Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1572764
MD5:	ae806b6f5e02484c2be2b49da35b3d26
SHA1:	66ae8df94cd9e804fab01bc6be77cfec8d544226
SHA256:	7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

AsyncRAT, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 5236 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

powershell.exe (PID: 6508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1372 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

file.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

cmd.exe (PID: 4052 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 504 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2536 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

NotepadUpdate.exe (PID: 6080 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

AtkzppDHiyvcIR.exe (PID: 5920 cmdline: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

schtasks.exe (PID: 1808 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AtkzppDHiyvcIR.exe (PID: 5776 cmdline: "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

NotepadUpdate.exe (PID: 3840 cmdline: C:\Users\user\AppData\Roaming\NotepadUpdate.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3568 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp5608.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

NotepadUpdate.exe (PID: 280 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

schtasks.exe (PID: 5708 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp16B7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 6864 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

NotepadUpdate.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

schtasks.exe (PID: 5224 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NotepadUpdate.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

NotepadUpdate.exe (PID: 6892 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: VenomRAT

{"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Threatname: AsyncRAT

{"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: file.exe PID: 5236	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: file.exe PID: 5236	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 4232	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 3840	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 3840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 6080	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 280	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 5684	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: NotepadUpdate.exe PID: 5684	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.2be6ae4.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2be6ae4.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
8.2.file.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.file.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.313c528.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.313c528.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
35.2.NotepadUpdate.exe.2c3198c.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
35.2.NotepadUpdate.exe.2c3198c.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
35.2.NotepadUpdate.exe.2c44268.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
35.2.NotepadUpdate.exe.2c44268.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
30.2.NotepadUpdate.exe.3134234.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
30.2.NotepadUpdate.exe.3134234.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2bd4208.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2bd4208.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.3129c4c.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.3129c4c.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
30.2.NotepadUpdate.exe.3121958.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
30.2.NotepadUpdate.exe.3121958.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xda86:$q1: Select * from Win32_CacheMemory 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2be6ae4.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
30.2.NotepadUpdate.exe.3134234.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2be6ae4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2325a:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2329a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x232e8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x23336:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
30.2.NotepadUpdate.exe.3134234.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22732:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x22772:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227c0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2280e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22162:$q1: Select * from Win32_CacheMemory 0x35b86:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35bc6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x35c14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2223e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x35c62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.file.exe.2bd4208.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.file.exe.2bd4208.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22162:$q1: Select * from Win32_CacheMemory 0x35b36:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35b76:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x35bc4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2223e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x35c12:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
35.2.NotepadUpdate.exe.2c44268.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
35.2.NotepadUpdate.exe.2c44268.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x232aa:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x232ea:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x23338:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x23386:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x2273a:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x2277a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227c8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22816:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22162:$q1: Select * from Win32_CacheMemory 0x35002:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35042:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x35090:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2223e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x350de:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
20.2.NotepadUpdate.exe.313c528.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.NotepadUpdate.exe.313c528.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22726:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x22766:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x227b4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x22802:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
30.2.NotepadUpdate.exe.3121958.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
30.2.NotepadUpdate.exe.3121958.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22162:$q1: Select * from Win32_CacheMemory 0x3500e:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3504e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3509c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2223e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x350ea:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf886:$q1: Select * from Win32_CacheMemory 0x22162:$q1: Select * from Win32_CacheMemory 0x35016:$q1: Select * from Win32_CacheMemory 0xf8c6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221a2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35056:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf914:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x221f0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x350a4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf962:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2223e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x350f2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4232, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, ProcessId: 4052, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5236, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", ProcessId: 6508, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NotepadUpdate

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe, ParentImage: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe, ParentProcessId: 5920, ParentProcessName: AtkzppDHiyvcIR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp", ProcessId: 1808, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5236, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", ProcessId: 1372, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5236, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", ProcessId: 6508, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5236, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp", ProcessId: 1372, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Observed Malicious SSL Cert (VenomRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T21:24:22.727258+0100	2052267	1	Domain Observed Used for C2 Detected	185.208.158.187	4449	192.168.2.6	49739	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T21:24:22.727258+0100	2842478	1	Malware Command and Control Activity Detected	185.208.158.187	4449	192.168.2.6	49739	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: NVBx.pdb source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr
Source:	Binary string: NVBx.pdbSHA256V- source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.208.158.187:4449 -> 192.168.2.6:49739
Source: Network traffic	Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.6:49739
Source: Network traffic	Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.6:49739

Source: global traffic

TCP traffic: 192.168.2.6:49739 -> 185.208.158.187:4449

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.187

Source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4602356145.0000000004FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4602356145.0000000004FE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000000.00000002.2139607033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2258206011.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.0000000002981000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003041000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.2299464922.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 3840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 5684, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.file.exe.2be6ae4.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.file.exe.2bd4208.0.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 8_2_02A032C8 NtProtectVirtualMemory,	8_2_02A032C8
Source: C:\Users\user\Desktop\file.exe	Code function: 8_2_02A02E72 NtProtectVirtualMemory,	8_2_02A02E72
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE32D0 NtProtectVirtualMemory,	13_2_00FE32D0
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE2E7B NtProtectVirtualMemory,	13_2_00FE2E7B
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE3397 NtProtectVirtualMemory,	13_2_00FE3397
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E232D0 NtProtectVirtualMemory,	27_2_02E232D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E22E7A NtProtectVirtualMemory,	27_2_02E22E7A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E23397 NtProtectVirtualMemory,	27_2_02E23397
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C532D0 NtProtectVirtualMemory,	33_2_00C532D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C52E7A NtProtectVirtualMemory,	33_2_00C52E7A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01173E34	0_2_01173E34
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0117E124	0_2_0117E124
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01176F90	0_2_01176F90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05D26BB0	0_2_05D26BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05D26BA1	0_2_05D26BA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0773A76A	0_2_0773A76A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07736A10	0_2_07736A10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07734FF0	0_2_07734FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07734FE0	0_2_07734FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_077334E0	0_2_077334E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07734BB8	0_2_07734BB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07736A00	0_2_07736A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07733918	0_2_07733918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_077330A8	0_2_077330A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09104117	0_2_09104117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09101240	0_2_09101240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09103668	0_2_09103668
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09106D08	0_2_09106D08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0910123A	0_2_0910123A
Source: C:\Users\user\Desktop\file.exe	Code function: 8_2_02A026F8	8_2_02A026F8
Source: C:\Users\user\Desktop\file.exe	Code function: 8_2_02A026E7	8_2_02A026E7
Source: C:\Users\user\Desktop\file.exe	Code function: 8_2_02A02E72	8_2_02A02E72
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_02803E34	9_2_02803E34
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_0280E124	9_2_0280E124
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_02806F90	9_2_02806F90
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_05AF0BD4	9_2_05AF0BD4
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_05AF0120	9_2_05AF0120
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_05AF0130	9_2_05AF0130
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_05AF20F0	9_2_05AF20F0
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07676A10	9_2_07676A10
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_076798A5	9_2_076798A5
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07674FE0	9_2_07674FE0
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07674FF0	9_2_07674FF0
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_076734E0	9_2_076734E0
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07674BB8	9_2_07674BB8
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07676A00	9_2_07676A00
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07673918	9_2_07673918
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_07670006	9_2_07670006
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_076730A8	9_2_076730A8
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_08B04117	9_2_08B04117
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_08B01240	9_2_08B01240
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_08B03668	9_2_08B03668
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_08B06D08	9_2_08B06D08
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_08B01230	9_2_08B01230
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE2700	13_2_00FE2700
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE26EF	13_2_00FE26EF
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE2E7B	13_2_00FE2E7B
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_06162C50	13_2_06162C50
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_01483E34	20_2_01483E34
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_0148E124	20_2_0148E124
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_01486F90	20_2_01486F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06326BB8	20_2_06326BB8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_06326BAA	20_2_06326BAA
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C19BE7	20_2_07C19BE7
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C16A80	20_2_07C16A80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C13918	20_2_07C13918
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C14FE0	20_2_07C14FE0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C14FF0	20_2_07C14FF0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C134E0	20_2_07C134E0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C14BB8	20_2_07C14BB8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C19AE8	20_2_07C19AE8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C16A71	20_2_07C16A71
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C1306E	20_2_07C1306E
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_07C10007	20_2_07C10007
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E4117	20_2_091E4117
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E1240	20_2_091E1240
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E3668	20_2_091E3668
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E6D08	20_2_091E6D08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E1230	20_2_091E1230
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_01433E34	22_2_01433E34
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_0143E124	22_2_0143E124
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_01436F90	22_2_01436F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_05EF6BAB	22_2_05EF6BAB
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_05EF6BB0	22_2_05EF6BB0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_05EF6B78	22_2_05EF6B78
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C4FF0	22_2_075C4FF0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C4FE0	22_2_075C4FE0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C34E0	22_2_075C34E0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C4BB8	22_2_075C4BB8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C3918	22_2_075C3918
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C0006	22_2_075C0006
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C78D0	22_2_075C78D0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_075C30A8	22_2_075C30A8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB61DD	22_2_08DB61DD
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB1240	22_2_08DB1240
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB3668	22_2_08DB3668
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB7072	22_2_08DB7072
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB11F8	22_2_08DB11F8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_08DB123B	22_2_08DB123B
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E22700	27_2_02E22700
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E226EF	27_2_02E226EF
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E22E7A	27_2_02E22E7A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_02E93E34	30_2_02E93E34
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_02E9E124	30_2_02E9E124
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_02E96F90	30_2_02E96F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE6A80	30_2_07BE6A80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE9887	30_2_07BE9887
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE4FF0	30_2_07BE4FF0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE4FE0	30_2_07BE4FE0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE34E0	30_2_07BE34E0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE4BB8	30_2_07BE4BB8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE6A71	30_2_07BE6A71
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE3918	30_2_07BE3918
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_07BE306E	30_2_07BE306E
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_092161DD	30_2_092161DD
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_09211240	30_2_09211240
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_09213668	30_2_09213668
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_09216D08	30_2_09216D08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_09211230	30_2_09211230
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C52700	33_2_00C52700
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C526EF	33_2_00C526EF
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C52E7A	33_2_00C52E7A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_01243E34	35_2_01243E34
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_0124E124	35_2_0124E124
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_01246F90	35_2_01246F90
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E3668	35_2_073E3668
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E1240	35_2_073E1240
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E4117	35_2_073E4117
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E1230	35_2_073E1230
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E11F8	35_2_073E11F8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_073E6D08	35_2_073E6D08
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A36A80	35_2_07A36A80
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A398B8	35_2_07A398B8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A34FE0	35_2_07A34FE0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A34FF0	35_2_07A34FF0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A334E0	35_2_07A334E0
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A34BB8	35_2_07A34BB8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A36A71	35_2_07A36A71
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A33918	35_2_07A33918
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A330A8	35_2_07A330A8
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 35_2_07A30007	35_2_07A30007

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe 7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\NotepadUpdate.exe 7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs file.exe
Source: file.exe, 00000000.00000002.2141119617.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2141119617.0000000003B7A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.2145630584.0000000007690000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000000.2108471872.0000000000702000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNVBx.exe" vs file.exe
Source: file.exe, 00000000.00000002.2146436687.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs file.exe
Source: file.exe, 00000000.00000002.2146436687.0000000007E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.2138549967.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2144886665.0000000007430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs file.exe
Source: file.exe, 00000008.00000002.2264054652.0000000003C27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNVBx.exe" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameNVBx.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AtkzppDHiyvcIR.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NotepadUpdate.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.2be6ae4.1.raw.unpack, Settings.cs	Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='
Source: 0.2.file.exe.2bd4208.0.raw.unpack, Settings.cs	Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='

Source: 0.2.file.exe.3d537f8.2.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.3d537f8.2.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3d537f8.2.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, lVRdylhA8jubWD8j1x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7690000.5.raw.unpack, lVRdylhA8jubWD8j1x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.2bd4208.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.2bd4208.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7690000.5.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.7690000.5.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.7690000.5.raw.unpack, uYCig1sF66qVjL68U1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3d537f8.2.raw.unpack, lVRdylhA8jubWD8j1x.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@53/25@0/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\AevgPZBLIVkjbJsbumvdFn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Mutant created: \Sessions\1\BaseNamedObjects\tnybaidkzovl
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat""

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp5608.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp16B7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp5608.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp16B7.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NVBx.pdb source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr
Source:	Binary string: NVBx.pdbSHA256V- source: file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.file.exe.7690000.5.raw.unpack, uYCig1sF66qVjL68U1.cs	.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, uYCig1sF66qVjL68U1.cs	.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.file.exe.3d537f8.2.raw.unpack, uYCig1sF66qVjL68U1.cs	.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.2bd4208.0.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])

Source: file.exe

Static PE information: 0xBC4E8C9C [Mon Feb 10 13:26:52 2070 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07738C13 push esp; retf	0_2_07738C19
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 9_2_073BB276 push ds; iretd	9_2_073BB277
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE1283 push edi; ret	13_2_00FE1282
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Code function: 13_2_00FE1275 push edi; ret	13_2_00FE1282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 20_2_091E85FF push es; ret	20_2_091E8610
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 22_2_05EF4471 push 00000005h; ret	22_2_05EF4486
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 27_2_02E21270 push edi; ret	27_2_02E21282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 30_2_092185FF push es; ret	30_2_09218610
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C51284 push edi; ret	33_2_00C51282
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Code function: 33_2_00C51270 push edi; ret	33_2_00C51282

Source: file.exe	Static PE information: section name: .text entropy: 7.43247692930151
Source: AtkzppDHiyvcIR.exe.0.dr	Static PE information: section name: .text entropy: 7.43247692930151
Source: NotepadUpdate.exe.8.dr	Static PE information: section name: .text entropy: 7.43247692930151

Source: 0.2.file.exe.7690000.5.raw.unpack, pPlAdEQSYpDd771yMR.cs	High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
Source: 0.2.file.exe.7690000.5.raw.unpack, LDXlpFAqBajZBU222I.cs	High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
Source: 0.2.file.exe.7690000.5.raw.unpack, TwokIEltYOXQBakKStv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
Source: 0.2.file.exe.7690000.5.raw.unpack, Stad2JlEpOAw2rQm4DY.cs	High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
Source: 0.2.file.exe.7690000.5.raw.unpack, lVRdylhA8jubWD8j1x.cs	High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
Source: 0.2.file.exe.7690000.5.raw.unpack, CwmuZm6sBnW94miKIt.cs	High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
Source: 0.2.file.exe.7690000.5.raw.unpack, VBsLArMNoElOWcGENd.cs	High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
Source: 0.2.file.exe.7690000.5.raw.unpack, npbdMh9ZYDjxE108vq.cs	High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
Source: 0.2.file.exe.7690000.5.raw.unpack, yaU42illrHtYtTMVKhc.cs	High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
Source: 0.2.file.exe.7690000.5.raw.unpack, wK8RGwY2TSdWw0MbWi.cs	High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
Source: 0.2.file.exe.7690000.5.raw.unpack, raWy8KSnBEG8OkGhsu.cs	High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.7690000.5.raw.unpack, niY5NKzmET1X3aCafO.cs	High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
Source: 0.2.file.exe.7690000.5.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs	High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
Source: 0.2.file.exe.7690000.5.raw.unpack, blTGy1n8gTX83m6JaG.cs	High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
Source: 0.2.file.exe.7690000.5.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs	High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
Source: 0.2.file.exe.7690000.5.raw.unpack, sfIBMmm9BEghFpYZB6.cs	High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
Source: 0.2.file.exe.7690000.5.raw.unpack, I8lrsDOgbkDxRsBvwr.cs	High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
Source: 0.2.file.exe.7690000.5.raw.unpack, OqvIVw8VDxJKNW7onY.cs	High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
Source: 0.2.file.exe.7690000.5.raw.unpack, uYCig1sF66qVjL68U1.cs	High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
Source: 0.2.file.exe.7690000.5.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, pPlAdEQSYpDd771yMR.cs	High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, LDXlpFAqBajZBU222I.cs	High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, TwokIEltYOXQBakKStv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, Stad2JlEpOAw2rQm4DY.cs	High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, lVRdylhA8jubWD8j1x.cs	High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, CwmuZm6sBnW94miKIt.cs	High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, VBsLArMNoElOWcGENd.cs	High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, npbdMh9ZYDjxE108vq.cs	High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, yaU42illrHtYtTMVKhc.cs	High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, wK8RGwY2TSdWw0MbWi.cs	High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, raWy8KSnBEG8OkGhsu.cs	High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, niY5NKzmET1X3aCafO.cs	High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs	High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, blTGy1n8gTX83m6JaG.cs	High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs	High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, sfIBMmm9BEghFpYZB6.cs	High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, I8lrsDOgbkDxRsBvwr.cs	High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, OqvIVw8VDxJKNW7onY.cs	High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, uYCig1sF66qVjL68U1.cs	High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
Source: 0.2.file.exe.3cfcdd8.3.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, pPlAdEQSYpDd771yMR.cs	High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, LDXlpFAqBajZBU222I.cs	High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, TwokIEltYOXQBakKStv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, Stad2JlEpOAw2rQm4DY.cs	High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, lVRdylhA8jubWD8j1x.cs	High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, CwmuZm6sBnW94miKIt.cs	High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, VBsLArMNoElOWcGENd.cs	High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, npbdMh9ZYDjxE108vq.cs	High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, yaU42illrHtYtTMVKhc.cs	High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, wK8RGwY2TSdWw0MbWi.cs	High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, raWy8KSnBEG8OkGhsu.cs	High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, niY5NKzmET1X3aCafO.cs	High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs	High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, blTGy1n8gTX83m6JaG.cs	High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs	High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, sfIBMmm9BEghFpYZB6.cs	High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, I8lrsDOgbkDxRsBvwr.cs	High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, OqvIVw8VDxJKNW7onY.cs	High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, uYCig1sF66qVjL68U1.cs	High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
Source: 0.2.file.exe.3d537f8.2.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe			Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 3840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 5684, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp"

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NotepadUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NotepadUpdate			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 3840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 5684, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 3840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 5684, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\file.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: A240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: B460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 9E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: AE50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 5040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 93B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A3B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A5C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: B5C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 8F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: B170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 5080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: B560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2B20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 4B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 9100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 7B80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: A100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: B100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory allocated: 4AF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239844	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239704	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239579	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239454	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239344	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238848	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238688	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238393	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238280	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238153	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237961	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237759	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237657	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237532	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237407	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237282	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239401	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238712	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238599	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237827	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 236937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239856
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239747
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239640
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239529
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239421
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239312
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239201
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239093
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238983
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238872
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238656
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238546
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238328
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238190
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237937
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237761
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237547
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237250
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237044
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236899
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236725
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236422
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 235789
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 235666
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239872
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239653
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239546
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239327
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239871
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239656
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239547
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239328
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239108
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238987
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238873
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238500
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238297
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238172
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238056
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237948
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239874
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239766
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239641
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239516
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239406
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239297
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239186
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239078
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238968
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238859
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238749
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238641
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238451
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238344
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238202
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238085
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237969
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237858
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1450	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1868	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7819	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Window / User API: threadDelayed 1145	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Window / User API: threadDelayed 2999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Window / User API: threadDelayed 579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Window / User API: threadDelayed 9268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 903
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 2554
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 1180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2945
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 2039
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 493
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 2822
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Window / User API: threadDelayed 393

Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -239110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238848s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238393s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -238153s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237961s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6260	Thread sleep time: -237282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -239858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -239749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -239640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -239523s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -239401s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238712s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238599s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238258s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -238046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237827s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237168s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -237054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 3816	Thread sleep time: -236937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 6088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 5648	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 4136	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 2096	Thread sleep count: 579 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 2096	Thread sleep count: 9268 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239856s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239747s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239640s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239529s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239421s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239312s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239201s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -239093s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238983s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238872s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238765s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238546s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -238190s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -237937s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -237761s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -237547s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -237250s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -237044s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -236899s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -236725s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -236422s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -236000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -235789s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5492	Thread sleep time: -235666s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 1924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6532	Thread sleep count: 1180 > 30
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239872s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239765s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239653s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239546s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6120	Thread sleep time: -239327s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 2404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239871s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239765s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239656s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239547s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239437s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239328s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239218s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -239108s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238987s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238873s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238500s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238297s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238172s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -238056s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 4196	Thread sleep time: -237948s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 3392	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239874s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239766s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239641s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239516s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239406s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239297s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239186s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -239078s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238968s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238859s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238749s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238641s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238451s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238344s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238202s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -238085s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -237969s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 504	Thread sleep time: -237858s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 6512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 5328	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239844	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239704	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239579	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239454	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239344	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 239110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238848	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238688	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238393	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238280	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 238153	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237961	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237759	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237657	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237532	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237407	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 237282	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239523	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 239401	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238712	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238599	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237827	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 237054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 236937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239856
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239747
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239640
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239529
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239421
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239312
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239201
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239093
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238983
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238872
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238656
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238546
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238328
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238190
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237937
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237761
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237547
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237250
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237044
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236899
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236725
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236422
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 236000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 235789
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 235666
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239872
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239653
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239546
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239327
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239871
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239765
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239656
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239547
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239437
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239328
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239218
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239108
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238987
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238873
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238500
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238297
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238172
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238056
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237948
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239874
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239766
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239641
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239516
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239406
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239297
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239186
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 239078
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238968
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238859
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238749
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238641
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238451
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238344
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238202
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 238085
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237969
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 237858
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Thread delayed: delay time: 922337203685477

Source: file.exe, 00000000.00000002.2146436687.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4602356145.00000000050B8000.00000004.00000020.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4602356145.0000000004FE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4581829875.0000000000D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWthernet0-WFP Native MAC Layer LightW
Source: AtkzppDHiyvcIR.exe, 00000009.00000002.2179673368.0000000000E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

Code function: 13_2_06161210 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

13_2_06161210

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.file.exe.2be6ae4.1.raw.unpack, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.file.exe.2be6ae4.1.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Memory written: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\NotepadUpdate.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat""	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp5608.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp16B7.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
Source: AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2be6ae4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3134234.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c3198c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd4208.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.NotepadUpdate.exe.2c44268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a34270.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.3129c4c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.NotepadUpdate.exe.313c528.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.NotepadUpdate.exe.3121958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AtkzppDHiyvcIR.exe.2a21994.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 5920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 3840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NotepadUpdate.exe PID: 5684, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: file.exe PID: 4232, type: MEMORYSTR

Source: file.exe, 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: file.exe, 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: file.exe, 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	3 Scheduled Task/Job	112 Process Injection	1 Masquerading	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Scheduled Task/Job	1 Scripting	3 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	151 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	112 Process Injection	NTDS	151 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NotepadUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	26%	ReversingLabs
C:\Users\user\AppData\Roaming\NotepadUpdate.exe	26%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.2139607033.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000008.00000002.2258206011.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000009.00000002.2180584741.0000000002981000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 0000000D.00000002.4584361518.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000014.00000002.2329129575.0000000003041000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000016.00000002.2299464922.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 0000001E.00000002.2428663519.0000000003081000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000023.00000002.2510555606.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	file.exe, AtkzppDHiyvcIR.exe.0.dr, NotepadUpdate.exe.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.158.187	unknown	Switzerland		34888	SIMPLECARRER2IT	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572764
Start date and time:	2024-12-10 21:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@53/25@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 609 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 2.22.50.144, 2.22.50.131, 184.30.24.109, 23.218.208.109, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:23:59	API Interceptor	22x Sleep call for process: file.exe modified
15:24:02	API Interceptor	31x Sleep call for process: powershell.exe modified
15:24:03	API Interceptor	7362788x Sleep call for process: AtkzppDHiyvcIR.exe modified
15:24:15	API Interceptor	74x Sleep call for process: NotepadUpdate.exe modified
21:24:02	Task Scheduler	Run new task: AtkzppDHiyvcIR path: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
21:24:15	Task Scheduler	Run new task: NotepadUpdate path: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
21:24:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NotepadUpdate "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
21:24:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NotepadUpdate "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.208.158.187	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	sbs9FC81oX.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172
	DHL__734825514204.exe	Get hash	malicious	FormBook	Browse	199.232.214.172
	FG Or#U00e7amento JAN 2025.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	Stonhard Response Required 10 Dec, 2024- 0PH8-NYFV0C-ZDU7.msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://intelligentrepairsolutions-my.sharepoint.com/:b:/g/personal/a_zell_irs-group_com/ETrGN6yXppBBt5Jzbj4zKhgBq4v6Oyb7O70AESL4N06CfQ?e=4%3aChQOAq&at=9	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://listafrica.org/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	199.232.210.172
	ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msg	Get hash	malicious	Unknown	Browse	199.232.214.172
	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	199.232.214.172
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRER2IT	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.208.158.187
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	185.196.8.239
	stail.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.202
	getlab.exe	Get hash	malicious	Socks5Systemz	Browse	185.208.158.202
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	RjygH3Vh7O.exe	Get hash	malicious	RHADAMANTHYS	Browse	185.196.8.68
	SekpL8Z26C.exe	Get hash	malicious	Unknown	Browse	185.208.159.79

