbd7e3f
Instruction Fuzzy Hash: 2EE106B4E10619CFDB14DFA9C590AAEFBF6BF89300F248169D419AB355D730A981CF60

Function 08AE0FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5fb9ad9de86517b853c29eb4c836f05a5dbe2882f1db696739558688f1e118
Instruction ID: aa8c04b00d4a72b4fd291de8c87c3c1c519e256a0db8f8a5cab5b234dd78d659
Opcode Fuzzy Hash: 5f5fb9ad9de86517b853c29eb4c836f05a5dbe2882f1db696739558688f1e118
Instruction Fuzzy Hash: CBD11635D20B5ACACB00EB64D99069DB7B1FF95300F60D79AE0097B224EF706AC5CB81

Function 0116D424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704735969.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f4d716adbf7caf2734925036a34fae7655e872b68640f300d95cb7dedc1b11
Instruction ID: ba1e70bf1766e70edbb47e170911782c949e2aed5fd74eb1692fc6bf8435653a
Opcode Fuzzy Hash: 82f4d716adbf7caf2734925036a34fae7655e872b68640f300d95cb7dedc1b11
Instruction Fuzzy Hash: 7CA1B232E0021ACFCF19DFB4D85059EBBB6FF85304B15816AE801AB265DB32D966CB40

Function 08AE0FF8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3f2ab54cac76de0be7a987e696574b793db5e42b2b1ed781a3c1146b2c51fa
Instruction ID: fe81060ef5b576c3f19150ca3be17638c3ba55cb0450940e98cbb31d669e5457
Opcode Fuzzy Hash: db3f2ab54cac76de0be7a987e696574b793db5e42b2b1ed781a3c1146b2c51fa
Instruction Fuzzy Hash: C2D10535D2075ACACB00EB64D99069DB7B1FF95300F60DB9AE0097B224EF706AD5CB81

Function 072E21B9 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b60e38f4260b2a997389b3d6423978b19d342421a97af231f89e92d2b48a62
Instruction ID: ff1021c6d9d4cf1cc5bb171448872ec949a7c6b0e162ce2a8c45620fc17f1332
Opcode Fuzzy Hash: 63b60e38f4260b2a997389b3d6423978b19d342421a97af231f89e92d2b48a62
Instruction Fuzzy Hash: 86512BB1E146198FDB14CFA9C9505AEFBF6BF89300F2481AAD418AB356D7309D41CF61

Function 072E4BF8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711658535.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dea6298edc3772853a0f331a5fb8f086096ed3acaf7b2968c802050f9fa96d
Instruction ID: a2003209ff45eaac28092da6a4d28835cf2e7b57442d0e905008bcf462b1bdea
Opcode Fuzzy Hash: 62dea6298edc3772853a0f331a5fb8f086096ed3acaf7b2968c802050f9fa96d
Instruction Fuzzy Hash: D8512CB4E102598FDB14DFA9C5805AEFBF6BF89304F24816AD418AB315D7319D41CFA1

Function 050D1418 Relevance: 41.7, Strings: 33, Instructions: 437COMMON

Download Yara Rule

Strings

4'dq, xrefs: 050D1612
4'dq, xrefs: 050D17EB
4'dq, xrefs: 050D1540
4'dq, xrefs: 050D167B
4'dq, xrefs: 050D19A3
4'dq, xrefs: 050D1563
4'dq, xrefs: 050D1793
4'dq, xrefs: 050D186F
4'dq, xrefs: 050D172A
4'dq, xrefs: 050D18C7
4'dq, xrefs: 050D19CF
4'dq, xrefs: 050D1586
4'dq, xrefs: 050D1843
4'dq, xrefs: 050D16C1
4'dq, xrefs: 050D189B
4'dq, xrefs: 050D14FA
4'dq, xrefs: 050D15A9
4'dq, xrefs: 050D15CC
4'dq, xrefs: 050D16E4
4'dq, xrefs: 050D1817
4'dq, xrefs: 050D1977
4'dq, xrefs: 050D1707
4'dq, xrefs: 050D17BF
4'dq, xrefs: 050D151D
4'dq, xrefs: 050D1658
4'dq, xrefs: 050D174D
4'dq, xrefs: 050D1770
4'dq, xrefs: 050D194B
4'dq, xrefs: 050D15EF
4'dq, xrefs: 050D169E
4'dq, xrefs: 050D18F3
4'dq, xrefs: 050D1635
4'dq, xrefs: 050D191F

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2998797874
Opcode ID: 64ebd6d0f14ce3d22195479b487dc6b9945619ba30848c0a45fabe311ebc0cb3
Instruction ID: 6f6c9e80252ebd657a451780824c6959e167686f5c06708cc0764df40d74f00e
Opcode Fuzzy Hash: 64ebd6d0f14ce3d22195479b487dc6b9945619ba30848c0a45fabe311ebc0cb3
Instruction Fuzzy Hash: CB121A70A0032A9FCB1CEFB5E85179E77B2FF90305F5085A9D019AB269DB302D85DB85

Function 050D1428 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'dq, xrefs: 050D1612
4'dq, xrefs: 050D17EB
4'dq, xrefs: 050D1540
4'dq, xrefs: 050D167B
4'dq, xrefs: 050D19A3
4'dq, xrefs: 050D1563
4'dq, xrefs: 050D1793
4'dq, xrefs: 050D186F
4'dq, xrefs: 050D172A
4'dq, xrefs: 050D18C7
4'dq, xrefs: 050D19CF
4'dq, xrefs: 050D1586
4'dq, xrefs: 050D1843
4'dq, xrefs: 050D16C1
4'dq, xrefs: 050D189B
4'dq, xrefs: 050D14FA
4'dq, xrefs: 050D15A9
4'dq, xrefs: 050D15CC
4'dq, xrefs: 050D16E4
4'dq, xrefs: 050D1817
4'dq, xrefs: 050D1977
4'dq, xrefs: 050D1707
4'dq, xrefs: 050D17BF
4'dq, xrefs: 050D151D
4'dq, xrefs: 050D1658
4'dq, xrefs: 050D174D
4'dq, xrefs: 050D1770
4'dq, xrefs: 050D194B
4'dq, xrefs: 050D15EF
4'dq, xrefs: 050D169E
4'dq, xrefs: 050D18F3
4'dq, xrefs: 050D1635
4'dq, xrefs: 050D191F

Memory Dump Source

Source File: 00000000.00000002.1708613080.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d0000_file.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2998797874
Opcode ID: 0a0b528c13d211ea824995112b9c4a08b774f0d623459a4264e59cffaf70434a
Instruction ID: 4a5d2ede466c3e447c7acf0b316b594ccde9f8159d6ae028c33961d3bc024007
Opcode Fuzzy Hash: 0a0b528c13d211ea824995112b9c4a08b774f0d623459a4264e59cffaf70434a
Instruction Fuzzy Hash: 26121A70A0032A9FCB1CEFB5E85179E77B2FF90305F5085A9D009AB269DB302D85DB85

Function 08AEDAA0 Relevance: 6.3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

Strings

4'dq, xrefs: 08AEDB0E
4'dq, xrefs: 08AEDB31
4'dq, xrefs: 08AEDB77
4'dq, xrefs: 08AEDB54
4'dq, xrefs: 08AEDAEB

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2424647854
Opcode ID: 23c6ca80980bdfb1476acd6cd25c8ab440271f24c17bd88c30afa8eba2484c11
Instruction ID: 2bbf13e58c6c106ec22fe2e4a339aff4c7f6b949732ea0f7a3413e46b2df3b4d
Opcode Fuzzy Hash: 23c6ca80980bdfb1476acd6cd25c8ab440271f24c17bd88c30afa8eba2484c11
Instruction Fuzzy Hash: 4D215870A0020A9FCB0CEBA9D9516EF77B2FF84301F508469D109BB6A9EF315E45CB91

Function 08AEDAB0 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

4'dq, xrefs: 08AEDB0E
4'dq, xrefs: 08AEDB31
4'dq, xrefs: 08AEDB77
4'dq, xrefs: 08AEDB54
4'dq, xrefs: 08AEDAEB

Memory Dump Source

Source File: 00000000.00000002.1712786013.0000000008AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ae0000_file.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2424647854
Opcode ID: faf618e22bcffb8d3c5a116a4b0cada58a12e7d4dad185a68bfce1230ab4b09d
Instruction ID: 02cf72dd21e0fc62f3370d24273a6970ff60308563908dbad0ce623deccdab4c
Opcode Fuzzy Hash: faf618e22bcffb8d3c5a116a4b0cada58a12e7d4dad185a68bfce1230ab4b09d
Instruction Fuzzy Hash: B9214570A0020A9FCB0CEBA9D9516EF77B2FF84301F508469D109AB6A9EF315E45CB91

Analysis Process: file.exePID: 7252, Parent PID: 2008COMMON

Execution Graph

Execution Coverage:	24.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02B32E73 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 450
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B33351

Strings

D@, xrefs: 02B33286
D@, xrefs: 02B33247
4|iq, xrefs: 02B33275

Memory Dump Source

Source File: 00000006.00000002.1830914753.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b30000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: 4|iq$D@$D@
API String ID: 2706961497-1499252293
Opcode ID: edc88af40859488629b9002420a8f14614e1fcfc92ab50d8440ca74c0b5fa0bf
Instruction ID: 7bb232c4de6f311923fbacc7920a81ff21ff5028489dffccb9455b0d554eaf3d
Opcode Fuzzy Hash: edc88af40859488629b9002420a8f14614e1fcfc92ab50d8440ca74c0b5fa0bf
Instruction Fuzzy Hash: EEE1DF35F003454BDF55CABE9CD03AF72E3AFC8224F5882A9D956DB794EB3499019780

Function 02B332C8 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B33351

Memory Dump Source

Source File: 00000006.00000002.1830914753.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b30000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f106ca5490b2252aa7a7e4a40a21f5351b60cc8f5b204ef7f01b74b998af34eb
Instruction ID: 18899d4113e4cc9ef287520582cae0f5c0848b41fd0b18e5dbe929429a19bdb9
Opcode Fuzzy Hash: f106ca5490b2252aa7a7e4a40a21f5351b60cc8f5b204ef7f01b74b998af34eb
Instruction Fuzzy Hash: DD2114B1D013499FCB10DFAAD984ADEFBF5FF48310F60842AE519A7250C775A900CBA1

Analysis Process: yRnixT.exePID: 7400, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	171
Total number of Limit Nodes:	7

Executed Functions

Function 0124D4E8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0124D576
GetCurrentThread.KERNEL32 ref: 0124D5B3
GetCurrentProcess.KERNEL32 ref: 0124D5F0
GetCurrentThreadId.KERNEL32 ref: 0124D649

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 402db8ae09ce28a29dcdf5dab12ded7280993cc79fb0cc4c92ac61d2d8186071
Instruction ID: 013761ed32c4d5af83bf6e043c821071e62badfbe8d7c6ae85de67ec24ca58f7
Opcode Fuzzy Hash: 402db8ae09ce28a29dcdf5dab12ded7280993cc79fb0cc4c92ac61d2d8186071
Instruction Fuzzy Hash: 0C5168B0D003498FDB18DFA9D548B9EBFF1BF49314F24849AD409A7390DB345984CB65

Function 0124D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0124D576
GetCurrentThread.KERNEL32 ref: 0124D5B3
GetCurrentProcess.KERNEL32 ref: 0124D5F0
GetCurrentThreadId.KERNEL32 ref: 0124D649

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f83644da6752fa76e55589b38a395b8897af70ad59715e4b3add349184881094
Instruction ID: 5e96ff91af999910eaec15d15501748bc88e190552e9878f18792b342742e968
Opcode Fuzzy Hash: f83644da6752fa76e55589b38a395b8897af70ad59715e4b3add349184881094
Instruction Fuzzy Hash: 4E5145B09003098FDB18DFAAD549B9EBBF1BF89314F208459E419A7290DB349984CB65

Function 0703537C Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070355BE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 206c464cf9d982782768078b5e171b4f7048039ea9f24bd6e66d2a2114631b36
Instruction ID: e5cd27c553b763b8ea403539568720cd15fa301fc29488906fe105a8cab5be73
Opcode Fuzzy Hash: 206c464cf9d982782768078b5e171b4f7048039ea9f24bd6e66d2a2114631b36
Instruction Fuzzy Hash: 94A16BB1D0021A8FEB14CF68CC417EEBBF6AF48314F14866AE809A7250DB749995CF91

Function 07035388 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070355BE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6e6e08252c87d6f2fa640e1ba5b66045606c6fe0fca4e90d99f6e132346312e3
Instruction ID: 2c934edc2b1643add9553671fb019db7641af9190597e95b3b4b5ce06f0a021e
Opcode Fuzzy Hash: 6e6e08252c87d6f2fa640e1ba5b66045606c6fe0fca4e90d99f6e132346312e3
Instruction Fuzzy Hash: 08914BB1D0021ACFEB14DF68CC41BAEBBF6AF48314F148669E809A7250DB749995CF91

Function 0124AE59 Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124B0BE

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 402c0e02a001e2a5460d8e0fa471ac5f67b08e3c1c7d80ac008147a488d6a145
Instruction ID: 54014b68e865423cb8ad2320b8c880625a177718c28c396398c5b1ec099f2514
Opcode Fuzzy Hash: 402c0e02a001e2a5460d8e0fa471ac5f67b08e3c1c7d80ac008147a488d6a145
Instruction Fuzzy Hash: 49919CB0A10B468FE729DF29C44075ABBF1FF48304F04896ED59ACBA91D775E845CB90

Function 0124590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012459C9

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: badba7f240d4eb74fe83e323ae4f25dc52f872038da5dff916919dd5634ac85f
Instruction ID: d9d8300f241847bdf9a5f89c6056f395469c61fa005a323698ef9b033fa73efe
Opcode Fuzzy Hash: badba7f240d4eb74fe83e323ae4f25dc52f872038da5dff916919dd5634ac85f
Instruction Fuzzy Hash: FE41F2B0C0071ACFDB28DFA9C884B8DFBB5BF4A314F20816AD459AB251DB756945CF90

Function 01245A84 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a1a2051afe183cb7542fd52d40b8e78edd0d9a8420385c394bb50594a18189
Instruction ID: 1a5b3d246de1eec507fb3440caee4f282f2fb4716f1fc632b8779a85c062569a
Opcode Fuzzy Hash: 73a1a2051afe183cb7542fd52d40b8e78edd0d9a8420385c394bb50594a18189
Instruction Fuzzy Hash: 3D310EB5C1434ACFDB15CFA8C8453ADBBB0EF46320F24418AC196AB291C775A946CF81

Function 012444E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 012459C9

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a44b8879190ba67f3e47bcf8843030c57cc21994e2a50535564fdf8c94e92c1d
Instruction ID: 057b316a38c9a6e300fa1729c053481d66a37ab3e3f47d67a89485ce49e331d7
Opcode Fuzzy Hash: a44b8879190ba67f3e47bcf8843030c57cc21994e2a50535564fdf8c94e92c1d
Instruction Fuzzy Hash: 1641EFB0C10719CBDB28DFA9C885B8EBBB5BF49304F20806AD509AB251DBB56945CF90

Function 070350FF Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07035190

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3c28b11526575f0c63e6987be9bdc9a6bc9150a17fc8375d35f3f3335dc1c8d8
Instruction ID: 07b18e3d16a99dea9fb334ceecdea576473692f06c46b71ed4368a3378e99e4a
Opcode Fuzzy Hash: 3c28b11526575f0c63e6987be9bdc9a6bc9150a17fc8375d35f3f3335dc1c8d8
Instruction Fuzzy Hash: 2F2157B19003099FCB10CFAAC885BDEBBF5FF48310F10842AE918A7350D7789954CBA4

Function 07035100 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07035190

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 50fab8c66a4041705f5985afbd5934a0f880c255e00a478ead666848a60ed8ae
Instruction ID: 7542aa194b933147164573ffc2523964010833af9b84d72f2bf829d68b80a923
Opcode Fuzzy Hash: 50fab8c66a4041705f5985afbd5934a0f880c255e00a478ead666848a60ed8ae
Instruction Fuzzy Hash: 8B2155B19003099FCB10CFAAC885BDEBBF5FF48310F10882AE918A7350D7789954CBA4

Function 070351E8 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07035270

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7d4b1d3bc21ec5db70d61f45abe2e85f0883ffdf8b54fa9984fd874ccf9a62fa
Instruction ID: 2bfa4bdb09afd78daf75386e9b299418ef77334f5bdd5bd98a2da5db2c5e64c5
Opcode Fuzzy Hash: 7d4b1d3bc21ec5db70d61f45abe2e85f0883ffdf8b54fa9984fd874ccf9a62fa
Instruction Fuzzy Hash: 912148B19003499FCB10DFAAC845ADEFBF5FF48320F10842AE919A7251C7389954DFA4

Function 07034B2F Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07034BAE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b2df0ad6ff9f38d5d25d4590251980c8e6d8b4b0b813b50b69df5238a017f6e4
Instruction ID: a0d0f1bed15ef455f3e2f5ab9df23a195321991f3d8c4eafd1903c9c29f09185
Opcode Fuzzy Hash: b2df0ad6ff9f38d5d25d4590251980c8e6d8b4b0b813b50b69df5238a017f6e4
Instruction Fuzzy Hash: 862149B19003499FDB10DFAAC4857EEBBF8EF48324F14842AE559A7240CB789945CFA5

Function 07034B30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07034BAE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cbec9f23ddfe43af2b0fa663842484ff5de1f7fdf7fc065285633109a5cb67b8
Instruction ID: 60dfd4a1c00cda54c910c7785e8334d79b576c2b1a4ba333e2bec1f64b3aa7df
Opcode Fuzzy Hash: cbec9f23ddfe43af2b0fa663842484ff5de1f7fdf7fc065285633109a5cb67b8
Instruction Fuzzy Hash: 6E2149B19003499FDB10DFAAC4857EEBBF8EF48324F14842AD559A7240CB789945CFA4

Function 070351F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07035270

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1ea939f94c4a9c318335613e1e0aa1916828dba9887e030ce548a7a7569d0420
Instruction ID: 6ab0229afa4cc167a7be19740fc0789a037934b78fde1737d2f04fb61a145442
Opcode Fuzzy Hash: 1ea939f94c4a9c318335613e1e0aa1916828dba9887e030ce548a7a7569d0420
Instruction Fuzzy Hash: 062128B19003499FCB10DFAAC845ADEFBF5FF48310F50842AE519A7250C7789954DBA4

Function 0124D738 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D7C7

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 309a39a5cad0ce51e733697f1ae0914c2c991667d74d6fedb21f7b3eb5a301bf
Instruction ID: 09bcea8671ac588ca1b684b59beeac0d32087f60459639f7b73dacf909cbee70
Opcode Fuzzy Hash: 309a39a5cad0ce51e733697f1ae0914c2c991667d74d6fedb21f7b3eb5a301bf
Instruction Fuzzy Hash: 212114B5900248DFDB10CFA9D984ADEBFF4EB08310F14841AE958A3251C378A940CF60

Function 0124D740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124D7C7

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 03608b159536e32d8a7067f58050a2df8ca57bee977bbef04df827715a1e1674
Instruction ID: 9eba55229dd50497f3587d65be4064f487ebbfd5119c59c89b087240cdb9a892
Opcode Fuzzy Hash: 03608b159536e32d8a7067f58050a2df8ca57bee977bbef04df827715a1e1674
Instruction Fuzzy Hash: 8521E4B59003499FDB10CF9AD884ADEBFF4EB48310F14841AE918A3350D378A944CF64

Function 0703503F Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070350AE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0332886c7dab315931dce4ca0a2729d30218b543fa43beca6c5c14f7209f705e
Instruction ID: d0e3ecbcb7c8882578f9078c00163c707daefcdb3afe0de98a3aaba93faed08c
Opcode Fuzzy Hash: 0332886c7dab315931dce4ca0a2729d30218b543fa43beca6c5c14f7209f705e
Instruction Fuzzy Hash: F11167B19003499FCB10DFAAC845ADFBFF5EF88320F10841AE519A7250CB75A950CFA1

Function 07035040 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070350AE

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e074391e79c5d519eb4a350c1437c0a50dc46ff92767fd298887ca1316c8d148
Instruction ID: cf850e0d6541971fb360ec4039e7b228d2e044ce9d09245e77aae11326a0b78e
Opcode Fuzzy Hash: e074391e79c5d519eb4a350c1437c0a50dc46ff92767fd298887ca1316c8d148
Instruction Fuzzy Hash: 5A1167B19003499FCB10DFAAC844ADFBFF5EF88320F108419E519A7250CB75A950CFA0

Function 07034A7F Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07034AE2

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 110716324ee0264ca7ddd4f97c4f828d9468bda35f3a545a4bd25bf2f08bf8ca
Instruction ID: f8f8223ece000459f1ea6bb45d4a8d5970c447f48443d9cc6fddf534c5a5ce43
Opcode Fuzzy Hash: 110716324ee0264ca7ddd4f97c4f828d9468bda35f3a545a4bd25bf2f08bf8ca
Instruction Fuzzy Hash: 42112BB19003498FDB10DFAAC4457EEFBF9EB88324F14841AD519A7240CB75A944CB95

Function 07034A80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07034AE2

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4b71a213455b90bf58fbb57342f543cf7c513f8de3fe2c1d25cbea4a382cf9c9
Instruction ID: 5a44cd3f859aab771855557fa0f6163ab0c1b460f375cb1c2a8a3f600810a26f
Opcode Fuzzy Hash: 4b71a213455b90bf58fbb57342f543cf7c513f8de3fe2c1d25cbea4a382cf9c9
Instruction Fuzzy Hash: 0D1128B19003498FDB10DFAAC4457AEFBF9EB88324F24841AD529A7240CB79A944CB94

Function 07036818 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070389DD

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0ba8dbfb57e32e9022753cfc346647693c8522373b69366d657aabecea3f9980
Instruction ID: 393b32b25504aadbc7f5ff2b73ecc0f818dbbd5639cd51029f0d846edd03a0dd
Opcode Fuzzy Hash: 0ba8dbfb57e32e9022753cfc346647693c8522373b69366d657aabecea3f9980
Instruction Fuzzy Hash: B61133B5800349DFCB10DF8AC849BDEFBF8EB48320F14855AE518A3240C379A944CFA5

Function 0124B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124B0BE

Memory Dump Source

Source File: 00000008.00000002.1757178406.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_yRnixT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 22f2f460dbe3c596ba7a0b2d024c532e129e86ce96aa27f18e29257bb583b05f
Instruction ID: 7bbcc4fb3b559eec86bdf785d8ae40730b837c6825479d0b898df1a461c6e823
Opcode Fuzzy Hash: 22f2f460dbe3c596ba7a0b2d024c532e129e86ce96aa27f18e29257bb583b05f
Instruction Fuzzy Hash: F5110FB5C003498FDB14CF9AC444A9EFBF4EF88324F10841AD529A7210D379A545CFA1

Function 0703897F Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070389DD

Memory Dump Source

Source File: 00000008.00000002.1762930077.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7030000_yRnixT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f8d35c5edf9cd0085abe6e5eb21de239f55f5b5c510208acf535a3098074c9bb
Instruction ID: 05c2340f30802f35069095d6c956f6823318b2e6b70fe59924e2e1ffc74d4575
Opcode Fuzzy Hash: f8d35c5edf9cd0085abe6e5eb21de239f55f5b5c510208acf535a3098074c9bb
Instruction Fuzzy Hash: F91103B58003499FDB10DF9AD845BDEBBF8EB48320F10845AE518A3240C379A984CFA5

Function 011ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47835e748f600c023287924a4e383176820ca8aaa5958873d66e8d3e1a1ecd31
Instruction ID: d9e16873892a83230fe72f470e3468cd82df4030995b905c6b42102c15f05d2b
Opcode Fuzzy Hash: 47835e748f600c023287924a4e383176820ca8aaa5958873d66e8d3e1a1ecd31
Instruction Fuzzy Hash: 4E2136B1504604DFDF09DF88E9C8B56BFE5FBA4324F24C568E90A0B646C336E456C7A2

Function 011ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a679dcf027cca54d47bd632954884a1565906301f534ffb577e5b67d15bbd1cb
Instruction ID: 81b5fcd76890f6e50e471c99b6ba49033e33e2bb837340e1a9ba25472f1fdaca
Opcode Fuzzy Hash: a679dcf027cca54d47bd632954884a1565906301f534ffb577e5b67d15bbd1cb
Instruction Fuzzy Hash: E0213671500600DFCF09DF98E9C8B26BFB5FB94318F24C569D8090B246C336D416CBA2

Function 011FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756939586.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50173b852ddaca93f7741daab1c993aa5acc5502735c45e12605af47e58afcb2
Instruction ID: ff38e4e149fed3bb782ae8e68c466ed718b76e85dade4b8d942e3d27d7ea77c9
Opcode Fuzzy Hash: 50173b852ddaca93f7741daab1c993aa5acc5502735c45e12605af47e58afcb2
Instruction Fuzzy Hash: BF21D375604200DFDF19DF58E984B26BBA5EB84354F24C66DDA0A4B346C736D407CA62

Function 011FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756939586.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145d1fb16c7e6a44a1fa077f4d328b2db8d0d86b28d146678bb16c0b915fc4a5
Instruction ID: 220a79771b0f26671a1dd44d77c3fa0080a6592be8490adacde0f821a4cf08a6
Opcode Fuzzy Hash: 145d1fb16c7e6a44a1fa077f4d328b2db8d0d86b28d146678bb16c0b915fc4a5
Instruction Fuzzy Hash: 2121F875504200DFDF09DF54E5C4B25BBA5FB84324F24C56DEA0A4B252C336D406CAA2

Function 011FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756939586.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ae21f3584077048050e1e0c649ab0d541cd17d72089d6e7a47535b8eb1b58d
Instruction ID: d1e5a59b47ed4c8e12b0728c1b79257341886ddad09a09cdcb79da4b47a4396a
Opcode Fuzzy Hash: 23ae21f3584077048050e1e0c649ab0d541cd17d72089d6e7a47535b8eb1b58d
Instruction Fuzzy Hash: 4D21AE755093808FDB07CF24D994B15BF71EB46214F28C5EED9498F6A7C33A980ACB62

Function 011ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 81e209c52e2a1d5a83475b0eb79940054c2c3cb8ed0ad309a3e7839d60136d3b
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: DD11D276504640CFDF06CF44D5C4B56BFB1FB94324F24C2A9D9090B656C33AD456CB91

Function 011ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 4b60628cd04ce6a562012c6439c0be3727b6f61c41126b4f467f0868e03145ab
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 3611DF76504280CFCF06CF54E9C8B16BFB2FB84324F24C6A9D8090B256C336D45ACBA2

Function 011FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756939586.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11fd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 734f8a708612cefc65c6df911ff99e3e799c637d2b10c81d4fec17010b14c817
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 3511BE79504240DFDB06CF54D5C4B25BB71FB84224F24C6AED9494B296C33AD40ACB92

Function 011ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38268bec3eb24a84dbcf259cf2da5f56f65968c897e776586db60efe88f96bc
Instruction ID: 63701e2835bf53bb346ff0531ae133ced1b7c0683ee9d1788fe8e4df8578ac3e
Opcode Fuzzy Hash: e38268bec3eb24a84dbcf259cf2da5f56f65968c897e776586db60efe88f96bc
Instruction Fuzzy Hash: 2801F771444B809AEB185FD9DC88B26BFD8DF51329F08C51AED190A282D7399840C7B2

Function 011ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1756864865.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ed000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707bf52f521af857264287bd8b8ab6e6a0eebf6919b0d0ae62a007041476a0c8
Instruction ID: da2b09e17b2e9073df84ddc55ae76c2e0e12dfdcc0ee3fb3817c7c526e09c4ca
Opcode Fuzzy Hash: 707bf52f521af857264287bd8b8ab6e6a0eebf6919b0d0ae62a007041476a0c8
Instruction Fuzzy Hash: 93F0C2314447809EEB148F99DC88B62FFD8EB51338F18C05AED080A286C3799844CBB1

Analysis Process: yRnixT.exePID: 7580, Parent PID: 7400COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	160
Total number of Limit Nodes:	17

Executed Functions

Function 00D32E7B Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 458
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00D33359

Strings

4|iq, xrefs: 00D3327D

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: 4|iq
API String ID: 2706961497-2430316698
Opcode ID: dcedb500b437af5a28633b99ad1395eb5dd1353f5ddce5b692a2f998ddd6633f
Instruction ID: 3166ebbf1e7b8963ef176cec4988bf9092e3c5a700f8a2feb637e95b5d65387c
Opcode Fuzzy Hash: dcedb500b437af5a28633b99ad1395eb5dd1353f5ddce5b692a2f998ddd6633f
Instruction Fuzzy Hash: D5E1BF35F043454BDB68CABD8ED03AE76A7AFC8320F6C8229D955DB384EA74DE015760

Function 00D33397 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00D33359

Strings

dhq, xrefs: 00D333AF

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: dhq
API String ID: 2706961497-2324836203
Opcode ID: b3e81e5b2a0d987ab0ea8d5bca76aa984403018e9601fd835d8e4c1c563fa38a
Instruction ID: e1e232f288ccc32e273255de33275215879a9b5b5bf1fafa52cedeb0af699fc0
Opcode Fuzzy Hash: b3e81e5b2a0d987ab0ea8d5bca76aa984403018e9601fd835d8e4c1c563fa38a
Instruction Fuzzy Hash: CC418BB49093898FCB02DF69D8806DEBFF1BF49310F14846AE459E7251C7345905CBA1

Function 02B0AAF1 Relevance: 1.8, APIs: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fdeca35d34b46a31c8e84ea3e862d743242532e6be61ec6eaeb9a549a166b3
Instruction ID: cab571224b73dc017ed260fa9cb67126889f43c4a41c40c433a514a63dcc3724
Opcode Fuzzy Hash: 45fdeca35d34b46a31c8e84ea3e862d743242532e6be61ec6eaeb9a549a166b3
Instruction Fuzzy Hash: E9D17B71A00309DFDB15DFA9C888BADBBF2FF44304F15C999E509AB2A1DB70A945CB40

Function 00D332D0 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00D33359

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9cf94ecb30b7bce56a518e3586ee3eea7df3d7310326956856e5e0d4d6332a29
Instruction ID: f06910a7521e39c41e4f687332f043a774c9a66c9ed42d29db9e8703f508fc92
Opcode Fuzzy Hash: 9cf94ecb30b7bce56a518e3586ee3eea7df3d7310326956856e5e0d4d6332a29
Instruction Fuzzy Hash: 662114B1D003099FCB10DFAAD984ADEFBF5FF48310F20842AE519A3250C775A900CBA0

Function 00D3ABEB Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D3AC76
GetCurrentThread.KERNEL32 ref: 00D3ACB3
GetCurrentProcess.KERNEL32 ref: 00D3ACF0
GetCurrentThreadId.KERNEL32 ref: 00D3AD49

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3c3c5e724b07667dd5160cb1555a1e53e1bc2ff5d811c8b7aff95a8d3329606a
Instruction ID: 8fb03ddadc50286721b468d28acd6ea1503594384fe64554bcaa05da1a758243
Opcode Fuzzy Hash: 3c3c5e724b07667dd5160cb1555a1e53e1bc2ff5d811c8b7aff95a8d3329606a
Instruction Fuzzy Hash: 3B5186B4A003498FDB44DFA9D588BAEBBF1EF88314F248459E009A73A1D7755948CF62

Function 00D3ABF8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D3AC76
GetCurrentThread.KERNEL32 ref: 00D3ACB3
GetCurrentProcess.KERNEL32 ref: 00D3ACF0
GetCurrentThreadId.KERNEL32 ref: 00D3AD49

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 794450ae1dbae7ad9d7d1f13d9bd7c1d015c78a997df892b1766d88064cbaf49
Instruction ID: 04caf828e359deddbc9b790f41c8f2567ae6624f63cf1368a92749d1c705da26
Opcode Fuzzy Hash: 794450ae1dbae7ad9d7d1f13d9bd7c1d015c78a997df892b1766d88064cbaf49
Instruction Fuzzy Hash: 315187B4E003098FDB44DFA9D548B9EBBF1EF88314F208459E109A73A0D7756988CF66

Function 02B0359A Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B037FE

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7beee550a60119a1002dea751fa9e07adfbb89bff5ecc0aab50e0d0cfb9eab5a
Instruction ID: 0678d0402aac9aa99d9c0f677e83804cef4bc5cc853203807f91dd3703eac1ec
Opcode Fuzzy Hash: 7beee550a60119a1002dea751fa9e07adfbb89bff5ecc0aab50e0d0cfb9eab5a
Instruction Fuzzy Hash: 36813470A00B448FDB25DF69D08579ABBF1FF88304F0089ADD48AD7A90DB75A949CB90

Function 02B05784 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B058A2

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2de2c73868487a5e46ba334bffb7486633caa840f14877ecdeaf6e4de277e0b6
Instruction ID: 3ab1331c1703af98319fe91fbf4a283f87ab50bdc298bea22b249531536e9fd7
Opcode Fuzzy Hash: 2de2c73868487a5e46ba334bffb7486633caa840f14877ecdeaf6e4de277e0b6
Instruction Fuzzy Hash: 2A51EFB1D003089FDB15CFA9C984ADEBFB1FF88310F64816AE819AB250D775A845CF90

Function 02B05790 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B058A2

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4b6db40eac0902f319bd914c9dad39b78af3f4bb18666189a775a1009d75ed6d
Instruction ID: 4c1de812fdc6ab154428ae66abf005df81a2d3a9de2ece3b5b332b666a7a3195
Opcode Fuzzy Hash: 4b6db40eac0902f319bd914c9dad39b78af3f4bb18666189a775a1009d75ed6d
Instruction Fuzzy Hash: 9141CEB1D103099FDB15CF99C984ADEBFB5FF88310F64812AE819AB250D770A885CF90

Function 02B066B4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02B07F91

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8fafc7f2add3ca5c4c9c5ce93520f11e9ed5e34f3b553b6fa3f7e469dcd756c9
Instruction ID: 143a7dc692c71809b8587e1184096b3f1c4999fab443348aa619e2e7a4b7f41e
Opcode Fuzzy Hash: 8fafc7f2add3ca5c4c9c5ce93520f11e9ed5e34f3b553b6fa3f7e469dcd756c9
Instruction Fuzzy Hash: FE4128B4A003498FCB14CF99C488AAAFBF5FF88314F24C499E519A7361D774A840DFA0

Function 00D3AE40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3AEC7

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1cd284a7625918c3632be6d2705ba95bb70fb7256075158cb22d96e287112623
Instruction ID: 21d02278c2742176f2c5affbe7813ebc8e063ceaee31e1f843d4e61d1afa5314
Opcode Fuzzy Hash: 1cd284a7625918c3632be6d2705ba95bb70fb7256075158cb22d96e287112623
Instruction Fuzzy Hash: A521E4B5D00208DFDB10CF9AD884ADEBBF5EB48320F14841AE958A3350C374A944CFA1

Function 00D3AE38 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3AEC7

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: caacc8626020ca908b7e04b2d02a524997a72f9bf72da48a35c14986e3378621
Instruction ID: 179a473a5155be0ef88752eaa90342a5d3b93ba7fd118ee5821d2214b6e504d0
Opcode Fuzzy Hash: caacc8626020ca908b7e04b2d02a524997a72f9bf72da48a35c14986e3378621
Instruction Fuzzy Hash: AC21E0B5D01209DFDB10CFA9D985ADEFBF5EB48320F14841AE958A3350D378A954CFA1

Function 00D33738 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(00CC45D0,00000000,?,?), ref: 00D352FB

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 18b646aad6ebb626d6a57db0964379396a335554ef02168e2880ac24fd369c9e
Instruction ID: 37cdb5a03de0294f52ce50a69087ba6e9fb6928d58bb6fa974935fe077d19639
Opcode Fuzzy Hash: 18b646aad6ebb626d6a57db0964379396a335554ef02168e2880ac24fd369c9e
Instruction Fuzzy Hash: 422104B5D006099FCB14DFAAD844BEEBBF5EB88310F14842AE459A7250C774A944CFA5

Function 00D35278 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(00CC45D0,00000000,?,?), ref: 00D352FB

Memory Dump Source

Source File: 0000000D.00000002.4134752732.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_d30000_yRnixT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: aed8e23b3dd7915405777024b9da579edde8ec119903a33e33a73d675f6da959
Instruction ID: fff090b70475090faf0844d4b0f126c6c048b2d286a22aa3f8a9a98f14b1e8dc
Opcode Fuzzy Hash: aed8e23b3dd7915405777024b9da579edde8ec119903a33e33a73d675f6da959
Instruction Fuzzy Hash: 182134B5D002498FCB14DFA9D844BEEFBF5EF88310F14841AD429A7290C774A945CFA1

Function 02B0AFF8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 02B0B068

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 593d1f040f29e9006ad148cf4a84ae1ef279ed13af9a134e42bdbbd72e5ce8e6
Instruction ID: 38d8bd5be6373417bae3f8db7f4259abe1afb85d864f20c992ef5b6e45276fd9
Opcode Fuzzy Hash: 593d1f040f29e9006ad148cf4a84ae1ef279ed13af9a134e42bdbbd72e5ce8e6
Instruction Fuzzy Hash: D51103B5C002099FCB10DF9AD985ADEBBF8FB48320F10806AE568A3251C378A544CFA5

Function 02B0B000 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 02B0B068

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: f7ede09e3c6e7686d138ace591a0ea3f2e6ecab5161409fe215c1d71d6061004
Instruction ID: 3c24f39b7c69762568b6c10b2efd8a2c061eafa7692750ef431195ffbeb05b1f
Opcode Fuzzy Hash: f7ede09e3c6e7686d138ace591a0ea3f2e6ecab5161409fe215c1d71d6061004
Instruction Fuzzy Hash: 3811E4B5C002499FDB10DF9AD984BDEBBF8EB48324F10846AE518A3251D378A544CFA5

Function 02B03798 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B037FE

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1ccc24650f3ca27b8929d1d59baf6addaeb23c579c48caaa83106b167dd75e13
Instruction ID: b5ef21e1917d73b4bf90a0195f897675c263d870ca9720471e3cf8b722533b7a
Opcode Fuzzy Hash: 1ccc24650f3ca27b8929d1d59baf6addaeb23c579c48caaa83106b167dd75e13
Instruction Fuzzy Hash: 2D11E0B6C003498FCB10DF9AC448BDEFBF5EB88324F1084AAD429A7250D379A545CFA5

Function 02B0A410 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 02B0A46D

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0a411246c99dddbf7ebe0b647258ad558fbcc8326b8f35234decd7ed378ab64a
Instruction ID: dee028ff9a2f7b06313564a61a7ca905427a0c4be398cfe2d442c271a73005f3
Opcode Fuzzy Hash: 0a411246c99dddbf7ebe0b647258ad558fbcc8326b8f35234decd7ed378ab64a
Instruction Fuzzy Hash: 3C112EB59003588FCB20DFAAD488BDEBFF4EB48320F248459D559A7250C378A944CFA0

Function 02B09608 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 02B0A46D

Memory Dump Source

Source File: 0000000D.00000002.4138076579.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2b00000_yRnixT.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4991e84c75f0f98d0e0acd6a6d1a4366bafd19c38d25be32f415941d24d5f4a5
Instruction ID: d705f1e49aee45af459707426b4ab80f6a7dd7cfe50cc2977f62a39b83753c29
Opcode Fuzzy Hash: 4991e84c75f0f98d0e0acd6a6d1a4366bafd19c38d25be32f415941d24d5f4a5
Instruction Fuzzy Hash: AF1115B5D003488FCB10DF9AD489B9EFFF4EB48324F148459D619A7241D374A944CFA5

Function 00CCD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4134267284.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ccd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778b107b0fef5e6199ca52c4942a28e1bbe34d43f7962ca05adf5b73e6d3ca32
Instruction ID: 8217c43d61daf987e7435d227f0f396c79c954f11b9db48567d3e42e1f17a621
Opcode Fuzzy Hash: 778b107b0fef5e6199ca52c4942a28e1bbe34d43f7962ca05adf5b73e6d3ca32
Instruction Fuzzy Hash: 1B21F5B5604204AFDB05DF14D9C4F2ABBA5FB94324F28C97DD80B4B292C336D846CA61

Function 00CCD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4134267284.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ccd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d6562deb54ad2bab446bf22c416771d001fced588cd67876f1daa130b66e8f
Instruction ID: 6fb9084074b81b8a3c0cff1f8ca0b449ea0c124dcbfa3ae20fa279ff56f35b83
Opcode Fuzzy Hash: a3d6562deb54ad2bab446bf22c416771d001fced588cd67876f1daa130b66e8f
Instruction Fuzzy Hash: BB21B071604300DFDB14DF28D9C4F26BBA5EB94314F24C67DD94A4B391C236D847C662

Function 00CCD005 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4134267284.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ccd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d9f474097b74a2f5a3c2492da1b9b016ac072c4ee6678edee098279dc1919
Instruction ID: 8b6a0b7bda20b94f036ae1034faf001c07c3081f084f7055f4dee2c7ca08a21d
Opcode Fuzzy Hash: 697d9f474097b74a2f5a3c2492da1b9b016ac072c4ee6678edee098279dc1919
Instruction Fuzzy Hash: 662162755093808FD712CF24D594B15BF71AB46314F29C5EED8898B6A3C33A984ACB62

Function 00CCD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4134267284.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ccd000_yRnixT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 93c9a130b65406758175d8a9108789297d024ce8fd330dcdfbaf99f2ddec06c0
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 9F11DD75504280DFDB06CF10D9C4B19BBB2FB84324F28C6ADD80A4B296C33AD94ACB61

Analysis Process: NotepadUpdate.exePID: 7816, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	195
Total number of Limit Nodes:	5

Executed Functions

Function 07FB7719 Relevance: 8.9, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 07FB77B3
$dq, xrefs: 07FB789F
LRdq, xrefs: 07FB7877
$dq, xrefs: 07FB7784
LRdq, xrefs: 07FB786B
$dq, xrefs: 07FB7893
$dq, xrefs: 07FB7790

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8$LRdq$LRdq$$dq$$dq$$dq$$dq
API String ID: 0-252008424
Opcode ID: 90b4ac7f51ab2974798c186949bd1a81627e817b4b7058900e30078e9ef961ca
Instruction ID: b046aceb730208b362e3b87492ed4088db8510878232f7c3898dffdcea92dd65
Opcode Fuzzy Hash: 90b4ac7f51ab2974798c186949bd1a81627e817b4b7058900e30078e9ef961ca
Instruction Fuzzy Hash: 5731B6B5B14106CBEB34BA6AD8117FA7762FBC5301F288427E5069B385CA74C941C771

Function 07FB62D9 Relevance: 5.3, Strings: 4, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 07FB6994
4'dq, xrefs: 07FB66B4
R, xrefs: 07FB65A0
phq, xrefs: 07FB6701

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 4'dq$F$R$phq
API String ID: 0-3172865906
Opcode ID: fe16d3d1c81799f7f8c3e1e8099dcc2c6297bad35fe60f49040b3d6d668b0d6d
Instruction ID: 92583574a4a35b91b66c0d3300528994b885f0f166628576c6c0bc169029fae1
Opcode Fuzzy Hash: fe16d3d1c81799f7f8c3e1e8099dcc2c6297bad35fe60f49040b3d6d668b0d6d
Instruction Fuzzy Hash: DCD1E676A00114DFCB16CFA9C984DA9BBB2FF4D314B1A8098E6099F276C732DC61DB41

Function 07F9F408 Relevance: 3.9, Strings: 3, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 07F9F4D7
Hhq, xrefs: 07F9F51C
Hhq, xrefs: 07F9F561

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq
API String ID: 0-327223379
Opcode ID: 71f782c703599ec34129af8a1812b6be6d887abb815e91d7ae12c82fd25ac550
Instruction ID: e94a56f08f60c302e8e6a29230b1301afac047c706fab94d1bb1bda7da16b89c
Opcode Fuzzy Hash: 71f782c703599ec34129af8a1812b6be6d887abb815e91d7ae12c82fd25ac550
Instruction Fuzzy Hash: 3341FFB07043418BEB68AF79841062A7AEBEFC5308B18487CD556CB784EF38DD42C762

Function 07FB8600 Relevance: 3.8, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 07FB8727
8hq, xrefs: 07FB867F
8hq, xrefs: 07FB866F

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8hq$8hq$8hq
API String ID: 0-1838490158
Opcode ID: 17d58dfaa6e22a23921c5935fdc07554fdfd66986c1a6400d5e138cca0d3103d
Instruction ID: a452a65f238194e2a10d7feaff9cd78e483b03b7c8a59f3315430685b5a7a515
Opcode Fuzzy Hash: 17d58dfaa6e22a23921c5935fdc07554fdfd66986c1a6400d5e138cca0d3103d
Instruction Fuzzy Hash: 7531C9F5A1410ACBCB209A56C5509FF76BBE7CE3C4F284426D607A7380DA34CD428BE1

Function 07F96468 Relevance: 2.7, Strings: 2, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 07F966D9
Hhq, xrefs: 07F9670C

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: d13cdc885f8af79818b35bd265cf43cd233186a19068669ac5265d0920ac2a24
Instruction ID: fc687624ce4f85c1243983ed8f9416c1664b4d3572231a54bfac54d7179aaf97
Opcode Fuzzy Hash: d13cdc885f8af79818b35bd265cf43cd233186a19068669ac5265d0920ac2a24
Instruction Fuzzy Hash: 85712A75B001198FDB05EFA8C5549AEBBF2EF89310B2444A9E406EB7A1CB35ED41CF61

Function 07F96818 Relevance: 2.7, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 07F968F3
Hhq, xrefs: 07F968AA

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: fda2acce5166e27bc6c7386743217b2c6978cef1b951d59e69ed1187d2f176dd
Instruction ID: e54e2a83292f70efc9e15a90090b3a5d1345c780d9244ae7199f0bcdefb1793d
Opcode Fuzzy Hash: fda2acce5166e27bc6c7386743217b2c6978cef1b951d59e69ed1187d2f176dd
Instruction Fuzzy Hash: 5F619AB4B002118FDB14EB79D8948AEBBA6FF8961471945B9E906CB361DF31DC02CB91

Function 07F90448 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 07F9050C
Tedq, xrefs: 07F90609

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq$Tedq
API String ID: 0-2068707477
Opcode ID: afebf4dd0e34b0dab1fda54a60bab2426ef092c81cf20808ed38aa513141765d
Instruction ID: 78ce078cdd27572fb9b338c18c47d61328e24627ec8c02be66468e20f8204f25
Opcode Fuzzy Hash: afebf4dd0e34b0dab1fda54a60bab2426ef092c81cf20808ed38aa513141765d
Instruction Fuzzy Hash: 8C519C71B002268FDB05EB79C85496EBBE6EFC9320B548569E50ADB3A1DF34DD028790

Function 07FB85F0 Relevance: 2.6, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 07FB8727
8hq, xrefs: 07FB866F

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8hq$8hq
API String ID: 0-601589740
Opcode ID: 34af3b58d4a3f3ab448a679b9f8a6cee7fb46a08b0efde361b7dc28f44e62559
Instruction ID: b6d506e739cb059f1d974ab58dacb3af9b9657293f0895e46497dc1ab0686462
Opcode Fuzzy Hash: 34af3b58d4a3f3ab448a679b9f8a6cee7fb46a08b0efde361b7dc28f44e62559
Instruction Fuzzy Hash: A031E8F1A14106CBC7219A66C5505FE7BBBE7CE380F18446AD607A7341D634CD428BE2

Function 07FB7670 Relevance: 2.6, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 07FB7686
$dq, xrefs: 07FB7692

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: c2c6acf45c445e1a976709706d3f5102bf455415fa128888cd518df631c8bd73
Instruction ID: 6a8905e9c0819b908b1609b92ad9d578520aec20940501a949fed6fc8a25a318
Opcode Fuzzy Hash: c2c6acf45c445e1a976709706d3f5102bf455415fa128888cd518df631c8bd73
Instruction Fuzzy Hash: AF1193F1A2A205DFC365EA6ED9102E6BFB6B78E204F1941B7D409CB642D730C941C7B2

Function 07FB773F Relevance: 2.5, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 07FB77B3
$dq, xrefs: 07FB7784

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8$$dq
API String ID: 0-2343709646
Opcode ID: ab370821da8a7dad4f45a6587d687ca90a8263d34443faa8db1fd0fd248b22c8
Instruction ID: c2d951d685086b0380a2e1bd81a376a1ced5e1f5273f9b8c7c279d7dfd19e4b2
Opcode Fuzzy Hash: ab370821da8a7dad4f45a6587d687ca90a8263d34443faa8db1fd0fd248b22c8
Instruction Fuzzy Hash: 74F0A4B1B54202DBE730AA21C8127D87662AF80700F298856DC019F681E6A08990CB61

Function 06A7537C Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A755BE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c2c22b3cb828294491ce099c3b956a4ed121e09ba0777825725d585eb9d24320
Instruction ID: bc8ab778d3af2ae0aab4cfead03bb64b485f9ba1ae18f5923b3e1facf80c33f6
Opcode Fuzzy Hash: c2c22b3cb828294491ce099c3b956a4ed121e09ba0777825725d585eb9d24320
Instruction Fuzzy Hash: 98A16B71D002198FDB60EF68CC417EEBBB2FF48314F1485A9D809A7250DB749A95CF91

Function 06A75388 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A755BE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 62e023f507238c7b6752faa4ac1fa24ac33f345d299650eab70429003d30a7de
Instruction ID: c01673511a76d78716a9dfcad5faae5c443e775736cbc3b2e8daf2654654dc84
Opcode Fuzzy Hash: 62e023f507238c7b6752faa4ac1fa24ac33f345d299650eab70429003d30a7de
Instruction Fuzzy Hash: 36917A71D002198FDB60EFA8CC417EEBBB2FF48310F1485A9D809A7290DB749A95CF91

Function 008AAE59 Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 008AB0BE

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1eaf97cd693f0c77d5554d9bf5706fe207f50d001e4a8cc9db201b13ccb7a060
Instruction ID: a04b21b34e87cfd372064e70c2405677387381c3b394833f771c57a79c7038ef
Opcode Fuzzy Hash: 1eaf97cd693f0c77d5554d9bf5706fe207f50d001e4a8cc9db201b13ccb7a060
Instruction Fuzzy Hash: 6A9179B0A00B458FE729DF29D44079ABBF1FF89304F04892ED08AC7A41D775E94ACB91

Function 008A590D Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 008A59C9

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1080dbc08d37470d77f7bd67a3b82ba62710f165302103b6b25d838102978c26
Instruction ID: d8493fdc3dfe1b50b7933df04b8e38b32f7131fc5c9a0ae7e89ed44f34546f52
Opcode Fuzzy Hash: 1080dbc08d37470d77f7bd67a3b82ba62710f165302103b6b25d838102978c26
Instruction Fuzzy Hash: AE41C1B0D00719CBDB24DFA9C884ACDBBB1FF89314F24816AD409AB251DB756986CF90

Function 008A44E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 008A59C9

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 615d5cf55ad1d66eb965112e514a1a102a9f304852f8bf308cc5ea7a90fb8e3f
Instruction ID: bfa11629a9b2b09d6fea5e184a5b4d89e1f3c4b64ab717ca90e642fe433dd7f5
Opcode Fuzzy Hash: 615d5cf55ad1d66eb965112e514a1a102a9f304852f8bf308cc5ea7a90fb8e3f
Instruction Fuzzy Hash: 0941CFB0D0071DCBDB24DFA9C884A9EBBF5FF89314F20816AD409AB251DB756985CF90

Function 008A5A84 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c85c97990dca8522a8fcc5f7e1e4a821a175d6f3d531b9f396cd8e5d3b7b5bc
Instruction ID: 84cd11bd5b2b2a1df3258cd260470974060880807e78d974990d0c20d7ee7af1
Opcode Fuzzy Hash: 6c85c97990dca8522a8fcc5f7e1e4a821a175d6f3d531b9f396cd8e5d3b7b5bc
Instruction Fuzzy Hash: FF31ECB1C00B59CFEB20CFA8D84469EBBB0FF42324F14414AC406AB691C775AA8ACB41

Function 06A750F8 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A75190

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8de542cbab1b369072db659d86815ce4a3fbecdeef7eb1fa3f26a54445b981dc
Instruction ID: 498cb84256d8e6888df2a148d0817531f0e5d8f0806c7334bdf8bc3b1213d483
Opcode Fuzzy Hash: 8de542cbab1b369072db659d86815ce4a3fbecdeef7eb1fa3f26a54445b981dc
Instruction Fuzzy Hash: 8E2157B1D003499FCB10DFAAC885BDEBBF5FF48310F10842AE959A7240C7799954CBA4

Function 06A75100 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A75190

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 28e5dc8d873979e4bf5007176a41e94664d28d0ff460f18c39c8db8072684e6b
Instruction ID: afcd083957a3e9e2ffd80e7a167af201874df55609641aea71fce1d652888038
Opcode Fuzzy Hash: 28e5dc8d873979e4bf5007176a41e94664d28d0ff460f18c39c8db8072684e6b
Instruction Fuzzy Hash: 142125B1D003499FCB10DFAAC885BDEBBF5FF48310F10842AE959A7240CB799944DBA4

Function 06A74B28 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A74BAE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d5e89bc6e123d9258048cb5a6fe6f1ceab5182aefcb3179ef298adbe25fe5776
Instruction ID: d7d0de1897b4636ad9201ef5684dbb6df864f761a52457d681e943fc0bac54cc
Opcode Fuzzy Hash: d5e89bc6e123d9258048cb5a6fe6f1ceab5182aefcb3179ef298adbe25fe5776
Instruction Fuzzy Hash: 81215C71D003099FDB50DFAAC8857EEBBF4EB88310F148429D459A7241CB78A945CFA4

Function 06A751E8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A75270

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 97b68ce777d77073a9116123f9de90af2bf247a41227a73d00a35f9488bc42ef
Instruction ID: de9298ee66a83dd3fad5dfb587c989711b77c93916519b30a625a6d9a0f641c0
Opcode Fuzzy Hash: 97b68ce777d77073a9116123f9de90af2bf247a41227a73d00a35f9488bc42ef
Instruction Fuzzy Hash: AC2139B1D003499FCB10DFAAC885ADEFBF5FF48310F508429E559A7240C734A954DBA4

Function 008AD738 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,008AD706,?,?,?,?,?), ref: 008AD7C7

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 238bd4ffbd766f245e2da1a4b0f16dbe3c53c02db9ac02b48bfdd35d66bad0bb
Instruction ID: abede5610b05aa1c4c81b5639ab94cf71f709a04bdfddfa10cb39435f4fd1e7c
Opcode Fuzzy Hash: 238bd4ffbd766f245e2da1a4b0f16dbe3c53c02db9ac02b48bfdd35d66bad0bb
Instruction Fuzzy Hash: E82103B5900348AFDB10CFAAD984ADEBFF4FB48310F14801AE958A7250C374AA45DFA4

Function 008AB850 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,008AD706,?,?,?,?,?), ref: 008AD7C7

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ba8cba424b90774b588b92c3f7292123d134cc783d8454e7a4e99a4b6c8d1ae
Instruction ID: 78354ad7b89f0f19c4ee4c67e1372e9b5be900cb36d43e79734e013b9950a6fb
Opcode Fuzzy Hash: 3ba8cba424b90774b588b92c3f7292123d134cc783d8454e7a4e99a4b6c8d1ae
Instruction Fuzzy Hash: B721F2B59003089FDB10CF9AD884AEEBBF4FB48310F10801AE919A3750C374A944CFA4

Function 06A74B30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A74BAE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b6f61ba4b6b35cfbd3ac9a16fa849d13996f9c461a715104961028367223132e
Instruction ID: 47422d6fd18efb5c36cb38613e32b0770385e5f9b6b1344c64fa7cda3dad3dce
Opcode Fuzzy Hash: b6f61ba4b6b35cfbd3ac9a16fa849d13996f9c461a715104961028367223132e
Instruction Fuzzy Hash: FC214C71D003098FDB50DFAAC8857EEBBF5EF88324F148429D559A7241CB78A945CFA4

Function 06A751F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A75270

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0d04dcfd7e2b24e9edeacf63b734cf5f933abb71dd1d6ae526ef68f1422ecf18
Instruction ID: 83ba63937a0e3480f01114df37b0972c27230c4fd7523f2d02b2b5ca2daf8d9b
Opcode Fuzzy Hash: 0d04dcfd7e2b24e9edeacf63b734cf5f933abb71dd1d6ae526ef68f1422ecf18
Instruction Fuzzy Hash: E12128B1D003499FCB10DFAAC845ADEFBF5FF48310F50842AE559A7240C739A944DBA4