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\NotepadUpdate.exe	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse
C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKZnDL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:diDImsLNkPlE99SNxAhUe/3
MD5:	FE4A3D91A4E3D93EF84482BEF580BEDD
SHA1:	38E1E91A660245E793179E0848B87D99FE6DEA91
SHA-256:	71C6D9363B4C51D5B0E7068430A9A07D1188F34FE343EE7A11D507496453A344
SHA-512:	90B65543F39F20CF826A8585D50806BCDB9A76643A0ECDEA368A654F1BB6851624589A59C1019A5718F4B2867655FC0838612AA2363459EE07B9D24A4A56F995
Malicious:	false
Preview:	p...... ........XJ..AK..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AtkzppDHiyvcIR.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NotepadUpdate.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:CWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//8M0Uyus:CLHxvCZfIfSKRHmOugw1s
MD5:	D69DFA7B277CE2F4DC2A53BADA267A64
SHA1:	737AE135ACA8F7B5EBEC8629E692E52A90FE8C83
SHA-256:	05F95B4CA43C32554371D506A5DED66E06102505DE8528D5BB641C624CC5A2AD
SHA-512:	2E3584ADE259A1D9EECB585CF9E7E703C7F0259A2BD6FA120DC50ECD6C03BDAFFF2A6957310993FAA3719CF0F87A26C8E5E5FDE7FB4797A954F1097A0AA27AEE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxtgkwci.qj0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibhtjzfo.ypb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijpj24ya.nmi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3cl1cpp.bdd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piua2r1b.hpv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5lxwd5x.dm0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5b2fau4.rl3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulrg0hze.e5y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp16B7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.099818921866846
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
MD5:	936BFCB24902CE3E3EF3703B3C283D4F
SHA1:	B8CEC4D1DBFCC47881E1ED732DEC550F4F09C7C8
SHA-256:	54D3AB9515056C89341D95FF93AB3959C89A132B9FFD340C686C55F1D181EFAD
SHA-512:	43F4A813CE8AA07BFF71003897D0DF8B7FBC5E9CA657184377DB70B563AC4B19C6270909924530FC82EE8427D4B9DB5BDBAB2205469C5EE4B91CF8EF53D0B1AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp5608.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.099818921866846
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
MD5:	936BFCB24902CE3E3EF3703B3C283D4F
SHA1:	B8CEC4D1DBFCC47881E1ED732DEC550F4F09C7C8
SHA-256:	54D3AB9515056C89341D95FF93AB3959C89A132B9FFD340C686C55F1D181EFAD
SHA-512:	43F4A813CE8AA07BFF71003897D0DF8B7FBC5E9CA657184377DB70B563AC4B19C6270909924530FC82EE8427D4B9DB5BDBAB2205469C5EE4B91CF8EF53D0B1AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.099818921866846
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
MD5:	936BFCB24902CE3E3EF3703B3C283D4F
SHA1:	B8CEC4D1DBFCC47881E1ED732DEC550F4F09C7C8
SHA-256:	54D3AB9515056C89341D95FF93AB3959C89A132B9FFD340C686C55F1D181EFAD
SHA-512:	43F4A813CE8AA07BFF71003897D0DF8B7FBC5E9CA657184377DB70B563AC4B19C6270909924530FC82EE8427D4B9DB5BDBAB2205469C5EE4B91CF8EF53D0B1AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp9AD.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.099818921866846
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
MD5:	936BFCB24902CE3E3EF3703B3C283D4F
SHA1:	B8CEC4D1DBFCC47881E1ED732DEC550F4F09C7C8
SHA-256:	54D3AB9515056C89341D95FF93AB3959C89A132B9FFD340C686C55F1D181EFAD
SHA-512:	43F4A813CE8AA07BFF71003897D0DF8B7FBC5E9CA657184377DB70B563AC4B19C6270909924530FC82EE8427D4B9DB5BDBAB2205469C5EE4B91CF8EF53D0B1AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.099818921866846
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLkxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTwv
MD5:	936BFCB24902CE3E3EF3703B3C283D4F
SHA1:	B8CEC4D1DBFCC47881E1ED732DEC550F4F09C7C8
SHA-256:	54D3AB9515056C89341D95FF93AB3959C89A132B9FFD340C686C55F1D181EFAD
SHA-512:	43F4A813CE8AA07BFF71003897D0DF8B7FBC5E9CA657184377DB70B563AC4B19C6270909924530FC82EE8427D4B9DB5BDBAB2205469C5EE4B91CF8EF53D0B1AC
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	163
Entropy (8bit):	4.983993187075643
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oN+EaKC5eiBNJovmqRDN+E2J5xAInTRIM+RwZPy:hWKqTtT6N7aZ5eOovmq1N723fTt+Rwk
MD5:	9F0613F8729D31B3C022CD5B3E596276
SHA1:	B69D188A343EE85321B5E4556F2D9E90B58C6C96
SHA-256:	F0055233F05618577416B044EE603FA87953FE994D475185DBD69435C58431F3
SHA-512:	BE9682B59BFF2C4F9E2BCC50015314D5017FC97EEE1A2C34843051179A73435C4C0AD1CD39D0E8C9883058C805D14DC31D8A1085B3FA7829DE373FE542A02449
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpCE88.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	670216
Entropy (8bit):	7.434728031470088
Encrypted:	false
SSDEEP:	12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
MD5:	AE806B6F5E02484C2BE2B49DA35B3D26
SHA1:	66AE8DF94CD9E804FAB01BC6BE77CFEC8D544226
SHA-256:	7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5
SHA-512:	8EA9CFE94BC4DBFC0A6C43B811461E6DA4CAB55FE6A3DDD1A4795F0887B2A311A6E9D9A464BB9253985C5A68CC206C36A703319463E5DACA92ADBE056E16A968
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: Ziraat Bankasi Swift Mesaji.dqy.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....N...............0.................. ... ....@.. .......................`............@.....................................O.... ..\................6...@..........p............................................ ............... ..H............text...4.... ...................... ..`.rsrc...\.... ......................@..@.reloc.......@......................@..B........................H...........Th......f...<A................................................r...ps....}.....s....}......}.....(.......(......(........0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!......0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....

C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\MyData\DataLogs.conf

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Preview:	.5.False

C:\Users\user\AppData\Roaming\NotepadUpdate.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	670216
Entropy (8bit):	7.434728031470088
Encrypted:	false
SSDEEP:	12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
MD5:	AE806B6F5E02484C2BE2B49DA35B3D26
SHA1:	66AE8DF94CD9E804FAB01BC6BE77CFEC8D544226
SHA-256:	7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5
SHA-512:	8EA9CFE94BC4DBFC0A6C43B811461E6DA4CAB55FE6A3DDD1A4795F0887B2A311A6E9D9A464BB9253985C5A68CC206C36A703319463E5DACA92ADBE056E16A968
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: Ziraat Bankasi Swift Mesaji.dqy.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....N...............0.................. ... ....@.. .......................`............@.....................................O.... ..\................6...@..........p............................................ ............... ..H............text...4.... ...................... ..`.rsrc...\.... ......................@..@.reloc.......@......................@..B........................H...........Th......f...<A................................................r...ps....}.....s....}......}.....(.......(......(........0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!......0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.434728031470088
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	670'216 bytes
MD5:	ae806b6f5e02484c2be2b49da35b3d26
SHA1:	66ae8df94cd9e804fab01bc6be77cfec8d544226
SHA256:	7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
SHA512:	8ea9cfe94bc4dbfc0a6c43b811461e6da4cab55fe6a3ddd1a4795f0887b2a311a6e9d9a464bb9253985c5a68cc206c36a703319463e5daca92adbe056e16a968
SSDEEP:	12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
TLSH:	77E4CF64376DDB06C5394BF00A61E5B4237A7D8AB821E21F6DD97FEF7872B014A10683
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....N...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a180e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBC4E8C9C [Mon Feb 10 13:26:52 2070 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F9C708A3802h
je 00007F9C708A3802h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F9C708A3802h
imul eax, dword ptr [eax], 00610076h
je 00007F9C708A3802h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa17bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa0400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9f1c4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9f834	0x9fa00	1bd33ec88eabfce6f6cc14f8ca6ecef1	False	0.7815176561276429	SysEx File - AdamsSmith	7.43247692930151	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x55c	0x600	cbbdd56315ad6e2cdebe8a43129d6c19	False	0.3977864583333333	data	3.902946547383952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	0e36c2075c6d5b1a755cefd545cf91c3	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x2cc	data			0.4301675977653631
RT_MANIFEST	0xa236c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T21:24:22.727258+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	185.208.158.187	4449	192.168.2.6	49739	TCP
2024-12-10T21:24:22.727258+0100	2052265	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	185.208.158.187	4449	192.168.2.6	49739	TCP
2024-12-10T21:24:22.727258+0100	2052267	ET MALWARE Observed Malicious SSL Cert (VenomRAT)	1	185.208.158.187	4449	192.168.2.6	49739	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 21:24:21.072216988 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:21.191993952 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:21.192154884 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:21.198191881 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:21.317534924 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:22.600872993 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:22.606275082 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:22.727257967 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:23.113187075 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:23.229646921 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:26.449404955 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:26.729482889 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:26.729552984 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:26.851421118 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:37.057071924 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:37.177212954 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:37.177270889 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:37.297884941 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:37.782810926 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:37.823378086 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:37.974725962 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:38.026519060 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:38.103936911 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:38.223498106 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:38.223578930 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:38.344358921 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:47.605443001 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:47.725358963 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:47.725547075 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:47.844820976 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:48.253870010 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:48.307744980 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:48.636452913 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:48.638297081 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:48.759597063 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:48.759767056 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:48.879132986 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:58.167742014 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:58.288048983 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:58.288139105 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:58.407485008 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:58.851485014 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:58.901513100 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:59.042234898 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:59.043926954 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:59.164318085 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:24:59.164378881 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:24:59.284393072 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:08.730139017 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:08.849509954 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:08.849634886 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:08.969631910 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:09.371529102 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:09.417152882 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:09.568186045 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:09.569780111 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:09.689105034 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:09.689172029 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:09.808615923 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:19.292841911 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:19.412431955 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:19.414458990 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:19.533711910 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:19.940038919 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:19.995282888 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:20.132097006 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:20.133840084 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:20.253218889 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:20.253293037 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:20.373181105 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:29.855489969 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:29.974853992 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:29.974925995 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:30.094634056 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:30.496160030 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:30.542157888 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:30.690773964 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:30.692487955 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:30.812623024 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:30.812695980 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:30.932300091 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:35.042783022 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:35.162201881 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:35.162251949 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:35.281541109 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:35.693672895 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:35.745276928 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:35.885165930 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:35.887424946 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:36.006656885 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:36.006716967 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:36.126157045 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:45.609127998 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:45.733388901 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:45.733475924 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:45.854593039 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:46.258156061 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:46.307804108 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:46.460427999 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:46.462177992 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:46.581789017 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:46.582062960 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:46.701396942 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:56.167737961 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:56.287242889 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:56.290560007 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:56.411712885 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:56.817097902 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:56.948986053 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:57.008881092 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:57.010694027 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:57.130270004 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:25:57.130527020 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:25:57.249998093 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:06.730463028 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:06.854461908 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:06.854547977 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:06.980421066 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:06.980549097 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:07.101262093 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.386888027 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.432795048 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:07.579010963 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.580926895 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:07.700336933 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.700395107 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:07.770735025 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.822343111 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:07.822402000 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:07.941677094 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:17.420330048 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:17.539683104 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:17.539748907 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:17.659044027 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:18.071799994 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:18.120311022 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:18.272377968 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:18.276561022 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:18.396313906 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:18.396686077 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:18.516163111 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:20.952483892 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:21.072010040 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:21.074639082 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:21.195447922 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:21.609493971 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:21.651596069 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:21.800905943 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:21.802685976 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:21.925623894 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:21.925745010 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:22.045160055 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:31.060724974 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:31.180613995 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:31.180756092 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:31.300385952 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:31.715070009 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:31.761010885 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:31.912842989 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:31.914684057 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:32.034629107 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:32.034710884 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:32.154138088 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:37.872000933 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:37.992571115 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:37.992742062 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:38.114583969 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:38.668251991 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:38.714087009 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:38.860043049 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:38.896855116 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:39.016263962 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:39.016370058 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:39.142441034 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:39.445272923 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:39.566234112 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:39.566298008 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:39.686332941 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:40.090256929 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:40.135951042 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:40.391885996 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:40.393672943 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:40.513207912 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:40.514802933 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:40.634644032 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:41.573947906 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:41.693484068 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:41.693557978 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:41.933043957 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:42.225703955 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:42.280580997 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:42.417623997 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:42.422487020 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:42.544805050 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:42.550487995 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:42.669907093 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:45.152168989 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:45.271624088 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:45.271693945 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:45.395658970 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:45.800302982 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:45.854707956 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:45.992225885 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:45.994566917 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:46.114506960 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:46.114587069 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:46.234004974 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:55.108520031 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:55.228122950 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:55.228457928 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:55.347770929 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:55.760145903 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:55.807835102 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:55.956789017 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:55.958431005 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:56.078075886 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:56.078469992 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:56.198626995 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:57.152213097 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:57.271553040 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:57.274580956 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:57.394028902 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:57.801249981 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:57.854835033 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:57.993280888 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:57.995507956 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:58.115343094 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:26:58.115403891 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:26:58.234884977 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:01.099828959 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:01.219228983 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:01.222568989 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:01.342658997 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:01.759953022 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:01.807838917 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:01.959604025 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:01.961615086 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:02.080960989 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:02.081013918 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:02.200426102 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:07.323993921 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:07.447813988 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:07.447875023 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:07.568352938 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:07.976258993 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:08.057878971 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:08.170548916 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:08.172199965 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:08.291815996 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:08.291908026 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:08.411251068 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:16.308518887 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:16.428462029 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:16.430273056 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:16.551403999 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:16.956115007 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:17.058163881 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:17.147903919 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:17.152403116 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:17.271815062 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:17.274595976 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:17.394002914 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:19.183367014 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:19.313131094 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:19.313319921 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:19.432678938 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:19.842351913 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:20.039756060 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:20.039958954 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:20.041690111 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:20.161258936 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:20.161329985 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:20.280745983 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:28.262182951 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:28.381513119 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:28.384552002 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:28.505342007 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:28.918062925 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:28.964529991 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:29.119893074 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:29.122392893 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:29.241703987 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:29.241874933 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:29.361289024 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:34.086414099 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:34.250552893 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:34.250678062 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:34.370212078 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:34.732444048 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:34.776654959 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:34.932409048 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:34.935250044 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:35.054692030 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:35.054837942 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:35.174251080 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:35.583245993 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:35.635988951 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:35.775425911 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:35.785629988 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:35.906898022 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:35.906955957 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:36.026592016 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:45.480746984 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:45.600965023 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:45.601031065 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:45.819425106 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:46.131846905 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:46.182864904 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:46.325186968 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:46.370403051 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:46.524221897 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:46.644294024 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:46.644409895 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:46.772001028 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:48.183377981 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:48.302762032 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:48.306611061 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:48.427448034 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:48.834983110 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:48.886018991 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:49.024848938 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:49.073508024 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:49.178101063 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:49.297991037 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:49.298125029 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:49.417432070 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:58.748110056 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:58.867666006 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:58.867779970 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:58.992172003 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:59.396967888 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:59.448529959 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:59.589332104 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:59.593353033 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:59.712620020 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:27:59.712681055 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:27:59.831934929 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:10.542696953 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:28:10.663549900 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:10.663645029 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:28:10.783906937 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:11.198012114 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:11.261089087 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:28:11.406188965 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:11.407025099 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:28:11.526290894 CET	4449	49739	185.208.158.187	192.168.2.6
Dec 10, 2024 21:28:11.526462078 CET	49739	4449	192.168.2.6	185.208.158.187
Dec 10, 2024 21:28:11.645895958 CET	4449	49739	185.208.158.187	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 21:24:22.815975904 CET	1.1.1.1	192.168.2.6	0x6a43	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 10, 2024 21:24:22.815975904 CET	1.1.1.1	192.168.2.6	0x6a43	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:23:59
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x700000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2139607033.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:24:01
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Imagebase:	0xb30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:24:01
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:24:01
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmpCAD2.tmp"
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:24:01
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:24:02
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1a0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:24:02
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x820000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.2256390278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:24:02
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
Imagebase:	0x5e0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.2180584741.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:24:06
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9AD.tmp"
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:24:06
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:24:06
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Imagebase:	0x6d0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	15:24:13
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:24:13
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCE88.tmp.bat""
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:24:13
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:24:13
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:24:14
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:24:14
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0xb60000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:24:15
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Imagebase:	0xcc0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.2329129575.0000000003129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:24:17
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x890000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:24:17
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Imagebase:	0xb30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5964, Parent PID: 6008

General

Target ID:	24
Start time:	15:24:17
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:24:18
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp5608.tmp"
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:24:18
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:24:19
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0xca0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:24:28
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0xcf0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.2428663519.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:24:30
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp16B7.tmp"
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:24:30
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:24:30
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x430000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:24:36
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x810000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000023.00000002.2510555606.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	15:24:38
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp7CF1.tmp"
Imagebase:	0x180000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:24:38
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:24:38
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x3a0000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	15:24:38
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Roaming\NotepadUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Imagebase:	0x770000
File size:	670'216 bytes
MD5 hash:	AE806B6F5E02484C2BE2B49DA35B3D26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.2%
Total number of Nodes:	249
Total number of Limit Nodes:	8

Executed Functions

Function 09104117 Relevance: 2.6, Instructions: 2605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146781398.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3599117432d429ebce5a46a541ed6a66d82f1d495d5bd0aff567cf6ac0c0bea0
Instruction ID: 89db161a2061692950e5b23490d2e9f4b9e1cd4e8e66123eee8cc29bb67f1299
Opcode Fuzzy Hash: 3599117432d429ebce5a46a541ed6a66d82f1d495d5bd0aff567cf6ac0c0bea0
Instruction Fuzzy Hash: 9D430874B01219CFDB24DF68C898A9DB7B2BF88314F118599E409AB3A1DB71ED91CF50

Function 09101240 Relevance: 1.9, Strings: 1, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0910138B

Memory Dump Source

Source File: 00000000.00000002.2146781398.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9100000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ed5fa798aae619565355475234dbecd8d42c66043c88c305b1ff0b5491c413b5
Instruction ID: 05bfc08c13c1378e3728817e5fba016ada9c1c5bc2ecc356b3cff0f1f4aec077
Opcode Fuzzy Hash: ed5fa798aae619565355475234dbecd8d42c66043c88c305b1ff0b5491c413b5
Instruction Fuzzy Hash: BD62ED74E05228CFDB25DF68C894BDEBBB2BB89300F1081E9D449A7291DB759E85CF50

Function 09103668 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146781398.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be09f6c7eaf946572eeceaa5a0e87fff3bf4687e6de7151ee239fd86c356e6d
Instruction ID: 2c38a7b4eea1239fad31fd883b24fe86227b874af51ea2b10507a5d4354ffc1e
Opcode Fuzzy Hash: 4be09f6c7eaf946572eeceaa5a0e87fff3bf4687e6de7151ee239fd86c356e6d
Instruction Fuzzy Hash: 94526F34B00115DFDB18DF69D9A8A6DBBB2BFC4314B158169E816DB3A0DB72DC42CB90

Function 0773A76A Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a213741237c4b4fa51f87c02a0ceee5e033e1ad871d97cb43b1d06c5e2a70956
Instruction ID: 3a0a6207b4969ce0479b8061f6367d65cf34205a39c468534f6da0c3d52ec66c
Opcode Fuzzy Hash: a213741237c4b4fa51f87c02a0ceee5e033e1ad871d97cb43b1d06c5e2a70956
Instruction Fuzzy Hash: E432DDB17012068FDB19DB79D454BAEBBF6AF89380F1584A9E1859B3A2DB30DD01CB50

Function 01173E34 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2582f05760fb6cb5f3988c13e24f9de74e2f2dbdec1b9d7c53d8ccada91859a0
Instruction ID: 82ce8b635184670ba7becad58910d3dd6841a801932ddd34a6b8493fb1ea2b13
Opcode Fuzzy Hash: 2582f05760fb6cb5f3988c13e24f9de74e2f2dbdec1b9d7c53d8ccada91859a0
Instruction Fuzzy Hash: 7F81C374E00209DFDB08DFE9D994AAEBBB2FF89304F208129D515AB369DB346941CF51

Function 07736A10 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e002bf0697358dba374781d10efbaf0a4bf212fac268ad3302e2920610dbe42a
Instruction ID: 57bb9c75e678ba280c484d587662960d07611a02abb787f25285c4f3c7f6ba20
Opcode Fuzzy Hash: e002bf0697358dba374781d10efbaf0a4bf212fac268ad3302e2920610dbe42a
Instruction Fuzzy Hash: DC5107B4D19208EBDB04CFA9D4446EDBBF9EF8B340F24A025D01AE7256DB749945CF14

Function 01176F90 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3fa9f672ace9b246c0fdfdc3eca32197d7818ec6ba44714e428a35523c0812
Instruction ID: 9a7fc5a00d058b1e39ceb8a802c501a13cf5b935d126faed8daf373c67660780
Opcode Fuzzy Hash: 3b3fa9f672ace9b246c0fdfdc3eca32197d7818ec6ba44714e428a35523c0812
Instruction Fuzzy Hash: 3351D270E012599FDB08DFA9D894ADEBBB2BF89304F10812AD415BB365DB349942CF90

Function 07736A00 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa422ba66de0970ac0d13ff56c3d981389708a77764ec812edaeade2e2e7af9
Instruction ID: 05e05f0827bca7a68d8d0f7cc05107b8b5e8573765e0efadbf5c08fe691ba9e0
Opcode Fuzzy Hash: 2fa422ba66de0970ac0d13ff56c3d981389708a77764ec812edaeade2e2e7af9
Instruction Fuzzy Hash: 334118B4D19208EBDB04CFA6D4442EDFBF6AF8B340F24E025D019E6256DB795945CF44

Function 0117D570 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0117D5FE
GetCurrentThread.KERNEL32 ref: 0117D63B
GetCurrentProcess.KERNEL32 ref: 0117D678
GetCurrentThreadId.KERNEL32 ref: 0117D6D1

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 437988d656098b69aa2e33ed2487e3c6e30aa5a3db6de4baefa292900af8c031
Instruction ID: ece96a6d93a53a6576dd6b3eff275d06939fc5863c9d0aadcef8ef881f5dcab9
Opcode Fuzzy Hash: 437988d656098b69aa2e33ed2487e3c6e30aa5a3db6de4baefa292900af8c031
Instruction Fuzzy Hash: D05168B09003498FEB18DFA9D548BDEBBF5FF88314F20845AE119A7390DB789944CB65

Function 0117D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0117D5FE
GetCurrentThread.KERNEL32 ref: 0117D63B
GetCurrentProcess.KERNEL32 ref: 0117D678
GetCurrentThreadId.KERNEL32 ref: 0117D6D1

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4b4a63f7868a285860b69b33e42010518ac2b4dcdf873675a9bcffcac20dc8b6
Instruction ID: 0e7091aae15eaef5af0c13f1b06c9983efaaf2e19b1d27f6002d874bef5259de
Opcode Fuzzy Hash: 4b4a63f7868a285860b69b33e42010518ac2b4dcdf873675a9bcffcac20dc8b6
Instruction Fuzzy Hash: 5B5157B09003498FEB18DFAAD548BDEBBF5FF88314F208459E119A7350DB74A944CBA5

Function 07735CDC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07735F1E

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 83efaeddf30e0d8e11f1e9551ea9c4dd8665b8d4ef26b65ff128ed4791085d87
Instruction ID: bc76f3aec815ff6176616b0404b4f96d1c4011da1103c739fe96ef769c889e8b
Opcode Fuzzy Hash: 83efaeddf30e0d8e11f1e9551ea9c4dd8665b8d4ef26b65ff128ed4791085d87
Instruction Fuzzy Hash: 11A18EB1D0021ADFDF14CF68C844BEEBBB2BF44310F148569E819A7241DB749995CF92

Function 07735CE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07735F1E

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5b97a371d437ce6bd2bf7106dfd7ee552a5c7909c403f027d9d4a0311c17f5de
Instruction ID: bcdb242631699b7efc682d66774e9af938ba2d6e4cebd025f4c3a4fe1bab1e4f
Opcode Fuzzy Hash: 5b97a371d437ce6bd2bf7106dfd7ee552a5c7909c403f027d9d4a0311c17f5de
Instruction Fuzzy Hash: 65917DB1D0021ADFEF14CF68C8457EDBBB2BF48310F1485A9E819A7241DB749995CF92

Function 0117B300 Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0117B566

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e8dcf2f0820ee62eec0c70de4399941d1c54929ac90330ac31e5a7f40bb971e2
Instruction ID: 5eb15431c670e8dad495ce23bce52a6747b29a0e106f0e2e3f3032fba5fc1b99
Opcode Fuzzy Hash: e8dcf2f0820ee62eec0c70de4399941d1c54929ac90330ac31e5a7f40bb971e2
Instruction Fuzzy Hash: 4D915470A04B058FE729DF29D44075ABBF1FF88304F04892AD586CBB51DB79E849CB95

Function 07463478 Relevance: 1.7, Strings: 1, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 074638CD

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 03f64c706fb92c24179480a81c4360d719221bddee187271538b882a5e90c31d
Instruction ID: cb37ea8080b07b27cf2ce9801932cc3754f4efd165cd82818dfb32fc7be69dce
Opcode Fuzzy Hash: 03f64c706fb92c24179480a81c4360d719221bddee187271538b882a5e90c31d
Instruction Fuzzy Hash: 60E19CF0E01286DFDB15AF64C4486EEBFF1EF85301F5584AAD442A73A5D630C865CB92

Function 0117590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011759C9

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 561f14fc9c261b93bd06ed21941ff728b77ef7bdaeba572ecd0ddeb9a75a0565
Instruction ID: 1e278e6f52c02baf32d41f14b01296580101d11640cfeee243535674931bbce1
Opcode Fuzzy Hash: 561f14fc9c261b93bd06ed21941ff728b77ef7bdaeba572ecd0ddeb9a75a0565
Instruction Fuzzy Hash: E341C271C00719CBEB24DFA9C9847CEBBB1BF89704F20806AD508AB251DB756946CF91

Function 011744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011759C9

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d32a41f661d1dbeddde2c0e186c655973c4fd14ca3464e3f671b8351f55ea9d2
Instruction ID: 700ca0b1b311d88a9537506b4662d36ac1b509577653e0c5e5f6c945a70694ac
Opcode Fuzzy Hash: d32a41f661d1dbeddde2c0e186c655973c4fd14ca3464e3f671b8351f55ea9d2
Instruction Fuzzy Hash: A741F271C0071DCBEB24DFAAC9847CEBBB6BF49304F20806AD408AB251DB75A945CF91