Function 06A75038 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A750AE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 089b91d1ecdfbf929e433919e6d7d28ddddac3fe4ae9a01fe91cf422e36d0de0
Instruction ID: b46629d631518cea10168cf0fcbf5278fd32d0992bb8ab6499884fde992bd48e
Opcode Fuzzy Hash: 089b91d1ecdfbf929e433919e6d7d28ddddac3fe4ae9a01fe91cf422e36d0de0
Instruction Fuzzy Hash: 4D1144769002089FCB20DFAAC845BDEBBF5EF89324F148419E519A7290CB35A944CFA0

Function 06A74A7A Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A74AE2

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 557631e220a1c4cfb85da0c45cf85f6de03c474e2469cdc081e809140d240608
Instruction ID: c8da73729625afde6855f1aa84370a72c328362a7ee128bd348978ca3a931640
Opcode Fuzzy Hash: 557631e220a1c4cfb85da0c45cf85f6de03c474e2469cdc081e809140d240608
Instruction Fuzzy Hash: 8B1158B5D003488FCB14DFAAC8457EEFBF5EB88324F24841AD559A7240CB75A945CFA4

Function 06A75040 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A750AE

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2007fc1dbd3c745003a50ffb2db15ebad906197ca4ec399be84209d8f275a947
Instruction ID: 93481ffda0fd1b58f40f63f36cc2874093f972113ee13cf3be40a6a5aec84ccc
Opcode Fuzzy Hash: 2007fc1dbd3c745003a50ffb2db15ebad906197ca4ec399be84209d8f275a947
Instruction Fuzzy Hash: F01156719002089FCB10DFAAC845ADEBBF5EB88324F108419E519A7250CB35A944CBA0

Function 06A74A80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A74AE2

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4dfd55951a511ac656eab73eb4138a55a657d7e893dd352040e05e215703dc65
Instruction ID: 9b4ad8da8cd94d3698a4d8d6a5ebdd547c2dd0084a677a449837b4bb5d59dc3c
Opcode Fuzzy Hash: 4dfd55951a511ac656eab73eb4138a55a657d7e893dd352040e05e215703dc65
Instruction Fuzzy Hash: 93113AB1D003498FCB10DFAAC8457DFFBF5EB88324F24841AD519A7240CB75A944CB94

Function 06A7663C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A78C0D

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eb0b28f091f381c55a6a021c96108922114b3163d849ddef66c14c4440c3371b
Instruction ID: c5ab42d9028331dc65c395fc7c7187275867b7477ea9da868d99a0d3d1877efd
Opcode Fuzzy Hash: eb0b28f091f381c55a6a021c96108922114b3163d849ddef66c14c4440c3371b
Instruction Fuzzy Hash: 601106B5800349DFDB10DF9AD849BDEFBF8EB48310F108459E518A7250C379A944CFA5

Function 008AB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 008AB0BE

Memory Dump Source

Source File: 00000014.00000002.1918873066.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8a0000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ae271387d8d65a2138523c71c6d2347b5665d1a604cd003fd80b7bf0359881d9
Instruction ID: 32b8121732cedb2c9a1cfc55ea338fb14d17041cbe50953a94f1068754fa11b9
Opcode Fuzzy Hash: ae271387d8d65a2138523c71c6d2347b5665d1a604cd003fd80b7bf0359881d9
Instruction Fuzzy Hash: 0D110FB5C007498FDB10CF9AC844A9EFBF4EB89320F10841AD529A7640D379A545CFA1

Function 06A78BA8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A78C0D

Memory Dump Source

Source File: 00000014.00000002.1952777759.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6a70000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 37c9ca059e24709859873ed7c0cbeeffde0eac2d300bb33357428c484ed54d79
Instruction ID: 8a528b82ee202804291e1a8f7623eb4a872e0bc751170e18ebe91f33acffd196
Opcode Fuzzy Hash: 37c9ca059e24709859873ed7c0cbeeffde0eac2d300bb33357428c484ed54d79
Instruction Fuzzy Hash: 311103B5900349CFDB10DF9AD989BDEFBF8EB48310F10845AE919A7240C379A584CFA5

Function 07F9AE50 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

Hhq, xrefs: 07F9AF6E

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq
API String ID: 0-4210879014
Opcode ID: f8ba8f2e7d1627f13a29b8628efb30b867a3f8bec5cb69c61cf62dc9ceca06ac
Instruction ID: 5d4227b6a073771f4f87dadc83fe54b35d892fed1fdbca84e9de853dd08f4e04
Opcode Fuzzy Hash: f8ba8f2e7d1627f13a29b8628efb30b867a3f8bec5cb69c61cf62dc9ceca06ac
Instruction Fuzzy Hash: 0E918F74A002198FDB04DFA8D4809AEBBF6FF89314B14C06AE905EB351EB35DD46CB61

Function 07FBE400 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Tedq, xrefs: 07FBE49E

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 6568689b813dc5f624ed3994f4bb23b874961fd05161a3d1140949958d5029fb
Instruction ID: e320d0bf98c352b8d53b6c35abf988940edc8d7fcaabf3b85c534c7b8b5624f6
Opcode Fuzzy Hash: 6568689b813dc5f624ed3994f4bb23b874961fd05161a3d1140949958d5029fb
Instruction Fuzzy Hash: 3571E3B5E14218CFDB18DFAAC884AEDBBB6FF89300F149029D40AAB355DB709945CF50

Function 07FB653C Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

F, xrefs: 07FB6994

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 50d859e5fce9d1a5ad6942d255c08ce1799ede07ab05e6495a889b0abf62947b
Instruction ID: 620039c6c7e8ee6992ff8483d628f81edbc6f8b041a62a678c95bf16d5a2db62
Opcode Fuzzy Hash: 50d859e5fce9d1a5ad6942d255c08ce1799ede07ab05e6495a889b0abf62947b
Instruction Fuzzy Hash: 80518DB1A05204DFCB14CF65C994AA9BBF1FF4A310F1980AAE509DF2A2DB35ED41CB11

Function 07F93FD0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(hq, xrefs: 07F940C4

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 69307e5045a8ff5c591c0c4f88eda3deb0d3503b2061e67d088f84f36e1dc77d
Instruction ID: 01701ded234843eea285a809eeee84995d45432631a10b47ad7e44a010e5f051
Opcode Fuzzy Hash: 69307e5045a8ff5c591c0c4f88eda3deb0d3503b2061e67d088f84f36e1dc77d
Instruction Fuzzy Hash: 8141D170A006458FDB45EB6CC4046AEBBF6EFD9310F1841AAD109DB361DB70DD86CB91

Function 07FB8208 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

$dq, xrefs: 07FB821F

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: 5f37dcbbb9021e2429c259816b0d894d7201e432839305486835a672566e86be
Instruction ID: 0fe131962a4801b0e039a566976a4568926eae82b8542b55a9adf65cfa59710e
Opcode Fuzzy Hash: 5f37dcbbb9021e2429c259816b0d894d7201e432839305486835a672566e86be
Instruction Fuzzy Hash: DD11E4F291EA84EFC731A666D9101E53FED9BC32C4F1C40BBD50ACA542C236C80286E3

Function 07FB9150 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tedq, xrefs: 07FB91BB

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: d8a9eaaa23de638f70737a078f68ab1b13cf090dc3f3a0241dbb3d9c3e56469b
Instruction ID: 2f34511ebcff3d1514356915a67d10bff24727480321b4e6014fd3a19859b909
Opcode Fuzzy Hash: d8a9eaaa23de638f70737a078f68ab1b13cf090dc3f3a0241dbb3d9c3e56469b
Instruction Fuzzy Hash: 65114CB1F0021A8BCF14EBBA99006EEB6F2AF88310F144029C514EB254FB319E11CBA1

Function 07FB7660 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

$dq, xrefs: 07FB7686

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: 28710641df14d865f560a03ba358fc696b31375c34b5a632d2a890b2d2aa8504
Instruction ID: 01fb6739a079e447c1bed3f8378dbaa32c86299e04655a4463364d6c17d3df0a
Opcode Fuzzy Hash: 28710641df14d865f560a03ba358fc696b31375c34b5a632d2a890b2d2aa8504
Instruction Fuzzy Hash: E50162F1A29102DFC335AA29D4502E1FBA2B78E204F0982B7D4098B542D734CD44CBB2

Function 07F989FF Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

W, xrefs: 07F98A0D

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: ccb51596cd37f7d319b6fe74333b1ce7c36c7bf6ffa8028d97fb9d37571ccf53
Instruction ID: 925b2cc5aa50914e8ec99ade3f2e612a9a2f42b3c4a27a738de006ed51352389
Opcode Fuzzy Hash: ccb51596cd37f7d319b6fe74333b1ce7c36c7bf6ffa8028d97fb9d37571ccf53
Instruction Fuzzy Hash: C6F0AF307002118FDB24AF29D044A5AB3EAEF8A715F1045BAE106CB762CB71DC468B81

Function 07FB6379 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

G, xrefs: 07FB638C

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 4d7cfec61a71d36bdc0617bd02e946de0dccd422b632d79dc295b4fe72b593b4
Instruction ID: 6de09fea93f6f4d77141a78b29b4738159d95c83e94ce88d32c815362c2e2d84
Opcode Fuzzy Hash: 4d7cfec61a71d36bdc0617bd02e946de0dccd422b632d79dc295b4fe72b593b4
Instruction Fuzzy Hash: 15D05BB644D248DFC311D695E8155DABF789703211F0C41CBE509C76D1C7641F0856F2

Function 07FB69B0 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

I, xrefs: 07FB69C4

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0ab65f92e5df612d653fab7d62216bccd23221049179006f418a35a93ae56055
Instruction ID: 438fbe61104a3032bc6d56f2e67e0ba6d9c0295225752cb4363c89a2ec5f1969
Opcode Fuzzy Hash: 0ab65f92e5df612d653fab7d62216bccd23221049179006f418a35a93ae56055
Instruction Fuzzy Hash: F9D012D251D249DFC7229B61AC112EA7BA49B03255F0801D7D8D8CB182DA294B1897A3

Function 07FBAEC2 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

P, xrefs: 07FBAEC4

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 8b26bf8eb4797a74f804736c735f223f868a3dbdcd4574e64b069d77e61f62e6
Instruction ID: 92212eee4c8c2b95ee8ab6a63613e0170adc48a7180a7be561afa1071a95fb9b
Opcode Fuzzy Hash: 8b26bf8eb4797a74f804736c735f223f868a3dbdcd4574e64b069d77e61f62e6
Instruction Fuzzy Hash: EEE08CF3B28084DAD2709AEB50001F6B690A38B211F08C8C798AB5BA41D67299009B93

Function 07FB7B29 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

(, xrefs: 07FB7B3C

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 329ac69dd903a4d66b859df0c12ebf55d1bc4157f766c3307c292422411533b5
Instruction ID: 5f4ab4fd76f5af6d97ac3843f34e97d60b2d0040a6e7b33345481c4cc21d0d16
Opcode Fuzzy Hash: 329ac69dd903a4d66b859df0c12ebf55d1bc4157f766c3307c292422411533b5
Instruction Fuzzy Hash: F9D0C25200E7848BC312D7629C112E9FFA09B43310F0881CBC44487182C6210A0897A3

Function 07FB6388 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07FB638C

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: eb6efdf4d36a2242ca225676dd231a0279699a186d650fe6485d0469effd6ecf
Instruction ID: bd906dbf4897950f95be2b1a4843a0e52a19319897400c385c2f735b556db209
Opcode Fuzzy Hash: eb6efdf4d36a2242ca225676dd231a0279699a186d650fe6485d0469effd6ecf
Instruction Fuzzy Hash: 83C012F1408108EBC610DA82E8099ACB7A8E702221F080089E90E82280CB756E04AA81

Function 07FB7B38 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

(, xrefs: 07FB7B3C

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction ID: eb4086953719c5341f4c25fdda79d199343562490bdfa56ccb066eab2613c292
Opcode Fuzzy Hash: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction Fuzzy Hash: DAC08CA140920CE7C760EA9BEC019ACF3ACDB92314F088287980943200CB319E105AA2

Function 07FB69C0 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I, xrefs: 07FB69C4

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction ID: 6f0648e6a1a0c46f716886b87410975e878cd962d8a4652c80f61d0ac47a55e0
Opcode Fuzzy Hash: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction Fuzzy Hash: D1C08CF260D20CEBC620DAA2D8015ADB3ACD702614F0802E6980D83600CA319E149282

Function 07F92220 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8051717246b1e8a548e0653a6d748d58fe792a64afe8e04843587e0d47aeef
Instruction ID: 3e7c4c6fcfae46a48ccf3bf6dff39d51dbe749163ea2c860e6317f3d86d2106e
Opcode Fuzzy Hash: be8051717246b1e8a548e0653a6d748d58fe792a64afe8e04843587e0d47aeef
Instruction Fuzzy Hash: 866201F1E00B479BEF759F7495983AD76A2FB42304F14593FC1EACA290EB3494818B42

Function 07FB1798 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1f6f61d300d082314d99ae1050c6b2f2cf76548a04cd950ac9a5c6e47596a9
Instruction ID: f51e24a64102e4f24fc45b876fa819cbcf91575e84ee7032ce1550d92f7e0adc
Opcode Fuzzy Hash: 4f1f6f61d300d082314d99ae1050c6b2f2cf76548a04cd950ac9a5c6e47596a9
Instruction Fuzzy Hash: 2D42F270D1061DCFCF25EFA9C8546DCBBB1BF49300F518299D5497B264EB30AAA9CB81

Function 07F921C1 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8dca96ce63fc8164ebbdc8bfef41b318504a64f2bf0d07d532dcc001920ff0
Instruction ID: 17430b4e4e35569073ef952f4a1e070d7efc9a0db81d84ebb3cd41363e093d36
Opcode Fuzzy Hash: 3d8dca96ce63fc8164ebbdc8bfef41b318504a64f2bf0d07d532dcc001920ff0
Instruction Fuzzy Hash: 6422A0F1D05F479BEB715F64A68839EB690BB07314F245D2FC0FACA251E73490868B86

Function 07FB01D8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d07432bbfd3af93a644ebc2d844553f138e7ea935a92633f8cf8cca8b714b3d
Instruction ID: fdf8a024c9c5d489630b116ec1861e42bbc9803b1c2e8403c7b53ea33452d284
Opcode Fuzzy Hash: 7d07432bbfd3af93a644ebc2d844553f138e7ea935a92633f8cf8cca8b714b3d
Instruction Fuzzy Hash: 2CB19DB1E05209CFDF21DFA6C8846EEBBF2FF89300F284469D10AA7651DB319955CB52

Function 07FB4830 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3dc0c3c0138b6a86565c2b23a0a1b6bf7fc4e90e0422f05a265d4721610db7
Instruction ID: f98b335ac5989494c66046f5198e3a37f49b1a5d610382585754f94aebe92975
Opcode Fuzzy Hash: 2b3dc0c3c0138b6a86565c2b23a0a1b6bf7fc4e90e0422f05a265d4721610db7
Instruction Fuzzy Hash: 06F1E871D1061ACBCF10DFA8C954AEEB7B5FF59300F1086A9D949B7215EB30AA85CF90

Function 07FB481F Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cace2d9690ea89e6c0ead2d6e6c8c13deda833346095996eac363e9cdd4cde4
Instruction ID: fa0d625f9a634ee0c37052e28d84e475b3ef915951e0a8eee8b9cb4ddfcb65d1
Opcode Fuzzy Hash: 1cace2d9690ea89e6c0ead2d6e6c8c13deda833346095996eac363e9cdd4cde4
Instruction Fuzzy Hash: B7E1FA71D1061ACBCF10DFA8C944AEEB7B5FF49300F1086A9D909B7215EB30AA85CF90

Function 07FB4E40 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea177b56c4e2040f091e2e319c0e87cd61d496a9ecd5fd07bac5cbe80e93a0d9
Instruction ID: 7062b1b5a17184ebaab7d5e82706d1c78b71bf0721454ffa0b8093867a801de9
Opcode Fuzzy Hash: ea177b56c4e2040f091e2e319c0e87cd61d496a9ecd5fd07bac5cbe80e93a0d9
Instruction Fuzzy Hash: C1C16D71E10219CFCB24DF69C8546EDB7B2BF85304F1885A9D406BB361EB34AD85CB91

Function 07F915A8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfbf8a6988c9b8733af90884011d20c51eda825fd18e2dbb20e9adc03cec595
Instruction ID: d3a38932d3334299e1a0ff4df335c837d4c15296956ed8e7993b61d960c0799e
Opcode Fuzzy Hash: ddfbf8a6988c9b8733af90884011d20c51eda825fd18e2dbb20e9adc03cec595
Instruction Fuzzy Hash: FAA15F74A00319DBDB14DF64C850BAEBBB5FF89300F1481AAE949A7351EB309D86CF91

Function 07F96950 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6420b524696148835a70640d815af4d3c19634df9cf6e9b597074e3a608611
Instruction ID: 1f4040baad50233c45f5f344fa5ed47d85f628aaa92db6c758f7da3192143944
Opcode Fuzzy Hash: 8a6420b524696148835a70640d815af4d3c19634df9cf6e9b597074e3a608611
Instruction Fuzzy Hash: 5E8112747106008FDB18EF28D5989A97BF6FF89B05B1581A9E506CB376DB72EC01CB81

Function 07F9EBB8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2c380a3f9e99a63b126d060a4b0d5a25e0e05ca265953335d263da688b0eac
Instruction ID: edefaebb997850713484d1ba667087e3641055eeb8e716ceb5216648a9f3a197
Opcode Fuzzy Hash: 9a2c380a3f9e99a63b126d060a4b0d5a25e0e05ca265953335d263da688b0eac
Instruction Fuzzy Hash: C291C3B5A0060A9FDF25CFA8C980ADEB7F6FF48310F188529E965E7254D730E951CB50

Function 07F9C188 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0c6d333ae0697b0b08549ea04d1e8d466e109d7507aa13649e36f28480641d
Instruction ID: 8d48a877e71183cae8062e664a1acea2317c32b4448f5d0919b881fadba24959
Opcode Fuzzy Hash: 3b0c6d333ae0697b0b08549ea04d1e8d466e109d7507aa13649e36f28480641d
Instruction Fuzzy Hash: BE818E71A10209DFDF14EFA4D8949EDBBB5FF89300F148569E502AB364EB70A945CFA0

Function 07FB3978 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6298034d778060fc7ac16584305930cca80e1aa5198ee2a1c392bbf4bac7711d
Instruction ID: c61b35f48103b2cf2c867c3d48e38611184c149fbe95687c77181391c7b54124
Opcode Fuzzy Hash: 6298034d778060fc7ac16584305930cca80e1aa5198ee2a1c392bbf4bac7711d
Instruction Fuzzy Hash: 6481D3B1E5010ADFCB21EF69D8886ECBBB5FF45300F298069E041A72A4EB30D964CB41

Function 07F9EBA8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc43c702d8f930e7430b493569276f3b2b7273fdf4737075e4a7489009f8b311
Instruction ID: 4ed1723347a49f3878624ca7f50420ca7b8e4bc1cabd8faba174a0709f0c443a
Opcode Fuzzy Hash: bc43c702d8f930e7430b493569276f3b2b7273fdf4737075e4a7489009f8b311
Instruction Fuzzy Hash: B291C2B5A0060A9FEB25CF68C580A9EB7F2FF48310F188529E965E7354D730E951CB50

Function 07F91599 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0e0c98c781aad22d3aebcf3900744bfa2e75b81e803d4789e06dd543a57bde
Instruction ID: d4ffd19dc029d8fd97e4dc0e10a206a952c460b3b9d9834ef87499880f26be2e
Opcode Fuzzy Hash: ce0e0c98c781aad22d3aebcf3900744bfa2e75b81e803d4789e06dd543a57bde
Instruction Fuzzy Hash: BB912D74910719DBDB14DF64C840BAEBBB5FF89300F14819AE949B7210EB31AE86CF91

Function 07F9BCB0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a0370503d61c6fc7e06e99dd865d54df0c79eada0f581459aaf8bbef0d6a5c
Instruction ID: 5e7a37f14df8c794bdc30b07863ce7a8b20391a6735b2e0fb52012b24f8bdf42
Opcode Fuzzy Hash: c9a0370503d61c6fc7e06e99dd865d54df0c79eada0f581459aaf8bbef0d6a5c
Instruction Fuzzy Hash: 837119B5A007058FDB20DF79E98469EB7F5FF48210B14893EE55AD3700DB34E9458B51

Function 07F978A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b3ae1f9e14e68c05ad0f10bd58d5181198854057cd702ad6f4c0f762a129db
Instruction ID: 1f680c954a9143ef6f3c67677069878b60e1691e28e4f197bd9603dc37dc5c83
Opcode Fuzzy Hash: a8b3ae1f9e14e68c05ad0f10bd58d5181198854057cd702ad6f4c0f762a129db
Instruction Fuzzy Hash: A8713B71E106098FEF14EFB9C8546AEBBB1FF89305F148179D446A7350EB34AA45CBA0

Function 07F9510C Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cf8c1e4ccdafde26d9b07f792a309503ba4edd6cdccc7d4716d1ba6bdc4a79
Instruction ID: 7cde7b8254f9c30ef7b9a84a78ab55f0a6f02508e6c20924d52622b15940267e
Opcode Fuzzy Hash: 76cf8c1e4ccdafde26d9b07f792a309503ba4edd6cdccc7d4716d1ba6bdc4a79
Instruction Fuzzy Hash: E281EA31A1470ACFDB00DF69C980599F7F1FF9A300F25D65AE519BB211EB70AA95CB80

Function 07F990D1 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcaf4219e421e85bd10db8a6919a7770dd3dcdd3ea8db5f9dbb0f692eaaac3c
Instruction ID: cde1ef7242c1c8432f05333e6f4bf6e74f408ba10d42d1cf022aa441152c47ce
Opcode Fuzzy Hash: 1fcaf4219e421e85bd10db8a6919a7770dd3dcdd3ea8db5f9dbb0f692eaaac3c
Instruction Fuzzy Hash: 4281D931A1070ACFDB10DF69C980599F7F1FF99300F25C659E559BB211EB70AA95CB80

Function 07F99698 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b9d058c1181b8e3059a09d65243e3133ff2c1be1f36f894a771ddd1ef5c997
Instruction ID: bd5d55bfc9cdcccda1c2306386d643082ff89abbeea7193b1fea94e1f9b15679
Opcode Fuzzy Hash: 63b9d058c1181b8e3059a09d65243e3133ff2c1be1f36f894a771ddd1ef5c997
Instruction Fuzzy Hash: 577106B4E00209DFEB14DFA9D488A9DBBF1FF88314F19846DE415A7251DB70A885CF61

Function 07F9E45B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a89de62b55c53aa8cd044cf32eb78af752f9256eba3f7e420fe20c8f037fbf
Instruction ID: ca448832a6b4751fd1404a310d006ef710051a32feeeca6409e77c105846605d
Opcode Fuzzy Hash: 35a89de62b55c53aa8cd044cf32eb78af752f9256eba3f7e420fe20c8f037fbf
Instruction Fuzzy Hash: 566148B6A10209DFDF04DFA8D8809ADBBB1FF89314F144269E905AB355EB31E851CB91

Function 07F9CA28 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c200918cb1bfdbb92afdc23353937b81f324e83c84a2e5aee9797920ff32d58b
Instruction ID: f0459fff43b343585140739a7da9d3702d4853e9fd9fdb1e863d2b19bf69c61b
Opcode Fuzzy Hash: c200918cb1bfdbb92afdc23353937b81f324e83c84a2e5aee9797920ff32d58b
Instruction Fuzzy Hash: 91518CB0B002018FEB15DB79C494BAAB7E6EF89704F184579E00ADB7A1DB75EC41CB61

Function 07F98EB8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a935d0e4d7a270a03890f63856d10a2a4af17d77dcf70d5470e510ffdea8981
Instruction ID: c3fd4b57dcad1da3aac0b23ff44f10d553880703a6d032dafcd76609b88e36cb
Opcode Fuzzy Hash: 1a935d0e4d7a270a03890f63856d10a2a4af17d77dcf70d5470e510ffdea8981
Instruction Fuzzy Hash: 11611771D00609CEDF01EFA8C8509EDFBB1FF89300F05C66AE5556B264EB71AA85CB81

Function 07F98EC8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c2fd395f49290d6780b92a9eb263b2b7ffbbfddd544df35cd0ef8b0dedff46
Instruction ID: cf4291e983e08ecc5d217a21873e9328e6cf17bc2ab4ec4fe02b95e9c4698d19
Opcode Fuzzy Hash: 71c2fd395f49290d6780b92a9eb263b2b7ffbbfddd544df35cd0ef8b0dedff46
Instruction Fuzzy Hash: 36610771D00609DEDF01EFA8C8409EDFBB1FF89300F05C65AE5556B264EB71AA85CB81

Function 07F98CA8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0df4c074d7f6dbbb9fc3eae0f315a79d878de6dd922be2fde4cb48107bbe95
Instruction ID: f011a7c75c371cd1ce2d257a0ca4741c9a07a4fe42bb3116b6bf72463624c7fd
Opcode Fuzzy Hash: 6e0df4c074d7f6dbbb9fc3eae0f315a79d878de6dd922be2fde4cb48107bbe95
Instruction Fuzzy Hash: 86514C75A00609CFDF15EFA8C88499DBBF6FF89304B14816AE509AB361EB31ED45CB41

Function 07F9BCA0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a78a0942214380e8af59c9cdb7cff857607e6d64d86042071e78fd5c78e960
Instruction ID: cb0e551e70e869c6657187695321aa4769468a6486a36364d1e7664354879794
Opcode Fuzzy Hash: 17a78a0942214380e8af59c9cdb7cff857607e6d64d86042071e78fd5c78e960
Instruction Fuzzy Hash: 745117B5A007068FDB64DF78D984A9EBBF1FF48210B048A2EE85AD3751DB34E905CB51

Function 07F98C99 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b78309f32f0a10547128812e1ff7c55824f5cba15ad50c483612f77e5b09eb3
Instruction ID: 52b3ef6a36131be60e7b35c98881014e22ddcf7c92553e625d8a48efaa11e16d
Opcode Fuzzy Hash: 2b78309f32f0a10547128812e1ff7c55824f5cba15ad50c483612f77e5b09eb3
Instruction Fuzzy Hash: F2515871A00609CFDB15EFA8C89499DBBF6FF89300B15816AE509AB361EB31ED45CB41

Function 07F950FC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a411c54a5efee9be11f70b3f706903547017d344eb0374d6267a659657e78a
Instruction ID: 28526d0efb525a3d0d464624c314c29830fcb13394ffa7a9a5902d41d3cbb78e
Opcode Fuzzy Hash: c7a411c54a5efee9be11f70b3f706903547017d344eb0374d6267a659657e78a
Instruction Fuzzy Hash: 9C51E4B5A0120ACFDF10DFA8D5809DEB7B1FF89314F15C52AE815AB204E770E954CBA1

Function 07FB1587 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51be83354ac82052a74d3930b6d5b64e88c1dbbef6532c54405458ac899d235
Instruction ID: 38ef5df172d323fb42a58ee4a6d37a1f560fe86ef9685cf9e195729fac3520f4
Opcode Fuzzy Hash: a51be83354ac82052a74d3930b6d5b64e88c1dbbef6532c54405458ac899d235
Instruction Fuzzy Hash: C241B5F2E2011EDFDB25AFAAC9B56EE7BB1EB49340F1C0526D402E7255E730C911CA91

Function 07F9CA18 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d113817d146132f33888db15dc20d9f7a82e537284f1da5a31f75d472aa10cd
Instruction ID: 6bf2b421aae834a56ad98ffb8a7764583893b09b91f76cafacff029ed544c637
Opcode Fuzzy Hash: 9d113817d146132f33888db15dc20d9f7a82e537284f1da5a31f75d472aa10cd
Instruction Fuzzy Hash: 784189B0A002019FEB14DF79C494BA9BBF6EF89304F184569E40ADB761CB75EC45CBA1