Function 07735A59 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07735AF0

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 53fa91413b9d9d57744f9a9e530d6525433860b7ae24197c10907c3e6db08a60
Instruction ID: c81927b83fda31a754b60b5765705a068116d3fa5cc8020ef80447af1ab1a1ab
Opcode Fuzzy Hash: 53fa91413b9d9d57744f9a9e530d6525433860b7ae24197c10907c3e6db08a60
Instruction Fuzzy Hash: 452157B190035A9FDF10CFA9C981BDEBBF4FF48310F14882AE919A7241D7799950DBA1

Function 05D2EFC0 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05D2F05F

Memory Dump Source

Source File: 00000000.00000002.2143308517.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_file.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5829fa9a2c6c779feb7361b7c3aafcf11c0b3328a2f9a93ff7ef4a48ebb08791
Instruction ID: db1ced24bd92533b3b588a9a70ce06008dd3f2b1e7143a60dcf93625d1ddf794
Opcode Fuzzy Hash: 5829fa9a2c6c779feb7361b7c3aafcf11c0b3328a2f9a93ff7ef4a48ebb08791
Instruction Fuzzy Hash: 2D31E0B590030A9FDB10CF9AD984ADEFBF4BB58324F14842AE919A7310D775A940CFA1

Function 07735A60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07735AF0

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: de9134cb0133a37dc6cd4281aedac5e5266c4a1320b839f5f4c010fca17e8b68
Instruction ID: 279b553c7b97c57191c2d43d9a0a34fbd2e68b5ea646a6043090ea9c47af0278
Opcode Fuzzy Hash: de9134cb0133a37dc6cd4281aedac5e5266c4a1320b839f5f4c010fca17e8b68
Instruction Fuzzy Hash: E32127B19003599FDF10CFA9C881BDEBBF5FF48310F10842AE919A7241D7789950DBA5

Function 05D2EFC8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05D2F05F

Memory Dump Source

Source File: 00000000.00000002.2143308517.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_file.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: bd48001a0b860511e0491a7e7b951ce2be1a5f69551d4920c29a1f69fdd66af2
Instruction ID: 73c3af68b67417c2a2b35a91be41c366802bf8cefa2034637eabd66b8d72ba77
Opcode Fuzzy Hash: bd48001a0b860511e0491a7e7b951ce2be1a5f69551d4920c29a1f69fdd66af2
Instruction Fuzzy Hash: EB21EEB5D0030A9FDB10CF9AD984ADEFBF4BB58324F14842AE919A7310D775A940CFA1

Function 077358C0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07735946

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8023077cf7975044b21a88b3e4a52e85964094565249530faa8773f8ef326e2d
Instruction ID: 4b9509fec0ce071556a61214e84b708b86de0f973c4a794c531e84e0af87a4fe
Opcode Fuzzy Hash: 8023077cf7975044b21a88b3e4a52e85964094565249530faa8773f8ef326e2d
Instruction Fuzzy Hash: 48216AB19003099FDB10DFAAC4817EEBBF4AF48320F14842AD559A7281CB789954CFA1

Function 07735B48 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07735BD0

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f1ed83cda6f12db2cc11a3ff6e9fb6ab475e063546feb2d9915ea0b01ec42ce6
Instruction ID: c14ed8fcd81e5a3be36b66a257fe2b6329ff9952c20869a27ed573327801cadf
Opcode Fuzzy Hash: f1ed83cda6f12db2cc11a3ff6e9fb6ab475e063546feb2d9915ea0b01ec42ce6
Instruction Fuzzy Hash: D6214AB180034A9FDF10DFA9C884BDEBBF1FF48350F14842AE518A7240C7789911CBA1

Function 0117D7C0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117D84F

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c41c440536db7229bfc8a5f3e6a3057f6423364bb2fcef87661d6138f994c112
Instruction ID: 0ed0013b2c346099e73f8d05f1be176db36b372832d4ec7ce1f4f5334df452c5
Opcode Fuzzy Hash: c41c440536db7229bfc8a5f3e6a3057f6423364bb2fcef87661d6138f994c112
Instruction Fuzzy Hash: DD21E5B5900349DFDB10CF99D585ADEBBF4FB48324F24841AE958A3310D378A950CFA5

Function 07735B50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07735BD0

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 75a506f0fe241ff1f5afacf705cf8a4fda91d2469e78b758229754c40f5e1027
Instruction ID: 88f17dfe71d1d107b3951b20ecec931f4eeea7350362d2aad79ebe102455faf3
Opcode Fuzzy Hash: 75a506f0fe241ff1f5afacf705cf8a4fda91d2469e78b758229754c40f5e1027
Instruction Fuzzy Hash: AF2128B18003599FDB10DFAAC881BDEFBF5FF48310F14842AE559A7240C7789510CBA5

Function 077358C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07735946

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d582c7130876e83d6014448127e22aa3d79890a4efafa7b1b52d16aea8de2f2f
Instruction ID: bb0c57ccfa082486cfd62122ef8fc9433badb0b50ae9430dbca4fab08d05bbe8
Opcode Fuzzy Hash: d582c7130876e83d6014448127e22aa3d79890a4efafa7b1b52d16aea8de2f2f
Instruction Fuzzy Hash: 572149B1D003098FDB10DFAAC4857EEBBF4EF88320F14842AD559A7241CB789944CFA5

Function 0117D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117D84F

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74872c6e90ddb9edf506b703b04ed70315d3f7493a2bdae033764d482f8f3c8e
Instruction ID: 3096f14e787142ce92256da7101987108a0e37494e0f4588058fee7a2b5355a6
Opcode Fuzzy Hash: 74872c6e90ddb9edf506b703b04ed70315d3f7493a2bdae033764d482f8f3c8e
Instruction Fuzzy Hash: C621B3B59002499FDB10CF9AD984ADEBBF4FB48320F14841AE918A3350D374A954CFA5

Function 07735998 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07735A0E

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 230cde5d3ff8b106f12c55bffe56e68f6406e2f12b1995d451e390c5e56ba167
Instruction ID: 2311a030a499f6a3f350ee8e2b3eb8566b8fca4084286c6323ad326ffbf32e83
Opcode Fuzzy Hash: 230cde5d3ff8b106f12c55bffe56e68f6406e2f12b1995d451e390c5e56ba167
Instruction Fuzzy Hash: 561147B28003499FDB10DFAAC845BDFBFF5EF88320F14881AE959A7250CB759550DBA1

Function 07735811 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0773587A

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0b2af3038ff774fd11e1c775f2fb69b8826584f79d685237da2787c722676abc
Instruction ID: 1e3bba6a79d7656963490d53e05c9c6a219614568145f13e792c26a172e67e25
Opcode Fuzzy Hash: 0b2af3038ff774fd11e1c775f2fb69b8826584f79d685237da2787c722676abc
Instruction Fuzzy Hash: 59115BB1D003498FDB10DFAAD4457EEFBF4EF88320F24842AD519A7240CB75A540CBA5

Function 077359A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07735A0E

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9ab61d383f8d6b67ff492ff6483c5ab48ed9618c903fa1ac05b2f2becdd58ab5
Instruction ID: 892b6e96e0b93f8125da1af4a2237f9a889c6c607f89c4c8de3fdc8490bdbc8d
Opcode Fuzzy Hash: 9ab61d383f8d6b67ff492ff6483c5ab48ed9618c903fa1ac05b2f2becdd58ab5
Instruction Fuzzy Hash: 9E1126729003499FDB10DFAAC845BDFBBF5EF88320F148819E519A7250CB75A550DBA1

Function 07735818 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0773587A

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6c479cd85684145412e422e1656a6d20e74bf5b704ca1bc95881d6468ea19e93
Instruction ID: 6bd7aa33b3995b4d4eb8798e545f161e7ddd91a207a3a2f50e31a9ec158f0506
Opcode Fuzzy Hash: 6c479cd85684145412e422e1656a6d20e74bf5b704ca1bc95881d6468ea19e93
Instruction Fuzzy Hash: 1C110AB1D003498FDB10DFAAC4457DFFBF5AF88724F248429D519A7240CB75A544CB95

Function 07732730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739EFD

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1d68b797b4158dc707c50a9925643d08d9be92a8f078cfb9e6912569359215e8
Instruction ID: d6f5d5713f958274526228b84d113b39cd66807434d617781717f32212a96e54
Opcode Fuzzy Hash: 1d68b797b4158dc707c50a9925643d08d9be92a8f078cfb9e6912569359215e8
Instruction Fuzzy Hash: 421133B5804349DFDB10DF8AC484BDFBBF8EB48324F10841AE618A7201C3B5A940CFA1

Function 07739E9B Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739EFD

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 41abf55549526e7691180f03a3f6c5c7836ebff89d8eba17783fb44390fcde89
Instruction ID: 03b7d8c4efdd521e412a2e428c70ebc4a6347364d4a7fcc8d2f0c757df9d1737
Opcode Fuzzy Hash: 41abf55549526e7691180f03a3f6c5c7836ebff89d8eba17783fb44390fcde89
Instruction Fuzzy Hash: 5F1103B5800349DFDB10DF9AD985BDEBBF8FB48724F20841AE518A7601D3B5A944CFA1

Function 0117B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0117B566

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 29491f8a3118aee9a5977e248ef7eefb03c69797d911cb681a85c282d6e94dba
Instruction ID: 03e42e4467886e22c89bb3d9d63dcc79d35753ec312ff7cbaf3a1c09c6558958
Opcode Fuzzy Hash: 29491f8a3118aee9a5977e248ef7eefb03c69797d911cb681a85c282d6e94dba
Instruction Fuzzy Hash: DC11FAB6C003498BDB14CF9AD544A9EFBF4AB88724F10842AD929A7210C3B9A545CFA5

Function 0746778F Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 07467810

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: c4e56b38fe9f64c4fbcdfc278d7e1c77c15c34e2d0a7dd254ea052176aeaa8da
Instruction ID: e3cd5e859edcec98d2ad80feb70fa84dfa3c42fff2d839041f4efb2ef4ac4ea7
Opcode Fuzzy Hash: c4e56b38fe9f64c4fbcdfc278d7e1c77c15c34e2d0a7dd254ea052176aeaa8da
Instruction Fuzzy Hash: 6871CF34B042449FD701AB64D455AAEBBB2EF89300F0485EAD9859F387CF74AD4AC792

Function 074677C8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 07467810

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 87727728e781b4ba06f6b722d42a26e16e0ac91e73580a0c603b462882c99033
Instruction ID: 0ecae4367c7807839b2e2de43ee18e9096ad6142efcf698dfa31e141824bcd60
Opcode Fuzzy Hash: 87727728e781b4ba06f6b722d42a26e16e0ac91e73580a0c603b462882c99033
Instruction Fuzzy Hash: 45615D34B002159FD704AF64D455AAEBBB2FF88300F1489A9D9855F38ACF74AE46C7D1

Function 07467D58 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

W, xrefs: 07467DB4

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: ab3b636210b5657a2cec0f95266ed003dbb39b575e9c51f43a870ade8cd26097
Instruction ID: 5b9f43a2d1c1fa9de2ccc999217eaa31b7336298472ab9d9c76f49375c7ec6f0
Opcode Fuzzy Hash: ab3b636210b5657a2cec0f95266ed003dbb39b575e9c51f43a870ade8cd26097
Instruction Fuzzy Hash: 3A01D27095C3948FD7029664C4182EA7FB26B8330DF1488ABD1658B682C77A9987CB23

Function 0746839F Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

8, xrefs: 07468413

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: e6f58ae446d696bc3c009ce758cb93e8ee2645f1e1b5a1b351d22d9b10ddcb46
Instruction ID: ebc09d2240f12167bb1cc56a4d65d9237c7d4277eee268071254f5d0f6b015b9
Opcode Fuzzy Hash: e6f58ae446d696bc3c009ce758cb93e8ee2645f1e1b5a1b351d22d9b10ddcb46
Instruction Fuzzy Hash: 1D01D6B0740309DBFB248A24CC1E7EA3765BB40704F294C579C45AF687EAB19891C793

Function 07466D20 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

G, xrefs: 07466D34

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: c94cba54881128ae1c7a39d0d3dfa667ec70ffc5e2b08c9c6a7b92f8887f3e79
Instruction ID: 38b571ef3988431addec861b760924fcaf981593c5811941b1aadec0855a4aa7
Opcode Fuzzy Hash: c94cba54881128ae1c7a39d0d3dfa667ec70ffc5e2b08c9c6a7b92f8887f3e79
Instruction Fuzzy Hash: BED05EB550E2489BC3018E51AD062F8BB78D783226F2515D3DA5A96582CF280E6697A3

Function 07466D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07466D34

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 4084aa84ca5e9b02c739a06e8fe15411122807e92c71a8558e9e7d9bb19375bb
Instruction ID: 19a66351cb15316c7c2a5505196c93b474adc4eea5e002bb1963523960f27d64
Opcode Fuzzy Hash: 4084aa84ca5e9b02c739a06e8fe15411122807e92c71a8558e9e7d9bb19375bb
Instruction Fuzzy Hash: 21C012F0408208EBC604CE84D90A6ACB7AC9702318F010486DA0E52200DB391E209A83

Function 07460480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d96b482fef23c06eaaf560e6a4ccb5e71a2e95f7319458f04646d6607387fd4
Instruction ID: 6ee0852e971f9d82e4c37644fe0848569e094c0e79189713516cae659235491f
Opcode Fuzzy Hash: 3d96b482fef23c06eaaf560e6a4ccb5e71a2e95f7319458f04646d6607387fd4
Instruction Fuzzy Hash: B3F1C771D1061ACBCF14DFA8C854AEDB7B5FF49300F1086AAD559B7214EB70AA89CF90

Function 07460471 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1078b358095472dd7eda1c48c4b4b203f7aeba035a6ba48e24b5671391d9869
Instruction ID: 579cf4fd500e3813b73a82164e4f74b24d4cf52ded093235da36a191fd9c5d94
Opcode Fuzzy Hash: a1078b358095472dd7eda1c48c4b4b203f7aeba035a6ba48e24b5671391d9869
Instruction Fuzzy Hash: E0E1D871D1061A8FCF14DFA8C854AEDB7B5FF49300F1086AAD459B7214EB70AA89CF90

Function 07464AA1 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e596324d01862b4787d3aa1484d2d3cd5f114f739fac95f25c8c4820fef2a86
Instruction ID: 16542dd524cdcae100030550e87f5cfa6cb2ca589a5657a74e96bb1993e6e7d9
Opcode Fuzzy Hash: 8e596324d01862b4787d3aa1484d2d3cd5f114f739fac95f25c8c4820fef2a86
Instruction Fuzzy Hash: DFB1D471910619CFDB10EF68C844AD9FBB1FF49314F05C699E949BB211EB30AA89CF91

Function 07462AD8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0650384858575af4daf07a66e69c3e05d128f29006e7f70259c4d122e178ed80
Instruction ID: 68afa9b8befde57d63225a52119c0b12c482df32693be441fda0941bdce323dc
Opcode Fuzzy Hash: 0650384858575af4daf07a66e69c3e05d128f29006e7f70259c4d122e178ed80
Instruction Fuzzy Hash: 57719DB0A002199FDB14EF69D4087EEBBE6FFC8710F10842AD506A7390DB749901CBA6

Function 07462D98 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de335f67d45377a90f8672164b41146c52c9277d9d7c4847842cee9227704fa4
Instruction ID: 077caea980c199d28f6a3c9cf2cc736129a233dbdff8ad25fcaae5a6547ed821
Opcode Fuzzy Hash: de335f67d45377a90f8672164b41146c52c9277d9d7c4847842cee9227704fa4
Instruction Fuzzy Hash: B971C2B0600206AFD7289F69D8587AFBBA6FFC4310F10842EE50697394DFB49D45CB52

Function 0746ED18 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43946d84c740db914451a9c655a9d0c1bde179b1e6b93292b12fa00c32048379
Instruction ID: ab0f2b2850f7dc93a08fb42a27357c2f1c201ce150f0f9ac9901c0fdfe5ff81a
Opcode Fuzzy Hash: 43946d84c740db914451a9c655a9d0c1bde179b1e6b93292b12fa00c32048379
Instruction Fuzzy Hash: CB71D3B8E14219CFDB04CFA9C888AEEBBF6FF89300F14842AD519AB355D7705946CB51

Function 07460C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6510c18ab93053497875829b8dc81bd03d96675e530459245668c273378c5271
Instruction ID: 2a699230b5ce6b7fdef7ef7e76f3892367a0fd45157bf21c8de9926831ea96cb
Opcode Fuzzy Hash: 6510c18ab93053497875829b8dc81bd03d96675e530459245668c273378c5271
Instruction Fuzzy Hash: BC511C74A1060A8FCF44DFA8C8949EDF7B1FF89310B14866AD516B7354EB30E985CB51

Function 07461800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2339863abf81846d6818268e27d472130095600d686d6ccfc3d49af471563b4
Instruction ID: c05a6b880f32bf7ee71dd1640c7f59a842dc66712c373be41a30b9bbe63457f1
Opcode Fuzzy Hash: f2339863abf81846d6818268e27d472130095600d686d6ccfc3d49af471563b4
Instruction Fuzzy Hash: 2C4160B0B1120ADFDB18DF64D858AAFBBB6BF85701F14846AD80697394DF35C841CB92

Function 07460E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0911e484c5819b81d9b63614e32b840c2fda2c1d363ce8c00443f0a49c42e92
Instruction ID: df3f973f6883244fade578a989ee23c2a288ebb67e98064e6cb49f50bb2771c4
Opcode Fuzzy Hash: f0911e484c5819b81d9b63614e32b840c2fda2c1d363ce8c00443f0a49c42e92
Instruction Fuzzy Hash: 8251A635B10619CFCB04EFA8D8848EDF7B5FF89304F00855AE515AB321EB71A945CB91

Function 07469DFC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f556012601fb6b9872f7b9e2404939211e28a7e4c17a9636e71e816f73cec282
Instruction ID: 2e7e93ef8999bff8200faf91bd2c06c53b7f0d8f777c5817aa87fd7f7efe7e3e
Opcode Fuzzy Hash: f556012601fb6b9872f7b9e2404939211e28a7e4c17a9636e71e816f73cec282
Instruction Fuzzy Hash: AC41B7B0B14606DFDB159FA8C898AFAB7B1FF45304F10C42BE216A7291D7B59942CB13

Function 07460C2A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bf54f2bb04063cf71be254d35df2ce74bb817d5d16eda92c2833d8cb3cfd04
Instruction ID: 6f7332f2bfc664ccd903034a1fff04d97cb200878d98fe5e7ce358945413d6bd
Opcode Fuzzy Hash: 32bf54f2bb04063cf71be254d35df2ce74bb817d5d16eda92c2833d8cb3cfd04
Instruction Fuzzy Hash: 29416C75A0060A8FCF04DFA4C8949EDF7B1FF88310B14866AD916A7365EB34E985CB91

Function 07467A46 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1247a84513bb31419043f2917ea51283a9134e45bb7196a976c6d40abd10ace4
Instruction ID: efc5b092efa0ca79874dc25b896f33fb8dff0c925fbd9c065bcb697a4068a49a
Opcode Fuzzy Hash: 1247a84513bb31419043f2917ea51283a9134e45bb7196a976c6d40abd10ace4
Instruction Fuzzy Hash: C141B1B061C3918FC7065B74982D2BABFB1AB96729F1009A7D442C7392DA784D42C7A3

Function 07469250 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2042a917434228717d80a5e71f8f357294391ff98cf947fbc487e410f2941d
Instruction ID: c050b5789faf570b5063cfb01868e3c76657ec6793df374319258f5a6afa803c
Opcode Fuzzy Hash: cc2042a917434228717d80a5e71f8f357294391ff98cf947fbc487e410f2941d
Instruction Fuzzy Hash: 7A31F4F4A18206DFDB049AA4C4485FE7BA6EBCA310F104C1FD542A7385DAF1A84387A3

Function 07461198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb13cefe49d3de63a6ccf53c0172a1e6f192ee8a5e8ccda3ac5dd376104778f
Instruction ID: 4e3ea0fada1315e02076a4ec36fb5a69f13b479f9e835ebe5f14512029e9e2ca
Opcode Fuzzy Hash: cdb13cefe49d3de63a6ccf53c0172a1e6f192ee8a5e8ccda3ac5dd376104778f
Instruction Fuzzy Hash: 94317EB1E10119DFCB14DFA8D84899EFBB6FF88311F14826AE901A7360EB709845CB91

Function 07466B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c8b346e4f92d7e0ffd6e7511d06d21980233506b00cd5665defaf65500b6e5
Instruction ID: 00a0f0a1a1fd8b6ec9347ba256db526b337d7af235b238851ba285be894e83cb
Opcode Fuzzy Hash: 30c8b346e4f92d7e0ffd6e7511d06d21980233506b00cd5665defaf65500b6e5
Instruction Fuzzy Hash: A73104B0604508CFD704CF58D4597EABBB2EB8A314F15882BC1169B381CB759D47CB93

Function 074617DF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce4005ee28af039169b5ad17db46b4e48c622400b4293bbae445b7163fef7a0
Instruction ID: f851f56510753f2562c4aaf7bb3cbc124cc6b95a99433a0fd5f491643a666ca5
Opcode Fuzzy Hash: 0ce4005ee28af039169b5ad17db46b4e48c622400b4293bbae445b7163fef7a0
Instruction Fuzzy Hash: 9831E4B4A1130A9FDB198F64D8197AA7BB6AF86700F18446BD802D7391DF35C845CB93

Function 0746A2E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef211e43cc541770072c28f72500a2bbc8075ccf9c39370d062a2a65b57cfb15
Instruction ID: 9bb93ba178b1b06849d3e6296634c6826e1dfb4708245d2c194f54f8e8d4c89a
Opcode Fuzzy Hash: ef211e43cc541770072c28f72500a2bbc8075ccf9c39370d062a2a65b57cfb15
Instruction Fuzzy Hash: 2B313AB1A002099FCF14DFA9D984ADEBFF5EB48310F10846AE509E7310D775A954CFA1

Function 0746C308 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c08cdd3fff89a9d90471ffac3213ed45da46d3a5207b87275901e66e70346be
Instruction ID: e7aa256604dea607ccf13cf318a298ea10addfc67a918a506e85bcf35543b191
Opcode Fuzzy Hash: 1c08cdd3fff89a9d90471ffac3213ed45da46d3a5207b87275901e66e70346be
Instruction Fuzzy Hash: A221E9B0758204CBD614861A94886FA7667EBC2714F248827D5C78BB86C9B1EC8387B7

Function 07462D88 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b4b4c915aa88ca467f376481adba039315e842b9951b073bb89eb668ea3448
Instruction ID: 986a5973b6a8717fbc540fbda9d81bdceb0a8b01b1ef78fd5f694fca41ba59d5
Opcode Fuzzy Hash: 33b4b4c915aa88ca467f376481adba039315e842b9951b073bb89eb668ea3448
Instruction Fuzzy Hash: 32315EB4A01205AFDB14DF65C8486EEBBF6FF88300F10882AA51597390DBB5DD41CB61

Function 074622F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38288aab20bb7a6ae74ef50962955e09346f7c3c94b57846801e47f752f86945
Instruction ID: bfa0d6f163482a5e09ce5d46f7228e8425cc2f6457db63b66fa516122698c685
Opcode Fuzzy Hash: 38288aab20bb7a6ae74ef50962955e09346f7c3c94b57846801e47f752f86945
Instruction Fuzzy Hash: 66314DB13042019FD758DF79D884AAB77E6FB89310F14847AE519CB355DB709C82CB62

Function 07466568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c0d93aa329ce6224dd740581a9f401910e1904fd38c88ef8fc9a192747becf
Instruction ID: 54a9a6c6557ba5b4477b1f1e75244d18ed2ca045895c65a5477aa3774b5389ef
Opcode Fuzzy Hash: c8c0d93aa329ce6224dd740581a9f401910e1904fd38c88ef8fc9a192747becf
Instruction Fuzzy Hash: 0B3138B4E1020ADFCB00DFA8D9955EEBBF1EB48304F11446AD505F3314EB309A458BA2

Function 0746C1A1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7aed72ab1f481f87ae803a06b672010814fad50f05d6a9d232d7ce6f49ae47
Instruction ID: a48c63506ebfb6f9455f68d0aeab338f908bec1907418179dced647c6f212225
Opcode Fuzzy Hash: 7b7aed72ab1f481f87ae803a06b672010814fad50f05d6a9d232d7ce6f49ae47
Instruction Fuzzy Hash: 38218DF0E18255CBC7108BE8C8D82FAB772AB47350F048967D996C7645C675A9068BB3

Function 07466C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f13a1b0a0b3fdcc79898ee74882356fdd33fe6ffcdbb774224f0d78791c230
Instruction ID: 0139c43a8d38e00aa1fc36651ef2ce341e3751326b1efddd8902e669327b9dad
Opcode Fuzzy Hash: 65f13a1b0a0b3fdcc79898ee74882356fdd33fe6ffcdbb774224f0d78791c230
Instruction Fuzzy Hash: 6C31CEB0604508CFC7048F58C4597AAB7B2EB86318F15886BD116DB781CB759D46CB93

Function 07460FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c9f4b99719b28e2f3e1d5ce4deef54658ed5ab304a40719231e7eb661bc1e
Instruction ID: 3c762ae74bfb828ddbb63eb0f4e5e0ac9d8b5c42298b177caf7b279b34d7ba59
Opcode Fuzzy Hash: 7a4c9f4b99719b28e2f3e1d5ce4deef54658ed5ab304a40719231e7eb661bc1e
Instruction Fuzzy Hash: 78318831A10619CFCB01EFA8C454CEDFBB5FF89300F01869AE5056B224FB70A989CB91

Function 07460FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940b4022d86e4a5b65c19abcf2aea0c04f66c8a778f880b6fdb7ce4bcb5e5949
Instruction ID: 7e02d067cd0f1b4cc8fba67185772c9dcbedbb1034b144b786fc51e964dd0beb
Opcode Fuzzy Hash: 940b4022d86e4a5b65c19abcf2aea0c04f66c8a778f880b6fdb7ce4bcb5e5949
Instruction Fuzzy Hash: 43314131A10619DFCB04EFA8C894CDDFBB5FF89314F018659E5056B224FB70A989CB91