Function 07FB9373 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b790dbd2ee0bc0ad38803493250bc0ace82f886fa85d103afc55443b1d24794
Instruction ID: 4ed79b166b157b5a454b0b76e0ed62549d10742338c73cb3296754b5152d2dca
Opcode Fuzzy Hash: 7b790dbd2ee0bc0ad38803493250bc0ace82f886fa85d103afc55443b1d24794
Instruction Fuzzy Hash: 634181B1E5420ACFCB21CF6AC8D0AEE77F1AB45301F188025D35797251D7B9E986CB51

Function 07FB0B34 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23f2ef9df848f393f14cfd0556f1235b00c80292eaf48f056199d537211a4ed
Instruction ID: 293eccdda182554fb29dc255c534dd26280fd2983ca80a1cb966861434d42cb2
Opcode Fuzzy Hash: e23f2ef9df848f393f14cfd0556f1235b00c80292eaf48f056199d537211a4ed
Instruction Fuzzy Hash: 5041E6F2E2011FDBDB21AF6AC9657EA3BF2EB49340F1C0426D402E7254F730C9108A91

Function 07FB3768 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296956b9ba6dc389d865b4a8c4d81d5f4958d43dc6629b385dff64da4eed599
Instruction ID: 970e21eb714f897f157a5d1018cb1c9f2c4778f49a8800694d068eaf729d6aa4
Opcode Fuzzy Hash: 8296956b9ba6dc389d865b4a8c4d81d5f4958d43dc6629b385dff64da4eed599
Instruction Fuzzy Hash: BC414871E012099FDB14EFA9D850A9DBBB2FF89310F198569E441AB3A0DB70E944CB91

Function 07FB0C10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2be8636b019bcc078b5cb341a0b14fc84e2976017f401a6212e703636e74a89
Instruction ID: da5f1a5e6d78f9e92cba5ffb5ecb03af7d0f8ff3af92211bcb6c9c337cc63c1f
Opcode Fuzzy Hash: c2be8636b019bcc078b5cb341a0b14fc84e2976017f401a6212e703636e74a89
Instruction Fuzzy Hash: 4F413C71E112099FDB14DFA9D850AADBBB2FF89310F198569E441BB3A0DB70E844CB91

Function 07FB0E18 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1a8fb09b139745676bee0b523d1686dd06c56021cee043b6961fe99d341c4b
Instruction ID: 829c3eb37168aebeef35f1ed7a0dd37f7c5b715df39f3b72f7f7c6ca27acc793
Opcode Fuzzy Hash: fb1a8fb09b139745676bee0b523d1686dd06c56021cee043b6961fe99d341c4b
Instruction Fuzzy Hash: 8B21F2A28193B25FE7136F2C98302DB3FE18F97611F09098BC0859F192DC249949C3EB

Function 07FB01CB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f934aaa8eac3835d45fb75133d7cc402b06ee8a2177bc73b1271aca14bafaba4
Instruction ID: d1d206b09040ed74fd632d1dbff40e750a9f203ed4d94851409cf6989c469780
Opcode Fuzzy Hash: f934aaa8eac3835d45fb75133d7cc402b06ee8a2177bc73b1271aca14bafaba4
Instruction Fuzzy Hash: 434122B1A05218DBEF219FA5C9989EDBFB2FF48300F294158D4417B26ACB3198A5DF41

Function 07FB6175 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ccd62f2083e4289fd0b2703fc5afd9b61fab89287ad12b3e6df8413da1e6f0
Instruction ID: 63716ad2115c40c59d0e8fe963fbeb619fe5e207583f540e097a53f17ea079b4
Opcode Fuzzy Hash: 81ccd62f2083e4289fd0b2703fc5afd9b61fab89287ad12b3e6df8413da1e6f0
Instruction Fuzzy Hash: FE41C2B1A04114CBEB10DF99C4516EF77F2EB8A314F1C8469D506EB346CB31ED468B92

Function 07FB6D24 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd441966e23f0eaca024244613d24bb747b219dac1d8877b358baee82c3f72f0
Instruction ID: ff4d24c4c827d53a2d8d1465aa721d0b0ea9434ed0adb1f374af0fe11e7e09b8
Opcode Fuzzy Hash: bd441966e23f0eaca024244613d24bb747b219dac1d8877b358baee82c3f72f0
Instruction Fuzzy Hash: F531B3B2F14215CBDF24EB7688546BF77BAEFC5210F584829D516C7280EE74EC068692

Function 07F95208 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcec9e124eaa49b59b008957aecbd090dae60bbe5f9f7991c5dcbbc7dfac743
Instruction ID: 2ddccc35b4d23e1977c80b1b1c5d14f4138884c410340b7c08283ddd0b53a7c6
Opcode Fuzzy Hash: 9fcec9e124eaa49b59b008957aecbd090dae60bbe5f9f7991c5dcbbc7dfac743
Instruction Fuzzy Hash: 6B31B2B17006119FEB14EB39D948A6E7BE9EFC9714B188569E406CB360DF70EC01CB91

Function 07F903AC Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6425758de21446623d3278646101d7612937488cc1e191470e9cf82724454938
Instruction ID: 2504c18a2c4d5bc87b0dfd1b9d9bf5891630eea440b051dbd240bf12b0df2b05
Opcode Fuzzy Hash: 6425758de21446623d3278646101d7612937488cc1e191470e9cf82724454938
Instruction Fuzzy Hash: 4F3158B5A0420DAFDF10DFA9D844ADEBFF5EB48320F14842AE519E7210D735A944CFA5

Function 07F9AE41 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466fbde5ada2510881edd649574fb319c96436bcd15ac8efcc6b77bc729164f1
Instruction ID: 61fa96a8597d57b5903bfac6c2df79f4e1b4385a87eaf30afc934346a7ff626a
Opcode Fuzzy Hash: 466fbde5ada2510881edd649574fb319c96436bcd15ac8efcc6b77bc729164f1
Instruction Fuzzy Hash: 47318B75A002098FDF04DF64C984ADE7BF6EF49304F1580A9E901AB362EB35ED04CB51

Function 07F9A177 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52c7a7afba2f2e2d7ca12541a52fec2414991601158c720b1f384f3f710f77e
Instruction ID: 4e78155961eecfb62ac7307aacc5fdccfb9395396eea1dff73604f96985f71a6
Opcode Fuzzy Hash: a52c7a7afba2f2e2d7ca12541a52fec2414991601158c720b1f384f3f710f77e
Instruction Fuzzy Hash: 8531B0B0A01202CFDF45DF69C8406AE77F6EF86210B2880BAD805DB265DB71DD45CB61

Function 07F96320 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c513f95a452aab8d3b28d002a0142b0b912c6306ff3c52411bc2f97f3e6eece1
Instruction ID: 7a7f05756af3e498fe1a58f8be026826dcef525602f2f603c96c04a94d221737
Opcode Fuzzy Hash: c513f95a452aab8d3b28d002a0142b0b912c6306ff3c52411bc2f97f3e6eece1
Instruction Fuzzy Hash: 6D316FB2B002019FEB25DA69D400A5A7BE6EF85350F19407DE549CB761EB71EC02DB91

Function 07F9A188 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ce7e38b070001b8b4d5eced0922580e0597b5aebcda93340555f963d9c9afa
Instruction ID: 0e5a8878253b045472eeced48c74b56c2a430b4f9db9a4e2e713693333a8f8a1
Opcode Fuzzy Hash: c9ce7e38b070001b8b4d5eced0922580e0597b5aebcda93340555f963d9c9afa
Instruction Fuzzy Hash: 7731B0B0B00212CFEF55DB68C84066E77E6EF85211B288079D806DB365DB71DC41CB91

Function 07FB6E10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234b13e5d4b602c42d893358455112e43b64c01afc69bca164493fc82b4502c9
Instruction ID: e86c2c6a97bc8618e519a56dbf4e8229adccbc7d8ebedb8f48c6bb4c36765adc
Opcode Fuzzy Hash: 234b13e5d4b602c42d893358455112e43b64c01afc69bca164493fc82b4502c9
Instruction Fuzzy Hash: 42219CF2A141158FCB219BB6D4181AFBBF5EB86301F144426E617D7392DE399C028BE6

Function 07F94F4C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0f26bed1cfc859cce67fd63e4c9bed1ce940040ed4d304548233ef6c3642e0
Instruction ID: ef8428d19711eada05833c7789656316fa958edcb1c6a18d042bad0ae1298b78
Opcode Fuzzy Hash: ab0f26bed1cfc859cce67fd63e4c9bed1ce940040ed4d304548233ef6c3642e0
Instruction Fuzzy Hash: 73311775A20219DFDB04EFA9D880DECB7B5FF88710F1585A9E805AB321C730A844CBA0

Function 07FBB771 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc75120a87bff916846624c9feebb0fbaf2bfc5389e1f595e590345f2fa2e119
Instruction ID: 37a452e24c1053bd2366e38f66e3505345c48c797de7e33d7ebe74ea4a315d62
Opcode Fuzzy Hash: dc75120a87bff916846624c9feebb0fbaf2bfc5389e1f595e590345f2fa2e119
Instruction Fuzzy Hash: E12194F6A2D695CBC7318F6EC4906F97BB4FB0B211F1C80AFD5528B241D624D906C792

Function 07FB6E20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53052ba4ffba3106c6cf68dbd873b3dea69e5994417c971f289e614f3b600a33
Instruction ID: 566c1c2f36fc0b0b404e17355481ecb71edef5cd816dacca3b7d67a70a5ccb48
Opcode Fuzzy Hash: 53052ba4ffba3106c6cf68dbd873b3dea69e5994417c971f289e614f3b600a33
Instruction Fuzzy Hash: 2621B1F2B14115CFCB259FAAD4181AF7AE9EB86301F144425E617C7391DF359C028BD6

Function 07F98601 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1d4ada7908bb5fe079ace684bfaf7c3acc37596a3a50eec4bbeede961492cb
Instruction ID: 0010db69c962ae7fb02ccd8f0bbf976d7872bcdd45950d4b3dc0de7c3adef3b4
Opcode Fuzzy Hash: af1d4ada7908bb5fe079ace684bfaf7c3acc37596a3a50eec4bbeede961492cb
Instruction Fuzzy Hash: E22168B160C390AFEB228B25DC5065A7BB4EF87271B1C04BFD181CB1A2C6259C4EC762

Function 07F9C17B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b70e08a2796900fe853f16214a91e4fca928a2486b5a68b9802f34f763ded1
Instruction ID: 8e93c5753e2ad86c8235c4d08e4c72219dae86c6016124bf2df244c3173b1597
Opcode Fuzzy Hash: d9b70e08a2796900fe853f16214a91e4fca928a2486b5a68b9802f34f763ded1
Instruction Fuzzy Hash: 1D3198B1A10609DFDF14EF75C9949EDBBB5FF85300F048529E501AB264EB70A946CB90

Function 07FB61A9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e391e9c2d5a7adf989faf1b0c76560d0b26966779e1cba680545c17513e99104
Instruction ID: fdb8450289a9addae81538bbe1b6ddd56da7aa4f8a0102a269ad8ebdf5b069b2
Opcode Fuzzy Hash: e391e9c2d5a7adf989faf1b0c76560d0b26966779e1cba680545c17513e99104
Instruction Fuzzy Hash: 1B31D1B1A04104CFEB109B9AD4517EA77F2EB8A314F1C8469C506EB342CB35DD468B82

Function 07FB5D28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbee48acac76d3a8758144b35c84f80431a2d4445a08749b3ef97612489cafb0
Instruction ID: 73a2467dd9e9ea663dfde83e34b655471596a0bd7898199ec94c995921e2554d
Opcode Fuzzy Hash: bbee48acac76d3a8758144b35c84f80431a2d4445a08749b3ef97612489cafb0
Instruction Fuzzy Hash: 673123B4E1421A9FCF50DFB9C8905EEBBF2AB48300F548529E516E7240EB349A548BA1

Function 07FB5D18 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a01663cacfd936ed54a7aaa834cf0b897c9320f7b5a9a6e707409d6fd00f96
Instruction ID: a152bad0294263a0d0142aac4ef15d02e1a4539e5dc34e649b98b79a43c57990
Opcode Fuzzy Hash: 96a01663cacfd936ed54a7aaa834cf0b897c9320f7b5a9a6e707409d6fd00f96
Instruction Fuzzy Hash: 8931B8B5E1421A9FCF50CFBAD8502EEBBF1EB48300F044566D501E7240E7389A948BA1

Function 07F903F8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae8f760b2c8c876e0d8e0ee7f44c20e88ca85e20c61bf5393a6d2b597acd944
Instruction ID: 452b86d459b7deafdfc67e4f930c06bdc1416bd9d988cddca3d81ce7bf438d10
Opcode Fuzzy Hash: dae8f760b2c8c876e0d8e0ee7f44c20e88ca85e20c61bf5393a6d2b597acd944
Instruction Fuzzy Hash: 333169B190434D9FDF10CFA9C844A9EBBF4EB49310F54846AE919A3241D734A944CBA1

Function 07F9E300 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d8cfe9c880641b07ba436e4c7a2199d0447776ad8fe030584cc9ee97a77715
Instruction ID: 934ccaa7aeea1e860250261900fee2e8faf294431d5208acea09a82245c47863
Opcode Fuzzy Hash: 48d8cfe9c880641b07ba436e4c7a2199d0447776ad8fe030584cc9ee97a77715
Instruction Fuzzy Hash: 80212877B006108FFF28CA29C48297E7BE6EBC4310B288479D546D7795C634ED81D761

Function 07FBB8E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c5eabfd77593814836e5c96b87c37baea0dcfce3ef22a10a4ef525edd60dfe
Instruction ID: 0608f4fdc5de30c2bc656838ed88864d8728b823d72da9c9ce2b68d1a210b387
Opcode Fuzzy Hash: e0c5eabfd77593814836e5c96b87c37baea0dcfce3ef22a10a4ef525edd60dfe
Instruction Fuzzy Hash: 6021D3F1F18215DBD7345A6B88117FA72ABEBC2351F6C842AD8479B394CA71DC418782

Function 07FB6269 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e2423ff36b2a9dd0df609a652d5125c02921fdc82fdeede10e063bc046fb0
Instruction ID: ba40fab0a6ef16274853a3d956f92b759e3f0da733a7db2caffa40ed43e03049
Opcode Fuzzy Hash: d02e2423ff36b2a9dd0df609a652d5125c02921fdc82fdeede10e063bc046fb0
Instruction Fuzzy Hash: 2031DFB1A04114CFEB609F9AC4517EBB7F2EB8A314F1C8469C506EB342CB35DD468B92

Function 07F9E310 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca7220485fb7890e929b14d3eef4d9a0e82c6e1653aae00b6e59afb2d8efb8b
Instruction ID: 76f98e403a9c82dbf66556709f06a31e5fb95d85d881c157591771611c5b6d55
Opcode Fuzzy Hash: 0ca7220485fb7890e929b14d3eef4d9a0e82c6e1653aae00b6e59afb2d8efb8b
Instruction Fuzzy Hash: 6521F677B106108FFF28CA69C88297EBBE6EBC8310B288439E546D3754C634ED80D761

Function 07FB00E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db0d405e82d01817e8ff7ebf5951db38fe2dd94a5bdf325d4ee1d64299b5b2c
Instruction ID: 75081fdab3871fd80e6973c57bec251ceca8ad3402cdcc49b312ac078f1218d5
Opcode Fuzzy Hash: 9db0d405e82d01817e8ff7ebf5951db38fe2dd94a5bdf325d4ee1d64299b5b2c
Instruction Fuzzy Hash: 3121A4F1E10206DBDB396B66C8445EFBB71EF82220F58856AC48667244FE31D951CBA1

Function 07FB2E80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cf43f27b51a16625e850199cceb62d6a7c634a0a84c5187cd0150d1cdc7012
Instruction ID: 6dd799e76a4e6179f73996bf2e373c6947cbe45bae0d2167ddcd7353203362ea
Opcode Fuzzy Hash: 29cf43f27b51a16625e850199cceb62d6a7c634a0a84c5187cd0150d1cdc7012
Instruction Fuzzy Hash: BC213D75E106198FCF11EBA9C8446EEB7F5FF88310F04426AE919E7260EF709945CB92

Function 07FBB8E2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005d32491b2389814957d8c059f9b44a7cbde580c4dda2f2f57ab53d448420e7
Instruction ID: f79cff9d83abaa782ad8ec2a6af1bcfcfb0b2d76e5c6ad3f9bfeb2183e5f4cfd
Opcode Fuzzy Hash: 005d32491b2389814957d8c059f9b44a7cbde580c4dda2f2f57ab53d448420e7
Instruction Fuzzy Hash: AC21C0F2F18215EBD7355A6BC8117FA72AAEB82714F5C8067D8476B294CA71D8018782

Function 07F93FC1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b00697b16419098073132af6bb8e1ced986edc51358d13da8e798acd5890e76
Instruction ID: 14d1ad40aa5da4a17749c5065c76065886f0435548a40aaa1443a512020717db
Opcode Fuzzy Hash: 1b00697b16419098073132af6bb8e1ced986edc51358d13da8e798acd5890e76
Instruction Fuzzy Hash: 1D215A74B00605CFDB04EB68C844AAEBBF6EF89300F19416AE519DB361DB719D85CB91

Function 0061D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873558250.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a39b4f05395d4eec78934acdef1dc57bbff436287f83f9dad92da8f856cffe
Instruction ID: 7a9a75bd1239aaa896f12618d89a1c5d88bd990ab05b5817e3211b0751ba919a
Opcode Fuzzy Hash: b1a39b4f05395d4eec78934acdef1dc57bbff436287f83f9dad92da8f856cffe
Instruction Fuzzy Hash: 822106B1504240DFCB05DF14D9C0B66BFA7FB94318F28C569D8090B356C336D896D7A1

Function 07F90418 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bf1913a566f5d5b7516639898b72540232e9b8102ba674d95e2b5596525f3c
Instruction ID: ed2207a51f31d19733133020a8d93ed53d3516b0b8b891fe53069a0d0b508d43
Opcode Fuzzy Hash: 32bf1913a566f5d5b7516639898b72540232e9b8102ba674d95e2b5596525f3c
Instruction Fuzzy Hash: 7A21F271B042624FEB06DB39CC6496E7BE6EF8A210B0944AAE905CB322DE30DC00C790

Function 07FB0006 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfb5a26ff3f189a6f2d9599278685ab5b8ccccf13d089238aebef7d41d34869
Instruction ID: 4265167e7b07dd49c931b6b4e0b9890ac7e5c73ab0e9558b18dfbe837ca9ccdf
Opcode Fuzzy Hash: 6cfb5a26ff3f189a6f2d9599278685ab5b8ccccf13d089238aebef7d41d34869
Instruction Fuzzy Hash: 231157B2E093429FC7631B61DC005D67FF0EF032A0B1D04EBC085E71A2E634890A8B90

Function 07F9F3F8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185371b82b86ae0c8b5b83cd51b4f2e88f9b5416c13a207e823ff7490787e78e
Instruction ID: 75b7dc9680198c98be34ae13595a14983ea6d1a4119dceb3d3f64abf2d4f65a4
Opcode Fuzzy Hash: 185371b82b86ae0c8b5b83cd51b4f2e88f9b5416c13a207e823ff7490787e78e
Instruction Fuzzy Hash: DD214FB07003028BEB38AB79D450A3673E6AFC5609B18487CD966CB794EF31EC46CB51

Function 0062D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873676334.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab87515459dec658006dc142a20f4388d5f151c50c6d3faeb8d676d4dae51331
Instruction ID: a29aee0b9dad2f665b9872ccf3f55ded3f407df05429de1926894d4138f26072
Opcode Fuzzy Hash: ab87515459dec658006dc142a20f4388d5f151c50c6d3faeb8d676d4dae51331
Instruction Fuzzy Hash: FF210771604600EFDB05DF14E9C4B25BBA6FB94314F24C66DDA0A4B391C336D906CF61

Function 0062D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873676334.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99363feef2f591330a6387f9d1267df4e665dffea8e2b6500ac9347f716799bc
Instruction ID: 2043a45b9440efd859d0891913d6623cf519a142804f0a2ef6c5c7c7ed727be2
Opcode Fuzzy Hash: 99363feef2f591330a6387f9d1267df4e665dffea8e2b6500ac9347f716799bc
Instruction Fuzzy Hash: 8E21F275604640DFCB14DF14E9C4B26BBA6FB94314F24C96DD90A4B3A6C33AD847CA61

Function 07F99DB4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deab356a4b9b40a10344b890658c44a16664ed85cb3c5c8e1a7690a788edc287
Instruction ID: 601f890321df4162f6078090d7a994a79243d672b9ee9d74ae0797982bb5e85b
Opcode Fuzzy Hash: deab356a4b9b40a10344b890658c44a16664ed85cb3c5c8e1a7690a788edc287
Instruction Fuzzy Hash: 00210771A10206DBEF14DF25C4446AABBF2FF84315F14C439D8099B250D735E944CB61

Function 07FB4648 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e65cbeb876afc87b1fa1cb4474844aeec37584265b5681ad2458d6e213938e2
Instruction ID: 1b1c18bac2307c9d7ea469c870dc6fad6cd4f1bcdb874207f734fc2b1415e1e4
Opcode Fuzzy Hash: 8e65cbeb876afc87b1fa1cb4474844aeec37584265b5681ad2458d6e213938e2
Instruction Fuzzy Hash: 77212FB5E0020A8FCF54EF69C9848EEF7B5FF89300B118269D905A7311EB30A945CBA0

Function 07FB4639 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9767ecd5e7ce72fd6738f70e6b6b1487436dbc81ed3909e5f2bdc927518550
Instruction ID: a8c8c2c4a46356a41af249e2d261adb4a9a986b0383c0bc857ce841a00de6a59
Opcode Fuzzy Hash: fc9767ecd5e7ce72fd6738f70e6b6b1487436dbc81ed3909e5f2bdc927518550
Instruction Fuzzy Hash: A3213DB5A002058FCB54EF69C8949EEB7F9FF89310B104179D905E7351EB30A945CBA0

Function 07F995D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec7e7c7526ec5245fe3b14fce8ce401940d4a9ea86da375f26e1d13949aff98
Instruction ID: 570fa35b3fa4a1c72757c515b583407722872d7347954dc3abce1846c40443a5
Opcode Fuzzy Hash: bec7e7c7526ec5245fe3b14fce8ce401940d4a9ea86da375f26e1d13949aff98
Instruction Fuzzy Hash: A7119172B00500CBEB29A76EE45446DB79BEFC462672D447AE00AC7660CF65FC828B91

Function 07F9CF90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddd375619e808b784051585059718b7dd23e0e358934ee78fafe8e7da3c0638
Instruction ID: fa1e048b0d19e526b209761007832d5e6093475286d7f5b9182b4f87238aa56a
Opcode Fuzzy Hash: 3ddd375619e808b784051585059718b7dd23e0e358934ee78fafe8e7da3c0638
Instruction Fuzzy Hash: 4811D0767006108FDB54AF2CD844AAEBBEAEF89225B14456DE006DB360EF309C41CBA0

Function 07F9C840 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fcadcbbacc427bbeefb9e3b32a53d79d9e36836982ca9e9e986c308f18438c
Instruction ID: e8161533aecd23a0cd3d1bde11eb8b32d8ad247f06a842f28f74396ad64207d6
Opcode Fuzzy Hash: 63fcadcbbacc427bbeefb9e3b32a53d79d9e36836982ca9e9e986c308f18438c
Instruction Fuzzy Hash: A021E6B5D013099FDB10CFAAD884A9EFBF4FB48310F54842EE959A7340D375A944CBA4

Function 07FB6C87 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ad56ea0f04c42b053ae31bd2a5ad979c507691729c7b670ad696f09023ef57
Instruction ID: 64b6f406004c27320eac9ad5647a0616f900d272d8ab66cc16f968a554ee339a
Opcode Fuzzy Hash: a6ad56ea0f04c42b053ae31bd2a5ad979c507691729c7b670ad696f09023ef57
Instruction Fuzzy Hash: 111121A641E3E24FD313AB38A8A52C17FA19F62565F1904DBD1C48E0A3E519444BC3AB

Function 07F9064C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef5848b2bee7cd3e816f46c1833fc37ae21451179868ae75508a64360d05fb8
Instruction ID: ebadf7f2fe46bb1d04fce4c8787fb77702ffcb9b6647f5d5589f9a2f8b4a57ad
Opcode Fuzzy Hash: cef5848b2bee7cd3e816f46c1833fc37ae21451179868ae75508a64360d05fb8
Instruction Fuzzy Hash: D231E3B1D11259DFDB20DF99C588B9EBFF5BB48310F24806AE408AB241CBB59985CF51

Function 07F90658 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d6950692c74c084deffebe9b2982a5f2851c4b06e77fd7560b158095f9bd93
Instruction ID: 17225be9d41d99c9064fe5591839be7554cf4e79a2afa062683582dd86ea1caf
Opcode Fuzzy Hash: d2d6950692c74c084deffebe9b2982a5f2851c4b06e77fd7560b158095f9bd93
Instruction Fuzzy Hash: 7F21D3B0D11219DFDB20DF99C584B9EBFF5BB48314F248029E408B7240CBB59845CFA5

Function 0062D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873676334.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f24638d95e0078305084bfdd2b3a18fe22b9ac4a13c0138946c8dc03bd4092a
Instruction ID: 5949cb8193da1914c6a3ceb83c804f7b7185acda00ca25c990c3b2ba31d2d913
Opcode Fuzzy Hash: 1f24638d95e0078305084bfdd2b3a18fe22b9ac4a13c0138946c8dc03bd4092a
Instruction Fuzzy Hash: F42165755087809FCB12CF14D994715BF71EF46314F28C5DAD8498F2A7C33A9856CB62

Function 07FB1478 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8acad4df6d6aec468dac310e7bc44b5331b289d0062171cab715bf76f0c0d48
Instruction ID: eb216dacd992be9d2ecfa6ad1fe913f140792d0c05686ddc3c2bfc556c655fc9
Opcode Fuzzy Hash: b8acad4df6d6aec468dac310e7bc44b5331b289d0062171cab715bf76f0c0d48
Instruction Fuzzy Hash: E0213E70910608CBCB15EFA8C9557DEB7B1EF4A300F14866DD446BB650EB71A948CB92

Function 07F9C848 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32f4162c3a00d386398529a3ad97202d88e4ce114c789599f16773c24292457
Instruction ID: b75be828a02b03e0344b8a21c1cdddc8a2c49935c90966793d40f70b8c635bbc
Opcode Fuzzy Hash: b32f4162c3a00d386398529a3ad97202d88e4ce114c789599f16773c24292457
Instruction Fuzzy Hash: 8021E2B5D013099FDB10CFAAD884A9EFBF4FB48310F14842EE519A7340D375A944CBA4

Function 07FB9220 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66838ddcbb649e2673e9250b3b77b45e8c208c7cc5e113f4faf1569b46f63ec
Instruction ID: e4518b32b7cfa07a429b8dd11d334b0c75b96baea439382b27d6d23434de89dd
Opcode Fuzzy Hash: e66838ddcbb649e2673e9250b3b77b45e8c208c7cc5e113f4faf1569b46f63ec
Instruction Fuzzy Hash: FF11E3B5E002168B8B25DB798C404FFB7B6EFC82607194929D918D7340EE709D0A8761

Function 07FB0040 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction ID: a7bfe7453af7cdd1bab973a7715132c67c6f05877edaabb23b073686ef3fb648
Opcode Fuzzy Hash: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction Fuzzy Hash: 2A11C6F2F01106EBCF616A96D9445EEBFB0EB41380F6848A5C099B3194EA3185348FD5

Function 07F9CFA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448c9b307cedc8b08d89b927811a605bbf5235f6454ecf62e225dbdd55eb8e99
Instruction ID: 90c636f1d37e68d6fd2ec2930dfe1eb95081b1cba5e5f6a1ec27f59b25d28e14
Opcode Fuzzy Hash: 448c9b307cedc8b08d89b927811a605bbf5235f6454ecf62e225dbdd55eb8e99
Instruction Fuzzy Hash: 9A11CE767006108FDB14EB2CD844A6EBBEAEF89225B14446DF006DB360EF30AC41CBA0