Function 07466559 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d821ac6e163118de77b0765024254847068c13f4d5a151bd690b5726e39d2c7c
Instruction ID: 8a524e05dc4780ea25d70217725450d610c7e3811d15364846c7e55ea2a918e0
Opcode Fuzzy Hash: d821ac6e163118de77b0765024254847068c13f4d5a151bd690b5726e39d2c7c
Instruction Fuzzy Hash: 553146B4E0024ADFCB01DFA8D8956EEBBF1EF88314F11446AD501E7354EB349A45CBA2

Function 074629E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63c199e1599a4f859a0eaf6c9513b6826e9935afd9fddaedba15ea896eadfed
Instruction ID: 18068f83981a70b3d2fdc2bdc32e8d984ee247064e67d90135ce2bf7620acf96
Opcode Fuzzy Hash: d63c199e1599a4f859a0eaf6c9513b6826e9935afd9fddaedba15ea896eadfed
Instruction Fuzzy Hash: F021D174700116EFDB249FA4E548BABBBF4FB48365F00402AE529D7740DBB0D845CBA1

Function 07460290 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd61d3cf73b7ae1ce13c0b9406d14a6895ff35d0725518ec36449b7521c2186
Instruction ID: eb0d48355461f78375a49aac771626b53606f0e2db7eed22b0910be5d77f9d30
Opcode Fuzzy Hash: 0fd61d3cf73b7ae1ce13c0b9406d14a6895ff35d0725518ec36449b7521c2186
Instruction Fuzzy Hash: C9216074B112058FCB04EF69C9948AEBBB5FF89300B40856AE909E7355EB709D45CBA1

Function 00D7D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138533207.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298d321346aee50b21645b511a1dcd4cdbceee6744c68c4be10acc51c767b857
Instruction ID: d0eb8084375f196cefcd8259766a41b77b8774ac01174c1e72a3330df80efc07
Opcode Fuzzy Hash: 298d321346aee50b21645b511a1dcd4cdbceee6744c68c4be10acc51c767b857
Instruction Fuzzy Hash: A221CC75604304AFDB04DF14D980B2ABBB6FF84318F24C5ADE94E4B292D77AD846CA71

Function 00D7D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138533207.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa0747728e2647e3bdbaa0b1ef3d7cbc991b4e5419cfcc85f3f0316a02402bf
Instruction ID: a09ad8751a2ed5fa026a3d3331d9f9583fdd6fb8293a3a1ad07aca65ea8f794d
Opcode Fuzzy Hash: 7aa0747728e2647e3bdbaa0b1ef3d7cbc991b4e5419cfcc85f3f0316a02402bf
Instruction Fuzzy Hash: 1C210075504204EFCB04DF14D9C0B26BB72EF84318F24C56DE90D4A292D376E846CA72

Function 074602A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22209bad35672c92e4bfb1beebe72a6a62b85392c5dce6ac179d4c9811fc70cb
Instruction ID: 49387a218eec01b2db4609be69971fe66f7695f1b47fb0de20c4073fd1275fb3
Opcode Fuzzy Hash: 22209bad35672c92e4bfb1beebe72a6a62b85392c5dce6ac179d4c9811fc70cb
Instruction Fuzzy Hash: 08216074B1020A8FCF04EF69C8848EEB7B5FF88300B508569E905B7355EB70AD45CBA0

Function 0746C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e7d2fc42e1dc3e2991968879b48fe3904dab97b2a3c2891ecb38c61b970cac
Instruction ID: 4f0402d234eece5205d176f27a4c9fbae5f8c41107310be26fe9cba4691e5afd
Opcode Fuzzy Hash: 25e7d2fc42e1dc3e2991968879b48fe3904dab97b2a3c2891ecb38c61b970cac
Instruction Fuzzy Hash: F62162F0A68531C7D700D669CCC86F9B361AB4A310F024A17A192C6398C774F5928AB7

Function 0746038F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae577c0926d61ca1e9e6e0962a70466a0a89f5b74f1200cc5873ed179ab0db0
Instruction ID: a2f21bcc19c46672e55c05aa69c1a35542aa60f29d69838f4c4d567d43396374
Opcode Fuzzy Hash: dae577c0926d61ca1e9e6e0962a70466a0a89f5b74f1200cc5873ed179ab0db0
Instruction Fuzzy Hash: 43119C763012454BDF19AB29DC808EFBB61EBC5231714857AD81ECB3E2CB25DC868392

Function 07468E68 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c932ed3d4fc6694cb6160e31f574f7de4d5609c80617cbb0edbd9deb67bface
Instruction ID: 437866cec8794d6536e49028ed80a219e266a96c8e086d6426924049875352c4
Opcode Fuzzy Hash: 2c932ed3d4fc6694cb6160e31f574f7de4d5609c80617cbb0edbd9deb67bface
Instruction Fuzzy Hash: 151124F8A6C294DFC3209264D41C2F67BAE9B53319F144CABD156CB592C67E8843C3A7

Function 074622E2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4526f5cd0ede18b93101246942ab14d9e1b309bbe6bcda9967e5ec8ceee24dd1
Instruction ID: 2e8b0f00a75c6f16cf019639adfda5b60c4fd724990d65f6373b67e58f4d2d39
Opcode Fuzzy Hash: 4526f5cd0ede18b93101246942ab14d9e1b309bbe6bcda9967e5ec8ceee24dd1
Instruction Fuzzy Hash: 29214D703042019FD718DFA8D884AAB7BA6FB89310F14857AD929CB359DB749882CB61

Function 07463FC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d785d0b3c5f98bd0bdcb58708d4f2cb0f593deefb2746320c114d586a17dce7
Instruction ID: 6b9326dbccff6e8470a207f4627c561826f99167e7bfe313de91559f4475a9d1
Opcode Fuzzy Hash: 9d785d0b3c5f98bd0bdcb58708d4f2cb0f593deefb2746320c114d586a17dce7
Instruction Fuzzy Hash: 34110131B043449FC7189B7E985459FBFFADF82250B1480ABE649C7741EE308C0283A1

Function 0746C0CA Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f0e3656c0b99269ce1395d46657435b27d1b103358928c5a7f08c0be21a045
Instruction ID: a64de455e7de3035650591d69d57f3ed180fcbaedbabcfd6e25bb499c7d36fcc
Opcode Fuzzy Hash: 89f0e3656c0b99269ce1395d46657435b27d1b103358928c5a7f08c0be21a045
Instruction Fuzzy Hash: FD11E9E451C208DFC724B6E4A8990F47BA9AB4B320F108997D88B86546D9127D4347B3

Function 074629D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c961fa13b46f59dc968330237b177b7391f34eb6bbec0ef1f6b2cc0894c8
Instruction ID: d3ccbfbd4dd329c6383d4991801443a03c408bc8d8f49a98561aa046a94d8178
Opcode Fuzzy Hash: 6219c961fa13b46f59dc968330237b177b7391f34eb6bbec0ef1f6b2cc0894c8
Instruction Fuzzy Hash: EB11AFB4701202DFCB249BA4E548AABBBF5FF45360F04402AE519D7785EBB0D945CB61

Function 074659F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af60b6bead765e870ca2d780745484cedc0acd809e14b6d4315861a23dc4995
Instruction ID: 1eacd36103126ddb017a3b91b32aaf0495dda92d709d31d2147aee2e0d8233f8
Opcode Fuzzy Hash: 9af60b6bead765e870ca2d780745484cedc0acd809e14b6d4315861a23dc4995
Instruction Fuzzy Hash: 8621CFB59007499FCB10DF9AD988ADEBBF4FB48320F10841AE919A7310C7B5A954CFA1

Function 00D7D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138533207.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 9e9a853c5d4f30deca20a6a07b46cef86b952dd1e6b4abdf99041ba53a274493
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: D4118B76504284DFCB05CF14D5C4B15BBB2FF84318F28C6A9D8494B656C33AE84ACB62

Function 00D7D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138533207.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 09d54002ab5eb9c73109d592a5e9d9792d980bd7ff89ae0103ce3ba64013bbf1
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: A0118B75504284DFCB05CF10D5C4B15BBB2FF84318F28C6A9D84D4B656C33AD84ACBA1

Function 074682C1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa3b7329a4730cc89d949176212f5c747024336bee7f255a08ae2db6411e89f
Instruction ID: def49684497a6a703cb0b7721dc9d785b8580dd4140642485759c015bfc79823
Opcode Fuzzy Hash: 3aa3b7329a4730cc89d949176212f5c747024336bee7f255a08ae2db6411e89f
Instruction Fuzzy Hash: 1801A2F0619682CFC3108614E80C2E1BB6AF743354F5446A7D54ACB642C7759886C7AB

Function 07464DD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103ca755ff4458725c8765fce8d5e9ac771c3e4b55a536996b5305200e7ccca2
Instruction ID: 8c87d4d15ed2a5d4989dc4503def5f6039327185bce5385e759d352eeb3a7a8d
Opcode Fuzzy Hash: 103ca755ff4458725c8765fce8d5e9ac771c3e4b55a536996b5305200e7ccca2
Instruction Fuzzy Hash: 5D018131305259AFCB059F65AC458AEBFB6FB88360700807BF916C3751EB358C21DB90

Function 074682D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2853332f3cf27ada90d3b50a860faf0f9efe52c005293ac1c2b3e600a577ccfd
Instruction ID: 28b76a052c5c19ffa9a9531972ebb9f767c460781106462b299c2a5e75ec1b2d
Opcode Fuzzy Hash: 2853332f3cf27ada90d3b50a860faf0f9efe52c005293ac1c2b3e600a577ccfd
Instruction Fuzzy Hash: E501B1B0619285CFD3158724D41C2E6BBAABB07344F1446EBD049CB653DB768886C7AB

Function 07462800 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3ff11d2b87d1d0802c5a03c3f47f8643bd079d03bd4f2e1aed2a57b2c910d1
Instruction ID: 6ffdac0f8b0415b19948f606bad1a7659a6baab2ad12d5a0e3335b881fabe985
Opcode Fuzzy Hash: 0a3ff11d2b87d1d0802c5a03c3f47f8643bd079d03bd4f2e1aed2a57b2c910d1
Instruction Fuzzy Hash: 3DF0C231300300AFC3289F64E809AD67FA5FBC9321F50C03EE556C7750DA358852CBA0

Function 07468F1C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97489fe19a01880ff250ba2198a185fe2462c042e5d54f0be95c9774dfe115a1
Instruction ID: 9d314a2a340e47ba292c2edcf359ca3338515bc4a7dcdfe6c1d41425ddc6fdd0
Opcode Fuzzy Hash: 97489fe19a01880ff250ba2198a185fe2462c042e5d54f0be95c9774dfe115a1
Instruction Fuzzy Hash: 3BF024E6A6D294DFC3064268982C0F13FAEE9A7311B000CC7E683CB953D968494683A3

Function 07469D78 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd003c5d44aa297dfa5c0cb791f186d6710bcbfedc5d96e53392713b266e10c
Instruction ID: 7c38890fa51718d74d1e521d0c598dc841a266e1594f0ca1f8f4ef2293f1e9d1
Opcode Fuzzy Hash: bfd003c5d44aa297dfa5c0cb791f186d6710bcbfedc5d96e53392713b266e10c
Instruction Fuzzy Hash: AEF0BBA411C240DBC7446664D50D5F5BBA56B83320F004CBFC62F87656DAB67812C753

Function 0746A2D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e0c72c8c4eb5c32e8db234788bba2af9b3c82d5202d800f416ca8a620a81ba
Instruction ID: 1caefb24fc567713084754c74185ddf6bffe613b3196e03fe7ffbf0df5849443
Opcode Fuzzy Hash: c0e0c72c8c4eb5c32e8db234788bba2af9b3c82d5202d800f416ca8a620a81ba
Instruction Fuzzy Hash: C7F0B472208144AFDF05DB64E8559DF7FB5EF45224B1481ABE404DB261E6709D80C7A1

Function 07464DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d483ab774835e8bbe3a8d747c4724b73bfce575cb4ab74ff89985e7d7cd2ce
Instruction ID: bb7c16d5e53b05d197100c4aa6ceefb5880ebe28e54db0eb396d332699c04709
Opcode Fuzzy Hash: 62d483ab774835e8bbe3a8d747c4724b73bfce575cb4ab74ff89985e7d7cd2ce
Instruction Fuzzy Hash: 22F01D36700219AFDB059F95E8458AEBFAAFB8C221710802AFD19C3350EB758C21DB90

Function 0746B8E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3718b0e9f12c4b3fe5a663510e5a76fb60f8ab152956576e90a21ca07ba6ea4c
Instruction ID: b40345ad8f69f3832e94800af8604c305d4bf21ead3583635ab06d70e00fe761
Opcode Fuzzy Hash: 3718b0e9f12c4b3fe5a663510e5a76fb60f8ab152956576e90a21ca07ba6ea4c
Instruction Fuzzy Hash: E0F054E093C24CDF871597A4A85A4F57B64DB47320F200CDBD44AC7612EB25194AD763

Function 0746AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c755bbf81278338dcf3d42ed18d5f4d55b3d78d8f622ddeeaea1e907f1430866
Instruction ID: c1e3e22cef554d0da898397e9c2fff6426b5628db175e0ab90b482fdbe7290d0
Opcode Fuzzy Hash: c755bbf81278338dcf3d42ed18d5f4d55b3d78d8f622ddeeaea1e907f1430866
Instruction Fuzzy Hash: 68F096B0A45345EFDB019B70CC5EAED7B72AF46300F10C257E612662D1C7749856CB52

Function 07469E5B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e667e99b5c10b0da8c915ba01af7e9288a17b68cb54377176b31412c67f77c50
Instruction ID: 457ab93b6d82fe170b963f2c781bfb756abd1ce3878b6a0400f352d0759562e9
Opcode Fuzzy Hash: e667e99b5c10b0da8c915ba01af7e9288a17b68cb54377176b31412c67f77c50
Instruction Fuzzy Hash: 80F0E9B06097828FD7035F7C8C545E6BFB2AF43204F28459BC1D197293C6250C0AC753

Function 07462AC7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c80b182ce0fb82431725859fb35e2834b32ed396ab021aeecdbdc4699ef6f4
Instruction ID: 03be244afa7676034ce75ac3ceaae124ba54275c138d33f0dc3853ac8dab7744
Opcode Fuzzy Hash: 51c80b182ce0fb82431725859fb35e2834b32ed396ab021aeecdbdc4699ef6f4
Instruction Fuzzy Hash: 86F0A9716013028FC325CF6AD885486FBE4FF88320354886FE88AC7620EA74D885CBA0

Function 07467D51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5ff7488e34c01c9e0a21f36766ca063d1ccdc53f25f84005effd5374b887da
Instruction ID: 1538d297aa332174cd9449ed1a66883ab927e9c3594c2d9b28e9d2c4949b04de
Opcode Fuzzy Hash: aa5ff7488e34c01c9e0a21f36766ca063d1ccdc53f25f84005effd5374b887da
Instruction Fuzzy Hash: B8F0A0B45D92588AD352562491092F5BB2697C330EF14C4AAD1694EA82C73FC887C662

Function 0746C092 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6763d99f836d46d8dd3aaf230f4a006738567296747baaf7e95816f1a7de1
Instruction ID: eb9da56d045d7abf53d9a3c3394ee7bcc81b4ad456f55e0323597f02733fe6de
Opcode Fuzzy Hash: e1e6763d99f836d46d8dd3aaf230f4a006738567296747baaf7e95816f1a7de1
Instruction Fuzzy Hash: CBD0179922D388CAC611B2F528AC1F93FA8969B321F204D97D2DB86147D966784742B3

Function 07460DE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bfeb7b88cc95f11e0fa2cf26db4c431efbec448926ae9f78490189fb289f7c
Instruction ID: cd24d21e6e380bbfc051f1c439ca1c05c3cbee8b8a46c0502047bcde04061e1d
Opcode Fuzzy Hash: 23bfeb7b88cc95f11e0fa2cf26db4c431efbec448926ae9f78490189fb289f7c
Instruction Fuzzy Hash: 82E0C9B291535C9FC741AF74C8155DA3BF0AB22315B01C56BE49ACB121F6348694DB51

Function 074620C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1731b69195c8cac54ccdc55e90e14a3bf8591efb8bc6f675641ca1bdc637cf1d
Instruction ID: 9d91a051b5d41953448f17117b4255b6a9cbfaacd79b58fcdd5106a4e0d48d4c
Opcode Fuzzy Hash: 1731b69195c8cac54ccdc55e90e14a3bf8591efb8bc6f675641ca1bdc637cf1d
Instruction Fuzzy Hash: A9E026307493004FC3096BF1690B2BA3FE9BF8120030680A6E206C75A2CE34C912D322

Function 07468140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563f892ba72e0fa316c4069cbfb7963c35a0bbf90962d714cd6486c60879f95a
Instruction ID: 8dc0f9ef3af22a5d73a2d1d7f444a2fc7dbdcbb87b155c2406ba815ba2d387b0
Opcode Fuzzy Hash: 563f892ba72e0fa316c4069cbfb7963c35a0bbf90962d714cd6486c60879f95a
Instruction Fuzzy Hash: 6DE092B4108751CFD302DB64C82926AB7A1EF46304F05CC9794958B7A7CA30A80BC762

Function 07469D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa38ebcd6f0a9de972983a612646247d6bc79b4fa8f049a37674d13806c0030
Instruction ID: 6afce42aad897cd5412667c2241d572238c13720ec2ab1d899862d3258bffbd0
Opcode Fuzzy Hash: 1aa38ebcd6f0a9de972983a612646247d6bc79b4fa8f049a37674d13806c0030
Instruction Fuzzy Hash: B6D09ED467C104C7C6883564951DAFA76A65BC2325F104C7F933B8678AEAF6B8138293

Function 0746B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a28c4d7da37cb92d1281dcad31b630a66ebe2d3adb7d6afeb9c67a6acd3d65f
Instruction ID: 4d5ffd2f00078dea4c3f7c48882a65c722f4c24edccab90febb3ed5eed41495f
Opcode Fuzzy Hash: 7a28c4d7da37cb92d1281dcad31b630a66ebe2d3adb7d6afeb9c67a6acd3d65f
Instruction Fuzzy Hash: 4FD0E2E0A3C90CDB4614A698544D5B97AA8E747324F304C5B980BC3B04F931090EC2A3

Function 0746C2E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb968d6ec4ccfe30a3955e32bc37bc902f70f535cc8e8cb2b54f787ad027ec7
Instruction ID: b0c361899476d0adbdc015aa8e0be63a6c9d1f21a60484ec0023e667f1166e13
Opcode Fuzzy Hash: 9bb968d6ec4ccfe30a3955e32bc37bc902f70f535cc8e8cb2b54f787ad027ec7
Instruction Fuzzy Hash: 72D0A795A5C38C8FC70202A024FC1F03F26A487321B2108A3D5D796842441528D7C3B3

Function 0746AE9E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52bc1473a2032c8943704d36c5993e6574e2e633936df05dc8b8cbcab084a26
Instruction ID: f5593396dbedd015769fd32df63de727ae707069a94fa2fc063ee2fe719bf555
Opcode Fuzzy Hash: c52bc1473a2032c8943704d36c5993e6574e2e633936df05dc8b8cbcab084a26
Instruction Fuzzy Hash: 50E04FF1904745DFC305CF6488663AABBB1BF42310F24C157D014D6216D7304947C792

Function 07460DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d42112f2c21fbc5d60866f6364dd4dac583466f83d49122c88dac7181e9be9
Instruction ID: bf877caec011ae23ea9b97e8524c1a5e936012707722de4d06cb09127c0d26ed
Opcode Fuzzy Hash: e0d42112f2c21fbc5d60866f6364dd4dac583466f83d49122c88dac7181e9be9
Instruction Fuzzy Hash: B9E0EC7181061C9D8B40EF74D5085DA7BE8AB15214F00C52AE8499A110E630D2E4CB91

Function 074620D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70ba9e3f623df0b82613818933a4914e68fb7ffcd1bb0e0e1df0f4903012566
Instruction ID: b1693af382fe8f2f8d1a900ce1d6947e59c19fff4ab684c0e010929f2f2a9a1a
Opcode Fuzzy Hash: a70ba9e3f623df0b82613818933a4914e68fb7ffcd1bb0e0e1df0f4903012566
Instruction Fuzzy Hash: A5D052607042188B93082AB2A90A3AA3A9EBB846057418025A20AC2A84CE24E8228226

Function 07466681 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d8d46fb9cc9997234a023e1cb2ced77d44e9a56e1d132a8f35e8b88ceeaac3
Instruction ID: e81c4cfebc8a297ac24db3aa7d2134970d57879dbdd6b808f79f37e0b19028d7
Opcode Fuzzy Hash: 62d8d46fb9cc9997234a023e1cb2ced77d44e9a56e1d132a8f35e8b88ceeaac3
Instruction Fuzzy Hash: B3D0C9A102C3DAAEC3031A74B8091F63F7869422257464593E845CD853D61969A182A3

Function 0746A2A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9398f29045d8c759170261930028e87c5e3cda89507c5e242ff58430c49dca4
Instruction ID: f153b927d91768566d0b8a2f534bee7805325eef8d2fd5b1a7b9e97e2a0b5a92
Opcode Fuzzy Hash: c9398f29045d8c759170261930028e87c5e3cda89507c5e242ff58430c49dca4
Instruction Fuzzy Hash: CAC080663596C00FD30351113C522D51B10D7D321632840E3CA85D43538414154F4133

Function 0746C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f454e7c567ae5992c1cc6739acfb0df48817fd6dedba413e177bd9657bd1801
Instruction ID: 4382b3f951bfed01459dad517ceb1792d90239955c045e22fd1ffc34ad7e85fc
Opcode Fuzzy Hash: 3f454e7c567ae5992c1cc6739acfb0df48817fd6dedba413e177bd9657bd1801
Instruction Fuzzy Hash: 9CC012D423C208CA8004B1E8289C4F83AAD259A320F104C07C68F4220ADA23B8030673

Function 0746E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e6bf47d58007a7c63f3af2188a43cf8cc32fd7a26a7d4f05b5dd14fcee7178
Instruction ID: 85a46e48d2e87aab00c4576bd5e04f937be1114bc8d67737a57ade746a4f49c7
Opcode Fuzzy Hash: c9e6bf47d58007a7c63f3af2188a43cf8cc32fd7a26a7d4f05b5dd14fcee7178
Instruction Fuzzy Hash: F5C08CB0001346CBC3102FD4A50E36937A8AB80202F410112E40A804228BB89480C627

Function 0746BCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48df1d648cb1009b04627c1e37e5ae6c052c4799793b66b0da83a5160f4d4f9f
Instruction ID: e19e5b860f4d9c6f4ef8d809dfda2f2470abcdaf801e3c14150764ffc989ab90
Opcode Fuzzy Hash: 48df1d648cb1009b04627c1e37e5ae6c052c4799793b66b0da83a5160f4d4f9f
Instruction Fuzzy Hash: A3D0C9F2418150DFC341CB51DD998983BF0BE4A340714498AC0058B222D320A412CB41

Function 0746C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa5db506ef1ba258fab96a764d2e8bd0cac31879956a7084accdd5267f0b2b2
Instruction ID: d8fc72ed0707aeb2ddfe5d2ea7efb5c7d4450ce01a70ae2a13d29b8728250aaf
Opcode Fuzzy Hash: 7aa5db506ef1ba258fab96a764d2e8bd0cac31879956a7084accdd5267f0b2b2
Instruction Fuzzy Hash: 6EB092E48EC20CC2450025D424AD1F53A1E2007B24E000C13ADFF209001931346340B3

Function 0746770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1774be166e720fb2740e86511b96cfdfc4885d9e832007259ff6914f83b27b6
Instruction ID: b00bac7d920028950c456db9afd31e4254e8035a0e984e2e5ae7061d88a7dadb
Opcode Fuzzy Hash: e1774be166e720fb2740e86511b96cfdfc4885d9e832007259ff6914f83b27b6
Instruction Fuzzy Hash: FDB012B52E8901E360016BA44C8C9BB7891FBF2706F80DE1B3708200B0CDB1552DD217

Function 0746B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4552269b3686a16692c1cafce891c3e211be200fd3a5401a2a91696e231a435d
Instruction ID: a97edc54605674add6a92e22dc08ed60ddc884f7571ad49e5523fea51c595a8c
Opcode Fuzzy Hash: 4552269b3686a16692c1cafce891c3e211be200fd3a5401a2a91696e231a435d
Instruction Fuzzy Hash: 0BC04CF0B60219EFDB518A51DE4ADEC7666EB46B40F204916A602A6195D7604602C641

Function 07466690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145467240.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f580828f33fc85f834acdfb0257008d13ff50ad9c72c3652fc8c1466f0c7ef
Instruction ID: 5fa1b1a339cd61490177089dd0740c13d0f85b2d8fc60f6c99b7dfbc1d6f628a
Opcode Fuzzy Hash: 71f580828f33fc85f834acdfb0257008d13ff50ad9c72c3652fc8c1466f0c7ef
Instruction Fuzzy Hash: FCA012B002830EC681001950700D1763B3C1041305B010942E80A04401961678214047

Non-executed Functions

Function 07734BB8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

+d~, xrefs: 07734C13

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID: +d~
API String ID: 0-1217840463
Opcode ID: 273aeb33a391f16974d56105589ce39dd545bea68fd2c4b708fe8ea4f238a3ca
Instruction ID: 74bb791789c99ae212404a8a95b6e5fcf8f306d0c68c148486da0fd7aef7fd89
Opcode Fuzzy Hash: 273aeb33a391f16974d56105589ce39dd545bea68fd2c4b708fe8ea4f238a3ca
Instruction Fuzzy Hash: 5EE1EDB4E002698FDB14DFA9C580AAEFBF2FF49305F248269D514A7356D730A942CF61

Function 0910123A Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

d, xrefs: 0910138B

Memory Dump Source

Source File: 00000000.00000002.2146781398.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9100000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 43fc1252fdbbe2b2a50c249572235ea462c34f697f2928282c9bc708b5186c02
Instruction ID: b42a40ead90f2990e7fb32ffeaf7b0d7d62eea8c414c178e8f8178b3220659ae
Opcode Fuzzy Hash: 43fc1252fdbbe2b2a50c249572235ea462c34f697f2928282c9bc708b5186c02
Instruction Fuzzy Hash: BB51C271E04228DFDB29DF66CC447EEBBB2AB89300F40C1AAD418A7355DB755A86CF50

Function 09106D08 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146781398.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43593fb72f908b15d5a7a948d9b2bd6cab1467b275ec076f8b528eea6fdb65c0
Instruction ID: 46e3cd9200454a4a4c50f925678614dca9e236043eae157f0d8168f50c1462d9
Opcode Fuzzy Hash: 43593fb72f908b15d5a7a948d9b2bd6cab1467b275ec076f8b528eea6fdb65c0
Instruction Fuzzy Hash: F4F1C431B012118FDB29DF78C864A2E7BA2BFC57487164569E406CB3E1DBB2EC41C7A1

Function 07734FF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b457969e55c41f7a3bc16deac8e0593bd5f0c01b43f3fd47a58e21eb1d25533
Instruction ID: 0f28def2cf8bb613fc1b33c26e6435aff2ab0e06fa6ea41bbb3c8b00e3242061
Opcode Fuzzy Hash: 4b457969e55c41f7a3bc16deac8e0593bd5f0c01b43f3fd47a58e21eb1d25533
Instruction Fuzzy Hash: 2CE11CB4E002598FDB14DFA8C580AAEFBF2FF49305F248269D414AB356D730A942CF61

Function 07733918 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debf819dc769e269cf33ea30159e1550c817d71712250ce848ec6ea970e8fd20
Instruction ID: c489087d2be27e1c3077478a0639e4d1953c528eb092cbeeea49d04545389e10
Opcode Fuzzy Hash: debf819dc769e269cf33ea30159e1550c817d71712250ce848ec6ea970e8fd20
Instruction Fuzzy Hash: 69E11BB4E002598FDB14DFA9C580AAEFBF2FF89305F248269D414A7356D731A942CF61

Function 077334E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35843fa1bc3954f9b5da276d8e15b493bae9f16d1a1b28c7621adc1f7f123a09
Instruction ID: d853c2ecd127319014eaa2b7faa60a565edcdd7ef75cdd9290d5c8c0c45cb788
Opcode Fuzzy Hash: 35843fa1bc3954f9b5da276d8e15b493bae9f16d1a1b28c7621adc1f7f123a09
Instruction Fuzzy Hash: 7FE10CB4E002598FDB14DFA9C590AAEFBF2FF49305F248269D414AB356D730A942CF61

Function 077330A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed016237044a4e1de2981d17a4d625bf838a468f5d30805565860e38ac44e78
Instruction ID: b1f5bf4f2c041443ebe71b678c58cbf37d4ff7806c826a0c9af42cf92a9618e9
Opcode Fuzzy Hash: fed016237044a4e1de2981d17a4d625bf838a468f5d30805565860e38ac44e78
Instruction Fuzzy Hash: 95E10DB4E002598FDB15DFA9C580AAEFBF2FF49305F248169D414AB356DB309942CF61

Function 05D26BA1 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143308517.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d9785fa103941ddd2ad9eec40895274192f1553aac6e0dbfe1cedebf958dcb
Instruction ID: e675c43d8669d4ecd83a2af5792f5512f4db9db1c1d773d100653dc7364e2c21
Opcode Fuzzy Hash: 33d9785fa103941ddd2ad9eec40895274192f1553aac6e0dbfe1cedebf958dcb
Instruction Fuzzy Hash: 57D1083592075ACADB00EBA4D9956EDB7B1FFD5300F10879AE04A37650EFB06AC8CB51

Function 05D26BB0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143308517.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d014a0d3e52f00b90b8a2804a599824a3070ed3e56c30bee2dca5c21f9c9b7c
Instruction ID: 04244076de10375cb7ab997af609ca51b8af518c224b76550bf96a2f9f717a00
Opcode Fuzzy Hash: 3d014a0d3e52f00b90b8a2804a599824a3070ed3e56c30bee2dca5c21f9c9b7c
Instruction Fuzzy Hash: E6D1F83192075ACADB00EBA4D9956EDB7B1FFD5300F10879AE04A37650EFB06AC8CB51

Function 0117E124 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2139203632.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf952588ec590760552c121192e06db0350541000b6acbe0c6e28c18320297d
Instruction ID: a345ef567f62b0c43e7768de7100daa596dab54892b81684dd4240586cee03d4
Opcode Fuzzy Hash: 6bf952588ec590760552c121192e06db0350541000b6acbe0c6e28c18320297d
Instruction Fuzzy Hash: 55A16D32E002168FCF19DFB4D8405DEBBF2BF85304B1585AAE915AB365DB31E956CB80

Function 07734FE0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2145956263.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98c3f247ca2380e9233c2796e0da23d6809c485f7a6598347f2fbfc6ab91d7b
Instruction ID: ef917dd8c3ae1899fcc4fcac683051eb701c118e10684336d8e9a9ee0a900f9d
Opcode Fuzzy Hash: e98c3f247ca2380e9233c2796e0da23d6809c485f7a6598347f2fbfc6ab91d7b
Instruction Fuzzy Hash: 8B510BB0E002598FDB14DFA9C5805AEFBF2FF89344F24C569D418AB256D7319A42CFA1

Analysis Process: file.exePID: 4232, Parent PID: 5236COMMON

Execution Graph

Execution Coverage:	29%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Executed Functions

Function 02A02E72 Relevance: 2.0, APIs: 1, Instructions: 451
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A03351

Memory Dump Source

Source File: 00000008.00000002.2257943230.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a00000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b616872973d2ca8686d08af02c34180481d70bdf602a7240d331cea2dd5408a2
Instruction ID: 4d61ca68f081b1bef6f531872df13568be510187f26cd83b1e55ae67035b293c
Opcode Fuzzy Hash: b616872973d2ca8686d08af02c34180481d70bdf602a7240d331cea2dd5408a2
Instruction Fuzzy Hash: 34E19D35F013454BDF14CABAACD03AEB2A36FD8324F59826AE916DB7C4EF7499019740

Function 02A032C8 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A03351

Memory Dump Source

Source File: 00000008.00000002.2257943230.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a00000_file.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: fe00aadc6d0fc885abd0b9cba4b53e2fe8bd19b696a230cd34c30c79bf3c8bb1
Instruction ID: 8664092e0519deb933abfff021e363be3c4244a2ec2ac137abd69e6352f79f20
Opcode Fuzzy Hash: fe00aadc6d0fc885abd0b9cba4b53e2fe8bd19b696a230cd34c30c79bf3c8bb1
Instruction Fuzzy Hash: 5221F4B1D013499FDB10CFAAD984ADEFBF5FF48310F20842AE519A7250C7759910CBA1

Analysis Process: AtkzppDHiyvcIR.exePID: 5920, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	98.6%
Signature Coverage:	0%
Total number of Nodes:	218
Total number of Limit Nodes:	11

Executed Functions

Function 0280D570 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0280D5FE
GetCurrentThread.KERNEL32 ref: 0280D63B
GetCurrentProcess.KERNEL32 ref: 0280D678
GetCurrentThreadId.KERNEL32 ref: 0280D6D1

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a8a81f3e7a04b204723f9ade1c4844a99301a2ee84f39ca604b177ff3b6a499a
Instruction ID: 40ee948676d615d417b08d439e541fa31872e7c06bedb8b07c05c8ce63c7e7f3
Opcode Fuzzy Hash: a8a81f3e7a04b204723f9ade1c4844a99301a2ee84f39ca604b177ff3b6a499a
Instruction Fuzzy Hash: BA5188B49003498FDB44DFA9DA88BAEBBF0FF88314F208499D019A72A1DB745944CB65

Function 0280D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0280D5FE
GetCurrentThread.KERNEL32 ref: 0280D63B
GetCurrentProcess.KERNEL32 ref: 0280D678
GetCurrentThreadId.KERNEL32 ref: 0280D6D1

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 284ad5c3196504724690d5cbb8ae1f7eeb5fbcd92ea1510a0b01ef0b7fbc6e2d
Instruction ID: 36f12b7b84916881b4dab6fa966dbcae634bad33eea25ac0db0cc6557d292d7a
Opcode Fuzzy Hash: 284ad5c3196504724690d5cbb8ae1f7eeb5fbcd92ea1510a0b01ef0b7fbc6e2d
Instruction Fuzzy Hash: CD5186B490034ACFDB54DFA9DA88BAEBBF0FF88314F208459E019A7391DB745944CB65

Function 07675CDC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07675F1E

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ef4550c462c8e48965e552a4a9a0e6264fb71ac62abb0d3822de70a34de37b95
Instruction ID: 3cd7f5169e4e21dbca9cd5dfbb67dba93b0fd3d6ed59a035c3717c3142584f3d
Opcode Fuzzy Hash: ef4550c462c8e48965e552a4a9a0e6264fb71ac62abb0d3822de70a34de37b95
Instruction Fuzzy Hash: 3DA15CB1D0025ADFEB14DF68C845BEDBBB2BF44310F1481A9E81AA7281DB749991CF91

Function 07675CE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07675F1E

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bc8a0aa018dbf7d84e6af99060b9b4a31b1950cf2828d1b2355c653b3e7c8173
Instruction ID: 004bd19fe7e32523b240922233ad56b2ca3f3736335431301e82144ed94b6377
Opcode Fuzzy Hash: bc8a0aa018dbf7d84e6af99060b9b4a31b1950cf2828d1b2355c653b3e7c8173
Instruction Fuzzy Hash: B5916DB1D0025ADFEF14DF68C845BDDBBB2BF44310F1481A9E81AA7281DB749991CF91

Function 0280B300 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0280B566

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ae3be7f0d3d20dbbd211ff2f00f55b8e9604145eeaf3783c0097b22d5d4a2f7e
Instruction ID: 5a34c4efacb7b6e4eae13fc1d5161c9651e0fb8a89498baa34e493b50b75eb1f
Opcode Fuzzy Hash: ae3be7f0d3d20dbbd211ff2f00f55b8e9604145eeaf3783c0097b22d5d4a2f7e
Instruction Fuzzy Hash: 2E815878A00B058FD764DF29D88475ABBF1FF88308F14892ED48ADBA90D774E905CB91

Function 05AF1DE4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05AF1F02

Memory Dump Source

Source File: 00000009.00000002.2190501539.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5af0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ac8bb9afcab551cc6beedc40554e50f579bd54fc6d1beaa17c4d2053f31d99fd
Instruction ID: e31c5c6622cf83fcedd97ad9ede3842bbf4128b67357b7c8abb017ffe979c71f
Opcode Fuzzy Hash: ac8bb9afcab551cc6beedc40554e50f579bd54fc6d1beaa17c4d2053f31d99fd
Instruction Fuzzy Hash: 1551CCB1D00349EFDF14CFA9C884ADEBBB5BF48310F24812AE919AB210D775A945CF90

Function 05AF1DF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05AF1F02

Memory Dump Source

Source File: 00000009.00000002.2190501539.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5af0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9bd575d29e2f551645c3435d1bc7101cf67a2a426606601d1015a137a2f4e142
Instruction ID: 21fe017bee7e9bf95921e492c7dbfed1813992ed1baacefe1837fd67abaa8679
Opcode Fuzzy Hash: 9bd575d29e2f551645c3435d1bc7101cf67a2a426606601d1015a137a2f4e142
Instruction Fuzzy Hash: 44419EB1D10349EFDF14CF9AC884ADEBBB5BF48310F64812AE919AB210D775A945CF90

Function 0280590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028059C9

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4c239de6ed0f1f534f4107bb7de1b3f5403421c30cdabc5cd1db3c1c856f85c3
Instruction ID: 188fae8e5d916729a034c33cd09ea1e6b1fc091f0b330c45c8f2ba0de0ab4593
Opcode Fuzzy Hash: 4c239de6ed0f1f534f4107bb7de1b3f5403421c30cdabc5cd1db3c1c856f85c3
Instruction Fuzzy Hash: 7A41D174C00619CBEB25CFAAC984BDDBBB5BF89304F60815AD408AB251DB75694ACF50

Function 05AF0CD4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05AF4471

Memory Dump Source

Source File: 00000009.00000002.2190501539.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5af0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 84e8e0f50022f4d47656e5f1a5e47a59d19505f037d4e72baa42a805b940741f
Instruction ID: 2e3526b915b1bfa223a51c0a7a7c3c27ef7ec4b15701c59410c6cb88db6d346b
Opcode Fuzzy Hash: 84e8e0f50022f4d47656e5f1a5e47a59d19505f037d4e72baa42a805b940741f
Instruction Fuzzy Hash: 2341E5B5A00309CFDB14CF99C488EABBBF5FB88314F25C459E619A7361D774A941CBA0

Function 028044B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028059C9

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f3dd81f293dee5133b712268c067ed9551c43d78c873f074ec4491a8dcd39f58
Instruction ID: 426a6ff4f86f1e971a4e12a68c11ac72a2201f2b27a1199f28a52024e30eeb59
Opcode Fuzzy Hash: f3dd81f293dee5133b712268c067ed9551c43d78c873f074ec4491a8dcd39f58
Instruction Fuzzy Hash: 3941D474C0071DCBEB24DFAAC984B9EBBF5BF44704F60805AD409AB251DB795945CF90

Function 07675A59 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07675AF0

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6e2f3e7d9349dbd1c6bbe1573109f39a89e009151dc1acde5a3e47ecfa1d8457
Instruction ID: 30aa714d3c2cc0b9a7296690ee71ba25907fc319778a286ccc057996fa51cfec
Opcode Fuzzy Hash: 6e2f3e7d9349dbd1c6bbe1573109f39a89e009151dc1acde5a3e47ecfa1d8457
Instruction Fuzzy Hash: C62135B590034A9FDF10DFA9C881BEEBBF4FF48310F10842AE919A7241D7799950CBA4

Function 07675A60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07675AF0

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d974ecad9f98f90ef052e5dfff8b2d3b17f516462ccbe75d7a54f05ded1d6266
Instruction ID: 06a1087a5c1297fce1b34253dcd920fe1dcd87d60f214212ee2dcfd5e38a159d
Opcode Fuzzy Hash: d974ecad9f98f90ef052e5dfff8b2d3b17f516462ccbe75d7a54f05ded1d6266
Instruction Fuzzy Hash: 852126B190035A9FDF10DFA9C881BDEBBF5FF48310F10842AE919A7241D7799950CBA4

Function 076758C0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07675946

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 69d863b3e5d9f27f726c6300231ff2bdfd5d43edc99cc890d7bae57a4bc7bf36
Instruction ID: d9cc45db87017e747e907c4f3a6b2c12abeffdda6c185851cee5948f44ed225a
Opcode Fuzzy Hash: 69d863b3e5d9f27f726c6300231ff2bdfd5d43edc99cc890d7bae57a4bc7bf36
Instruction Fuzzy Hash: 32216DB1D0034A8FDB10DFAAC4457EEBBF4EF48320F14842AD559A7281D7789954CFA5

Function 07675B48 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07675BD0

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 42790c28339438dfc300a0c03e96bd9d39f35deb56c8f1fa42b3d614464e7c8a
Instruction ID: 8f4ad53ba59351b1319d07022445ef2f3a775c85ece58d20b517464c6b677703
Opcode Fuzzy Hash: 42790c28339438dfc300a0c03e96bd9d39f35deb56c8f1fa42b3d614464e7c8a
Instruction Fuzzy Hash: AC2119B18013499FDF10DFA9C841AEEBBF5FF48310F10842AE559A7240D7799554CBA5

Function 07675B50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07675BD0

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bd4fe42c40ba1ca65b9348e4cb454c5a142e969f5be3f78bb710d04251159ab6
Instruction ID: 75e06a78d19c33806cc245fdeef52d924356d761dcf388a0c71f7b102ce478b9
Opcode Fuzzy Hash: bd4fe42c40ba1ca65b9348e4cb454c5a142e969f5be3f78bb710d04251159ab6
Instruction Fuzzy Hash: C82116B18003499FDF10DFAAC881AEEBBF5FF48310F108429E519A7240D7799910CBA5

Function 076758C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07675946

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e483274efbacddbbfb870db1894880720d40316f1683ac755fa81ef9986341f8
Instruction ID: 0fcfa2fd1b986641f41eea26314261d463d06f01e519cb13a8358fee3b3ba5dc
Opcode Fuzzy Hash: e483274efbacddbbfb870db1894880720d40316f1683ac755fa81ef9986341f8
Instruction Fuzzy Hash: 5E2168B1D0034A8FDB10DFAAC481BAEBBF4EF88320F108429D559A7241CB789944CFA0

Function 0280D7C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280D84F

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8eb994ed6b5c62ce75b5ec68c3f426b73843500dc37b825fc97fa6f03abd7910
Instruction ID: bc50bb93fde32e635957edfad688b055c92913cc4a31149d65bcb97b787cfe55
Opcode Fuzzy Hash: 8eb994ed6b5c62ce75b5ec68c3f426b73843500dc37b825fc97fa6f03abd7910
Instruction Fuzzy Hash: 092103B5D00249DFDB10CFA9D984AEEBBF4FF08324F14845AE918A3251D378A955CF64

Function 0280D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280D84F

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd580eb9244a567b5f4869eb5f64d848b112f17a9e33daef1767a18a8f608ccf
Instruction ID: 10db76efba726e2e6ecc2001cdee0bc84696a3203c2b146008f02a770dd65d14
Opcode Fuzzy Hash: bd580eb9244a567b5f4869eb5f64d848b112f17a9e33daef1767a18a8f608ccf
Instruction Fuzzy Hash: 2C21E4B5D00249DFDB10CF9AD984ADEBBF4FB48320F14841AE918A3350D378A954CF64

Function 07675998 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07675A0E

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5e33d832eff1c87f0669d3284df76e05a6eeea90120d356c95cab97786aff3d
Instruction ID: 650a1f6342aa9f1be74971eb79cbb2c16e9229c659af21820ef6313e72f629aa
Opcode Fuzzy Hash: d5e33d832eff1c87f0669d3284df76e05a6eeea90120d356c95cab97786aff3d
Instruction Fuzzy Hash: EC1159728003499FDF10DFAAC845BDEBFF5EF88324F14881AE519A7250C7759954CBA1

Function 07675811 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0767587A

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 48b43a8909a78fdaf01139e3f4a0bfdd24c998b72ff6699f019457f4c3e539a5
Instruction ID: 2744f55033656c6209709bd9e8168baf952812ee87a3394528435f6b27b52e89
Opcode Fuzzy Hash: 48b43a8909a78fdaf01139e3f4a0bfdd24c998b72ff6699f019457f4c3e539a5
Instruction Fuzzy Hash: 86115BB1D003498FDB10DFAAC4457EEFBF4EF88324F20841AD519A7240D775A900CBA5

Function 076759A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07675A0E

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f7e0d5adab86d77977d1fa5750c53e0b699fe37b652fdaebec7ff9de32b774a7
Instruction ID: de65bea2bfa8197df9a5f7637ea31125f04bcc8b52d532810691528bd83f7be8
Opcode Fuzzy Hash: f7e0d5adab86d77977d1fa5750c53e0b699fe37b652fdaebec7ff9de32b774a7
Instruction Fuzzy Hash: BD1126729002499FDF10DFAAC845BDEBBF5EF88324F248819E51AA7250C775A950CBA1

Function 07675818 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0767587A

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 248bb6f210cc72595cb3bed41484a3f624f8db46eb4efa25b14ccdf30d8dc294
Instruction ID: 682afa0a6e77109869aea51aae605db3e23084389a2fe25a4954a2157cff601a
Opcode Fuzzy Hash: 248bb6f210cc72595cb3bed41484a3f624f8db46eb4efa25b14ccdf30d8dc294
Instruction Fuzzy Hash: 7B113AB1D003498FDB10DFAAC44579EFBF4EF88724F248459D519A7240CB79A940CBA5

Function 07678FB8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0767901D

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e211aa9096e44fb37daceef8d56d7147fc2f1822199df0d61889694ced5cf92c
Instruction ID: b3a2a8ab021e12ff6e287fb8454ee34e67d3a2f624ac4ed6dc9e29431ef71f14
Opcode Fuzzy Hash: e211aa9096e44fb37daceef8d56d7147fc2f1822199df0d61889694ced5cf92c
Instruction Fuzzy Hash: F91106B5800349DFDB10DF99D885BDEBBF8FB48724F20841AD515A7600D375A954CFA1

Function 076726FC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0767901D

Memory Dump Source

Source File: 00000009.00000002.2191545849.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7670000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 954d155960f2d59d51daa504fffc5f6afc9120c98bae62c7d250a82422db2390
Instruction ID: 02b92b0e4e727a98687e3af3c4bd3fca461de5fd0dc9f82ee40443bec9f2f137
Opcode Fuzzy Hash: 954d155960f2d59d51daa504fffc5f6afc9120c98bae62c7d250a82422db2390
Instruction Fuzzy Hash: C61103B5800349DFDB10DF9AC889BDEBBF8EB48364F108419E519A7601D3B9A954CFA1

Function 0280B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0280B566

Memory Dump Source

Source File: 00000009.00000002.2180216990.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2800000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f4f29ccd07c212f4f967af9fc2734752f0e0c3242fb0e14e6ede7e668ff25e84
Instruction ID: 51dc06972420ca090e8002b69cae64bce822d9fcb165eb43153166deb8c4c0c9
Opcode Fuzzy Hash: f4f29ccd07c212f4f967af9fc2734752f0e0c3242fb0e14e6ede7e668ff25e84
Instruction Fuzzy Hash: 6B110FBAD002498FCB10CF9AC844A9EFBF4EF88328F10845AD518A7250D3B9A545CFA1

Function 073B17E0 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

k , xrefs: 073B17E5

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-882622465
Opcode ID: 242505b0c5386d6e2c56ba10b6a0a2322ac867ccc010423e7a997c4c49bff01a
Instruction ID: a5fb9943d034a56dd4e1612ec3fab48a2a71c5059c250b3de930a8f71040ec08
Opcode Fuzzy Hash: 242505b0c5386d6e2c56ba10b6a0a2322ac867ccc010423e7a997c4c49bff01a
Instruction Fuzzy Hash: B431C5B0A11349DFEB248F64C568AED7BB6BF86301F244069E50AD7B91DB34C941CB92

Function 073B839F Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

8, xrefs: 073B8413

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: aeb433fc9c4b76c4e2f27302be23318382dc0f9e602b437682fb82edde61adb8
Instruction ID: 6275c77d82d45dac9bf2a8891d5401bbdfc9551c0bc2925bfb73e42622c1c70d
Opcode Fuzzy Hash: aeb433fc9c4b76c4e2f27302be23318382dc0f9e602b437682fb82edde61adb8
Instruction Fuzzy Hash: B701D6F074020DDBF7348764CC6B7E97669BB40704F158852DA0EAFE82EAA59C50C7D2

Function 073B6D20 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

G, xrefs: 073B6D34

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: bc42a6d16a845bca9cc0613d5cd2ce930cd442ff907402a78f8784bea36b6294
Instruction ID: 4dfe5d6161c07b404190a7892436d8e158fa319cd491c54f9372d3cda163e085
Opcode Fuzzy Hash: bc42a6d16a845bca9cc0613d5cd2ce930cd442ff907402a78f8784bea36b6294
Instruction Fuzzy Hash: 47D0C2E004E28CEBCB118A5888222A87B7D9B03200F4410CAC48846402DB240E228757

Function 073B6D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 073B6D34

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 11b3d94f01d51d970a3adb84d9dfeb2a20b26f92c8f17662036e88215e2f03be
Instruction ID: eebdb1c91ae96874c5404541df30d05c4b8fa2a017d4452b74426394fb00cf3a
Opcode Fuzzy Hash: 11b3d94f01d51d970a3adb84d9dfeb2a20b26f92c8f17662036e88215e2f03be
Instruction Fuzzy Hash: 8FC012F1409108EBDA14CE80D9076ACB7AC9782204F400088DA0E42A02CB351F209A82

Function 073B3478 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2aac920b3dce21e57689d0acfad7f483db44fcdb1b437e4a47dffa8bdd4b4e
Instruction ID: 168045c57f75fb132fa5338916ec351be8e298207dd0f03b8321eb63b520e02c
Opcode Fuzzy Hash: 7d2aac920b3dce21e57689d0acfad7f483db44fcdb1b437e4a47dffa8bdd4b4e
Instruction Fuzzy Hash: 8EE127F0F00126DFEB25AB68C4496EEBFF5EF45200F1544A9D649A7A95D730CC15CB81

Function 073B0480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312bebebefe6decb6c6404206a34476b39a6e6893717d9aa4708dafa2eccaafc
Instruction ID: 0686f571120c67d206825ff5212228c8b450384cbb0e05092a1458c6d5e8a454
Opcode Fuzzy Hash: 312bebebefe6decb6c6404206a34476b39a6e6893717d9aa4708dafa2eccaafc
Instruction Fuzzy Hash: A8F1E975D1061ACBCF14DFA8C854AEEB7B5FF89300F1086A9D549B7254EB30AA85CF90

Function 073B0471 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde4b420b208021ba356311bc419e245daa33844987e601b6851f8d2dbb512cb
Instruction ID: fc6fdaca8f1f6b616c11a66d3635ed7f02a81381d3b7f1a209a075e8e34bdda6
Opcode Fuzzy Hash: cde4b420b208021ba356311bc419e245daa33844987e601b6851f8d2dbb512cb
Instruction Fuzzy Hash: 2DE1FA75E1061A8FCF14DFA8C8546EDB7B5FF49300F1086A9D549B7254EB30AA85CF90