Function 07F9CE08 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ff89a6df1453f31858fee676d8efb3232cacb8775b7ee739921d05425e45cf
Instruction ID: 8faf4683959f644f253a66c66e9f749a64bff2a5991e4ce4caed136b5b0a576a
Opcode Fuzzy Hash: a9ff89a6df1453f31858fee676d8efb3232cacb8775b7ee739921d05425e45cf
Instruction Fuzzy Hash: 84210475A00218CFDF48EBA8C854AADB7F2FF88314F154068E402BB361DB35AD01CB65

Function 07F98B00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde821ebff9c2f6439a67931d4837e71acef49098f85a923bc1c8f0f32eee3fe
Instruction ID: c343fed33c14a57204bd952b22babfed735a458fabd1b57c7e8051405c761ec3
Opcode Fuzzy Hash: cde821ebff9c2f6439a67931d4837e71acef49098f85a923bc1c8f0f32eee3fe
Instruction Fuzzy Hash: DE11AFB2D00209CBEF10AF68C8146EEBBB1EF89351F18853AD8057B240DB759945CBA0

Function 07FBED18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b18be7b78ce1fcf548a91872a06ec2d121add643bd7ef2165e5fc517761131
Instruction ID: d3a808bee9c86e298bb3cca8261de3c2597f36cb06347d69eaa9610c9e5d053b
Opcode Fuzzy Hash: c7b18be7b78ce1fcf548a91872a06ec2d121add643bd7ef2165e5fc517761131
Instruction Fuzzy Hash: 5521D8B8E08209DFCB50DFAAC180AEEBBF5AF4D300F649059D819A7711D7B09A40CF91

Function 07F9C66C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dbcec5729fc28b7d10d0471add152c8543e29b21f21718ad06f63e22bbd289
Instruction ID: bda0eef2eddccb7e7b1ffe750e7cec51ef8dd59720113d8320dfc05a838c47bc
Opcode Fuzzy Hash: 06dbcec5729fc28b7d10d0471add152c8543e29b21f21718ad06f63e22bbd289
Instruction Fuzzy Hash: 0021FE75E002099FCB44CFADC8809AEBFF1FF89310B10816AE959E7311E7349911CBA1

Function 07F9C651 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bb2eb0469fb7a801a3cf78c9de86537f80314b5cf970b9a3425b8a77cda53f
Instruction ID: 3a0be28c88ebbafbb989071e1dfe7d2d3a56d8c40fbbe90feed929a9698d6a63
Opcode Fuzzy Hash: d6bb2eb0469fb7a801a3cf78c9de86537f80314b5cf970b9a3425b8a77cda53f
Instruction Fuzzy Hash: F121B7B5E0061A8FCB44CFADC4449AEBBF1FF88310B14816AE919E7355E7359912CB90

Function 0061D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873558250.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: a2a9bc1671d6abd306f803f8683177e80e73a4d686eb7d12f8860bad2d07a0a1
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 1911B176504280DFCB16CF14D5C4B96BF72FB94324F28C6A9D8490B656C336D85ACBA1

Function 07F91AD0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291771b67737120ebe147dc0436b782485dcf7dc2abb37eb3ad8bcd2a8ab1490
Instruction ID: fc8ed5b2d1da404a859d9e7c155db585044dfc9ad6e5c9000acd8c260a9b1f53
Opcode Fuzzy Hash: 291771b67737120ebe147dc0436b782485dcf7dc2abb37eb3ad8bcd2a8ab1490
Instruction Fuzzy Hash: 312133B580430D9FDF10CF9AD844ADEBBF4FB48310F50842AE929A3240C374A954CFA4

Function 07F98550 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e6e821e83b8e67ca380bc22c1dabaa5e789c780d94f86574ca176860d7cd92
Instruction ID: 90f5b717890c82dafc40a176d9982211144ed06911ac9c37dd8b6363375c2fc4
Opcode Fuzzy Hash: c5e6e821e83b8e67ca380bc22c1dabaa5e789c780d94f86574ca176860d7cd92
Instruction Fuzzy Hash: A71123B1900300AFEB20DF19C800B5A77F5EF96322F04447DD042C7662CB30E98ACB92

Function 0062D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873676334.000000000062D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 54678a1dcae63e0cdb4c2d85541977fcca86be63cfc67ac4361a594fb7b2b1c7
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 6711A975904680DFDB02CF10D5C4B15BBA2FB84324F24C6A9D9494B396C33AD80ACF62

Function 07F98560 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed58d6fdb01cce954c77e6c785160e30404e1753d1e50e0efd45c1b85b4cbb2
Instruction ID: 48dec2ba7024c5e02abac01f8411e557e80a15c00413ba236ae588953da749c2
Opcode Fuzzy Hash: 0ed58d6fdb01cce954c77e6c785160e30404e1753d1e50e0efd45c1b85b4cbb2
Instruction Fuzzy Hash: 2111C6B1A003149FEB24DB29C440B5A77F5DF96366F14457DD006C7661CB70E98ACB92

Function 07F9C680 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052866f3402757b9894087baafe9d8c2c3224e8d741a44dd5442ea929538a099
Instruction ID: 55b8b25f2b94e4db9c12a8bbe4442b41d5e78bb8c9e16b2eca87c5696fd3d781
Opcode Fuzzy Hash: 052866f3402757b9894087baafe9d8c2c3224e8d741a44dd5442ea929538a099
Instruction Fuzzy Hash: 7F119BB5E0051A9F8B44DFADC9449AEFBF5FF8C310B10816AE919E7315E7309911CBA1

Function 07FB70F8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6da49189d7e69b29291b19fac5ccf7b5b62ff4bc80ad13252fe1ddada30b39
Instruction ID: e1c7e44d0dc0500e9401253ff5acf6dfa87c61db202ddf5c10329a88e1174dc0
Opcode Fuzzy Hash: bc6da49189d7e69b29291b19fac5ccf7b5b62ff4bc80ad13252fe1ddada30b39
Instruction Fuzzy Hash: F101D2B494D2849FC722AA71C8216E97FB19BC7324F0880AFD4455F682D76AC487DB72

Function 07FB3BEF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394593b264a51f11681f7d9eb7a283be101bffef4335b77fbcd6eb3518105c86
Instruction ID: a8b470b162f0e93cf0b117b747e7fb303b59d72d43d3803f37a9fdbfa1c82352
Opcode Fuzzy Hash: 394593b264a51f11681f7d9eb7a283be101bffef4335b77fbcd6eb3518105c86
Instruction Fuzzy Hash: AA11E5B0D0020A8FDB04EF69C8416EEBBF1EF45314F144629C915FB394DB759946CB91

Function 07FB6D50 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da0a7234b5d9e7fd06bf35cd3140ed89336129bbefe24bab08b58699da7936c
Instruction ID: fd277dc4c3f5ab22e2fb7fd1fb2839e26f239f0051ead26af0358baf844f6108
Opcode Fuzzy Hash: 0da0a7234b5d9e7fd06bf35cd3140ed89336129bbefe24bab08b58699da7936c
Instruction Fuzzy Hash: A7011A9281E3E29ED3039B29AC603C57FA19F63954F4A05DBD5C48E0E3D5144849C3A7

Function 0061D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873558250.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c6e83724856f25309210d43e7fd55384ad81076fbca212802b0f9b60231d16
Instruction ID: baeee0489ba92e7c77c6fbf9b7488a44cb73bb8630f29a939e1198cdae4ff021
Opcode Fuzzy Hash: e2c6e83724856f25309210d43e7fd55384ad81076fbca212802b0f9b60231d16
Instruction Fuzzy Hash: 8501F2710083409AE7209A29CC88BE6BFD9DF51325F1CC91AED090A2C6D6799881DAB1

Function 07F962A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497d9a9d0b5c939d60dd4967962533294d692e4e1a80c2fbe2da791000342d92
Instruction ID: 1336c5e8ad845cc514d1828a6082cf077befbec8d63bafada49c6f2d8bdb2a94
Opcode Fuzzy Hash: 497d9a9d0b5c939d60dd4967962533294d692e4e1a80c2fbe2da791000342d92
Instruction Fuzzy Hash: C601A2B57006018FEB15DA29C410D6B77E6BFD6210719807DE585CB321DA31EC06DBA1

Function 07F9075C Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d70b6ab3bc54a509378bbfea0cedddfaeac796e8776b8818297e00eeff831c8
Instruction ID: b134e713c09012bb022eb8f59a083aa8ca384cb31381b075646d0082a8a274a2
Opcode Fuzzy Hash: 2d70b6ab3bc54a509378bbfea0cedddfaeac796e8776b8818297e00eeff831c8
Instruction Fuzzy Hash: FB11FEB1D0120ADFEB15CF55C4487AEBFF1AB49364F28C069D4589A290D7758984CF91

Function 07FB1718 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7d03f4bf7a7a5854f22a2eb73b4684ad9ad9ff33ac05a62ab5bc013de49dfb
Instruction ID: 4aa99e2a39ffa013f6172fff5fda5f47b7a66e8d978c2400f9d71ab027079e06
Opcode Fuzzy Hash: 0c7d03f4bf7a7a5854f22a2eb73b4684ad9ad9ff33ac05a62ab5bc013de49dfb
Instruction Fuzzy Hash: 5D01DE3291034A9FCF119B74DC844D9BF36FF96308B14876AE04566111E674A49ACB90

Function 07FB4D40 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7716aac37c6b6d06217e33b0f97fa1c1353e7a2398cc7fc5f1d8dac6296ebb82
Instruction ID: ff932aa9e4d9ed9b25b859696778fbbdd45a35a6df58bb4b87fe16d23917920f
Opcode Fuzzy Hash: 7716aac37c6b6d06217e33b0f97fa1c1353e7a2398cc7fc5f1d8dac6296ebb82
Instruction Fuzzy Hash: 41011AB2D1020AABCF50DF99D9419FFBBB8EB08310F10412AE914F7201E730AE108BA1

Function 07FB3C00 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c334958907c35c5f6e60065a817807dd0705b1ab5fba66e5accf4b201f1f623
Instruction ID: 6f4839cdab7126f94389d695e37fac7a6e6bea25f10fe9e9d4380f92b0129b8d
Opcode Fuzzy Hash: 4c334958907c35c5f6e60065a817807dd0705b1ab5fba66e5accf4b201f1f623
Instruction Fuzzy Hash: 25019EB0D0020A8FDB04EFA9C8117AEBBF1EF49304F148629D515F7394DB75AA41CB91

Function 07F97F30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a569e457d8b56a1bb712fd614fe056e4625b865802a3b0d2a98c88b2b48965d2
Instruction ID: cf94426109adf0593fdae72f798dc49f4f8deaeab67c3baf42ee995ff6ab9f56
Opcode Fuzzy Hash: a569e457d8b56a1bb712fd614fe056e4625b865802a3b0d2a98c88b2b48965d2
Instruction Fuzzy Hash: 99114CB0D0430ACFDB40DBA8C045BBEBBF1AF06304F1880B9D458AB351D7399541CBA1

Function 07F998E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3c79a9ebe64a4f52ddf7224ad6534b3b4cd33d6037a082eaa38e86d394a354
Instruction ID: 6ae83d237a683c110545883a27826a1e1a4fa1bf6f249a7137b8d3a4ccd3653c
Opcode Fuzzy Hash: ab3c79a9ebe64a4f52ddf7224ad6534b3b4cd33d6037a082eaa38e86d394a354
Instruction Fuzzy Hash: 67F096B364462987FF36ABACA4012BCB6CDD7C0735F19047ED14D85590CB55A9914285

Function 07F90768 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be6feba1cc28a982c854b4af28c88f99469d52ba4daa162b31af7ed8d3372a5
Instruction ID: 348a4d40e90169f524560bf746b1d01177959192594271e42e4f99af3459adf7
Opcode Fuzzy Hash: 7be6feba1cc28a982c854b4af28c88f99469d52ba4daa162b31af7ed8d3372a5
Instruction Fuzzy Hash: 8B01DEB1D1120ADFEB15CF5AC4487AEBEF5AB48360F28C169E4189B290CB758944CF95

Function 07F962B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990d8bcff38c5f9c6f737289bb1878983385e23a1150a1f5c8f38341c7d44452
Instruction ID: 32e532d519d40a8bf32d3f1087dbadcbbb337510f0f2f92c25a12b63592c5853
Opcode Fuzzy Hash: 990d8bcff38c5f9c6f737289bb1878983385e23a1150a1f5c8f38341c7d44452
Instruction Fuzzy Hash: E1F08CB57006058FEB18EA2EC450D6F77E6BFC4210719803DE946CB324DE31EC029B91

Function 07FB4D30 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f67f5e95ab0afcb4dd55fa80b59e8b0b96b7ae4a48c06fa0dd7120a9423829
Instruction ID: c6a82ed4d6847557ef7427d49b727830f96bc945dad915d663f31296330a426c
Opcode Fuzzy Hash: 59f67f5e95ab0afcb4dd55fa80b59e8b0b96b7ae4a48c06fa0dd7120a9423829
Instruction Fuzzy Hash: CC014FB290020AABCB20DF98D845AEFBB78EB08310F10413AF908B7201D7315A118BA0

Function 07F9BC33 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae1e0fd8e4272030dd4e3b300b9351b5262df48034e2c98a108a1842fb54f90
Instruction ID: 3ff44ca7ec334baebbf77645e625295c5eea995a69a83c795b484916f5a0d5e6
Opcode Fuzzy Hash: 2ae1e0fd8e4272030dd4e3b300b9351b5262df48034e2c98a108a1842fb54f90
Instruction Fuzzy Hash: D5F0B46231E3D14FD71657289C206A97F668FC7614F0E40F7D085CB2A7D9548D1683A6

Function 07F9D360 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc695038e0252fdc392d140efca07622b4927916675da5c641f361c1c99d55
Instruction ID: a156283e1c81e8e2de99be25fbc12e751fd1cb766709aa7be9d5594907d372ef
Opcode Fuzzy Hash: 02fc695038e0252fdc392d140efca07622b4927916675da5c641f361c1c99d55
Instruction Fuzzy Hash: AF01D1729147058BDB017F3CDC10899BBB4EF93222B05832AE880AB350EB30D594C7A2

Function 07FB1728 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab99c94a728efc81d6602b62981b93447b284a1c75a3b843380d1fd5fbc545e
Instruction ID: d25d672e9e6b79b944c759caca7cad0bd026da0fa5dd418dfb3363fc87ac76e2
Opcode Fuzzy Hash: bab99c94a728efc81d6602b62981b93447b284a1c75a3b843380d1fd5fbc545e
Instruction Fuzzy Hash: 7601863291070A9BCF14AF65DC448DAFB76FFD9304F11C729E10567210E770A595CB90

Function 07FB82BC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9635c12aa788ff27a2f45f245f13cebc9b7bed2f70a59f786b51baa7127dd891
Instruction ID: 9a4cc63d0e9ea59977c940856a13adcc9979959b88767a8c7cbdce39a798ee73
Opcode Fuzzy Hash: 9635c12aa788ff27a2f45f245f13cebc9b7bed2f70a59f786b51baa7127dd891
Instruction Fuzzy Hash: 98F090E741EAC0EFC322866698210F53FACE9D71C0B4C06A7E647CA652D1248A0583F3

Function 07FB4DC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5177ecdc69b79b192de10f598dd45d5a8ee66f2e7e8bed8167c981c2ee8ddd19
Instruction ID: 6ccb8d6f5c1d764251631755893662417844d05541c7fce5f3f9e9f0d4550667
Opcode Fuzzy Hash: 5177ecdc69b79b192de10f598dd45d5a8ee66f2e7e8bed8167c981c2ee8ddd19
Instruction Fuzzy Hash: E1018131A1062D87CF15ABA8DC144EEB3B5FF89310F018525D915B7254EF706A19CBE2

Function 07F99550 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d66c71ee5cdfcd90f82e1afe94e99412728e881117fcb3a4866afde2a64110f
Instruction ID: f88fe82612cfa77175a5900a75b7f6dded06412fd0d18bb2f2e56e3db5547340
Opcode Fuzzy Hash: 1d66c71ee5cdfcd90f82e1afe94e99412728e881117fcb3a4866afde2a64110f
Instruction Fuzzy Hash: D5F02BB030072267FF6AA664C82476F33D59F84714F58043DD545C75D2DBE0E88287C6

Function 07F994E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077aee8106b4a64cada8f26a3e55df329427ffd1b98a717a4e5b534f237a749d
Instruction ID: 8d19f90b2f62821db3fba8d656a80be9a55b8b597e2c357881ad553e15090370
Opcode Fuzzy Hash: 077aee8106b4a64cada8f26a3e55df329427ffd1b98a717a4e5b534f237a749d
Instruction Fuzzy Hash: EBF0C2B6200600AFD710DF2AE880A9AFBE5EF98364B14C43DE48ED7311D670EC55CB50

Function 07F9511C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70630764ae330cfd9eec2b8ea53528ec38fb1c6cad6d0ba44398efe9ffac484a
Instruction ID: bdcdc6db8ee7b1a4ae039602f25c1528a34eb3a299a9740584439b05afe0d5c7
Opcode Fuzzy Hash: 70630764ae330cfd9eec2b8ea53528ec38fb1c6cad6d0ba44398efe9ffac484a
Instruction Fuzzy Hash: 7FF049B1204611AF9704EF5ED88095ABBE9EB99320700C43AE55EC7310DA30EC548BA4

Function 07F9A6F1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56587bb76fcf995d5acedd087eaa7d4c5f03b8eb9220e401afaed499a908748b
Instruction ID: a4f80d599243b12ad6a5845781520cd010e4ca662d8698d34c1cce1225ae7bbd
Opcode Fuzzy Hash: 56587bb76fcf995d5acedd087eaa7d4c5f03b8eb9220e401afaed499a908748b
Instruction Fuzzy Hash: A9014B74600700CFE350DB38D440B5A7BE5EF85725F10886EE48A9B321DB71E846CB61

Function 07F9E3E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00daddfd9f8b30192ff715cfb29e61bf7ff56e02e9868217b2906e599e2f33f8
Instruction ID: 468164160f9d722874af2ae03a9758efd73bdc83b14e88f4c68f158492fa50be
Opcode Fuzzy Hash: 00daddfd9f8b30192ff715cfb29e61bf7ff56e02e9868217b2906e599e2f33f8
Instruction Fuzzy Hash: 58F0C871A107149FC710EF69D884CCEBBF8EFCA310701416BD54597320E7306915CBA2

Function 07F973D3 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b625674ff307281965a29e79f99bf6f78a504bde31c98aa9d562e763f7808c56
Instruction ID: 87245a5227117fdc2aca106e4e39bde6bafd6d48a5f98f7246b76bd27f835f1d
Opcode Fuzzy Hash: b625674ff307281965a29e79f99bf6f78a504bde31c98aa9d562e763f7808c56
Instruction Fuzzy Hash: 32F0C231A053109FDB25AB74E41456E7BE6EBC5315B14887EE146C7341CF34A906CB71

Function 07FB4DB0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d184cde08e8234a5bc0acb74ae56e2216a5869e899adad9069e8222f5899e
Instruction ID: 308d2aa8a867a3817f9f992da2aecfb2aa9a54ee5c0316e4d9e71b67f252a0fc
Opcode Fuzzy Hash: 873d184cde08e8234a5bc0acb74ae56e2216a5869e899adad9069e8222f5899e
Instruction Fuzzy Hash: 27F0C2329006189BCF14AB68D8142DEB3F5EF89310F008529D99577240FF706A14CAE2

Function 0061D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1873558250.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ddffc671ff1e9391e78da9098c83d102c9f8c6fcfe7ed6db8e34ca725832b2
Instruction ID: 54a86a889ea91ef887a1df8e5c6cdbb52a4781a20f3f4366506bd84510cd9121
Opcode Fuzzy Hash: 78ddffc671ff1e9391e78da9098c83d102c9f8c6fcfe7ed6db8e34ca725832b2
Instruction Fuzzy Hash: CFF062714043449AE7109E1ACC88BA2FF99EB91734F18C45AED484A2D6C379A884CAB1

Function 07F9F793 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084a5c3fbb7472baf09e876ac2b5796acb9393a580acb0d459b03cd6365846d5
Instruction ID: 6c4ec44868434a49730332b7799144cfe63df7f73883794e8c3318ecc8fc02b2
Opcode Fuzzy Hash: 084a5c3fbb7472baf09e876ac2b5796acb9393a580acb0d459b03cd6365846d5
Instruction Fuzzy Hash: 97F0E9307046105FCB09AB2DD454A6E7BEAEFC961030440ABF405C7361DF259D01C796

Function 07FB70E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10718c4fb3e252a5fda61fd4fda0119d7a7c1fbc07a5c152f6b833f9b6939f42
Instruction ID: 83f7542d1b4cb8cbe40e2d312b1fcb5e84f22d82ac1c8b4b4e11ebff9fa7de25
Opcode Fuzzy Hash: 10718c4fb3e252a5fda61fd4fda0119d7a7c1fbc07a5c152f6b833f9b6939f42
Instruction Fuzzy Hash: CBF0B47199D1D08EC3126621D8112B07F628BC3319F18C0ABC4994E583C22ACA43EB72

Function 07FB4E31 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fab2db2987f5e478f0f81c00003e8d4919570d82a124b523773cdbb95914f0a
Instruction ID: fd64d9100a7f3aae49db07d91778c246b2665840e8f812b201195ebc2c34725a
Opcode Fuzzy Hash: 4fab2db2987f5e478f0f81c00003e8d4919570d82a124b523773cdbb95914f0a
Instruction Fuzzy Hash: 19F027716003059BD720DFAAD841A5BFBE9EFC5360F20453EE54893204EF30EC41C6A1

Function 07F9D370 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77480e3ed12daef5851eda10e7f961f38af45ce8c846775a05c4037c095f4f1e
Instruction ID: 75748b42050042f6232fa35b60c45999f964f9652bacfed2dd927e88687e9708
Opcode Fuzzy Hash: 77480e3ed12daef5851eda10e7f961f38af45ce8c846775a05c4037c095f4f1e
Instruction Fuzzy Hash: D7F06231920A0497DB007F7CDC1089DBBB4EF97262B44832AE9846B354EB30D594C791

Function 07F98A10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54d374868b19a515b71cb3ec7ab7533996d33e9626dae77ff217e9435d009ee
Instruction ID: 2b69baed735118ba4b3c9e01022874ea77f1bf570f78b8d115902bc6c4ec8d0a
Opcode Fuzzy Hash: b54d374868b19a515b71cb3ec7ab7533996d33e9626dae77ff217e9435d009ee
Instruction Fuzzy Hash: ECF090307003109FDB24AB2AD44495AB7FAEFCAB25B140579E10ACB372DB71EC46C791

Function 07FB0EA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b06b0394aa452fa41fa97a4568db5eeebee5614fb239f1e2cc1010943e419f1
Instruction ID: 448fb405ff4c7fd69653d8cc816464a4e43096d4c7ff0d6c012714fc23fdec08
Opcode Fuzzy Hash: 7b06b0394aa452fa41fa97a4568db5eeebee5614fb239f1e2cc1010943e419f1
Instruction Fuzzy Hash: 1CF0B471B1021597D714BEA5C4206EF76E7DFC4610F14046ED402BB384DEB5AE0587E6

Function 07F99560 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4399b658a7532c614e51ee4dafe10014787e3a07c112bc8972e96d592fc75628
Instruction ID: 2668f8a108fd63d5ad0f29fdb17f163c08dbcb0562f813bc5a9fcf15d7eb091b
Opcode Fuzzy Hash: 4399b658a7532c614e51ee4dafe10014787e3a07c112bc8972e96d592fc75628
Instruction Fuzzy Hash: 65F0E2B070061263FF696279882537F33CA9FC5710F4C043DE50AC2A92CFD1E8828286

Function 07F95150 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9c56afcd7c029ff3191f49531bc458f07b1cf84613621301a2c441b6beb712
Instruction ID: fcabe8bd2e61a9eaa814ea461822ca8a87401ed44779e90d11a1364c9fa15317
Opcode Fuzzy Hash: 1c9c56afcd7c029ff3191f49531bc458f07b1cf84613621301a2c441b6beb712
Instruction Fuzzy Hash: ADF0A0713100105FA204966DD888C2ABBEDEFCA674711416AF509C73B0CA60DC0182B4

Function 07FB5E60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7ee3147e1cf156ca85fbd529537ac7904611a6fb8daf95ece789f24b4d3fdc
Instruction ID: d70ac802e82de352daa9e97c6ec03d8056aad0d70b53128ad92ed30f17f3a06e
Opcode Fuzzy Hash: 1c7ee3147e1cf156ca85fbd529537ac7904611a6fb8daf95ece789f24b4d3fdc
Instruction Fuzzy Hash: 3CF024F2E2C2168FCB22CBBADC500EC3BB1DF1A201B480192E006D7524E724D621C702

Function 07F9A700 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6698c2193cd70ee3763f47853dc12ddacf9e68a792ddcae35d53896a09cfb3
Instruction ID: d2c18fbe0cddad7f05b233b3fe7e77fb2d6bb5e5c084c1a2fdeb273cd2db493a
Opcode Fuzzy Hash: 7a6698c2193cd70ee3763f47853dc12ddacf9e68a792ddcae35d53896a09cfb3
Instruction Fuzzy Hash: 4AF04974600650CFE314DB39D454F5A7BEAEF89355F00886AE54A9B321DB31EC06CBA1

Function 07F973E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb9d3f310e0014424f61342a064610657b4ea92a066581073ff784b423437bc
Instruction ID: 29e638bfc6eb66b7184521f3fb685de731a233edd497b44b6a24af2f38e94822
Opcode Fuzzy Hash: dbb9d3f310e0014424f61342a064610657b4ea92a066581073ff784b423437bc
Instruction Fuzzy Hash: F6F05E31B042259FCB28AB79E41866E7BEAEBC4315B14887DE146C7341CE34A9428BA5

Function 07F91ED1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8525f21269d1c0c53c181baf13cc349ebb4d2e10c6baf1e6c73d67b4cfc255
Instruction ID: 5b81f7eab5291f8ba0fde9dfb430cef146deac70ba4ae55083ca4d3402e70528
Opcode Fuzzy Hash: 7d8525f21269d1c0c53c181baf13cc349ebb4d2e10c6baf1e6c73d67b4cfc255
Instruction Fuzzy Hash: B3F0827260410AAFEF58DF98DC45AEEBFE6EF44324F18807AE108D7260E7719951CB54

Function 07F903BC Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d83a4b1281dc3e081128ad732abe42747a9a84f824a0f3b02e2c0e9ce9b7c0
Instruction ID: 2ef7d77a295a58bf73d32476af73995379dfce49b131539b1f446854e1bb40cf
Opcode Fuzzy Hash: b2d83a4b1281dc3e081128ad732abe42747a9a84f824a0f3b02e2c0e9ce9b7c0
Instruction Fuzzy Hash: 1FF0E5717083489FEB065B7898785BA3FE5EF53358F14487BE482C7252FA28EC4183A1

Function 07F98A70 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac174d183e12f38410da4c23c675be4b683a3bdd750183896e06a5921625412
Instruction ID: 91418cd3b2126b70534cf427561b00b296b8800a39e03c315d92bce736c7d0f9
Opcode Fuzzy Hash: 7ac174d183e12f38410da4c23c675be4b683a3bdd750183896e06a5921625412
Instruction Fuzzy Hash: 59F0A7327003159BDB10AF55EC4069BB7E9EBC5324B104539D90437342D7717904CA90

Function 07F9F7A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2514edc00e6061c491ce6e709c88937dab3186bb6489b70f0fbfd616fe69d8e6
Instruction ID: 0916b510c0a05d811030bfacd3a975dc66f3252b64e08623979be767e46d90ca
Opcode Fuzzy Hash: 2514edc00e6061c491ce6e709c88937dab3186bb6489b70f0fbfd616fe69d8e6
Instruction Fuzzy Hash: E3E0E5347044205B9F08AB6DD404A6E77EAEBC9B10300406AF409C7760CF31DD028B96

Function 07FBA4BA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1972403cfbe91fa45c08a68a2bc0069d2d400307e481645b8ae9f1bb858995
Instruction ID: 2c0f10908a973b6da6f2f3d0985308530695d96c8433f46fec57c66d02f48d24
Opcode Fuzzy Hash: 8b1972403cfbe91fa45c08a68a2bc0069d2d400307e481645b8ae9f1bb858995
Instruction Fuzzy Hash: 98F09074A85345EFCB119BB4CC099EDBB72BF46300F04C126E612A62D1C774981ACB11