Function 073B4AA1 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c0c7748db45f8368efa8330fbe69730acd849f7b7bea95975268ef788470d7
Instruction ID: 5bcc24f276280827bf4e07748c2a72be42cfaefc1edc79ac26a28d749ea6dd7e
Opcode Fuzzy Hash: e1c0c7748db45f8368efa8330fbe69730acd849f7b7bea95975268ef788470d7
Instruction Fuzzy Hash: C0B1E675910659CFDB10EF68C844AD8FBB1FF4A314F05C299D549BB216EB30AA89CF90

Function 073B2AD8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9d64bc7030f7b2dfc553300d487058ef27b374a1caccff9197f72a071d9145
Instruction ID: 8bd406685e087036ac1c6be8dc6f72ea37b2b7047df21260625ce4ae3cde3f18
Opcode Fuzzy Hash: 5c9d64bc7030f7b2dfc553300d487058ef27b374a1caccff9197f72a071d9145
Instruction Fuzzy Hash: 4C71B0B1A002199FEB24EF69D8047EFBBE6EFC8710F148529D549A7740DB389901CBA5

Function 073B2D98 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ff0f73bc93a24650bd567b8a34de6e2934472fba5ac2dd32913150ec6471df
Instruction ID: 7ad4ca86aacef1e4460fee6b11f5e96ec623a8e75d2b83c0a0e2e72f0471605f
Opcode Fuzzy Hash: 98ff0f73bc93a24650bd567b8a34de6e2934472fba5ac2dd32913150ec6471df
Instruction Fuzzy Hash: 6671E5B16003059FEB24EF69C854BAFBBA6EFC8350F108529E60A97B90CF749D41CB51

Function 073B778F Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a019bc6fb8943abbd72c7509ced313d423f719f905419d2f477d4b7fc95997
Instruction ID: e7e81c8472e14a4c6fb612310c53c1b0ac47381bdd73247830bf5490981e3889
Opcode Fuzzy Hash: d9a019bc6fb8943abbd72c7509ced313d423f719f905419d2f477d4b7fc95997
Instruction Fuzzy Hash: 16710134B042449FE701AB68D455AAEBBB2FF89300F0485EAD9859F387CB745D46C7D1

Function 073BED18 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5af989fa6dc6e1023d1fe0062225f2878ef82f79c2343a5eeb56e8bf862e228
Instruction ID: b2dc19375e237ccfb3f68b0b909272757ffe992f2df024b1eb052d3fcc17bfa0
Opcode Fuzzy Hash: c5af989fa6dc6e1023d1fe0062225f2878ef82f79c2343a5eeb56e8bf862e228
Instruction Fuzzy Hash: 9271E4B4E04218CFEB14CFE9C8446EDBBBAFF89300F149029D519AB755D7745946CB50

Function 073B77C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01c201489981fa4645acccbfa58fee02fe6e3556b593c9aaa47d15b356a3312
Instruction ID: 4143f5d99b1ab063589790b1eb1da132a0f727118464ca292dac3ded6c12b503
Opcode Fuzzy Hash: b01c201489981fa4645acccbfa58fee02fe6e3556b593c9aaa47d15b356a3312
Instruction Fuzzy Hash: F7619034B00215AFE704AFA4D445AAEBBB2FFC8300F1485A9D9856B386CF749D46C7D1

Function 073B0C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25347551e0c63072faea81cd9485dba390f5096afdeca505ec2921d84452398e
Instruction ID: 0cf79dee82d291ff08ebde3e1aac8835f10496996de3d79e97861acc7bec8f6b
Opcode Fuzzy Hash: 25347551e0c63072faea81cd9485dba390f5096afdeca505ec2921d84452398e
Instruction Fuzzy Hash: D8513C75A1060A8FDB14EFA8C8849EEF7B1FF89310B508669D516B7354EB30E985CB90

Function 073B1800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fac6ab787f5f2045bb03bd89591180f62855996ef6798da96ab5fe26fa7075
Instruction ID: e27ef35658ce941d7529ad840c3bbf81376bcc8f0f23a2ea5689a197bac59c0f
Opcode Fuzzy Hash: 36fac6ab787f5f2045bb03bd89591180f62855996ef6798da96ab5fe26fa7075
Instruction Fuzzy Hash: 6B4194B4B10209DFEB28CF74D454AAEBBB6FF85301B148469E509D7A94DF30C811CB91

Function 073B0E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41af90674f33b3333600acde237e25601791c35f5e1340cc19b9458a1498e8a
Instruction ID: fc87e8c163fb92041c5dd6a8e22a43017926b0caabc728117eec0cbee5a76b1c
Opcode Fuzzy Hash: a41af90674f33b3333600acde237e25601791c35f5e1340cc19b9458a1498e8a
Instruction Fuzzy Hash: 75519435B10609CFCB04EFA8D8849EEF7B5FF89300F00855AE545AB321EB70A945CB91

Function 073B9250 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3221d51c8116679fe372d5c911a95ecf586bf9d5752b60a800c9b9eb9b95a48
Instruction ID: 1a94670e1cc509bd9ba15279b72fc48082cbebdffd1c7e79826e00ffcc15e5ab
Opcode Fuzzy Hash: b3221d51c8116679fe372d5c911a95ecf586bf9d5752b60a800c9b9eb9b95a48
Instruction Fuzzy Hash: 094128F5E1820EDFFB245BA484517FE7B69EF86210F514056D70E9FE81C632680687A2

Function 073B0C37 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a51709029e320fb55912d29cd54e507f0f69a7793164deb6a9e118ca07fab95
Instruction ID: 33c587f63b5a31057546f434be672a76d5e3f76cbad7571bc061126cf9024a93
Opcode Fuzzy Hash: 1a51709029e320fb55912d29cd54e507f0f69a7793164deb6a9e118ca07fab95
Instruction Fuzzy Hash: 53414975A0060A8FDB14EFA8C8845EDF7B1FF88310B548669D51ABB754EB30E985CB90

Function 073B6AFC Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fad1a21c8051c9ac06ee9e5ee4c2c0d73a43e5abaf27c56356bc9dec6d0cc11
Instruction ID: 4329466849fd4fc8aa07fce7f79cf4a5b6905a4b90661bef7e978b5fcbd4f33d
Opcode Fuzzy Hash: 8fad1a21c8051c9ac06ee9e5ee4c2c0d73a43e5abaf27c56356bc9dec6d0cc11
Instruction Fuzzy Hash: 6141C3F0608108DBE724DF58D4526AE77B5EB8A314F148469C25EABB83CB359D42CBA1

Function 073B7A46 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d456493f97450f56b616643311e05e807e1befd1852343e4ce52fba5df74db19
Instruction ID: 72ad914e2bb6a38cd4e47cb74f99cdf7661fd9dd1592c0ff6f1fe17bb42a6db5
Opcode Fuzzy Hash: d456493f97450f56b616643311e05e807e1befd1852343e4ce52fba5df74db19
Instruction Fuzzy Hash: DD4106B061C390CFDB29977498192A97FB5EBD7245F0084A7D246C7B92CA784D01CBA2

Function 073B1198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e203892217193bf7307a3d6e88a05dbab412ca67caa62007ea9ff94b83b496f
Instruction ID: 8d275c4c00389dea0722aeb2f643720923f3f2182af8372a3a68ed503070cb20
Opcode Fuzzy Hash: 5e203892217193bf7307a3d6e88a05dbab412ca67caa62007ea9ff94b83b496f
Instruction Fuzzy Hash: AE3181B1E10219DFDB24DFA8D85499DBBB6FFC9300F10816AE605AB7A0DB709C51CB91

Function 073B17AD Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6318e75f0c5a12097faa3d341f3bd6fa0902b8e4404b9cb73e7bb7b50a2e1a
Instruction ID: d5a1014b69194aa0476deceb01268649f91e4b8a30b27688ad574b0a24b6d86c
Opcode Fuzzy Hash: 7b6318e75f0c5a12097faa3d341f3bd6fa0902b8e4404b9cb73e7bb7b50a2e1a
Instruction Fuzzy Hash: F131E8B0A11349DFEB348B64D564AED7BB6FF85301F244069E50AD7B50DB30C841CB92

Function 073BA2E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ada1c750e8e82fa52af114c35cc07fa49438f9ea361ea57b4abccfef97461c
Instruction ID: 406495a73f626c9eb85150343a07794c4c27b057826c043c3bd8398ec9aa37f9
Opcode Fuzzy Hash: 94ada1c750e8e82fa52af114c35cc07fa49438f9ea361ea57b4abccfef97461c
Instruction Fuzzy Hash: 873136B1A00309EFDF24DFA9D884ADEBFF5EB48310F10842AE508E7210D775A954CBA0

Function 073B2D88 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb5aecec54e2adb4832d75623ddeeff2dbe02b167dba9b2b22a797b7bf1c16d
Instruction ID: 1385ff99ed155240c4fec83525d3cebeb326e7f9eda57418ef0a9d9206c6c118
Opcode Fuzzy Hash: 2fb5aecec54e2adb4832d75623ddeeff2dbe02b167dba9b2b22a797b7bf1c16d
Instruction Fuzzy Hash: 3531A5B0601205AFEB24DF69C8447EFBBF6EF88300F108529E5099B691DB74DD41CB50

Function 073B22F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d525d3790a874a7aa1dea6c350cb843c025971b4f76a2ae840a752d059cd1462
Instruction ID: ed463ce58ea0e5ed7ff26180dfcc59b3ef81b61ae2f7b6418e53bb34b3981f8d
Opcode Fuzzy Hash: d525d3790a874a7aa1dea6c350cb843c025971b4f76a2ae840a752d059cd1462
Instruction Fuzzy Hash: E931ADB53002118FE724DF68D880AAB77EAFF89210F148569E60DCB755DB319C4A8B60

Function 073BC308 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cfcffa856a9be4d9e23b07a77a3eb1bab2937049116454e5e45a3743900744
Instruction ID: 866fab6ec7d2887b6344539258fd0b6f575df8fbe2f94ba819352fd93c98b987
Opcode Fuzzy Hash: e3cfcffa856a9be4d9e23b07a77a3eb1bab2937049116454e5e45a3743900744
Instruction Fuzzy Hash: 8F2106F0718114DBF735461988016F9766BABC2310FA4A026D24F4BE8ACAB68D068776

Function 073B6568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cc8c15f291439a28de0e242295c7de6bb80b45c2abb1ecadfacee41b45ee4c
Instruction ID: 14b16d5a87815b5a27e46c4cae7dddfe67c6736a4fa51ffd69bd2a444e5baa72
Opcode Fuzzy Hash: c0cc8c15f291439a28de0e242295c7de6bb80b45c2abb1ecadfacee41b45ee4c
Instruction Fuzzy Hash: 4C311CB4E1020EEFDB10DFA8C4916EEBBF5EB48310F104429D609F7641E7309A508FA0

Function 073B6B51 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf6ee8a84cb9f2c50d1553e5e62e656d5b0829080e57034c5adc082c01c0c81
Instruction ID: b128c69332100714c6ccb9e1d21df2b1840c78c37e44a833571a90c9cf777e08
Opcode Fuzzy Hash: aaf6ee8a84cb9f2c50d1553e5e62e656d5b0829080e57034c5adc082c01c0c81
Instruction Fuzzy Hash: 5C3191F0608108CFE724DF58D4536A977B5EB86314F14846AC25E9FB43CB769D42CBA0

Function 073B6C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188aeffe43b701c5fa44b11a403de34fa73054342b8a999b33ab984c605db5a5
Instruction ID: 8ef82ee12973d6c4a49c5a9d2e61b98db0036cd0228a06c0441191e60ff965ae
Opcode Fuzzy Hash: 188aeffe43b701c5fa44b11a403de34fa73054342b8a999b33ab984c605db5a5
Instruction Fuzzy Hash: FC31A0F0608108CBE724DF58C4536AA77B5EB85314F14846AC25E9BF43C7769D42CBA4

Function 073B0FC0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851391e5f391a597d8dea4ce240f7b05f2304189fe7367fc4c18d52797ba7082
Instruction ID: 5a7b72d2954b5a80a819b71d89c6631ab6f42df39a3bed76319e741211a17f7e
Opcode Fuzzy Hash: 851391e5f391a597d8dea4ce240f7b05f2304189fe7367fc4c18d52797ba7082
Instruction Fuzzy Hash: 9F314535A10609CFCB05EFA8C4548EDBBB5FF49310F01869AD5456B224FB70A989CB91

Function 073B0FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e83f3a8b0f09f4dc9ae77b41faac07592e263f3b3fe2cd6d7ecfa8403ee8cd
Instruction ID: e0c6202ee8628ab4d15270caa5a1b86a82cf5a0fded3655994ac1d4cdb6445ee
Opcode Fuzzy Hash: 99e83f3a8b0f09f4dc9ae77b41faac07592e263f3b3fe2cd6d7ecfa8403ee8cd
Instruction Fuzzy Hash: 7D31F235A10609DFCB04EFA8C4948EDFBB5FF89710F01865AE5056B264FB70A989CB91

Function 073B29E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76da66f13d0c9a86f8e93b5f24a53196a6c5cf3331db2fd20a79484c539a33f2
Instruction ID: ff1b9ed98ea666a51bdc95783c6ad42e4ca1a7bfe066a0265e46318a204ea085
Opcode Fuzzy Hash: 76da66f13d0c9a86f8e93b5f24a53196a6c5cf3331db2fd20a79484c539a33f2
Instruction Fuzzy Hash: 5721A1B8710102CFEB249FA8E944BABBBF4FB89351F409129E619D7640DF34D915CB60

Function 073B0290 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2c87e93fa144f58974f1169f8aad3f433dff3c50c2454333757ecce37497fd
Instruction ID: f15a01a877a1eaa0238a3da19fdc17c4518ac2c7df4ac293a13d9a1bb75e790f
Opcode Fuzzy Hash: 7d2c87e93fa144f58974f1169f8aad3f433dff3c50c2454333757ecce37497fd
Instruction Fuzzy Hash: 93216274B012458FCF54DF69C8948EEBBB5FF89200B5045A9D909E7355EB30E905CBA0

Function 00D9D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2179433106.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d9d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339a6e7114e7e84b38653dc658aba6aada3f1178602091ceaaba4a4ab0702771
Instruction ID: cc09c17f945c5bfb45ac327f2ac06d2abbbef8a7918edc72ed8c3b634b6dff4c
Opcode Fuzzy Hash: 339a6e7114e7e84b38653dc658aba6aada3f1178602091ceaaba4a4ab0702771
Instruction Fuzzy Hash: CA212675504304EFDF04DF14D5C0B2ABB66FB84314F24C56DE9494B252C776D846CA71

Function 00D9D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2179433106.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d9d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69136a9090238c159b4ff1bf8deacec87f1710c569f69a7e537e87777741d5bd
Instruction ID: 5943bb30233e6a720a12923dc909cbb1b9c8bcecf1eb72e197e3f63301993286
Opcode Fuzzy Hash: 69136a9090238c159b4ff1bf8deacec87f1710c569f69a7e537e87777741d5bd
Instruction Fuzzy Hash: 5E214675604304EFDF04DF14D9C0B26BBA2FB84314F24C56DE9094B292C37AD846CA72

Function 073B02A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00d6f24398a4513d21fa250ec936599e142d84cde728177be4356ee87d694c7
Instruction ID: ac5ec3c22f3e29bcc8c23af11bf42889fd093e9a458daf6908798639233b5185
Opcode Fuzzy Hash: a00d6f24398a4513d21fa250ec936599e142d84cde728177be4356ee87d694c7
Instruction Fuzzy Hash: 91211275A1020A8FCF44EF69C8848EEB7B5FF89300B518569D909B7355EB30A945CBA0

Function 073B8E58 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52634d1783f9f585c2df2f18afbea2ee68e23c991437c44e7defbeee02162f04
Instruction ID: f9095e282e2b4149dc596aea1078a03432bf60af28481f8b418d99da95ed45fc
Opcode Fuzzy Hash: 52634d1783f9f585c2df2f18afbea2ee68e23c991437c44e7defbeee02162f04
Instruction Fuzzy Hash: 2F11E4F195D244EEF330A6E494012F57B9E5B43154F548897D34E8BD46C63A844287E7

Function 073BC536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dcbe0c9dd19b94c432c07ebac021b1b5dd8e2ecdd8f99c0ceccfddd584ad95
Instruction ID: 254f8613b5ab182fd3011a7c9362e57182095adf31160765612b9b07e24ce082
Opcode Fuzzy Hash: 50dcbe0c9dd19b94c432c07ebac021b1b5dd8e2ecdd8f99c0ceccfddd584ad95
Instruction Fuzzy Hash: BF2165F0E28515CBF735862AC4806F9B369AB4B310F006217A35EC6E90C774E5908A76

Function 073B6566 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7ebeb306b33cc74536b155c7a1a60e3faaffb0fd4e08c7d83bdec31d4818d6
Instruction ID: 938eafce4556be23d41cdca8f1d65b82cfc65c8e110b765473056ab2dd818885
Opcode Fuzzy Hash: 0f7ebeb306b33cc74536b155c7a1a60e3faaffb0fd4e08c7d83bdec31d4818d6
Instruction Fuzzy Hash: 6A2119B4E1020EEFDB50DFA8C4916EEBBF5EB48314F10442AD609F7645EB349A418FA0

Function 073B22E2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc5edbe7a5307ed317f7b1af9006a85f902b6dca77e702bd44d18e167402f64
Instruction ID: 40e7e3a72ebe1a2cca4086ab17901ff2825a80bf06bdd348262132027efb567d
Opcode Fuzzy Hash: 0fc5edbe7a5307ed317f7b1af9006a85f902b6dca77e702bd44d18e167402f64
Instruction Fuzzy Hash: 9921C3747042518FE714DF68D880BAB3BE6FFC9300F148569D90DCB355DA709C498760

Function 073B8E68 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c2c55b8baf58295790ff2b3c703824b2f19ff88e87ed37941afd1f905a9fa1
Instruction ID: 6a697df8dc5c7691ff1070e4d6ec16621ef570c06d353384062b61030986ab78
Opcode Fuzzy Hash: 88c2c55b8baf58295790ff2b3c703824b2f19ff88e87ed37941afd1f905a9fa1
Instruction Fuzzy Hash: CA11E1F1A1D280DFF331A6F494102E57FAE5B43114F1488ABD34E8AD96C63A8841C7E7

Function 073B3FC8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a317677a262b202ef25f723227cd326d5ff73723d052609728f0b84840e284cd
Instruction ID: 175b84a8fce96a376993bcc3f6d30b932c650082356f164e472f9bc1e1793ea9
Opcode Fuzzy Hash: a317677a262b202ef25f723227cd326d5ff73723d052609728f0b84840e284cd
Instruction Fuzzy Hash: 5711E571704314ABC7249B7E98646AFBBFADF85660F0444ABE609C7741ED30AC0683E1

Function 073B29D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1ec405587388692a9325b05ce99c6aa847afcc5303695132bf44b6db6f16e9
Instruction ID: 26cb452d26104e1762fc2cd41af741946eb98a418f91e67f34dd69bb12498ad3
Opcode Fuzzy Hash: ca1ec405587388692a9325b05ce99c6aa847afcc5303695132bf44b6db6f16e9
Instruction Fuzzy Hash: A111E1B87041028FEB24DBA8D984AABBFF4FB85350F045169E519CB681DF70C805CB60

Function 073B59F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7a27bb061f8b8293dc935fff128be4dc923e36d7944b18fc941957e466c692
Instruction ID: 4f30943c491734db4b1837d193f55717d018638fc765845f2e552b5d92e61632
Opcode Fuzzy Hash: bf7a27bb061f8b8293dc935fff128be4dc923e36d7944b18fc941957e466c692
Instruction Fuzzy Hash: 242103B59003499FDB20CF9AD884ADEBBF4FB48320F10841AEA18A7600D775A954CFA1

Function 00D9D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2179433106.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d9d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 35d578b1c1cdccfd41a23bef08630a4c7c84585dcd807055f6eef1875aa68072
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 2B119D75504684DFCB05CF50D5C4B19BBA2FB84318F28C6AAD8494B656C33AD84ACBA1

Function 00D9D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2179433106.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d9d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: c5327eba667b0cfae5f448cea730d413d21b5e894183d934730636ac66ba0f8e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 8F118B76504284DFCB05CF14D5C4B15BBA2FB84318F28C6A9D8494B696C33AE84ACF62

Function 073B82D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d97f863cc110b4d17f3f1325fd1407faaa9b65e8aa97be452b369ae68c1330d
Instruction ID: 9843f83a603112ee133e252681a68dae6f217806bf8cc68541037fdea793abcf
Opcode Fuzzy Hash: 2d97f863cc110b4d17f3f1325fd1407faaa9b65e8aa97be452b369ae68c1330d
Instruction Fuzzy Hash: DF018CF461D249CFE325872494142E1BBADBB06244F0882ABD24D8FD52C6768986C7EA

Function 073B4DD0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ee64f3db7a498ae0d76b926b3d17f63b0b5f7e03eac44edea0ec761106c10c
Instruction ID: 03ed7e6d35f56f413c5ef06d6d66b18847006e34d886185c5ee38a4e9abd44f7
Opcode Fuzzy Hash: 56ee64f3db7a498ae0d76b926b3d17f63b0b5f7e03eac44edea0ec761106c10c
Instruction Fuzzy Hash: 7C01813130429AAFDF419F6598048AEBFB6FB89290760806BF905C3351DB758C32DBD1

Function 073B7D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927d27e7eeb9d31f3b473d06daa4a51d7664d0f89555526a08aff482b4633d48
Instruction ID: 6631b96e568f88d7207bc1c590f4cbc28197261ddb9808395cf3958fe7c75b86
Opcode Fuzzy Hash: 927d27e7eeb9d31f3b473d06daa4a51d7664d0f89555526a08aff482b4633d48
Instruction Fuzzy Hash: 1901D6B155C3848FE3529778C4102E97FA69B83345F4480AED2495F982C77A8486CB61

Function 073B2800 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1f0f997f3fce0f785f2daa10ece81af296af4b2cc5cd19e9bd0b7f03afe198
Instruction ID: d6b6e7235d9838d8e5b9836e6807f5b4ca317d8a7f6e90505c31bc3d93b8c203
Opcode Fuzzy Hash: 7c1f0f997f3fce0f785f2daa10ece81af296af4b2cc5cd19e9bd0b7f03afe198
Instruction Fuzzy Hash: 57F096363003009FD7259F69E409AD67FA5EBC6761B21C43FE649CB641CA75C856C7A0

Function 073B8F1C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238e64b186ada6f63adf164347ccba9cf37271140d90705a4de405c988863a85
Instruction ID: b2809fd14d56d7ef38651cc6cc678a7bff39eccccb29a05985928c660d8140c4
Opcode Fuzzy Hash: 238e64b186ada6f63adf164347ccba9cf37271140d90705a4de405c988863a85
Instruction Fuzzy Hash: 57F024D252E288EFF33156A868210F13FAEA967040B4004C7E78FCFD67D528544183E3

Function 073B4DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a22e7e1dea8f59f4a2f2edd1a2fbd93b7e0038ec154d6d55377d6d9ab33733c
Instruction ID: ee55e6bbb3d9c7bff4751214177a8d135e7fa8c0c037d746c2cea32ee5dac3a4
Opcode Fuzzy Hash: 5a22e7e1dea8f59f4a2f2edd1a2fbd93b7e0038ec154d6d55377d6d9ab33733c
Instruction Fuzzy Hash: FFF01D36700219AFDF059F95E8458AEBFAAFB8C261710802AFD19C3350DB758C32DB90

Function 073BA2D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7905bf763e30c09703acd66b78c08906da6fbf4730b93a97da99e5f7f5b43a8
Instruction ID: 761f2605556962db92d94902c70e1e1984cc1ee3fa48e44ad5d92142a76de387
Opcode Fuzzy Hash: d7905bf763e30c09703acd66b78c08906da6fbf4730b93a97da99e5f7f5b43a8
Instruction Fuzzy Hash: 2FF0E972608244BFEF15DB64DC418DE7FB6EF45220B04C0ABE108DB266E6719950C791

Function 073B82CF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d430f27d607273b8bddeb5373dd953c067019a5f82676738be89dd9fef96961
Instruction ID: 68a44abd65e68a8458e5451d95fde502ede1c68dbfe549e6eb17093a9e1895e4
Opcode Fuzzy Hash: 6d430f27d607273b8bddeb5373dd953c067019a5f82676738be89dd9fef96961
Instruction Fuzzy Hash: FDF090F461950ADBF7348A14D4002F0B7ADB706384F488266960ECFE01C772C980C7EA

Function 073BAEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d101105ee1e5091a94dc6a1175d1fb3b5a66b093663d4a364bd72df239f3b8
Instruction ID: de3636ba0d263dbb29103c77c9c1b0c7bc5f5c5fd003a1d47f3b0628afe1dae4
Opcode Fuzzy Hash: 11d101105ee1e5091a94dc6a1175d1fb3b5a66b093663d4a364bd72df239f3b8
Instruction Fuzzy Hash: 58F090B0A45345EFEB119BB0CC5AAEDBB72BF46300F00C252E616666D1CB744816CB51

Function 073B7D51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4b620af962871e4b8e23cf0b43bbf427d03a0197578a5a35d1a6ae6425da44
Instruction ID: c0e7373f95d8a9a2878baeec5482ce5307bdb723c30bce4c71554577fb333ba6
Opcode Fuzzy Hash: 7e4b620af962871e4b8e23cf0b43bbf427d03a0197578a5a35d1a6ae6425da44
Instruction Fuzzy Hash: B0F027B249C1488FE3600A2880102B47B27D7C334EF94C0AEC25D0E987C73F8443CA51