Function 07F99951 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de828ca668fa950a84485be928ee6b0f6e0a08c4816f888ad00d905a159bd83c
Instruction ID: 6a90f1035a4af4160957a43aef8e4c37e663ef65f301580c6d047a4b86b89aef
Opcode Fuzzy Hash: de828ca668fa950a84485be928ee6b0f6e0a08c4816f888ad00d905a159bd83c
Instruction Fuzzy Hash: 0AF06D34310210CFC704AF68D448E6A77EAEFCD721B2680BAE549D7361CE75AC028B91

Function 07F93818 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8814049477f56714b1240fdbee6957e8e8947006cbdddd82983440ec2581da7
Instruction ID: 9d122c2b6a226f159ee85c99d7d7fb01558d9ec4e34cf5cd9392ff7e488e7e0e
Opcode Fuzzy Hash: d8814049477f56714b1240fdbee6957e8e8947006cbdddd82983440ec2581da7
Instruction Fuzzy Hash: DBF0B7B1D0420A9FDB48DFA9D845AAEFBF4FF48310F1045A99918E7240D77495408BD0

Function 07F9380B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3178a26ac49b3bdb88022017f4a620d5f27afd57b2fdfab9d2ebf34c79667bc
Instruction ID: 84048984978b11ebd2585a538f4c8971079b1eba704c606766db21f205a5c604
Opcode Fuzzy Hash: f3178a26ac49b3bdb88022017f4a620d5f27afd57b2fdfab9d2ebf34c79667bc
Instruction Fuzzy Hash: 08F0E2B1D0020A9FEB58DFA9C845AAEBBF4FF08300F1089A9D514E7200EB748680CF90

Function 07F98A80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f4a3b5aaadedb694d247b9cc4d69362278343dbcb7f6358b73977d791d89e3
Instruction ID: f6658dd34610cc8e0634fbb40244e5dfa5a8b6e2a066fcabc8c25df0641bc2f2
Opcode Fuzzy Hash: 57f4a3b5aaadedb694d247b9cc4d69362278343dbcb7f6358b73977d791d89e3
Instruction Fuzzy Hash: C0E092727003159BDF14AF55EC8099BB7A9EBC9324710063AE9197B346DB7278048A90

Function 07F92178 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0c1e07b1be5dbb907d937503203ce523b42a21be9724fe47ac4bc7eb2d4d08
Instruction ID: 3dccfde6d8b8cc1c152041489f54082e45a47e39f3c55ad85961af6cf4caf1d6
Opcode Fuzzy Hash: 8c0c1e07b1be5dbb907d937503203ce523b42a21be9724fe47ac4bc7eb2d4d08
Instruction Fuzzy Hash: EBE06D33B41524D79714DF88F8804B5B3A9FB4866A3188466E60CDA610E332D862C780

Function 07FBEF60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fc856ea70871d3f4204957e5440a819e8472424657ef02da5976b19281e7f5
Instruction ID: c493ce30791cf0154b153d5bd4a0a67f1284122098524333762abc90d351e518
Opcode Fuzzy Hash: 84fc856ea70871d3f4204957e5440a819e8472424657ef02da5976b19281e7f5
Instruction Fuzzy Hash: 1BF039B4E09308EFCB10DFA9D4049EDBBB9EB0A300F5080A9D81893300D731AA50EF40

Function 07F9A6A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01d690f72be6229e461b38be84a6fda82ec64921f2dfd69a651ddcf3812dcb9
Instruction ID: c36ebc4655921e4166183743fa997ec1644ca442594315bc23ae0752e3e5ddf8
Opcode Fuzzy Hash: f01d690f72be6229e461b38be84a6fda82ec64921f2dfd69a651ddcf3812dcb9
Instruction Fuzzy Hash: F0E01231341315CFDB29AB78E4149EA7399EF49259F1544BEE50AC7251CF35E801CB91

Function 07FB0650 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5d2293a1023909491ad05525d0346948fb0e3ff3a66778b5f2d1feaad35991
Instruction ID: 78be16870321c6a4ac872a1ba963a91772f784bf0f1204bfdc686e64bbe78372
Opcode Fuzzy Hash: 6e5d2293a1023909491ad05525d0346948fb0e3ff3a66778b5f2d1feaad35991
Instruction Fuzzy Hash: 78E06D30609351CFC3269B38C8104127BE5AE4620030888FAD05ACFA62CA71EC80C742

Function 07FBB698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b339e08776ce11b7db2f5f660f64eccfa7c9a2f0ba5e163a0c781a3697ff6d
Instruction ID: d7078807bb09ae88dd7d7fafb83f906a9bbe003f345c3fb822bdf453a9ac88cb
Opcode Fuzzy Hash: 27b339e08776ce11b7db2f5f660f64eccfa7c9a2f0ba5e163a0c781a3697ff6d
Instruction Fuzzy Hash: 07E0D8E2928208DFC3309A5195161F57BA78B0E300F0440D5D90A87984E551DC1143D3

Function 07FB0643 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8bf442332c7e21c346e18e3524b18e74ff26d17c3936d8600a1eb9d7b8e91d
Instruction ID: ff13fb070a7b3e64096026e99bcefa714b36422e6fdbc433c952122d400b05a9
Opcode Fuzzy Hash: 5b8bf442332c7e21c346e18e3524b18e74ff26d17c3936d8600a1eb9d7b8e91d
Instruction Fuzzy Hash: 42E0D831606350CFC3269F28D4008527BB5EF4731431444FEE4068B732CA72EC90CB96

Function 07FB05EF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934b3cbbfcb838572d03d2c8f49b9d9fe54c2d8be13747791b7b975946ed9922
Instruction ID: a91d0b2b06cb2095653c6174a43ae34d0af31439ec1f10a57cc7414a649e373d
Opcode Fuzzy Hash: 934b3cbbfcb838572d03d2c8f49b9d9fe54c2d8be13747791b7b975946ed9922
Instruction Fuzzy Hash: 0BE092306063A58FC602BE68A8502AB7BE59BC1521F04086AE4889F166DB2419498FE6

Function 07F9A698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497e08dea3e5e65ee11863d2499666a85d2bd6b030c64e063aa3a4b5c66b504e
Instruction ID: b39183981b7a2143218059e2b99f5723b9497726499eef43a9a4dfa6682c4c40
Opcode Fuzzy Hash: 497e08dea3e5e65ee11863d2499666a85d2bd6b030c64e063aa3a4b5c66b504e
Instruction Fuzzy Hash: 52E09230641311CFEB699F38D5007937395AF09219F1988BED44ACF251CF31E811CB40

Function 07F9BC60 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1873a0e2c1facee528c62f3cc0d7ca52e4d87a50fa5250123558b9acebaacce
Instruction ID: 46803ee4665bab8d88020e3ce25d9078391fe621c85667c559839329c47bacca
Opcode Fuzzy Hash: d1873a0e2c1facee528c62f3cc0d7ca52e4d87a50fa5250123558b9acebaacce
Instruction Fuzzy Hash: CDE02B723105520BDB28A90DE80097E338FDFC9A21B1D40F6E105CB766CD21EC0243D5

Function 07F9FA2F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a8b4cc1152824af1faf39fdbd5bbe2aadcdded5315e1e57231776c28525caf
Instruction ID: 6061c22c81b249a5834ea6b4c87189885ddb7f87bd7437a52a7a07d569082f39
Opcode Fuzzy Hash: 95a8b4cc1152824af1faf39fdbd5bbe2aadcdded5315e1e57231776c28525caf
Instruction Fuzzy Hash: 68E09AB1A00B508FEB54AE28D414B1A77E9AF44324F16086DE986C3661EBA8DC408F82

Function 07F99960 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22d327faba7a47c48ef6afde39b7a7e42be6d7b72132ab367fc82223402f733
Instruction ID: 7ca10f134e8e70e78cb4454d888bf46268159d4e6378f8fbc79e8e37f9055f3b
Opcode Fuzzy Hash: e22d327faba7a47c48ef6afde39b7a7e42be6d7b72132ab367fc82223402f733
Instruction Fuzzy Hash: 46E04F353201108FC704AB6DE448C6977EEEFCDA2171580FAE509CB361CE71AC028B91

Function 07F9D321 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f936da03440eb8673d18dff4d68e4137fcd8ef801b532e0aede65740e6e619b2
Instruction ID: f68a1e4acdffcc74951375346eaf8830353e18810e35200f9d6893b99afe806d
Opcode Fuzzy Hash: f936da03440eb8673d18dff4d68e4137fcd8ef801b532e0aede65740e6e619b2
Instruction Fuzzy Hash: 02E06D3180928DAFCB02CFA4DC409A97FB1EB06201F0482D6EC84DA192E3758B69DB61

Function 07F9C130 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb5b138c3de865bb7caa232c7aed100c20db95cb80d28f746ef32ba86419905
Instruction ID: bab9b95b0190c5183676ff93ab8a26091cfa4a1a811779854077431f45eabd6c
Opcode Fuzzy Hash: 3fb5b138c3de865bb7caa232c7aed100c20db95cb80d28f746ef32ba86419905
Instruction Fuzzy Hash: AEE01271810709DFDB51EF38C801699BBF8AB05224F50C539E98895110EB31E2D4DF92

Function 07F96F5B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede7e17eb718a2b52606bb71ec89604b37fa4cb3e987a4c31f43b42494ec898b
Instruction ID: 334d5eba104dbf4851d1abfd50ef6cf79ac5b86f9e885b29e1258059bb400a6f
Opcode Fuzzy Hash: ede7e17eb718a2b52606bb71ec89604b37fa4cb3e987a4c31f43b42494ec898b
Instruction Fuzzy Hash: AFE0C272748B654BEB0B2764A8290BE3B68CF4251970800BBF406C7292EF180E1243DB

Function 07F97840 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c779e28b884e0e00af01600e976717921e157c1bb78b9eeb1d3fe9927aa980
Instruction ID: 3a9232c1fe05f5b5faabf887dc6498ff492ec512062208278903a646b119ad9d
Opcode Fuzzy Hash: f1c779e28b884e0e00af01600e976717921e157c1bb78b9eeb1d3fe9927aa980
Instruction Fuzzy Hash: 2EE06D8258E3D01BD717C67418587967FB68BA7108F5D80EECA868E183D41A443B9352

Function 07FB3728 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952cf6418f9319c6b86576111f33fd7acc1ba3da8f23b077dee80ee2ed537304
Instruction ID: 895d4777085bc703f0d98ebcfcddf1df8471ec73e9c26f63df66387e310715b5
Opcode Fuzzy Hash: 952cf6418f9319c6b86576111f33fd7acc1ba3da8f23b077dee80ee2ed537304
Instruction Fuzzy Hash: 93E0C277545220CBD6B08911ED437C67391FF85211F39894AE0C5D7044CA3ADA928B92

Function 07FBB660 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b736ee52c9bd625db756955ed38fa078d2ec462151d77b4049bdd3a9efe8fbb5
Instruction ID: 75100509c7a3b744a71fb539522887c39383b5d170df7798c281b3ec5ec6e489
Opcode Fuzzy Hash: b736ee52c9bd625db756955ed38fa078d2ec462151d77b4049bdd3a9efe8fbb5
Instruction Fuzzy Hash: 86D017E616E284EFC22646A394241F57BA7D94F204B1D44CBC98A8B0A2C906CE264763

Function 07FB74E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f739394897c7a7e242904d80673112031ea3f6cb0d514370ff78e27cbc0d77ff
Instruction ID: eb8e107a0210550053ca31765f59354c5c0ee66c71f8001ca56740576783b65a
Opcode Fuzzy Hash: f739394897c7a7e242904d80673112031ea3f6cb0d514370ff78e27cbc0d77ff
Instruction Fuzzy Hash: 00E092B4109241CFD311AB74C8656AA7BB1EF86204F18C4CBD0968B393CA30E80AC762

Function 07FB0C00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea90a37c8a68b50b1e64745fb491a8a94b53508b01e7cb2ba689efd850ae2036
Instruction ID: 20b6d63144fa50194897a650b4b97ceeee905b74a53c74f60fa3b767a50cb0a9
Opcode Fuzzy Hash: ea90a37c8a68b50b1e64745fb491a8a94b53508b01e7cb2ba689efd850ae2036
Instruction Fuzzy Hash: A8D02EBBAA912086DA70951ABDC23DA3381FFDA301F3D8C46E080DB044C93AD88A4241

Function 07FBB6A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88083653530d31b20326276a794fdcdf98c7a2e2297d6703b4960c6d7a91888d
Instruction ID: 0966de3d73ffcf529402972cb7d3cc5a9675ed169f5af498ab0094a27a4e5664
Opcode Fuzzy Hash: 88083653530d31b20326276a794fdcdf98c7a2e2297d6703b4960c6d7a91888d
Instruction Fuzzy Hash: 38D0C2F2628208EB8330CA5656125A236AB9B4E300F1440D59A0AD7684EA61DC0147E3

Function 07FB9300 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0754c90de9114a23bbcfca12c7dac67293e535401c6f3fd13c5dc8bad5c213b
Instruction ID: 9ed01af509889ae2bb9efe4a2103a869323f870531ecbf71e24f67b205b91c1b
Opcode Fuzzy Hash: f0754c90de9114a23bbcfca12c7dac67293e535401c6f3fd13c5dc8bad5c213b
Instruction Fuzzy Hash: 38D012F332C114C7C934D27354287FA72AD5782604F5C0012530B855E6E9E9F809A163

Function 07FBAEC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba1fe2aa2908c01f82ff429962f630a58529f3c6fc7d043a06e5d71edb7e473
Instruction ID: 246be8d70cefb1ef3ee8e49d6937d80bc6cc5c202212bdccfb2f4659b00576b3
Opcode Fuzzy Hash: 3ba1fe2aa2908c01f82ff429962f630a58529f3c6fc7d043a06e5d71edb7e473
Instruction Fuzzy Hash: 5ED017E3A3C148EB4270DAEB54000F6B6D8A28B241F08C893989B97A01DA62E8009793

Function 07FB9898 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66416c00f774c7d5c5852db2419a314611abe089b7d88caa7955b152df8f5350
Instruction ID: a82dcb579c2b31b4a3c31cfbe563d2fee47e67ebff148ff30be0a2fbca36d1c3
Opcode Fuzzy Hash: 66416c00f774c7d5c5852db2419a314611abe089b7d88caa7955b152df8f5350
Instruction Fuzzy Hash: 4CE0C2D786E2C5E9D311C2768410AD6BF74AB13310B1D41A7E3C6A9043D054A9089273

Function 07F9FA40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction ID: eefd10299b76a5c9729b716a342827f11c8d409556fd4e64fe323cde77483fd6
Opcode Fuzzy Hash: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction Fuzzy Hash: 41E0C270B007248FDF14AA28D404A1A33D9BF48654F050069F946C7760DFE0DC408BC2

Function 07FB9938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafc2ca52007d3326f618c8d9b348dd57b7c9a13985693ff8c95e6503c6eed45
Instruction ID: f0d52cec4b8cceb311f6a8119e2d52472c938cc4c901195c23aaf8570d4ad05e
Opcode Fuzzy Hash: aafc2ca52007d3326f618c8d9b348dd57b7c9a13985693ff8c95e6503c6eed45
Instruction Fuzzy Hash: 34E06DB1949246CFCB21DF74C850DE9BB767F41308B08C456F6A11B152C771E855CB81

Function 07F97D20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24530336ae52a253f84de7a08ecd244f9d72c11d6d0772181c52cea2b690fa61
Instruction ID: 434a130941146eddbf86036db385dd8fd6a99813234397d6339b5bd5850e39e3
Opcode Fuzzy Hash: 24530336ae52a253f84de7a08ecd244f9d72c11d6d0772181c52cea2b690fa61
Instruction Fuzzy Hash: 2BE0C2B0600210DBDB006E74A5087EB3B999B55326F08403FE808C9255CB3A8963CBE4

Function 07F97C97 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7beb2e80e361893f96b8032cbe9e73b1616dda599da60e8c45812f604697d03c
Instruction ID: a8f3fe8af997ddcc471ed4e4871b86fe9c66bd0d336da6afd11708cc05e345d4
Opcode Fuzzy Hash: 7beb2e80e361893f96b8032cbe9e73b1616dda599da60e8c45812f604697d03c
Instruction Fuzzy Hash: 57E0C7313091609FC3089B68A0888D87FB9CFAA220B0000ABE808CF322CA228C03C3D0

Function 07FBEF08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d73f34ba59b06beb0c0503e86f0e13ce964e8745bdc8c804812634167ebbfc
Instruction ID: bbd105f334470b2ae3e7606a3fe88e4da693ca5688c3a0a040eaf6430422576a
Opcode Fuzzy Hash: a8d73f34ba59b06beb0c0503e86f0e13ce964e8745bdc8c804812634167ebbfc
Instruction Fuzzy Hash: 27E046B0D00209DFD740EFBAC904A9EBBF0BF08300F1484A9C029E7211E7709A048F80

Function 07F9A770 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc862b152a5d05d6080eb0d1b704296c58e1986db97963c58f6301926b0138d
Instruction ID: dad4240d01c34d0ee262a29af9a8845c376b700bff3765be57b82d3f60acb0ed
Opcode Fuzzy Hash: 0cc862b152a5d05d6080eb0d1b704296c58e1986db97963c58f6301926b0138d
Instruction Fuzzy Hash: 9ED0C92A00E3C18FE7830BA498313903FF85F13111B5981EAD2E48F463E6580956DF2F

Function 07F98667 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcad010d01d93c84c969b4d8f0b5909276864d401638010befab83c3e3331ad2
Instruction ID: 7e85fb12bbb640f83aeff90c0bb2b4e7c641427edb0272ad0921d987751017ba
Opcode Fuzzy Hash: fcad010d01d93c84c969b4d8f0b5909276864d401638010befab83c3e3331ad2
Instruction Fuzzy Hash: 9DE08C32208600CFEB159B28A4147E67796EF86246F2904BED08A8F791CB325C42CB92

Function 07F9D330 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40373b0f55748bbd0ab52897acfbc643c5e1d87bb30d0186dc32115b4c5383bc
Instruction ID: 54099dbbd0dfbad93c10c2b85ae0e7d57ebb6698a880841332204a08c58c5699
Opcode Fuzzy Hash: 40373b0f55748bbd0ab52897acfbc643c5e1d87bb30d0186dc32115b4c5383bc
Instruction Fuzzy Hash: 14E0E23180110DAFCB00DFA8D8448ADBBF5EB48201F5085A6ED08E2251E3319BA8ABA1

Function 07FBB8B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4970731df5657d574dcf264f773721e29c40ad30ac2a2caf275a584aad875817
Instruction ID: 00cb7f767cd8b08942983cf3cc5cabd2dbeb0e2ab6562d8084a82204b012b897
Opcode Fuzzy Hash: 4970731df5657d574dcf264f773721e29c40ad30ac2a2caf275a584aad875817
Instruction Fuzzy Hash: 6AD0C9E701D6989BC6231662A4590E57B346D03110B09009BEA1E95972C508CE2782A3

Function 07F96F68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a441260b5edc9ddae346699c6bec842e02fa9829e485338ec43ff9b6ff8c862
Instruction ID: 05dfbee717c8358aa2afed7c3a33a57c22c8910cc375a1643f0081288fd98553
Opcode Fuzzy Hash: 5a441260b5edc9ddae346699c6bec842e02fa9829e485338ec43ff9b6ff8c862
Instruction Fuzzy Hash: 2BD0C972B4492A439E1E3798B82957D7659CB85A16748007AE91AC7280EF690D1202CE

Function 07F9C140 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a91273638531fd54ce438c2e3683377a4b25f27cd5ae489e9b07ce176511e5
Instruction ID: f9087ee408d19d2d69429232f1985250330a845c64c779b20d40eac2f6775c2b
Opcode Fuzzy Hash: 00a91273638531fd54ce438c2e3683377a4b25f27cd5ae489e9b07ce176511e5
Instruction Fuzzy Hash: 0FE0E27181060CDE9B40AE79D9441A9BBE8AB16261F40C53AE80C9A110EA31E2E8CB95

Function 07F92121 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53754b22529acb638c8fee2d4f147812d0c5a2e4b9d45f38a2a232de66b5fec3
Instruction ID: 11c3eda6201a0e4dec48f64c17ce7e2cdf5fdfb04b0da10e04903746dae18b64
Opcode Fuzzy Hash: 53754b22529acb638c8fee2d4f147812d0c5a2e4b9d45f38a2a232de66b5fec3
Instruction Fuzzy Hash: 44D0C27560020ADBEB14AE34D808BB637A5EB00614F10847AEC0187242E775E8918610

Function 07F9C808 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e550d9e49878920c59bb2a4621ea24db65a3cedffc74d85298d7945ae08d7ca0
Instruction ID: 8716c7ae8464747e5aa16d175b13301e1a225789da3e26b3a6cc6b47d5572c0b
Opcode Fuzzy Hash: e550d9e49878920c59bb2a4621ea24db65a3cedffc74d85298d7945ae08d7ca0
Instruction Fuzzy Hash: 6FD02B32508644AFCB219F60C800A42BFE8DF46310F18C05EE0CC4B111E2B2D461DBD2

Function 07F91DAC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36435f9dac3cbb39b723d7d3c42eeda738970ee6519ac62b0b526eea78ee0244
Instruction ID: c0c7c66ab0141cb55b10ca963a4c6d443004f428ef7ddc0a56e30f1d06de0249
Opcode Fuzzy Hash: 36435f9dac3cbb39b723d7d3c42eeda738970ee6519ac62b0b526eea78ee0244
Instruction Fuzzy Hash: 00D05E31164704CFD700EF2CD8458657BA4FF46705B050992E109AB221EB20F8548A45

Function 07F9C0F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12de1aeb52cbc178c1f8d91024a4f9a9dd54e0eb43f1442ddc324a6b74f26a34
Instruction ID: 6b8b98019f1fef1bc7be6c471fe9d6b1dafb8a838d7125657259c219072c6174
Opcode Fuzzy Hash: 12de1aeb52cbc178c1f8d91024a4f9a9dd54e0eb43f1442ddc324a6b74f26a34
Instruction Fuzzy Hash: 2CE0C7724207008FD700BF28E800A95BBF4FF05310F000A88E0806B221F724EE408A00

Function 07FB9118 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1c639ba94598b2f00a3e5f31a25e91f0180074db671faa6468ba5deda19591
Instruction ID: 13f5695ee7061bd279f54cecb152c3ae9478afbf4786ba1c4a7dfdba758e8809
Opcode Fuzzy Hash: 2a1c639ba94598b2f00a3e5f31a25e91f0180074db671faa6468ba5deda19591
Instruction Fuzzy Hash: 3CC08CBB02A2826FC70317A0AC118C2BF60BE2723830A81D3E040DA87384088B2C9373

Function 07FB5E41 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffba3a02eae1eb4b0f91bd74ab5d428d87ce047e9ae7d5a76cf27fe5eed4b327
Instruction ID: 830953992e8543a98ecb6c4aa082cb359361bd0d897098a90ee26542ac0dafd4
Opcode Fuzzy Hash: ffba3a02eae1eb4b0f91bd74ab5d428d87ce047e9ae7d5a76cf27fe5eed4b327
Instruction Fuzzy Hash: 93C0127B06D7C59FC22706A3382A0F63F280883960B0900E3E18ACB12692084A6883B3

Function 07F98678 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1e259476b800e9677105af8778369339d4784880b570575834436154a87335
Instruction ID: ade72bf8cf28dea5ac051a25ccacb55619fd2f19b6c59855e1c2c09aa33251c7
Opcode Fuzzy Hash: 9c1e259476b800e9677105af8778369339d4784880b570575834436154a87335
Instruction Fuzzy Hash: 71D0A731204310CFD7256A25E414B967399FF87351F54407EE44A877908B756C41CBD2

Function 07F98610 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8b2932ae9c99d614c59d5a0407c0896f754fde2ddcc3ccc42e9e358575cf27
Instruction ID: f04df7cb623d0d43de3e5496549d013a40c6cea2490b7ce05cfd3a401ab76714
Opcode Fuzzy Hash: cc8b2932ae9c99d614c59d5a0407c0896f754fde2ddcc3ccc42e9e358575cf27
Instruction Fuzzy Hash: E5C04C72714625930B19315EB8148AE7A9EDACEA71319407BF71DC33509E955C1243EA

Function 07F97D30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2ab6f0b812f523fa9710de108b92d0d131572e5dd4da0571b5da0862582730
Instruction ID: 01af61f7ba7dcef01a96c5c5d825de576a9d776eccbf27426af898e38f173c4b
Opcode Fuzzy Hash: 9b2ab6f0b812f523fa9710de108b92d0d131572e5dd4da0571b5da0862582730
Instruction Fuzzy Hash: A7D0A9B1700224ABDF042E65A4086FA3A98EB42662F088036E909C2280CF398C41CBE4

Function 07F97CA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe463fadac615cfd445cc02b199162a5ab008d10cb2fe64eef3d37e0eea3950
Instruction ID: 8923a6b35b0fc3fc06b3ba352e02dd0ddce2129ac2e565b1e578b04815ac75ec
Opcode Fuzzy Hash: afe463fadac615cfd445cc02b199162a5ab008d10cb2fe64eef3d37e0eea3950
Instruction Fuzzy Hash: FED0C9327441249F8604AA58D800CAD77ADDB996613414066F905CB331CA61EC52C7D4

Function 07FBB670 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7408e9a2c2f0931a6b39c36d237aaf0bfb44f61bb0bd991bf3276036be11aa9
Instruction ID: 383b927a05b73ac847a626f16eb9c467da22a74c64ec98284f46775010fe8eb1
Opcode Fuzzy Hash: a7408e9a2c2f0931a6b39c36d237aaf0bfb44f61bb0bd991bf3276036be11aa9
Instruction Fuzzy Hash: 34C012D327C208EA0538519798341BA328F968F200F2804C28A4F81181CE02CC2009A7

Function 07FB9820 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee08c6c9abbbc932863cc81744f57152d6ce7bec4591f978f4f6f67fd47b872
Instruction ID: eb09c9399d27af6e429248f621fc24dbe7282d6437f458c6c76e270ab3230df5
Opcode Fuzzy Hash: 4ee08c6c9abbbc932863cc81744f57152d6ce7bec4591f978f4f6f67fd47b872
Instruction Fuzzy Hash: F2C08C0F12D7C04BE303423098119D3BF30595362535E42A3D18194083C0040B0CF233

Function 07F938B8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe29197c6b3c6917c816665541202eab55241ecefdab48167b1bbfab2c31b09f
Instruction ID: a587f7aeb8f1eb3f2e29e9f86e66af6ef7ed8cdc907a2df40502c6227ddcea83
Opcode Fuzzy Hash: fe29197c6b3c6917c816665541202eab55241ecefdab48167b1bbfab2c31b09f
Instruction Fuzzy Hash: A3D0123724010D9F9F40EEA5E840D52B7DDFF146007448832E504C7121E621E434D752

Function 07F9E2B1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d03295248877a0f2999bb4026c14b2685b967bc80f31b0a7b9dbbda376616fd
Instruction ID: 02f0cf80db04cd5b5af0b85957f96969a777069b8e9d98e646fa90fcc6e0315e
Opcode Fuzzy Hash: 0d03295248877a0f2999bb4026c14b2685b967bc80f31b0a7b9dbbda376616fd
Instruction Fuzzy Hash: 61D022A1C886000AE302752028420EC7B20EE93104F4202B5CC810A180F958217F93E3

Function 07F9E2D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1dfe97dbda6ffd218048a58dda5343ef0dfc92b7db7a4b372664413d209632
Instruction ID: f9a92816527e0fc032a5532fbc30c6ab8de935280589c84544acc5d0a9aed323
Opcode Fuzzy Hash: 7e1dfe97dbda6ffd218048a58dda5343ef0dfc92b7db7a4b372664413d209632
Instruction Fuzzy Hash: 93D05E35104144DFCB11DF64D099EEA7B62EF94328F248099E8855B623C233E827CB01

Function 07FBD9F8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e8f85bf15dff4d3c91c07fe4a912dedaee17b68f281daab6626c4a801b7b2f
Instruction ID: 0523470e25165b0d29ed7fb7162990768e070671a00dcafb07d85c65a513a733
Opcode Fuzzy Hash: b2e8f85bf15dff4d3c91c07fe4a912dedaee17b68f281daab6626c4a801b7b2f
Instruction Fuzzy Hash: A8C04CF02467158BC6147B95B90D36CB7696B05356F588114A60942551ABB05450CB56

Function 07FBB8C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237d18ecf9dcbaff23d6303f92e62021c93380f5050ed5f0d712dc5cf74424ed
Instruction ID: 9930a979609d2430c52cae1a610fa10583dcfaab280227780fceeb168c3b97bf
Opcode Fuzzy Hash: 237d18ecf9dcbaff23d6303f92e62021c93380f5050ed5f0d712dc5cf74424ed
Instruction Fuzzy Hash: 2AB012F703CA0CC608712187601D4F9335C7E03600F4C005DE30F10C720A01D87340D2

Function 07F9E2E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 07FB6DAC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dfc35bd3b9e7052a2279a5275d53992a09ddbb8928bfbbd4500a096fa37a21
Instruction ID: 55e724f8baa0466c7127027d6889aed91aeaf5b53295ba3632e95c57904f7b22
Opcode Fuzzy Hash: b4dfc35bd3b9e7052a2279a5275d53992a09ddbb8928bfbbd4500a096fa37a21
Instruction Fuzzy Hash: DAB012F6178312E65440A6F44E44F3E7840FFB3700F588C3633CA40000C860E468E21B

Function 07FB5E50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953912965.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7fb0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2008f6537dd68a73c3141bd5bbf80a7ca2f065d6e759d191b460618d13e0fbfc
Instruction ID: b6b7b663d3a3a977c8c3779efb1b6673b894c5f9fbfb1a44d45ac552e8916854
Opcode Fuzzy Hash: 2008f6537dd68a73c3141bd5bbf80a7ca2f065d6e759d191b460618d13e0fbfc
Instruction Fuzzy Hash: 77A022BB0AC30ECBC23022C3302E0BF332C0882F00F080022E20F038002BACE8B00883

Function 07F9A160 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fccc4322a9f467b1ae874513bbd68112b9145b8a128d45893c8833a6b1aca22
Instruction ID: 678ebd3c6406fcb8583c51dac6a7d1fab9a06b00bfaada98bd496135015cf7ad
Opcode Fuzzy Hash: 3fccc4322a9f467b1ae874513bbd68112b9145b8a128d45893c8833a6b1aca22
Instruction Fuzzy Hash: EDB092718103028BEF508E008204380B7E0AF90314F200809C8C084021B3301589EF11

Function 07F9882A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8266b115306833af6e6c815c137698c9554869b59df6aa1cb6f3fb2cd6bb580e
Instruction ID: 13edfd8ee37e240c72d29fee6dd96c9835cf771aab2a6cd73550fd83ae91f822
Opcode Fuzzy Hash: 8266b115306833af6e6c815c137698c9554869b59df6aa1cb6f3fb2cd6bb580e
Instruction Fuzzy Hash:

Non-executed Functions

Function 07F9DAA0 Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07F9DB54
4'dq, xrefs: 07F9DB31
4'dq, xrefs: 07F9DAEB
4'dq, xrefs: 07F9DB0E
4'dq, xrefs: 07F9DB77

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2424647854
Opcode ID: 689177816276990fec2a46f0228f02fa5cd6624091f2a66238c73862f31ed687
Instruction ID: 85d5641c8c2fd4684817efc910b9d1a736a0bb8d6117eb1864a3f89db9bd27fb
Opcode Fuzzy Hash: 689177816276990fec2a46f0228f02fa5cd6624091f2a66238c73862f31ed687
Instruction Fuzzy Hash: 6F213270A0021A9FCB48EFA9D4516EE7BF3FF85301F5045A9D105AB3A9EB306E458B91

Function 07F9DAB0 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

4'dq, xrefs: 07F9DB54
4'dq, xrefs: 07F9DB31
4'dq, xrefs: 07F9DAEB
4'dq, xrefs: 07F9DB0E
4'dq, xrefs: 07F9DB77

Memory Dump Source

Source File: 00000014.00000002.1953592064.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7f90000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2424647854
Opcode ID: 79536eb733a507f0dd630aba6cf60a4869067bd36d8458386a3982f20c94cf22
Instruction ID: e2b97aa13a2e9490d782ebfd2de96f6303c54b4a60f2192d7713fe83b43e0c09
Opcode Fuzzy Hash: 79536eb733a507f0dd630aba6cf60a4869067bd36d8458386a3982f20c94cf22
Instruction Fuzzy Hash: 26214270A0011A9FCB08EFAAE5515EE7BF3FF84301F5045A9D105AB3A9EB302B45CB91

Analysis Process: NotepadUpdate.exePID: 7904, Parent PID: 7704COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	194
Total number of Limit Nodes:	5

Executed Functions

Function 080F7719 Relevance: 8.9, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRdq, xrefs: 080F786B
$dq, xrefs: 080F789F
8, xrefs: 080F77B3
LRdq, xrefs: 080F7877
$dq, xrefs: 080F7893
$dq, xrefs: 080F7790
$dq, xrefs: 080F7784

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8$LRdq$LRdq$$dq$$dq$$dq$$dq
API String ID: 0-252008424
Opcode ID: 6d17847f72a1c190301a7c18117dbf5e27bb6ca366518e850fb3740a93e8bb5c
Instruction ID: 33e51b47ed3dbb4f3f18dbee363cd15275c96337f0af1807b6a4424e88a23c98
Opcode Fuzzy Hash: 6d17847f72a1c190301a7c18117dbf5e27bb6ca366518e850fb3740a93e8bb5c
Instruction Fuzzy Hash: CC31A030B55245DBEB589A6CD81177E72A3EF84702F24C47AEB069BAC3CA748942C753

Function 080F62D9 Relevance: 5.3, Strings: 4, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 080F6994
phq, xrefs: 080F6701
4'dq, xrefs: 080F66B4
R, xrefs: 080F65A0

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 4'dq$F$R$phq
API String ID: 0-3172865906
Opcode ID: 3d8701e655df4bcfd3e7f46594c3b110cda933e2dd402734b962167098ae5f8a
Instruction ID: 72685ca9fed983b25567045a17469a175499010865c57dbfa336bc0b122a1ace
Opcode Fuzzy Hash: 3d8701e655df4bcfd3e7f46594c3b110cda933e2dd402734b962167098ae5f8a
Instruction Fuzzy Hash: 54D11576600504EFCB46CFA8C984D68BBB2FF4D315B1680A8E6199B672C732EC55EF40

Function 080F8600 Relevance: 3.8, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 080F8727
8hq, xrefs: 080F866F
8hq, xrefs: 080F867F

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8hq$8hq$8hq
API String ID: 0-1838490158
Opcode ID: 2be1d334832a6d08ba056756e0b4be55d02e0ea74dc71a8883a9633cf8c7df14
Instruction ID: ae827efe373bdba2a0db7c7eaf419f960a510123625ca6d5e958433eb691d733
Opcode Fuzzy Hash: 2be1d334832a6d08ba056756e0b4be55d02e0ea74dc71a8883a9633cf8c7df14
Instruction Fuzzy Hash: 7B31B774F04209DBDB049A5CD951AFE76E3E788342F10C47AD726A7B92DB748D028BA1

Function 080D681A Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 080D68AA
Hhq, xrefs: 080D68F3

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: 0f55670d4bf06858c39363f084625bd3ff57f27e56dbdc27b9143e8095dae27a
Instruction ID: 9e4ccfebcfc6e5a5f137c8a22a38f62fdd244e1edad4b2cdc2012b63dff1ffd5
Opcode Fuzzy Hash: 0f55670d4bf06858c39363f084625bd3ff57f27e56dbdc27b9143e8095dae27a
Instruction Fuzzy Hash: B7519B347007108FCB54AF79C85895EBBE6AF99611B1985ADE906CB371EF32DC028B80

Function 080F85F0 Relevance: 2.6, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 080F8727
8hq, xrefs: 080F866F

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8hq$8hq
API String ID: 0-601589740
Opcode ID: c684a1651a7b684e90b596c4cfbce16b1dc700b4feef08e35668619fb769b679
Instruction ID: ba52a7a72e74b95005f7545d385f612cb110812d4a2eb81d2f80320b8fffbbf2
Opcode Fuzzy Hash: c684a1651a7b684e90b596c4cfbce16b1dc700b4feef08e35668619fb769b679
Instruction Fuzzy Hash: 4531D970B08205DFD7019A5899506FE77B3EB89346F14C47AD726A7BA3D7348D02CB61

Function 080F7660 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 080F7686
$dq, xrefs: 080F7692

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 1ad16f2ca49a6dcd7a2c4e0b789fd8a29d649156494c30d6a17c33c3d39b944f
Instruction ID: 1dccc3fce67ec19f9c47a61cad0bde2e04eecf5f7d223ed85d399c6ebe18d6ea
Opcode Fuzzy Hash: 1ad16f2ca49a6dcd7a2c4e0b789fd8a29d649156494c30d6a17c33c3d39b944f
Instruction Fuzzy Hash: 8021087060A2C0CFC356DB6CD90066A7FF2BB09206B1581BBD509CB963C7308C45CB63

Function 080F773F Relevance: 2.5, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 080F77B3
$dq, xrefs: 080F7784

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8$$dq
API String ID: 0-2343709646
Opcode ID: cedad065e5c642d77cd98f31152933d666ea555b5c84c588509dbbfbb72e8b7f
Instruction ID: 09d1954de93b9a55ace88c680901b099028515429c1989d04a396ab8a3d2c689
Opcode Fuzzy Hash: cedad065e5c642d77cd98f31152933d666ea555b5c84c588509dbbfbb72e8b7f
Instruction Fuzzy Hash: 60F0A470755345DBFB148A24D856B9C7772AF40711F15CC69EA015EAC2EAE04891C752

Function 080FE400 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Tedq, xrefs: 080FE49E

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 5aa4938e8d399f9700dd46108d781ea5444ef550e3edeb455960cd6481129b22
Instruction ID: 57d02e1bf1a0e9b670363532a09fcfda6224f27d445ee78e33cee0754e489a4a
Opcode Fuzzy Hash: 5aa4938e8d399f9700dd46108d781ea5444ef550e3edeb455960cd6481129b22
Instruction Fuzzy Hash: 3371B2B4E04218CFDB08CFA9C844AEDBBB6BF89301F149029D519AB765DB71A945CF50

Function 080F653C Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

F, xrefs: 080F6994

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 09bfd178a844ed31bded0ffaa697a4af2fe9f6bafd01ef3601a29d2f9bacefe6
Instruction ID: ff87414f46ccbac54d3a1b68a34c861fd3068af86c7d070999fd7785b2643030
Opcode Fuzzy Hash: 09bfd178a844ed31bded0ffaa697a4af2fe9f6bafd01ef3601a29d2f9bacefe6
Instruction Fuzzy Hash: A4519D30A09204CFCB04CFA8C994AADBBF6FF59301B1585AAD5169F662CB32ED01CB10

Function 080F81F8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

$dq, xrefs: 080F821F

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: $dq
API String ID: 0-847773763
Opcode ID: 2a4ed4410801d157778cfaa02bd3410ba501f44476c59b7e9b92020422dae439
Instruction ID: 88adad3250caab106970360d48076c582a51e118976058fa21bf5b51f4c3dbb4
Opcode Fuzzy Hash: 2a4ed4410801d157778cfaa02bd3410ba501f44476c59b7e9b92020422dae439
Instruction Fuzzy Hash: CC21F53060EB80DFC3929668A5101ED3FE35B47207B18C4FBC24A9B953D235A906C762

Function 080F9150 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tedq, xrefs: 080F91BB

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: f1acae655f2fdada8780dc30f7b3921f841cd45bbc283a9a818c6fcd47ba8b0e
Instruction ID: 98d7eb22d0c20096861995bd65a4437d0316be7c5a3e8d99b908cf1f01d3970d
Opcode Fuzzy Hash: f1acae655f2fdada8780dc30f7b3921f841cd45bbc283a9a818c6fcd47ba8b0e
Instruction Fuzzy Hash: 7F111C75F002198BCB54EBB999106EEBAF6AFC8351B108079C514EB355FB319E05CB91

Function 080F69B0 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

I, xrefs: 080F69C4

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 88f1424be1ef9946dd3681b01ce3e381fbffc0cf579378f6bea4937a7aa12c96
Instruction ID: 6173503aa39a064c3c3d681f91f04e4ee63309b2f77e098c75b0e16fa98e99c1
Opcode Fuzzy Hash: 88f1424be1ef9946dd3681b01ce3e381fbffc0cf579378f6bea4937a7aa12c96
Instruction Fuzzy Hash: F9D02B2540F388CFC303CF20990105C3F32BB2310A70845E7C5A457513C6270E0CCB52

Function 080F7B29 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

(, xrefs: 080F7B3C

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 64528e5cd365a112ac72453ca815ac048d96676924f534cdbaead01a41473fd9
Instruction ID: 459777161452e9c312b86eca0e085c4d6c2b299d41a1e6439dc016526a1a7345
Opcode Fuzzy Hash: 64528e5cd365a112ac72453ca815ac048d96676924f534cdbaead01a41473fd9
Instruction Fuzzy Hash: 34D0172150E6C59BC702DFB09A61268BF316E53105B098AD7C0985B993CA221E289792

Function 080F69C0 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I, xrefs: 080F69C4

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction ID: 502e4ccb9312b8d3c6d030a678951e3b9eae50b345b3fe05976e72356b10b990
Opcode Fuzzy Hash: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction Fuzzy Hash: E4C08C7160E20CEBC640EB88D80156DB3AEE720216F0082B6CA2D03A02CA332E149282

Function 080F7B38 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

(, xrefs: 080F7B3C

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction ID: cdfcb659921eafacca2db6981d7b716cd026df2d2a072b870bbd100b20e79a3a
Opcode Fuzzy Hash: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction Fuzzy Hash: E4C08C2040920CE7C740EF9AE80167CF3AEAB12116F0082A6CA0903A03CA322E105283

Function 080F6388 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 080F638C

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 8eab967c9deff04ac45af732901f7d73c53c362dadab9714cd28b3458534d2d8
Instruction ID: 736b2e93b57e1c7ad07aa8dd350ccc9c580d5dd044c0bfd6139a3d49574c1f04
Opcode Fuzzy Hash: 8eab967c9deff04ac45af732901f7d73c53c362dadab9714cd28b3458534d2d8
Instruction Fuzzy Hash: 5CC080B040810CD7C700DB85D40653CB7BEE700312F004099D50D43541D7B62E005A91

Function 080F6383 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 080F638C

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 28f8bc829383410856d024d147984c1fa3404f44ef8de3e715500beb2775350f
Instruction ID: fa83492e17c67876e218d0a36d23d75f7ae729dbd1178febec5079cad5165fb1
Opcode Fuzzy Hash: 28f8bc829383410856d024d147984c1fa3404f44ef8de3e715500beb2775350f
Instruction Fuzzy Hash: 07C012B1905008C7D700CA84E6462FC7772A760312B14459AD51D57641D7761E009E40

Function 080F1798 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf894d0d7c88e37323bae3d1a6171b6125622046845e9dca2319c0d0b281670a
Instruction ID: 74b3254e0d4020373fea3c0b88abc8871671f68865bf5880f5e3bb7856d8db7b
Opcode Fuzzy Hash: bf894d0d7c88e37323bae3d1a6171b6125622046845e9dca2319c0d0b281670a
Instruction Fuzzy Hash: D242E330D00619CFDF15EFA8C8446ECBBB1BF49300F5186A9D5497B265EB30AA99CF81

Function 080F01D8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8984df352a8471698fa72c749076645571fc375bd0d6c8a8fb3d5c8e09a2d2be
Instruction ID: 9534581d2749ee62531c3a247c5ed87d265bd1da933a11fa52491347ee1e402b
Opcode Fuzzy Hash: 8984df352a8471698fa72c749076645571fc375bd0d6c8a8fb3d5c8e09a2d2be
Instruction Fuzzy Hash: EDB19D71A01609CFDF21DFA9C8446EEBBF6FF88301F24846DC509AB652DB719851CB91

Function 080F4830 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49b962de99370fbcae779d55174246d0bf21cbfa5d6236a7c5d84a22270fd7f
Instruction ID: 0ef6d3441365ccabc51f7ad72548d14253d8bcfb0a082099522dc35091128eab
Opcode Fuzzy Hash: e49b962de99370fbcae779d55174246d0bf21cbfa5d6236a7c5d84a22270fd7f
Instruction Fuzzy Hash: 54F1EB71D1061ACBCF10DFA8C854AEDB7B5FF48300F1196AAD959B7215EB30AA85CF90

Function 080F481F Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67918ed0be18e0f7bda793d6e5c2521607c62d9842aa5f516e562023f6a8125
Instruction ID: 565a7797e90a3ea856c654ee688ca17c3da3b0eb5c1012dd20eea33f5b461377
Opcode Fuzzy Hash: e67918ed0be18e0f7bda793d6e5c2521607c62d9842aa5f516e562023f6a8125
Instruction Fuzzy Hash: AEE1EA71D1061ACBCF10DFA8C8546EDB7B5FF49300F1196AAD949B7215EB30AA89CF90

Function 080F4E40 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a632fb93f7d62e4d16d9da50e0d44e2f9bb47391430e5734535c537bee7575
Instruction ID: 7fd19efe3f9a3f9f011f936f39d5d0294ebcb553e28c382889ce321f6fd2075a
Opcode Fuzzy Hash: d4a632fb93f7d62e4d16d9da50e0d44e2f9bb47391430e5734535c537bee7575
Instruction Fuzzy Hash: 57C16D31A00619CFDB14EF68C854AADB7F2FF85305F1485A9D506BB361EB30AE85CB91

Function 080F3978 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5980d4d730f2918eaca00c3b14591d5018ca047a72f7a136222c72f5f33c1050
Instruction ID: 7572a865fe0d258ee47e8d369204de27ea87eee85a147c78221b91388b5b927c
Opcode Fuzzy Hash: 5980d4d730f2918eaca00c3b14591d5018ca047a72f7a136222c72f5f33c1050
Instruction Fuzzy Hash: 2A818030A10609DFDB11EF69D8586ADBBF2FF44311F128069E245AB7A6EB30D965CB40

Function 080D78A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01817d23a28792a9b4fb3890fdba13d87e903e9d6b0251d4e0625b388a3644e3
Instruction ID: 19c3779d13e2765a578c71bffe9323fa042e61aae88127dd0c0d8d9670d0e109
Opcode Fuzzy Hash: 01817d23a28792a9b4fb3890fdba13d87e903e9d6b0251d4e0625b388a3644e3
Instruction Fuzzy Hash: 33716C31A01709CFDB14DFA9C8546ADFBF2EF89301F10856DD856A7350EB349A45CB90

Function 080D90D1 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32614824c6d1b8afa9a27cec8c4e9bbc9509f443e55bd3dd432f4e867d51aff
Instruction ID: 39ac0233ac22a92ffa204e2c524ea69ee9ee12c3aba243ad5ff2d8b3605f489f
Opcode Fuzzy Hash: a32614824c6d1b8afa9a27cec8c4e9bbc9509f443e55bd3dd432f4e867d51aff
Instruction Fuzzy Hash: DA81EA31A1470ACFCB00DF69C990999F7F1FF99300F25C659E559BB211EB70AA95CB80

Function 080F0B34 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2637fb09be2a65af5bd8984de1fda32faf5bff9f482309abc44445944db3e43
Instruction ID: 115b59a4025dc3c3980ca7b1c88619be0ac6f5b06ac8dc0d3f0ed16e33493d21
Opcode Fuzzy Hash: e2637fb09be2a65af5bd8984de1fda32faf5bff9f482309abc44445944db3e43
Instruction Fuzzy Hash: 3B41C470E04516DFCB43AF68C8586EE7BF2AF44742F54843AD602E76A6F635C9118B80

Function 080F9373 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb70136ecdc19a519fd19184c63bd44f1a036bd488cd6806a3c77179b2e9fc6
Instruction ID: 6acbf55715c70a8dacf5002274e28e8c205762136e71f46b190e216494042b7e
Opcode Fuzzy Hash: dfb70136ecdc19a519fd19184c63bd44f1a036bd488cd6806a3c77179b2e9fc6
Instruction Fuzzy Hash: D7419231E04209DFDB518FA8C890BAEBBF2AB44702F04C439E3179B692C7749946CB51

Function 080F1587 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c96bb503d9bec3107baf2bca7923ac2d2a82763658b72b2aa7f1317d5d29ee5
Instruction ID: 6b5dbea8c74b8f9dd7f28c548a86ed3b563bf77be4281201fe30164daefe9e18
Opcode Fuzzy Hash: 0c96bb503d9bec3107baf2bca7923ac2d2a82763658b72b2aa7f1317d5d29ee5
Instruction Fuzzy Hash: 7C41D671E0051ADFCF03AFA8C9596ED7BF2AF44742F58843AD606B7667F63489118B80

Function 080F0C10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43c05adba57a429fe5ad0f65ae4447d7a7d75513616b737f5a510e6c1df13f9
Instruction ID: 7ad9189ad1c135fac7b6beeb662ef028092c9b2cd84b012235b7fa2d156df446
Opcode Fuzzy Hash: d43c05adba57a429fe5ad0f65ae4447d7a7d75513616b737f5a510e6c1df13f9
Instruction Fuzzy Hash: 75417730A012089FDB14EFA8D850AADBBF2EF89311F158569E501FB7A1DB74EC41CB90

Function 080F3768 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7eca8f8dfcb6368d31c64a40dc6cab61500b86210be20244cabe0e3a40985e
Instruction ID: 18454af42fbe4520d83e1daa3517f800fd487d4b0fd0e7787a28fe05c1ac8369
Opcode Fuzzy Hash: 4a7eca8f8dfcb6368d31c64a40dc6cab61500b86210be20244cabe0e3a40985e
Instruction Fuzzy Hash: 15418834A012089FDB14DFA8D850AADBBF2AF89311F158169E541BB3A1DB34EC46CB90

Function 080F6165 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024524f14378955e97d9274b7138e119c1ff070fa1cc1d40e6795c0178b07d23
Instruction ID: e4c176d316d231c99c4fbe3dca437d9505fe9916d588f26d23b601b4ebba5b12
Opcode Fuzzy Hash: 024524f14378955e97d9274b7138e119c1ff070fa1cc1d40e6795c0178b07d23
Instruction Fuzzy Hash: B741E230A04504CFD744DB98C4507AE77F3EB99316F18C4A9D62AABB83CB36DC468B90

Function 080F01CA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b7cea2e519a4951f33f618ce93e7424299367f3e93e145ad3d014a0519aae6
Instruction ID: f6048d6fa3b19fc570b52379d2143638abd80916874286e7cdc800d339a89b2a
Opcode Fuzzy Hash: 02b7cea2e519a4951f33f618ce93e7424299367f3e93e145ad3d014a0519aae6
Instruction Fuzzy Hash: 59414530A05208DFEB219FA5D9549EDFFB2FF88301F268158D4417B26ACB3158A2DF41

Function 080F6D24 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e2d7a027892c8df185768655fc53c9a25ef29c783a9cca798dcb8cdbf91348
Instruction ID: cd14e37b4fed87cf05646ef2f62b01cd7867372f18b2a12d7ae072c442d7b233
Opcode Fuzzy Hash: 98e2d7a027892c8df185768655fc53c9a25ef29c783a9cca798dcb8cdbf91348
Instruction Fuzzy Hash: C731BF75B003088BCB04EB7988486BFBBF7EFC4212B50892AD51AC7781EE349C028761

Function 080FB715 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6a081c73ce524a37fa3c925bd29a6565d29c8f04aa7f15c7b335528cc67bb4
Instruction ID: b1b409ef948c1f72352461eeda83d868aba7107ee9646187080d16462fcc97ea
Opcode Fuzzy Hash: 8e6a081c73ce524a37fa3c925bd29a6565d29c8f04aa7f15c7b335528cc67bb4
Instruction Fuzzy Hash: 0D318260B0D255CBC7509A6CC87067D7BA39F85223F18C0BBD7168BA83D664D947CF52

Function 080F0E18 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0faa7ca40f4d0bdac87c199168bf662ab00afaa3df2ce41369c35252d9e0f4
Instruction ID: 92bf2fd7cf4bd186a922b8d11e82b4dabd46b730b78ba35635e39f2342902c0c
Opcode Fuzzy Hash: cb0faa7ca40f4d0bdac87c199168bf662ab00afaa3df2ce41369c35252d9e0f4
Instruction Fuzzy Hash: 1F21F2A68193B14BE3036B7CD4303D93FE2CF92616F0848D7C1458B693DA255949C3EA

Function 080F6E10 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e81767d77ccdcbeaae6b5548c033a1dd387979ad6de4071251258bbc33b84c
Instruction ID: 2670e2a0c62bfceba19f73b8fc2b2431ea992268a96cba21ba3a3f27c6ebd457
Opcode Fuzzy Hash: d4e81767d77ccdcbeaae6b5548c033a1dd387979ad6de4071251258bbc33b84c
Instruction Fuzzy Hash: 13215EF1A04155CBCB149BB8D41826E7AF3EB96302B158436E62BD7742EE364C058BA1

Function 080F6E20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794761c4f9721b3ff5283a249b4cd93d691d791dc9dd1b0b88497839e024391d
Instruction ID: 20d447be4ed0f634660d55fa116150e61f0e4655f0d66905cc9e794fbce28a55
Opcode Fuzzy Hash: 794761c4f9721b3ff5283a249b4cd93d691d791dc9dd1b0b88497839e024391d
Instruction Fuzzy Hash: EF214DF1B04115CBCB149FACD41826EBAF7EB95742B10843AE62BD7742EF764C018BA1

Function 080F5D28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1869a50a5e98c62debba5c4e8577089e253ceeef47ceb24c107e42ce86b9297
Instruction ID: d6f36d74732418f819d7b9e5d3019553571d54c483ef59203aba2a004c32519a
Opcode Fuzzy Hash: b1869a50a5e98c62debba5c4e8577089e253ceeef47ceb24c107e42ce86b9297
Instruction Fuzzy Hash: ED313674E1120A9FCB40DFB8D8945EEBBF2EF48301F108469E605F7691EB309A458FA0

Function 080F61A9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2088f6e5c97a72194d2c47b1a08733a1151f8591dd894f9fbacd1d196cf478
Instruction ID: 51aad875ac8f46b333a100d472302508a4a30a0840fa647375c9ee1861617d82
Opcode Fuzzy Hash: 6f2088f6e5c97a72194d2c47b1a08733a1151f8591dd894f9fbacd1d196cf478
Instruction Fuzzy Hash: CA31F330A04504CFD7449B98C54176E77F2EB99316F18C4AAD626ABB43CB36DD468B40

Function 080FB8E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62aa3330010eba1ae7682cff3f9f57fc2bbae9565644e33f1340f9bc87cc73ad
Instruction ID: 3a1672b64de6865f43c2105aba8f1ed46a3100358c3abd1cfd10df2bbba8c802
Opcode Fuzzy Hash: 62aa3330010eba1ae7682cff3f9f57fc2bbae9565644e33f1340f9bc87cc73ad
Instruction Fuzzy Hash: F7219F70B0E214DBD6545A5DC83173E72A7EBC4363F64C03ADA079BA96CA71D8428F52

Function 080F6269 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8536254e3e9009075aa9116e66b20b4488beb19d92a9dcace1df5062174a5d6
Instruction ID: 31c641084b3bc7c75628be38a10b6bf5950663492c7647ae8b6bf404c020f2fe
Opcode Fuzzy Hash: f8536254e3e9009075aa9116e66b20b4488beb19d92a9dcace1df5062174a5d6
Instruction Fuzzy Hash: DA31D430604504CFD7849B98C54176EB7F2EB99356F18C479D626ABB43CB36DC468B50

Function 080F00E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01f6a48ac10d788fc504326a1be0f34e0e8a7e7f5b323b522432b4e7e2fe9fa
Instruction ID: a680b8d36029fc30f07b11575f227c38b9aef5516e1e9bfa52937cd80815c808
Opcode Fuzzy Hash: c01f6a48ac10d788fc504326a1be0f34e0e8a7e7f5b323b522432b4e7e2fe9fa
Instruction Fuzzy Hash: A5212830E00A05CFDB256F68C8444EDBBB2FF41202F50857AE68567647E731D914CB91