Function 073B2AC7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dcd06d3dc77528cf78ffacc568462a81c75198f3b0b0aeeeb11e0c4108af24
Instruction ID: aa4e2b609d7bf293e2b4b64a8552dcb876410ab578589d8c3ebf7222b0e6d13d
Opcode Fuzzy Hash: 85dcd06d3dc77528cf78ffacc568462a81c75198f3b0b0aeeeb11e0c4108af24
Instruction Fuzzy Hash: 76E06D76600B009BD329CE1AD8C5A87FBE5FF88260710C92EA55DC3A04DB70D405CB90

Function 073BB8F2 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d4e7d71dcf52d3e1d4dbb8e952693619972e2155816016d7641548c8834985
Instruction ID: 790467074d55c751ff6a6f3c3a38aea2f0b08002d57b49ea8482e173b9125d9f
Opcode Fuzzy Hash: 29d4e7d71dcf52d3e1d4dbb8e952693619972e2155816016d7641548c8834985
Instruction Fuzzy Hash: 67E08CE1A2C14CEB66709AB864412F5FBAC6747120F8044969A4FC7E09DDA14940C3B3

Function 073B20C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3196f2c81d35c47d291c18c08befb8a4d32d29f9c20c4d68df442c89c96c334
Instruction ID: a1d3bcc932bb054b5a62087e1928a287f001d47077a4448a97ef288e3f80c1bb
Opcode Fuzzy Hash: e3196f2c81d35c47d291c18c08befb8a4d32d29f9c20c4d68df442c89c96c334
Instruction Fuzzy Hash: 6AE0262424E3840FE3162BB588062E93FA9DF8220031660D6E209CF193C934C405D362

Function 073B0DE8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e320c2070699914511860c11e69df6a8e8ea9dba20f3adee2f129daf3772f966
Instruction ID: e0c8084c8af6b53b8aee5a0b5422b250f65fd1846efa74c6e9e329b6eb49c6b5
Opcode Fuzzy Hash: e320c2070699914511860c11e69df6a8e8ea9dba20f3adee2f129daf3772f966
Instruction Fuzzy Hash: 98E01AB195060C9FDB51AF74C9053DA7BE0EB12320F00C56EE89ECA110E674C2D9CB81

Function 073B8140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbc227e2dbe8f744ed83078d116b95a4a115e45a0b0957610dec817da5e734b
Instruction ID: 9b2848df86e6bd56c0c598fcbf3b8b1de02184c1096092e94ca988548d888926
Opcode Fuzzy Hash: ddbc227e2dbe8f744ed83078d116b95a4a115e45a0b0957610dec817da5e734b
Instruction Fuzzy Hash: BFE0D8F4508745CFE312EB74C8252AA77B4EF46204F04C49795598FAA7CB309C0BC7A1

Function 073BC0D7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68438d9f3a3ab2c50c74f1f0c8101ac2685bb3978c2a2b92a9b0bf53d5f48e75
Instruction ID: 6875c28b032bd63146cebecc8b9d5f0677a89b2b52b2633cce5e62a8c0a799f1
Opcode Fuzzy Hash: 68438d9f3a3ab2c50c74f1f0c8101ac2685bb3978c2a2b92a9b0bf53d5f48e75
Instruction Fuzzy Hash: 69E0CDF0B5C10CDBA334965564111F1379D978A310F009143DB0FD6E04C951C8000673

Function 073BC092 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb3a179160446c69278241b94a02bf6566ea0426a834f19a5f92141bd091567
Instruction ID: 0936ea6e2f9bc41cb6aa5f15217915e932e56386533ea104203d33a1b0856b89
Opcode Fuzzy Hash: 9fb3a179160446c69278241b94a02bf6566ea0426a834f19a5f92141bd091567
Instruction Fuzzy Hash: DDD02EC002C388CFEA3461BC48240F93F6D9987208F00608BE38E86C0AC801C8060277

Function 073BAE9B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa099a31dc4c9ebaadfb4f8cdd0ab785001a7dbd808eb16abbec7ce82501748
Instruction ID: 8cc257d4210519f1454f0ea5eae28c73092a0058422a0f8ba0d5054dd65cbb87
Opcode Fuzzy Hash: 7fa099a31dc4c9ebaadfb4f8cdd0ab785001a7dbd808eb16abbec7ce82501748
Instruction Fuzzy Hash: E1E06DF1C08684CFD716CF78C8912A9FFB1BF82200B04809BD05897616C73054168B82

Function 073B9D82 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674161c74c4221e60704bc984b66f3f7378816807e3d4f2004f8fce564a619bb
Instruction ID: 63b0f7cab2ce33cbe0fcb2341979742d3e8fd4fe76a222f9b3bb549c6b371f36
Opcode Fuzzy Hash: 674161c74c4221e60704bc984b66f3f7378816807e3d4f2004f8fce564a619bb
Instruction Fuzzy Hash: 22D05ED726C048D3F578205F444C7FA739E5783324FE440AE930F45E6AD822742281A6

Function 073BB8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f371003034c0f055e072d768ea5844d34429fc8b2b9e3ecc483343ba00d436c
Instruction ID: 7563bb8b3a34f558aba2453e47c1453ca71363c2200719ade2c3f76433b66ae5
Opcode Fuzzy Hash: 7f371003034c0f055e072d768ea5844d34429fc8b2b9e3ecc483343ba00d436c
Instruction Fuzzy Hash: 30D017E0A2C10CEB6674AAB954415B9F6ACA747220F8048569B4FC7E04DD61490083B3

Function 073BC2E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165617aea39b94045c38ade7c1f4c12ec357eae0e4f390eec9f18668c20924fc
Instruction ID: 529cfaa466a36294c713441d53d2bc487aab77eaa1b83480690a091580c11d1e
Opcode Fuzzy Hash: 165617aea39b94045c38ade7c1f4c12ec357eae0e4f390eec9f18668c20924fc
Instruction Fuzzy Hash: 31D0C9D595D78CEEEF3212A868652F83F6C2823601B4620A7D29F9DCA7850544D3C3B7

Function 073B9D88 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8441136b070806f9b28b970411af719109c2a36b1abd01b7b5461458ac19df38
Instruction ID: ab8a9d71bd3a0b753dfd224e82164a4eba8b54502ed345fbfb0e54456b646cd5
Opcode Fuzzy Hash: 8441136b070806f9b28b970411af719109c2a36b1abd01b7b5461458ac19df38
Instruction Fuzzy Hash: 10D0C7D727C508C3F578255B540D7F5715D5783314FD040AE530F45E56D912741181A6

Function 073B0DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb1038e74b58f069d065bdeeb21ee6073a46e62ea3ac29bc7e5989d8a433842
Instruction ID: c10b1e92d78910f177aef9ee2a8846edadb7fb4c1444f72bdd77b9070d4dceec
Opcode Fuzzy Hash: 5bb1038e74b58f069d065bdeeb21ee6073a46e62ea3ac29bc7e5989d8a433842
Instruction Fuzzy Hash: DDE01271910A0CDDCB54FF78D5045EE7BE8AB05210F00C53AE94D9A510F630D2D4CF90

Function 073B6680 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f60e2e579b8be7477c83ccf4a6676dfba2be8ea8fc3eae24842ffb659ada615
Instruction ID: 43a8a84486d385d06f6d3b9556f81e21db3d0c9aafa9de5ecd04c610cff8b8c5
Opcode Fuzzy Hash: 8f60e2e579b8be7477c83ccf4a6676dfba2be8ea8fc3eae24842ffb659ada615
Instruction Fuzzy Hash: 81D0C7A515D3C69ED3231670B40A1FBBF7C5987125F4504DBE5858DC53851954D48363

Function 073B20D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8745065991f2e024caebd4757925f9a30d155f067363372da2208dbc89d8bc05
Instruction ID: 2055ea6cb46225b5459ba3d117499b8321edaa3bc79bf51014365587116b24d3
Opcode Fuzzy Hash: 8745065991f2e024caebd4757925f9a30d155f067363372da2208dbc89d8bc05
Instruction Fuzzy Hash: C6D052387042098BA3082BBAA80A2FA36DEAB80A01351A024A60ECA681DE34D8418331

Function 073BC0A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf88beab48dab917be6537231f84c54a3f5fa50238ddd4d5c271b2886f34010c
Instruction ID: 49d8965d6bbe2932ee0e64caffffe1a86dc4639c523e4a4a5ec9503da37eecc8
Opcode Fuzzy Hash: bf88beab48dab917be6537231f84c54a3f5fa50238ddd4d5c271b2886f34010c
Instruction Fuzzy Hash: 3DC08CD023C20CCBB438A1AC28144F93A6D218B318F10B007E71F46D08CD02CC100AB3

Function 073BE318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2344077367f97316feb93b9932879a56bb73cfd38713b142ccb94771e635b302
Instruction ID: a023c254a5f505710caeb5cd4884dc9bc5d1c60e17babd130b422f2888a43196
Opcode Fuzzy Hash: 2344077367f97316feb93b9932879a56bb73cfd38713b142ccb94771e635b302
Instruction Fuzzy Hash: CEC08CB0042349CBE3242BD8A50F3A8BBAC5B00302F411010E50E804318FA85490C626

Function 073BBCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981ce0e2ecd6fed45cabf449a2eaf06b56052409f34480a7c8622df54db48b72
Instruction ID: ca5ec7fa4be0496dc4c47a5155fb7732b44838ec67b275ef9bd4d2da9f64f27e
Opcode Fuzzy Hash: 981ce0e2ecd6fed45cabf449a2eaf06b56052409f34480a7c8622df54db48b72
Instruction Fuzzy Hash: F5D012F2418150DFC301CB61ED96C887FF0BE0E300B04499AC0094B722D734E411CB41

Function 073BC2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75eeea8a67b4d6197609205cb81598f6b681408e444f7015157c570ecd350945
Instruction ID: 64dde9d9627d34b248db00ccfb22b96fc44c1b9f801adce80ae7e666711f785e
Opcode Fuzzy Hash: 75eeea8a67b4d6197609205cb81598f6b681408e444f7015157c570ecd350945
Instruction Fuzzy Hash: F6B012E803C20CC27D3421D8243A1F9361C3017A04F003013A31F3CC108901146140F3

Function 073B770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e64a16ac77378b0bf3c3ea3738a23172fe70cbdcc2df88b8e9f07f2ce9d8e97
Instruction ID: 0e993f8cbf002cf9757ba25529d1a3219796e68d359d43262364909f36582676
Opcode Fuzzy Hash: 5e64a16ac77378b0bf3c3ea3738a23172fe70cbdcc2df88b8e9f07f2ce9d8e97
Instruction Fuzzy Hash: 3DB012F52A8900E3B1106BA44C8997A6C90EBF6B01F80DD06370D20CA0C9714528D317

Function 073BB9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1d591efd93c5400884545417bc3de6233646fd049a6ec5e056c410df70b3fc
Instruction ID: 98d176b69658bd41a76328a536530d797cfb6de59079ecde281c0394dfd29046
Opcode Fuzzy Hash: 4a1d591efd93c5400884545417bc3de6233646fd049a6ec5e056c410df70b3fc
Instruction Fuzzy Hash: D0C04CF0B61219FFFB25CA61DE47DACF66EAB06B00F104520A74666998DB6045018640

Function 073B6690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6377c5687f67bb0e2f49ba32dedbd47b6cba7b72e11ea35a17cd4df0ed342d6b
Instruction ID: d7de9b9655d38d5afc71b91e072f3bef72d17e5b3aee15a00a6a4f387b7f751e
Opcode Fuzzy Hash: 6377c5687f67bb0e2f49ba32dedbd47b6cba7b72e11ea35a17cd4df0ed342d6b
Instruction Fuzzy Hash: 21A011E803820CEAA2282280A00F2BABB3C200E208F800000EA2E08C832A2A38200088

Function 073BA2B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2191318367.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f15a488d16d2860ca5a5a050a5f69a4c13a77201549fa9213d074f602d0c2f
Instruction ID: 1693cf7999cb1cbd522b311a1e3f4f00b22f94d6d30b8947817ad5d31c8efa94
Opcode Fuzzy Hash: 11f15a488d16d2860ca5a5a050a5f69a4c13a77201549fa9213d074f602d0c2f
Instruction Fuzzy Hash: 459002A6360941917114A1A18C07B755410D6F17043548452171960994C95090658137

Analysis Process: AtkzppDHiyvcIR.exePID: 5776, Parent PID: 5920COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.2%
Total number of Nodes:	37
Total number of Limit Nodes:	3

Executed Functions

Function 06161210 Relevance: 4.7, APIs: 3, Instructions: 160
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06161336
LdrInitializeThunk.NTDLL ref: 0616134F
LdrInitializeThunk.NTDLL ref: 06161368

Memory Dump Source

Source File: 0000000D.00000002.4606463663.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6160000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ca07d399c52e8e30b2d866583501ab16002e254f9222764180724cdd2581d30
Instruction ID: 0827f860766ef4586cd779d126d9860a60cb24bbc75f036af9a21ff35765454e
Opcode Fuzzy Hash: 9ca07d399c52e8e30b2d866583501ab16002e254f9222764180724cdd2581d30
Instruction Fuzzy Hash: D8519F34A01249DFDB54EF7AC9516AEB7F2BF89308F208529E405AB354DF759942CB80

Function 00FE2E7B Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 455
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FE3359

Strings

r, xrefs: 00FE32F2

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: r
API String ID: 2706961497-1812594589
Opcode ID: 21dc5ca5fa2147a79f0cbdf78e011addbf5db01c5d041e06c0b4a3d8f9c29aaf
Instruction ID: cc883e75c62c218e8f46e648260550920b808ff5e5c917836fc7f8cef04cf0ad
Opcode Fuzzy Hash: 21dc5ca5fa2147a79f0cbdf78e011addbf5db01c5d041e06c0b4a3d8f9c29aaf
Instruction Fuzzy Hash: 32E1C231F053864BDB14CABE8CD83AE72E76FC8324F598229DA55DB384EA749E016741

Function 00FE32D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FE3359

Strings

r, xrefs: 00FE32F2

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: r
API String ID: 2706961497-1812594589
Opcode ID: e977ba76935252e932a522422860153267431228e1a2c728cfafcc770ea3dae5
Instruction ID: 7bf318ff084517a747dfede88c912ec8a2e2e6692532626fe60ff68179653aa5
Opcode Fuzzy Hash: e977ba76935252e932a522422860153267431228e1a2c728cfafcc770ea3dae5
Instruction Fuzzy Hash: 8F2103B1D013499FDB10DFAAD984ADEFBF5FF48310F20842AE519A7250D775A910CBA1

Function 00FE3397 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FE3359

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 81eaa453e7aff06e96fffcb86abebfe0d65b3d2519dfd71494eb570aecce473e
Instruction ID: 2a2c08eb35ea630eb1f1adfe48b8350dad4ada97e757e1daf70e968c8aaae631
Opcode Fuzzy Hash: 81eaa453e7aff06e96fffcb86abebfe0d65b3d2519dfd71494eb570aecce473e
Instruction Fuzzy Hash: 9111DF768083898FDB12DF7AD804B9EBBE1AF45310F18849AE085D71A2DB754805DB61

Function 061611E5 Relevance: 4.6, APIs: 3, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06161336
LdrInitializeThunk.NTDLL ref: 0616134F
LdrInitializeThunk.NTDLL ref: 06161368

Memory Dump Source

Source File: 0000000D.00000002.4606463663.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6160000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b5abf9afe5e147efa0239052b36fff5807b0482149387bc5c13ce8ff8695074
Instruction ID: 1313731223306b4d8a29c69dc92ec8d6f41bf6b668da58ec232cc1497d64a842
Opcode Fuzzy Hash: 8b5abf9afe5e147efa0239052b36fff5807b0482149387bc5c13ce8ff8695074
Instruction Fuzzy Hash: 4B518E34A01785CFCB15DF7AC95169DBBF2BF8A308F248169E005EB366DB74A846CB50

Function 0616141D Relevance: 4.6, APIs: 3, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06161336
LdrInitializeThunk.NTDLL ref: 0616134F
LdrInitializeThunk.NTDLL ref: 06161368

Memory Dump Source

Source File: 0000000D.00000002.4606463663.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6160000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 337b6cd135b2da8fa9ab90aeb464ac3787c33a39e9107c9fe0e9d22e6f79c212
Instruction ID: a594918be9042dca5e6d26614c6f9b4ae717e72434c9bd6531452c25228fb34a
Opcode Fuzzy Hash: 337b6cd135b2da8fa9ab90aeb464ac3787c33a39e9107c9fe0e9d22e6f79c212
Instruction Fuzzy Hash: F6212738A00219DFDB54DF6AC996AADB7B1BF49309F248469E506EB361CB34EC41CF50

Function 00FEAE38 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FEAEC7

Strings

r, xrefs: 00FEAE5F

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: DuplicateHandle
String ID: r
API String ID: 3793708945-1812594589
Opcode ID: efade402309e14b04b20631573ee258c2b7a0aff189eaed11ac2f366a1504605
Instruction ID: 28f943bf89c4c5e4e19373e319189b90e3e45a552abc9b22adaf25d2972639a7
Opcode Fuzzy Hash: efade402309e14b04b20631573ee258c2b7a0aff189eaed11ac2f366a1504605
Instruction Fuzzy Hash: 802103B5800249DFDB10CFAAD484ADEFFF4FB48320F14842AE918A7210D378A955CFA1

Function 00FEAE40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FEAEC7

Strings

r, xrefs: 00FEAE5F

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: DuplicateHandle
String ID: r
API String ID: 3793708945-1812594589
Opcode ID: 6dede4c3f7f27e25c0b0c05c605ff23910c9649403302ddde024f6ac24c138a9
Instruction ID: ba6bc6ba4c3c8c0ab2d612d8b0c75f54765cdbf916e314e20f52c4cfc4c2541c
Opcode Fuzzy Hash: 6dede4c3f7f27e25c0b0c05c605ff23910c9649403302ddde024f6ac24c138a9
Instruction Fuzzy Hash: B521B3B59002499FDB10CFAAD984ADEBBF4FB48320F14841AE918A3250D379A954CF65

Function 00FE3748 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(00F445D0,00000000,?,?), ref: 00FE52F3

Strings

r, xrefs: 00FE5292

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: HookWindows
String ID: r
API String ID: 2559412058-1812594589
Opcode ID: 63f61b2cd1d04717fd1274c40d03794ef8f180da367a7f09d90b2b6c064de991
Instruction ID: 660547b1aa585c230da407df99a35edc9ad52f02ff2141eafda968b2847cfe3b
Opcode Fuzzy Hash: 63f61b2cd1d04717fd1274c40d03794ef8f180da367a7f09d90b2b6c064de991
Instruction Fuzzy Hash: 842134B1D006498FDB10DFAAC844BAEBBF5BB88724F108429E519A7250D7B4A944CFA1

Function 00FE5270 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(00F445D0,00000000,?,?), ref: 00FE52F3

Strings

r, xrefs: 00FE5292

Memory Dump Source

Source File: 0000000D.00000002.4583611807.0000000000FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fe0000_AtkzppDHiyvcIR.jbxd

Similarity

API ID: HookWindows
String ID: r
API String ID: 2559412058-1812594589
Opcode ID: 33515335e633dfc8f0d98206577625e5689bc88abc1f28bb5b7a931b1e36acf1
Instruction ID: 0ed780ea9196a1a19a3d107bf401b75a70d9ce6cca2aa32e88029a66a9498c50
Opcode Fuzzy Hash: 33515335e633dfc8f0d98206577625e5689bc88abc1f28bb5b7a931b1e36acf1
Instruction Fuzzy Hash: 3D213775D002498FDB14CFAAC844BDEFBF5BF88720F108419E419A7250D7B4A944CFA1

Function 00F4D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4583065091.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f4d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c4ef3923dde868de9c7107107d8e39fabeb203ef21cecee6c2aff571ea462c
Instruction ID: 6129b94f03b9679e0b44aec3851d53f9741aeb4e3247fc809561da8de4f619db
Opcode Fuzzy Hash: 13c4ef3923dde868de9c7107107d8e39fabeb203ef21cecee6c2aff571ea462c
Instruction Fuzzy Hash: DD210476504244EFEB04DF14D9C0B26BFA5FBC8324F20C56DED0A4B292C77AD846DA61

Function 00F4D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4583065091.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f4d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455b26e31f4f4b7469a0437039234c3aab0c30e50d3adbc249967aed12e2e4e6
Instruction ID: 06440f6e0868a017e6d45fb5308097afe0af5c58f33169bec0b32f861724d604
Opcode Fuzzy Hash: 455b26e31f4f4b7469a0437039234c3aab0c30e50d3adbc249967aed12e2e4e6
Instruction Fuzzy Hash: 0521F272A04300DFDB24DF28D5C0B26BF65EB84728F20C56DDD0A4B35AC776D846DA61

Function 00F4D005 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4583065091.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f4d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c742d2b2c480bc8993102d2674a7f08d969587ea26bc686c0a7f4877e8dc8b
Instruction ID: 70437ad9510205b165e691f7cdd0bbcc5c55a7a5c079e5a9e0dc2b1a4523e5c3
Opcode Fuzzy Hash: 77c742d2b2c480bc8993102d2674a7f08d969587ea26bc686c0a7f4877e8dc8b
Instruction Fuzzy Hash: 382162759093C08FCB16CF24C590715BF71EB46314F29C5EAD8498B6A7C33A984ACB62

Function 00F4D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4583065091.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f4d000_AtkzppDHiyvcIR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 932b9d2edffec259664fd2b3af6e996cbb84e2b99666495e49a28aa4af75af91
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 87119D75904284DFEB05CF10D9C4B15BFB1FB84328F24C6AADC494B656C33AD85ADB61

Analysis Process: NotepadUpdate.exePID: 3840, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	5

Executed Functions

Function 0148D570 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D5FE
GetCurrentThread.KERNEL32 ref: 0148D63B
GetCurrentProcess.KERNEL32 ref: 0148D678
GetCurrentThreadId.KERNEL32 ref: 0148D6D1

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5b22dcba016446f62989cbe4d9ff996176ca2ba416435a7f8ead759321d4a019
Instruction ID: f6265fbbd13b0337f8f1dacfcd760c280dc49700665743dbbf201914d877e95a
Opcode Fuzzy Hash: 5b22dcba016446f62989cbe4d9ff996176ca2ba416435a7f8ead759321d4a019
Instruction Fuzzy Hash: 935163B090134ACFDB04DFA9D548BAEBBF1EF88318F20845AE019A73A0DB745944CB65

Function 0148D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D5FE
GetCurrentThread.KERNEL32 ref: 0148D63B
GetCurrentProcess.KERNEL32 ref: 0148D678
GetCurrentThreadId.KERNEL32 ref: 0148D6D1

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6fcd41e63b729d7bc3999dc3211172c06f16db174f0b0fe354c228c75eee684f
Instruction ID: 75672e0a393cec36484f907d5cec03377441255c807a000100f2c144e74ce7fa
Opcode Fuzzy Hash: 6fcd41e63b729d7bc3999dc3211172c06f16db174f0b0fe354c228c75eee684f
Instruction Fuzzy Hash: B65143B0D0124A8FDB14DFA9D548BAEBBF1EF88318F20845AE119A73A0DB745944CB65

Function 07C15CDC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C15F1E

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3fbf13d1cf495ab8cea830d83ce3e87ffb91a03e2693675aafe11dd9f084410b
Instruction ID: c73ffcd7e7aaf369a36dc3785d06f97eab558d0eceafb2cbc8bf79a5b82d7565
Opcode Fuzzy Hash: 3fbf13d1cf495ab8cea830d83ce3e87ffb91a03e2693675aafe11dd9f084410b
Instruction Fuzzy Hash: 9A917EB1D0021ACFDB14DF68D9817DDBBB2BF89314F1481AAE818A7240DB749A91DF91

Function 07C15CE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C15F1E

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 51d66c8abe6f4fc27cfd74f3938c5972bb1b600e5ba0a9719abaaf3ae4432e8b
Instruction ID: 5d8a423b4c6729cb240e23087fc6b290730529e6235ffc2c4e2ff3aa45df4cb8
Opcode Fuzzy Hash: 51d66c8abe6f4fc27cfd74f3938c5972bb1b600e5ba0a9719abaaf3ae4432e8b
Instruction Fuzzy Hash: 46917EB1D0021ACFDF14DF68D9857DDBBB2BF89310F1481AAE818A7240DB749A91DF91

Function 0148B300 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148B566

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d95d64a789385d495fbf4c0fb862b275c36a12268b80d0510b1dd7e1f3a01dbe
Instruction ID: e49e1dcd646087854f05d05b31e53769486743419199fb8afdaba0ef430d7ef1
Opcode Fuzzy Hash: d95d64a789385d495fbf4c0fb862b275c36a12268b80d0510b1dd7e1f3a01dbe
Instruction Fuzzy Hash: 51811270A00B068FD725EF6AD44576ABBF1FB88204F108A2ED486D7B61D774E849CB91

Function 0148590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 496edf8d751fc8ce5ff8795d9525b574815b5f712b66eaf3a621a02b5d0a73c8
Instruction ID: 410c0d19ba8aada914d3dd79cb1e2aa6cff57b3c9b5f895c704c7eadace4f77a
Opcode Fuzzy Hash: 496edf8d751fc8ce5ff8795d9525b574815b5f712b66eaf3a621a02b5d0a73c8
Instruction Fuzzy Hash: 5141B070C00719CBEB24DFA9C9847DEBBB5BF88704F20815AD408AB251DB755945CF90

Function 014844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ae583d575df30d6aef73c46baac17e6a99807c0154ae23685b6ff6038369c2db
Instruction ID: 78a81e2c9ea3943e17ef5dc69560b5b5ff0d907e49e9169a71d49dc24d891107
Opcode Fuzzy Hash: ae583d575df30d6aef73c46baac17e6a99807c0154ae23685b6ff6038369c2db
Instruction Fuzzy Hash: B041D2B0C0071DCBEB24DFAAC98479EBBB5BF89704F20805AD408AB251DB75A945CF90

Function 0632EFC2 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0632F05F

Memory Dump Source

Source File: 00000014.00000002.2346986281.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6320000_NotepadUpdate.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e3509f5459504fda2d8bb7de2a91475008f71e9146b2046e84ee1f4ea514965a
Instruction ID: 50226c832909839f2751d363bf2ef9a082a46678811d5116502fadf801f04724
Opcode Fuzzy Hash: e3509f5459504fda2d8bb7de2a91475008f71e9146b2046e84ee1f4ea514965a
Instruction Fuzzy Hash: 2531C0B5D0021A9FDB10CF9AD884ADEBBF5FB58320F14842AE919A7210D775A944CFA0

Function 07C15A59 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C15AF0

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 54ba291399d32aa711b4a600b609ff746424f47ca6a4d845ad5fd4bc1ebec807
Instruction ID: 7afcdf50afa3e46b66ddbebdc8df187d63a168ea4827fe88cb3c03db3c5f9753
Opcode Fuzzy Hash: 54ba291399d32aa711b4a600b609ff746424f47ca6a4d845ad5fd4bc1ebec807
Instruction Fuzzy Hash: 7A2148B19003599FDB10CFA9D881BEEBBF5FF88310F10842AE918A7240D7789950CBA5

Function 0632EFC8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0632F05F

Memory Dump Source

Source File: 00000014.00000002.2346986281.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6320000_NotepadUpdate.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 85ca913fd53771ce3c899031b59151b3f80875231c754200b798cce1a88e0ef0
Instruction ID: a08df54c94c1f420798dff5fab4710b3905d6e557acaf29d6a81653527efba7c
Opcode Fuzzy Hash: 85ca913fd53771ce3c899031b59151b3f80875231c754200b798cce1a88e0ef0
Instruction Fuzzy Hash: 5321A0B5D0021A9FDB10CF9AD884A9EFBF5FB48320F14842EE919A7210D775A944CFA0

Function 07C15A60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C15AF0

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bf9e54a030ea08df9a484da9a75b4daef899bd8c6980d280f9f975234d3f9fe0
Instruction ID: 466f1c0b896cd68c0962133cd22b7576f93ba8ab122b20ece53b4a6ad213a2d3
Opcode Fuzzy Hash: bf9e54a030ea08df9a484da9a75b4daef899bd8c6980d280f9f975234d3f9fe0
Instruction Fuzzy Hash: 1B2128B19003599FDB10CFA9C881BDEBBF5FF88310F10842AE919A7240D7789550DBA4

Function 07C15B48 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C15BD0

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38a3387f26ead845fc311c06cd158d68be1682fef705eb0e4522e467a1d841f0
Instruction ID: e8382e54d6bb1959692f2ae70d56bd2081704a2c388f10bf8ebab78091805474
Opcode Fuzzy Hash: 38a3387f26ead845fc311c06cd158d68be1682fef705eb0e4522e467a1d841f0
Instruction Fuzzy Hash: F72139B18003499FDB10DFAAD881ADEBBF5FF48320F10842AE918A7240C7789950CBA1

Function 07C193B0 Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C1937D

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 504a357677833402dd5540dbe799ab38d9ea2b6d96253a2d2bc5d025d0e7fc7d
Instruction ID: bd9984233dfe379a41fd0ee8d35d3eb725913ba4e1a86cc795f1e3cc1450156d
Opcode Fuzzy Hash: 504a357677833402dd5540dbe799ab38d9ea2b6d96253a2d2bc5d025d0e7fc7d
Instruction Fuzzy Hash: 582105F6D002A58BDB11DFA4E5543EEBBF0AF46300F548479C446B7281C7396A00DBA0

Function 07C158C0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C15946

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d8f1f44dfc006e48244733f18651775be33a8155edc54e1c90d7b9db51617a8b
Instruction ID: 01c9cab5de5b1d4f4fdb83fadb78427bfa8af1d2ef236b9ec56246b556652017
Opcode Fuzzy Hash: d8f1f44dfc006e48244733f18651775be33a8155edc54e1c90d7b9db51617a8b
Instruction Fuzzy Hash: 5F216AB190030ACFDB10DFAAC5817EEBBF0AF88320F14842AD558A7280D7789945CF91

Function 0148D7C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D84F

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1636d88da3c336c35222add417b84690161f3e4ab8f0218626001d79c01cf8af
Instruction ID: 9ae66a7d87d80fce823129caf98072378a49a0a33a09bd2a745259c73cdf239f
Opcode Fuzzy Hash: 1636d88da3c336c35222add417b84690161f3e4ab8f0218626001d79c01cf8af
Instruction Fuzzy Hash: 1021E3B5D10209DFDB10CFA9D984ADEBBF4FB48320F24841AE918A3350D378A955CF64

Function 07C15B50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C15BD0

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 47014626b20898eef1f48c715db0a9f4f0d623d442614e9600cfdee87a3642d7
Instruction ID: a17dc3eae414b9a678c2a2468bebf24dc655f8175a2187dee599e8cc7242bed0
Opcode Fuzzy Hash: 47014626b20898eef1f48c715db0a9f4f0d623d442614e9600cfdee87a3642d7
Instruction Fuzzy Hash: 6B2128B19003499FDB10DFAAD881BDEFBF5FF88320F10842AE918A7240D7789510DBA5

Function 07C158C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C15946

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e036a0902f8c0a3686c2149a7a1e45979242ef1748e74da7ea289eba60726fbc
Instruction ID: aafc3f9d72ababb355be7b0c9beadf8b98b03fc19e404ba533a34aae050253f1
Opcode Fuzzy Hash: e036a0902f8c0a3686c2149a7a1e45979242ef1748e74da7ea289eba60726fbc
Instruction Fuzzy Hash: 462149B1D0030A8FDB10DFAAC4857EEBBF4EF88320F14842AD559A7240DB789945CFA5

Function 0148D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D84F

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8ff671d8743e1b5ef70c7e726de9771c6675806e9578092f76c9b53981534b61
Instruction ID: 7c8a9aa6341617fa713d5b2fbcb1a6ddd72aadaac6ed22ab6fb987ce737d10c5
Opcode Fuzzy Hash: 8ff671d8743e1b5ef70c7e726de9771c6675806e9578092f76c9b53981534b61
Instruction Fuzzy Hash: A021B3B5D01249DFDB10CF9AD984ADEBBF5FB48320F14841AE918A3350D374A954CF65

Function 07C15998 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C15A0E

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea99f183e15594ee79bcd852eba41f3726a856c0f3d25ab5634e22621eda4157
Instruction ID: 4034a6684a5e02bd28c682e965a60615eb4eb2c292b2eb587a25ad6e9496fbff
Opcode Fuzzy Hash: ea99f183e15594ee79bcd852eba41f3726a856c0f3d25ab5634e22621eda4157
Instruction Fuzzy Hash: 291189B28002499FDB10DFAAD841BEFBFF5EF88320F108819E519A7210C7759950CBA1

Function 07C159A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C15A0E

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 619b11032d989400a62ccc486d26f34d298fa50d5181c56e16be264e37610a31
Instruction ID: 14d0bf292d8732c9cec8b73321ee7ecfd845e188571fda3151a1eaf5cae71937
Opcode Fuzzy Hash: 619b11032d989400a62ccc486d26f34d298fa50d5181c56e16be264e37610a31
Instruction Fuzzy Hash: 481126B29002499FDB10DFAAD845BEEBBF5EF88320F248819E519A7250C775A550CBA1

Function 07C15811 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C1587A

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5358be7a96c68198ce3fdf402170bf94daee3e42ac13d507618719a9d47c23b6
Instruction ID: 0a2a33910062ab785202f53c7572a86441692ca47c4afe44065abbdce0cb4c97
Opcode Fuzzy Hash: 5358be7a96c68198ce3fdf402170bf94daee3e42ac13d507618719a9d47c23b6
Instruction Fuzzy Hash: 94115BB1D003498FDB20DFAAD4457DEFBF4AF88324F248429D519A7240CB75A940CB95

Function 07C15818 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07C1587A

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8e7c6092727aae53b10ca31a786bd11bc38716b224cdca52fd4da102f223aac3
Instruction ID: 4068ab680365be2194ba282431c5de7dc03bf4cfe02ff5745e90ead1c8a498bd
Opcode Fuzzy Hash: 8e7c6092727aae53b10ca31a786bd11bc38716b224cdca52fd4da102f223aac3
Instruction Fuzzy Hash: 08113AB1D00349CFDB10DFAAD44579EFBF5EF88724F248429D519A7240CB75A540CB95

Function 0148B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148B566

Memory Dump Source

Source File: 00000014.00000002.2324644515.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d0019b62b6ae435bb903b53de197e299c299c9b2c5bdbebaac19c66b6ce8c00
Instruction ID: 240a9bc6a74457c91a8d997fa9d6cc24cdee87ed3ee7f71c3802ec47889b0d50
Opcode Fuzzy Hash: 4d0019b62b6ae435bb903b53de197e299c299c9b2c5bdbebaac19c66b6ce8c00
Instruction Fuzzy Hash: 4311DFB6C006498FDB10DF9AD444A9EFBF4EB88724F10841AD929A7210D379A545CFA5

Function 07C126FC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C1937D

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5d50b71514509657f6ef00625827ed3ffef4f4aaabe26cc356457f97c13f30fe
Instruction ID: 7716da0709b3e2509decaa2c099b868f067b393d43fae2b7c07829e802ae654a
Opcode Fuzzy Hash: 5d50b71514509657f6ef00625827ed3ffef4f4aaabe26cc356457f97c13f30fe
Instruction Fuzzy Hash: E411F5B5804349DFDB10DF9AD445BDEBBF8EB49320F208419E518A7250D375A944CFA1

Function 07C1931A Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07C1937D

Memory Dump Source

Source File: 00000014.00000002.2348316914.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7c10000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 15b4a2b25810b68cc61d9dfc016d0f2867c9aceb9be3fa11da2e5e6a3b1b7457
Instruction ID: dfb33a4824f82f1c9b88394cd592d880d4c58f2c2a150261174584b316195b98
Opcode Fuzzy Hash: 15b4a2b25810b68cc61d9dfc016d0f2867c9aceb9be3fa11da2e5e6a3b1b7457
Instruction Fuzzy Hash: 7411F5B58003499FDB10DF9AD545BDEBBF8EB48320F10841AE518A7650D375A944CFA1

Function 093817E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

i , xrefs: 093817E5

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-1992214396
Opcode ID: fae500d100b7315735fc3e969b7eca40e59484f9f4f151ab7098a7053ac806ab
Instruction ID: 075b55402ee843855dfe7e011df494e309bc4ab98121007324d858858404c164
Opcode Fuzzy Hash: fae500d100b7315735fc3e969b7eca40e59484f9f4f151ab7098a7053ac806ab
Instruction Fuzzy Hash: 0A31C035A093059FCB25AFA4D84AAAB7BBAAF89300F144069E406D7391CE34CD46CF91

Function 0938837F Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

8, xrefs: 09388413

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: da80d3094b44c0352a126a0bf4adca7a37bb73d3604fdd3d68e4badececdf6da
Instruction ID: a008c227ae2142da20cad1e5e493e78a6c037b6a36d4ea095af21c8d5f671cdd
Opcode Fuzzy Hash: da80d3094b44c0352a126a0bf4adca7a37bb73d3604fdd3d68e4badececdf6da
Instruction Fuzzy Hash: 58F0F634B0234DDFEB246F64C80437F3735FB00340F504022E4669A952DAB4C8418FA2

Function 0938839F Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

8, xrefs: 09388413

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 20057540e0053c796ac7e6b83395ef6435dd37494dd479556e59da926f70eb7e
Instruction ID: 1c204f83e618ec305a83b55ac0dbc46ca818a95723344f1388949e50f34de687
Opcode Fuzzy Hash: 20057540e0053c796ac7e6b83395ef6435dd37494dd479556e59da926f70eb7e
Instruction Fuzzy Hash: 7FF0FC31742305DBEB206A10CC567AA7371FB10704F548862EC169F681E7E08C90CF92

Function 09386D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 09386D34

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 044ef22b86191a849d7116010adc7e65349678ef8b1453a9e21e3290aac1ca86
Instruction ID: 58ef8971b0e4841eab0534223eb8931120634d740f2426290e57784753895cd3
Opcode Fuzzy Hash: 044ef22b86191a849d7116010adc7e65349678ef8b1453a9e21e3290aac1ca86
Instruction Fuzzy Hash: F0C08CB140820CEBC704EF80DA0663EB7BDF780348F000085D90E47A01DF711F149E82

Function 09383478 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b7c5e951583a3be14b1aab4a1ae10c3ae3b80d20b83f142b3fbe6c81f5a472
Instruction ID: a8ccbd967240dcd670eeefd1d18d91a049fb9be30f4261e1337f4a443f190a0b
Opcode Fuzzy Hash: 00b7c5e951583a3be14b1aab4a1ae10c3ae3b80d20b83f142b3fbe6c81f5a472
Instruction Fuzzy Hash: C2D1CCB1B01205DFCB15BF68C4486AFBFB6EF84B40F5144A9E442A73A5EA30C865CF81

Function 09380480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f4e0ee48b095a5493aebd44f323f681ea621cc0e90aebe7cbe9db3ce66cbdb
Instruction ID: ff672de84f828b9e95cf6406feb6d6be0df4d3caf17295527014c9181616afda
Opcode Fuzzy Hash: b5f4e0ee48b095a5493aebd44f323f681ea621cc0e90aebe7cbe9db3ce66cbdb
Instruction Fuzzy Hash: 36F1C831D1061A8FCF14DFA8C854AEEB7B5BF58300F1086A9E459B7254EB74AA85CF90

Function 09380471 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3bf8d7a6c9d0211c33a9fa14d8fb2e95b80f1560fe07e639ca83ffd75af6b5
Instruction ID: 642bb9ddd9816e7b4a94a885c90151d1d0cc029f8429b783d044461a19e57821
Opcode Fuzzy Hash: 5a3bf8d7a6c9d0211c33a9fa14d8fb2e95b80f1560fe07e639ca83ffd75af6b5
Instruction Fuzzy Hash: 02E1C931D1061A8FCF14DFA4C8546EEB7B5BF58300F1086A9E459B7254EB74AA89CF90

Function 09382AD8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fc7d4e0fced6516050e931f2638662b1cf6df7f6c5501b4f813344ddb661ea
Instruction ID: a021e6fd460acd58719b78f3043f20add7e4366da43e713c4e1045090bb3802e
Opcode Fuzzy Hash: 10fc7d4e0fced6516050e931f2638662b1cf6df7f6c5501b4f813344ddb661ea
Instruction Fuzzy Hash: 6D71BD74A002158FDB14EF69D9087AFBBF6EBC8350F148429E815A7380DB389D05CFA5

Function 09382D98 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075db18ea69fca44c383975591f261ed87609a8a8b39a088ff08b4aae3923c9e
Instruction ID: 5048847232a5425ca8b0128a736753424caca852f54441a1f70f410ffbb56cbf
Opcode Fuzzy Hash: 075db18ea69fca44c383975591f261ed87609a8a8b39a088ff08b4aae3923c9e
Instruction Fuzzy Hash: DF71AD316003059FDB24EF69D854BAFBBA6EFC8740F14842AE9169B694CF74AD41CB90

Function 0938ED18 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a0e6ef53718adb984326e34d9d5fcda3201fd6d5225caa855c001868c3a019
Instruction ID: cbd2bdf11204c8aa80ed724c3831654084eceedce87471d8376e5951f4ca5c3b
Opcode Fuzzy Hash: 20a0e6ef53718adb984326e34d9d5fcda3201fd6d5225caa855c001868c3a019
Instruction Fuzzy Hash: 8E710575E05218CFCB14EFA9C8846EEBBBAFF89300F108429D419AB354D7306946CF50

Function 093877C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b820b5980a0446230fc03755b4fb4f3dd9b0f6a44447b03a365e5da0951089e4
Instruction ID: e5b4bef1f8d03de955736a1c5c0f94a67718f125a7615ac56a7ac2433090f11a
Opcode Fuzzy Hash: b820b5980a0446230fc03755b4fb4f3dd9b0f6a44447b03a365e5da0951089e4
Instruction Fuzzy Hash: D7619035B012499FD704AF64D444AAEBBB2FF88300F1489A9D9965F386CF716D46CBC2

Function 09380C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6083b4aaf2a02f0ba2b9e7fd20d05d8465963fe055ad25713d1f9f97d92397
Instruction ID: 864da6a40a954afa7019a07bc522112a9d541ebcf12c99586ec239a81400882e
Opcode Fuzzy Hash: ac6083b4aaf2a02f0ba2b9e7fd20d05d8465963fe055ad25713d1f9f97d92397
Instruction Fuzzy Hash: 47512E35A10609CFCB54EFA8C8848EDF7B5FF89310B108669E416B7354EB34E989CB90

Function 09381800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204086902b974894801d64591f751481a9fd8dde16813de9b2979ce13cecf229
Instruction ID: 0200916d0ae44523b59f0c6efa6562a69acc186f5c0544c32f2454a39b3ac424
Opcode Fuzzy Hash: 204086902b974894801d64591f751481a9fd8dde16813de9b2979ce13cecf229
Instruction Fuzzy Hash: 90416A30A15305CFDB18EFA8D449AAEBBB6EF84300B148469E806E7291DE30DD42CB91

Function 09380E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7cd691305a42297f853715e0d2c41df7e447acddd55ba06aa3c564e643cf6
Instruction ID: c4246d7d7c53a74f615d61aa776d7671ee0576bc7ea9921c9a57b7d11e8c0dc5
Opcode Fuzzy Hash: e6f7cd691305a42297f853715e0d2c41df7e447acddd55ba06aa3c564e643cf6
Instruction Fuzzy Hash: 2C518731A10609DFCB04EFA8D8849EEF7B5FF89304F00815AE515AB325EB71A949CB91

Function 09380C2A Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb93a9c96afd5f17f8b949eae51f7152ee589e386b1682e7209c02939b18bda8
Instruction ID: 520ac0c67e6e898d839a797d522bd82cf0dd10527c1795c36f8c756484fead61
Opcode Fuzzy Hash: fb93a9c96afd5f17f8b949eae51f7152ee589e386b1682e7209c02939b18bda8
Instruction Fuzzy Hash: D7413F35A0070A8FCB54EF68C8845EDFBB1FF89310B148659E456AB355DB34E989CB90

Function 09386AFC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a516b9773201b142ae146f44a933c10b0b491ce97803bdd06eb2f6a1e5e0f38
Instruction ID: 7cf1038ade3dfe8e84e4fa370da1c59042682943f2112ed4407505dc1f261e5c
Opcode Fuzzy Hash: 2a516b9773201b142ae146f44a933c10b0b491ce97803bdd06eb2f6a1e5e0f38
Instruction Fuzzy Hash: C2410339604204CFD745EF68D05A66BB7F9EB8932CF14846AC016AB781CB7A9C42CF91

Function 09381198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4067ab5e5a5518b6786261db675d468782789c32db750698fd42ff6bb2dd7af
Instruction ID: 7f876731717bd57c5cae42bea40c8e3ada7210e2a952c617d561d0abd312a293
Opcode Fuzzy Hash: b4067ab5e5a5518b6786261db675d468782789c32db750698fd42ff6bb2dd7af
Instruction Fuzzy Hash: 03314F71A10219DFDB14AFA8D8449AEBBB6FF88301F10816AE905A7260DB709C45CB91

Function 09389250 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e407fede6b229d7aba7d0f723159e021996938044efc9a87cca1d992e3b85e9a
Instruction ID: 8dcd760137cb883cf09d7b51018a2f4aeec3cc7027f0a9ef504f5e3bd52a652b
Opcode Fuzzy Hash: e407fede6b229d7aba7d0f723159e021996938044efc9a87cca1d992e3b85e9a
Instruction Fuzzy Hash: 8631BB35A0430ADFDB04BBA4C45477F77B9EBC8390F60405AD543AB785DBB549028FA2

Function 09382D88 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03daa21bcaa1145fe5142bfe3e5e6f282e57a995a1e5859f8408ea49616610ee
Instruction ID: e3d456f1cd7345dfe694cd4069b330c8257082dc66a4eae270025fa885412d86
Opcode Fuzzy Hash: 03daa21bcaa1145fe5142bfe3e5e6f282e57a995a1e5859f8408ea49616610ee
Instruction Fuzzy Hash: 76317270A01205AFDB14EF65C854BAFBBF6EF88340F108529E856AB690DB75DD44CF90

Function 0938A2E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55eb8b9ac6122380471cab2b1e120c40686d21df3eafd23527cdb8f8ac3374f7
Instruction ID: 986d9e7c295751de6e76ca5b8e59468a10c57cf238c12b33f53493e47dbd2da3
Opcode Fuzzy Hash: 55eb8b9ac6122380471cab2b1e120c40686d21df3eafd23527cdb8f8ac3374f7
Instruction Fuzzy Hash: 123124B69003099FCF14DFA9D884A9EBBF6EB48310F10846AE909E7210D775A945CFA0

Function 0938C15B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785ff8fd1d71c9f3375e4597bb7abdfaa7c8ca064c7fea6c812c28315fd38cfd
Instruction ID: 8d3ecd22b220124c335442942f3881b8ccd30d731571c7f5b27d67b5c1726746
Opcode Fuzzy Hash: 785ff8fd1d71c9f3375e4597bb7abdfaa7c8ca064c7fea6c812c28315fd38cfd
Instruction Fuzzy Hash: E531C432A0C354CBCF10AAEC8880677B778EB45390F04A167E5D6C6AC5C7349A018FB2

Function 093822F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cda0a3aec31f8d854972d5d0ea4d0bb19fd2b9574be7925afee22bb564d784
Instruction ID: 10108315da163ed96a0a6ba149defd461b722f57060154ebd466067b457e8329
Opcode Fuzzy Hash: 10cda0a3aec31f8d854972d5d0ea4d0bb19fd2b9574be7925afee22bb564d784
Instruction Fuzzy Hash: F9319F313043008FE758EF69D8D4A6B77E6FBC8360F158469EA19CB365DB70AC058B60

Function 0938C308 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79d80fb9ad89f72b7ca1017e5a01c7e5893d1f76de6a7e8e21a1aa765aecc73
Instruction ID: 222901b523a4134985542340d3270aed37848553d8faee6fd0bfe6c8d8ffdd57
Opcode Fuzzy Hash: a79d80fb9ad89f72b7ca1017e5a01c7e5893d1f76de6a7e8e21a1aa765aecc73
Instruction Fuzzy Hash: 4821E631709304DBD7167A29880267B776ABBC1794F64A066D0874BA95CAF9CC438F72

Function 0938C460 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a95112b991c0d02f64293c87f54d62bfdddecc56ec54c187c98c96ab7607633
Instruction ID: 7d4f4d8cf2087ec79c7cbfa67c39abd083aed616be8881345364995b0930cb5a
Opcode Fuzzy Hash: 7a95112b991c0d02f64293c87f54d62bfdddecc56ec54c187c98c96ab7607633
Instruction Fuzzy Hash: 2B31A532E18704CBCB55AA6AC4506BBB778EB49390F106167E182C7B51C374E9C0CFB2

Function 09386568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e68202b27d29a2300418b552ab4650de6f39e26214f07e8f94920d560cac18
Instruction ID: ecd862501371f01598b078e674080cbe90a021c04fa80475dbc777443a837997
Opcode Fuzzy Hash: b0e68202b27d29a2300418b552ab4650de6f39e26214f07e8f94920d560cac18
Instruction Fuzzy Hash: A73107B5E1024ADFCB00EFA8D9455EEBBF6EB88314F104469D505F7240EB349A408FA0

Function 09386C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21c681b441c83f910b588463d126cd256020b60dbd9dc9738558051a85b53ae
Instruction ID: 0a3df9a5cad4175554d49c672d0aea643f5ef47b64108f4b3743934ac352ca3f
Opcode Fuzzy Hash: c21c681b441c83f910b588463d126cd256020b60dbd9dc9738558051a85b53ae
Instruction Fuzzy Hash: 6331CE39604204CBD744EF68C45A76B77FAEB84318F14886AC116AB741CB76AC46CF80

Function 09380FC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee08280685434314bef84184c593688c373b1bc3665cb1142c98037772163c9
Instruction ID: cf30c77a14f2afbf0e9c425c14c5c9fe630a68518f0f13df0f797b99397f30a5
Opcode Fuzzy Hash: 8ee08280685434314bef84184c593688c373b1bc3665cb1142c98037772163c9
Instruction Fuzzy Hash: 36318831A10649CFCB00EFA8C8908DDFBB1FF89300F018699E5056B265FB30A989CB91

Function 09380FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6ac4a66004b730f53ca6c49b010d7d9de5abf5f99d2fa113b00e088da4e4e5
Instruction ID: 4e37c30163c1cec41ccafda34527414f9b080fb1a65edb4bff8006684f8aa0e3
Opcode Fuzzy Hash: 6f6ac4a66004b730f53ca6c49b010d7d9de5abf5f99d2fa113b00e088da4e4e5
Instruction Fuzzy Hash: 7E312F31A10619DFCB04EFA8C894CEDFBB5FF89310F018659E5156B264FB70A989CB91

Function 093829E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab2247cfef5a5dc867ec1c103fa12bf69449bb0823edabb6926153ac7a44199
Instruction ID: efda83068d8294d58127173375f8e675bdd683d849e423173fc0d4129d9a6195
Opcode Fuzzy Hash: 2ab2247cfef5a5dc867ec1c103fa12bf69449bb0823edabb6926153ac7a44199
Instruction Fuzzy Hash: 72215C75700205DFDB20EFA4EA48BABBBB5FF48381F104429E92997241DF78D806CB91

Function 09380290 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736c546bb35434431470faaad4ef8f735914b607be57c11a5157e02ae54451e4
Instruction ID: b8430c94af00c47a1d07cde2bae2a1fb2d5ae9837cc80d1ae1502bf1c21160ea
Opcode Fuzzy Hash: 736c546bb35434431470faaad4ef8f735914b607be57c11a5157e02ae54451e4
Instruction Fuzzy Hash: 49213075B006