Function 080F2E80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c462b383f0b128c9ac29fffc127ccb76f7f1fdc1403d6f00628fab69e07e38fb
Instruction ID: 858e6eedaf5cd9aabc2b48043f195adfbfcd12ad141e99f8483934f526d929d8
Opcode Fuzzy Hash: c462b383f0b128c9ac29fffc127ccb76f7f1fdc1403d6f00628fab69e07e38fb
Instruction Fuzzy Hash: 1B219D35E10619CFCB10EFA8C454AAEB7F1FF89311F10826AE919E7261EB309945CB91

Function 080FB8E3 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f11589e285681a701a9d8abc48718ca1b73a4e2397b4a2c7c7d1df33891a9b
Instruction ID: 45756e588d70f947e07cea1f46d650624d62ac36f5245912211f86630eb35afa
Opcode Fuzzy Hash: 95f11589e285681a701a9d8abc48718ca1b73a4e2397b4a2c7c7d1df33891a9b
Instruction Fuzzy Hash: 96218030B0E100DBD6549A5CC83177A72A3EB85373F64C03BD6069BA97C671D8028F52

Function 080F5D18 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4781c483ef87c77d72ef22988a9235d00bfa4ea1147842cbe4cbd8fd9ba25873
Instruction ID: 622d5b7066832b2c965b37a9b85e1e9904906a519374c721e840b13ebc64bd86
Opcode Fuzzy Hash: 4781c483ef87c77d72ef22988a9235d00bfa4ea1147842cbe4cbd8fd9ba25873
Instruction Fuzzy Hash: A52146B4E1020A9FDB41CFB8D8916EEBBF2EF49301F1084A9D501F7651E7349A458F60

Function 080F4639 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10e47a8b7eae55aef0d327b347444e99207ae4d4990ea7d558ba8ccc915b801
Instruction ID: 6da17eeec29b1eed9b7eb282a2a7954f3d10cfa186acfa4e83457e9f6a781a9d
Opcode Fuzzy Hash: b10e47a8b7eae55aef0d327b347444e99207ae4d4990ea7d558ba8ccc915b801
Instruction Fuzzy Hash: F0214C75A002098FCB44EF69D8949EEBBF9FF88200B108579E905E7311EB30E905CBA0

Function 080F4648 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c87ccbef99b74ea8af5f26834c91b8598eb5378ed83890e5cbca8aca4d6961
Instruction ID: f06734295096b60a32ff8f04f46c8aa37f6307235be255364dc5c1677b8e2e21
Opcode Fuzzy Hash: 41c87ccbef99b74ea8af5f26834c91b8598eb5378ed83890e5cbca8aca4d6961
Instruction Fuzzy Hash: 2F210E75A006098FCF44EF69C8848EEB7F5FF88300B118679D905A7315EB70AA45CBA1

Function 080DC840 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07546b79d51818fb22086643754f33be37c300d00224d87fbe804074fa132859
Instruction ID: 416e1280f0b73e1f6b212c011f42560637f0fbeed53e89159ba18b64491a3829
Opcode Fuzzy Hash: 07546b79d51818fb22086643754f33be37c300d00224d87fbe804074fa132859
Instruction Fuzzy Hash: 142124B1D003099FDB10CFAAD884A9EFBF5EF48310F10842EE419A7300D375A944CBA0

Function 080F0012 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a850444cf2d081d22cd95d7dd1e7e04150d2fe44e8c08411a1ae81c468095e5c
Instruction ID: dad257cff40c696e31e55072750a85fd07566302d369015dddaefaa52d8056b4
Opcode Fuzzy Hash: a850444cf2d081d22cd95d7dd1e7e04150d2fe44e8c08411a1ae81c468095e5c
Instruction Fuzzy Hash: C411EF66A0E381AFC7435774D8502D83FF19F43241F1A88FBC2C5D76A3E22544188791

Function 080F1478 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684cfe996415950762b4e7c84cf36ddb20178c623da3a472ab7616c5f2f3b09c
Instruction ID: 2f5ae123b818209b55df9a472c361f9f0e881911b4b167fc1e680caee56a84f9
Opcode Fuzzy Hash: 684cfe996415950762b4e7c84cf36ddb20178c623da3a472ab7616c5f2f3b09c
Instruction Fuzzy Hash: EF217F30910608CFCF01EFA8C8556EEB7F2AF49701F00866DD5467B651EF31AA48CB91

Function 080F0040 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction ID: 334e80a6b9f128e0f068c9df9a12b88dc8be42bc47476d4d07910e9405fd5083
Opcode Fuzzy Hash: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction Fuzzy Hash: 12110272F0110AEBCB516A99D9045EDBFF1EF80302F2088B5C189B3682E33186348FD0

Function 080FED18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19efe0c8a8dfa029e3abe672c2e6a61822ea07d4f80905dc828ec6c70227a6b
Instruction ID: 3c7eb428e2a4a7df695ffe24a67bca269b818c8c2908f554b906e0bec68ccfda
Opcode Fuzzy Hash: d19efe0c8a8dfa029e3abe672c2e6a61822ea07d4f80905dc828ec6c70227a6b
Instruction Fuzzy Hash: 2B21BDB4D04209DFCB44DFA9C580AAEBBF6EB48301F649069D919ABB26D7709E40CF51

Function 080F9220 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1db9f082493457cbd2e6a3527fdfed4472f338bb2aea37a6de1610a840de8c7
Instruction ID: e0866df9f9fd2fc1f54217498fb14f2e303817d4f5b0398f895511f4144a20c4
Opcode Fuzzy Hash: f1db9f082493457cbd2e6a3527fdfed4472f338bb2aea37a6de1610a840de8c7
Instruction Fuzzy Hash: 2F11A079A007498F8B55EBB988405BFBAF7EEC4261714896DD828D7781EB7089068B60

Function 080F16EC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82efbe4697fc6d76d72821367cebd0c17d0ee2e8f038d195b644e82934ec116
Instruction ID: 2b28f84e595b9d3c7174eafa5205bb9e7311e91f53173f2edc73eca79b2ba855
Opcode Fuzzy Hash: c82efbe4697fc6d76d72821367cebd0c17d0ee2e8f038d195b644e82934ec116
Instruction Fuzzy Hash: 61115332A187499FCB029E24CC046CABF72FFD6202F08CABAE1446B252D7709449CB90

Function 080F70E8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80f8ab67d8d1360c5609d93ea02aaa38e22a1768a8c04dd6c1e910bf65efb02
Instruction ID: 522d884033605633f8d1a18fd894da58fcd524248312566b02007d7a2c00dfee
Opcode Fuzzy Hash: a80f8ab67d8d1360c5609d93ea02aaa38e22a1768a8c04dd6c1e910bf65efb02
Instruction Fuzzy Hash: BE11A33054D3C49FD3029A78C910A987F72AF47306B0980FED5819FA53C379888BD762

Function 080F3BEF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59829cfb33cc37bb41686b4ea48c2d6b95febcef4c8e19e574a14a6bc46e5c65
Instruction ID: 10a9b571bb3bde8e6bd97c41430a2c8b9f5e714449ed67b72f6c0ea58f7ec34d
Opcode Fuzzy Hash: 59829cfb33cc37bb41686b4ea48c2d6b95febcef4c8e19e574a14a6bc46e5c65
Instruction Fuzzy Hash: 7A11E174D0020A9FDB04EF68C8527AEBBB2EF05314F008639D515F7391DB758A46DB80

Function 080F4D30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d8f2f51555761de89ad40dfcd5379638f4e8ba487c399415c7c9619428ab9d
Instruction ID: 2ad3399f440f57cc9e4f9906462600af56def95fa039b2eb2ea22503b24563ed
Opcode Fuzzy Hash: 35d8f2f51555761de89ad40dfcd5379638f4e8ba487c399415c7c9619428ab9d
Instruction Fuzzy Hash: 2101217690050AEFCF10DF98D841AEFBBB9EB08311F108576EA14E7241D7306A51CBA1

Function 080F3C00 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d5087851bafce70c87c43c0f33856ba0c8f66dd42369d85dc3dc981f810147
Instruction ID: 9ba59ea977ad87bb1df89bd9e6b7523e921377f76649d0d7d576aedf345986d1
Opcode Fuzzy Hash: a5d5087851bafce70c87c43c0f33856ba0c8f66dd42369d85dc3dc981f810147
Instruction Fuzzy Hash: 1801CC70E0020A9FDB04EF68C8117AEBBB2AF48304F108229C515B7391DB759A05CBD0

Function 080F1718 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80539f301b6abc918a381a5036a7942b8bb3f29ea80e22bd4b8c74e38b1eda69
Instruction ID: 2fed82477f12838386ca93b3085b2beafedd8da8fc2a29087e743cfd667113f0
Opcode Fuzzy Hash: 80539f301b6abc918a381a5036a7942b8bb3f29ea80e22bd4b8c74e38b1eda69
Instruction Fuzzy Hash: 4501F13291474A9FCF119F74DC848DABF36FFD6308B00866AE08567211D770A49ACB90

Function 080F4DC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ad582bb2a85e12a4e5bfbdfa306d0f2a9d01caebce5ec334033131ef9d5314
Instruction ID: 02496b41eb2cba3ef4a5cd9fe958e226bc4a75455ddfbdbbfe10e837aabc503e
Opcode Fuzzy Hash: 63ad582bb2a85e12a4e5bfbdfa306d0f2a9d01caebce5ec334033131ef9d5314
Instruction Fuzzy Hash: C501863191062997CF04BBA8DC144EEB3B5FF89211F018525D915B7250EF706655CBE5

Function 080F1728 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c621479aa73b52f671e975718cbded5c19584e868fa40c7dab88a7b83930786
Instruction ID: cfb9932ca474f3cfec0c17edf847f0e36664dea630ea951dadd1be288b4e2ad3
Opcode Fuzzy Hash: 2c621479aa73b52f671e975718cbded5c19584e868fa40c7dab88a7b83930786
Instruction Fuzzy Hash: 1801AD32A1070A9BCF14AFA4D8448DAFB76FF99308F108629E10527210EB70A599CB90

Function 080F5E4B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f67f1dc30c36eee3a23a6054c2c4a929463cfd115fc068cba0b4b95aff5572a
Instruction ID: 25c77a685eb7ec558d541d1b3d2a157d7fc4c25e759877217a2b51fbb1585f8b
Opcode Fuzzy Hash: 5f67f1dc30c36eee3a23a6054c2c4a929463cfd115fc068cba0b4b95aff5572a
Instruction Fuzzy Hash: 36F0C2B6A15509DBEB159AACFD464BC3BB3DB562477008472F20AE2D52E720C5029B00

Function 080F4DB0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b2b0306e53f412d226627d030d715926873d83c0aeeadf657bcbebe7b40f70
Instruction ID: 737f03c5256074b8c0587af6c3587461c04deefa5ff67c7441f3e1513e39a87b
Opcode Fuzzy Hash: 97b2b0306e53f412d226627d030d715926873d83c0aeeadf657bcbebe7b40f70
Instruction Fuzzy Hash: 64F0FC329006589BCF047B7C98141ED77B5EF89610F008529EA9573250FF315659C7D1

Function 080F82BC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8532008b014631f5334e7e64b6ecc78e5eef6245ec9915768219e0f55c7ba19d
Instruction ID: ae8e12421aec0a1a2e414b08a37199cf1f422c96a331889cef96e66c27766aef
Opcode Fuzzy Hash: 8532008b014631f5334e7e64b6ecc78e5eef6245ec9915768219e0f55c7ba19d
Instruction Fuzzy Hash: A7F0F65050EA80EFC382836C5C110EC3FA2DA5B143744C5F7E7479B923E1582804D7A2

Function 080F29C1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098a461f4d2475d106f99b0d0b46c4e46aeeb83f9c1a38a87161519b2cd923b2
Instruction ID: a68dccbdcfa0479933b438ffa57ef151ea37348e0562b17596ea220915fe64a8
Opcode Fuzzy Hash: 098a461f4d2475d106f99b0d0b46c4e46aeeb83f9c1a38a87161519b2cd923b2
Instruction Fuzzy Hash: EA016935E10A098FCB01EBA8C4545ACB3B2EF89251F1186AAE549A7221EF309981CB52

Function 080F4E31 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566a62b2502478343341a01c132fd4000c3e25b42d12bd2ac0ea0a40236282ee
Instruction ID: 0cc71631f25452325303c0f1e025d3aab81e8abc7dac384033b328c4e2d494a1
Opcode Fuzzy Hash: 566a62b2502478343341a01c132fd4000c3e25b42d12bd2ac0ea0a40236282ee
Instruction Fuzzy Hash: 65F0A731600744ABDB149BBAA85096BBBEAFBC6651F04853FE64983205EE35EC46C660

Function 080F0EA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21ba32cbf39118aa46176918dbbb539f3490a3799e6965b1a947be2e8dffead
Instruction ID: 8c2d2265754dff3d620ca0463d2fce6a360b18999b8eead568c84ef86f0ecf20
Opcode Fuzzy Hash: a21ba32cbf39118aa46176918dbbb539f3490a3799e6965b1a947be2e8dffead
Instruction Fuzzy Hash: 9AF02431A002098BD704ABA8C4206AE77E3DFC4700F1444BED503AB782DFB55D0987E1

Function 080FA4BA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1573af69dbc16243f11b175ffcdad22b67838d92abf6898685a40de83c6ba203
Instruction ID: 2835805571854e26803a8f2cc5e0a2e98d8bcab43d63841c2eb8e0eaaa8b5f11
Opcode Fuzzy Hash: 1573af69dbc16243f11b175ffcdad22b67838d92abf6898685a40de83c6ba203
Instruction Fuzzy Hash: FBF0F034A45344DFEB059BB4CC0AAEDBFB2BF46301F00C126E212666D2CB70585ACB11

Function 080D3818 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d227bba38db13e143d3a342c7d2a461ae6c5d529b0b48352b989bcdf5e8bfb
Instruction ID: c71fcfd505b0b6271b5c6942c2e53fe86dc36875c4703c504e3d0877b500edb2
Opcode Fuzzy Hash: e8d227bba38db13e143d3a342c7d2a461ae6c5d529b0b48352b989bcdf5e8bfb
Instruction Fuzzy Hash: C6F0B7B0D0430A9FDB44DFA9D845AAEBBF5EF48300F5185A9D918E7340E77495408BD1

Function 080D3809 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c82f2159e9941be7af62548f6d77205538d9d417c947aeb2d69cc4d2fa4ed4
Instruction ID: a744bf1a1ddc5c6a942038fad3a501ff1a680d3a53e1a654e161dcca7bbf47de
Opcode Fuzzy Hash: 66c82f2159e9941be7af62548f6d77205538d9d417c947aeb2d69cc4d2fa4ed4
Instruction Fuzzy Hash: F6F0F4B1D0434A9FDB54DFA9D856AAEBFF1EF08300F0589AAE454E7241E3748640CF92

Function 080FEEB8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d55896f5224da63262b2a43a2251680dfd5c450995608f07624e6385c21738
Instruction ID: bad97ec7eaaf32bf84964e4da70632c95d3f8fe38b98c7245831bf0aaabb26ce
Opcode Fuzzy Hash: 18d55896f5224da63262b2a43a2251680dfd5c450995608f07624e6385c21738
Instruction Fuzzy Hash: 70F0C074D05308EFCB54DFA8D4446ADBBB6EB4A301F10C1B9D90897711D7359A50DF50

Function 080F0650 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05b0e473901c354e976dfd9495c39f9e49488ba49cff2a0de891d0a1ee3ca8e
Instruction ID: 64b7d73420e55cb64e551483a7c0b2c85cf644e88925b428c6812ee30282c96e
Opcode Fuzzy Hash: a05b0e473901c354e976dfd9495c39f9e49488ba49cff2a0de891d0a1ee3ca8e
Instruction Fuzzy Hash: 0DE06D302093558FC3169B38C4148127BE6AB5620531488BED05A8B762CA31E885D781

Function 080FB698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5593b318b82bafbd1829c95ddc84df9b8ee639abba604530df245d8c74b97971
Instruction ID: 8ac3eb615b95c3cce27fa6a926958934b52ced4e29ff42a18b5ec2e9c9946117
Opcode Fuzzy Hash: 5593b318b82bafbd1829c95ddc84df9b8ee639abba604530df245d8c74b97971
Instruction Fuzzy Hash: 74E09BF0508204DFC7009A58D5305293777DB85323F01C066DB0A879B6DA681C014FA2

Function 080D7840 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3238e9dd2f609e116db567eb6fe4b2597c3aadb1638813ffd7a757a82cda88f
Instruction ID: fe3786cf01a1213a17737f46605a4e0ee277762b4c76e4e814e30605f37dd730
Opcode Fuzzy Hash: c3238e9dd2f609e116db567eb6fe4b2597c3aadb1638813ffd7a757a82cda88f
Instruction Fuzzy Hash: 72E039A351D3844FD307AB349C24356BFF19B86201F4984EBC985CB282E128A628C3A3

Function 080F05EF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1c650cb5b21cfae39ddb32734fd8ac21c64a14fee5e2287ff3a6869a48933d
Instruction ID: 90919fb3aee6cc3b049c6b7871b9682405afb143ade8bacf0bb491b5e4fff3b4
Opcode Fuzzy Hash: dc1c650cb5b21cfae39ddb32734fd8ac21c64a14fee5e2287ff3a6869a48933d
Instruction Fuzzy Hash: 76E0C6302087944FC702BEB8E8007AA7BB2D380A24F000838D24A4A356CF64080BA3C1

Function 080F0642 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fce711d889fb95940d2d87e47df99fd3bd32fdf88267f3335aa630b4010ebf
Instruction ID: bcefc58b3de2ffcbedca2c83a8348fe47c266a7b88510c3e263f8d1365da0c60
Opcode Fuzzy Hash: 39fce711d889fb95940d2d87e47df99fd3bd32fdf88267f3335aa630b4010ebf
Instruction Fuzzy Hash: DFE04F355007148FC3159F68D540A5177A6EB46315B0489BDE14A4B732CB72F891DB88

Function 080F0C00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa37a5854a109453f9abe65fa74488f433bea75c3802e6904d4d2baa44ed072
Instruction ID: da8067c2136e69b4b6a0cb8f70f292df9d6166be9ec2dc133ad4fcf0db46dc5a
Opcode Fuzzy Hash: efa37a5854a109453f9abe65fa74488f433bea75c3802e6904d4d2baa44ed072
Instruction Fuzzy Hash: 16D0977B38522086D570D618BCC23DD33C3FFE4317F2ACC2AE180EB246C82AC8864280

Function 080F74E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9a3b946b7f90b7ffc02294df3372d92e198fbb0b77dcd5ebba74a1bf273e02
Instruction ID: 736264f95c677b07fb34eb3506fed2d1cce47aa582a04b92be9c2f234bc3b989
Opcode Fuzzy Hash: 7e9a3b946b7f90b7ffc02294df3372d92e198fbb0b77dcd5ebba74a1bf273e02
Instruction Fuzzy Hash: 5FE092341093818FD301ABB8C825A2A7BB2EF46605F14C4DAD6568B793CA30A80EC752

Function 080F3728 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b42519f6692d1bebd444b73a3cb69929886528d71a7e7c719bc563734312e7
Instruction ID: f7f62b1a5c369fb72aa92c26c356d05bc7f82491b1b8b03365ca625d612f5105
Opcode Fuzzy Hash: 05b42519f6692d1bebd444b73a3cb69929886528d71a7e7c719bc563734312e7
Instruction Fuzzy Hash: FEE02B3B54415049D6A0C720BD427D43752FB88101F1DCC59E1C0D7586C419848B8391

Function 080FAEC5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3d395a5b067f6bc3d13244cf28320da83ff6062d748929fd53276193f1de71
Instruction ID: 3a2368787594fdef78fa12b1bb9ea5792df9bd2795e6b2db0679191817d05d9d
Opcode Fuzzy Hash: 2a3d395a5b067f6bc3d13244cf28320da83ff6062d748929fd53276193f1de71
Instruction Fuzzy Hash: 3CD05EA1B4C024EF4200EAAC554013EB697B68F21F311C8B7DA0FA7F03D93129516FA2

Function 080FB6A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78dd3a430b5f3e3f27b1e260846d48693ce21b7ebee35b1642df8409323f92a
Instruction ID: e4bb861893fda9af3e65e8046de69399ee46c69f43143794f2ad4c493db76d7b
Opcode Fuzzy Hash: d78dd3a430b5f3e3f27b1e260846d48693ce21b7ebee35b1642df8409323f92a
Instruction Fuzzy Hash: 21D01DF0608208DB8714D65CD53152D76ABD788323B10C475DB0AD7E76D9595D010F92

Function 080F9938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aba6318635859eda39fab3730711b31bfc9ef819f1ea451b3302f8f63776a24
Instruction ID: 42c66829ce8a6b127642f10d4a5b9c9417b68aa595c40be8be1ba9c93002c331
Opcode Fuzzy Hash: 4aba6318635859eda39fab3730711b31bfc9ef819f1ea451b3302f8f63776a24
Instruction Fuzzy Hash: 09E06D3090A205DFDB118F68D850AAE7FB2AF40309B05C46AF6615B563C731D966CB81

Function 080FEF60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcede3c9bf2922e1ffeb8ba1595094ae54da17a6019ad3294029d8229b5003a4
Instruction ID: 21493d96f900cdff6f159d04fdda9c413c42ac958639b32b2eae0ba93e4f3b46
Opcode Fuzzy Hash: bcede3c9bf2922e1ffeb8ba1595094ae54da17a6019ad3294029d8229b5003a4
Instruction Fuzzy Hash: C1E092B0D4420ADFD750EFA9C905B5EBFF1AB08200F11C5B9D119EB262E7B496048F91

Function 080FB660 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c58d8ff2739573fcadb6c7e23e62739216ee40e7ce77921fed003c8ab5ec14
Instruction ID: 4f45d3e2778cc7d58c07a474094879a5bca317d44da1e8a9b82d5d15a25c79b9
Opcode Fuzzy Hash: 44c58d8ff2739573fcadb6c7e23e62739216ee40e7ce77921fed003c8ab5ec14
Instruction Fuzzy Hash: 7DD0129114D3C4DEC2024668C53013C3F63994222B33A84EBC24A8B973DD1E48058F22

Function 080D38A7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9188f562a4dc1974bdcc9941cde992646b10e1d919b7658cfebc610469270f25
Instruction ID: 5a37759ce078b9083f98b560cf310427ddef2ee9dbd7cdef87ae22c2153d6d51
Opcode Fuzzy Hash: 9188f562a4dc1974bdcc9941cde992646b10e1d919b7658cfebc610469270f25
Instruction Fuzzy Hash: C1E0C2325402898AD791EF65E840F92BBE5FF21200F04C8A5E44486511D221E02DDB04

Function 080DC808 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8d00e1ef296556e0cc26f5caccf4b8e0b29715086f970f9999d38c679f7735
Instruction ID: ba815615ab0ca6d4817e8f71be223da4e5f74e350b81001be35894c752e7a5f0
Opcode Fuzzy Hash: 9d8d00e1ef296556e0cc26f5caccf4b8e0b29715086f970f9999d38c679f7735
Instruction Fuzzy Hash: 50D0A73B500158AFCB42DFB0D500E86BFB6EF46604B08C59DE18C87121C332E62ACBC4

Function 080FB8B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b91af5747fac09d688d882972028b6b21c7e35df2e2466d84126ce8c2cefbb7
Instruction ID: 12f8286c7f664051b85a5460fbe9191f05d0ea64446ea1c4262a9c4773fbb611
Opcode Fuzzy Hash: 8b91af5747fac09d688d882972028b6b21c7e35df2e2466d84126ce8c2cefbb7
Instruction Fuzzy Hash: 8FD0C9E500D6D4DEC603165899310683F231D8212330A40E7E65AAB963C1290C5BCF72

Function 080F9118 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa93e741880655a50aea12c7407ee2499b7df941c203131395f81fcd6906d49
Instruction ID: 52eac0dff421c5e9352720527a30dedc6e3bf08d5faa471e0dd156326798ae73
Opcode Fuzzy Hash: 0fa93e741880655a50aea12c7407ee2499b7df941c203131395f81fcd6906d49
Instruction Fuzzy Hash: 98D0127641E3C5AFEB4357708C028803F726A2311A30E89E2D290AA933D446882EC722

Function 080DC818 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd16e809ac8319cf48205736e8dfa402ad704cb0b9785b2d29f053570073c0d
Instruction ID: bd30b76e8e4330cd53583a3f3920df796f2823450b4dab49b9f2450761fef4dd
Opcode Fuzzy Hash: 3dd16e809ac8319cf48205736e8dfa402ad704cb0b9785b2d29f053570073c0d
Instruction Fuzzy Hash: 0AC0123610021C7B4B01AB85D800CC6BFADAF4A654304C056E5089B221D632E92297E0

Function 080F9820 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0394a829f1f052a8e0b7ce9ff373e1651a4a1599292d09894a26bbe50074f5e4
Instruction ID: c5ec736540c886d7d2bac61eb6b0f31d43aabac50909503c38eb111a7fd039b6
Opcode Fuzzy Hash: 0394a829f1f052a8e0b7ce9ff373e1651a4a1599292d09894a26bbe50074f5e4
Instruction Fuzzy Hash: 48C0020A26FBC89FE303967548125516F36495351835E06E7C5C5AA563C044691AC772

Function 080FD9F8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3e6eea1cf4da79daec7ef899a01018a41a36896f27b5dc9c698f325c7856eb
Instruction ID: 3ced47458ab54dc62278d83f23b41c105145263647d38bd1eae2265c39a5cb01
Opcode Fuzzy Hash: 3a3e6eea1cf4da79daec7ef899a01018a41a36896f27b5dc9c698f325c7856eb
Instruction Fuzzy Hash: B1C09B711467048FD7546BD5F40C374B7BAE705317F54C024E70D41465EB705450CF59

Function 080F6D04 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2b847eb2325f649d2fed8c3478825f62c66ed90057274f021d4436bf1934ec
Instruction ID: 7aec7a87d3db9813a321df87bae44496757fc6de7f89cdee02df12960eda92f1
Opcode Fuzzy Hash: 8e2b847eb2325f649d2fed8c3478825f62c66ed90057274f021d4436bf1934ec
Instruction Fuzzy Hash: 59C02B39014004AFC204F704C984C997EE2FF62701B40CC72F24401031C721C418D711

Function 080F6DAC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af375ac2af922c1c48e331e23a863ffe4fce559586124f8095f41393fe517c0
Instruction ID: 2117f07462b557d8ca5e205e3a858fa279bef0ecde0b7a02de735a55f41ebfd5
Opcode Fuzzy Hash: 6af375ac2af922c1c48e331e23a863ffe4fce559586124f8095f41393fe517c0
Instruction Fuzzy Hash: 81B0127A2B4700B6500066EC59D1F7E7C52EFB2B02F40CC22B3CE1100086609425D62B

Function 080F5E50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908738721.00000000080F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80f0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e068eb6a3daf774939e6f904d862832835c471b686bd32f6c525bd9e20d04f
Instruction ID: 19bd02cdf7597b739408ec0f28f91a2ec1929e1545676d639d6281cb798666e8
Opcode Fuzzy Hash: e0e068eb6a3daf774939e6f904d862832835c471b686bd32f6c525bd9e20d04f
Instruction Fuzzy Hash: CAA0113C0082088AA208228C380B03E3B2E8882A8AB088022E20E80C823A2028B00E80

Function 080D881A Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1908376021.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_80d0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4522257aed25544487c0980b19ec862a0128f2924ebb18659c08c35b476ee85e
Instruction ID: 10d7c2ed4b8e35693e030386d370802da9116f8a22b5b597607e24dc37303cf4
Opcode Fuzzy Hash: 4522257aed25544487c0980b19ec862a0128f2924ebb18659c08c35b476ee85e
Instruction Fuzzy Hash: 53B092700001818ACA408B3165081843B30E7023247184399C4BC051C1CA2618038A20

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NotepadUpdate.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yRnixT.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zr2u04c.xov.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ccwn4sp.xuu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ccy42u1.ikv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5olz220h.xzx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qoe0nc2.iew.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_imcvoym0.psm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1wtbp2l.wi5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmtzm3wl.xpl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvrj0p4d.e3j.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnqqs2nf.qof.ps1

Windows Analysis Report
file.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre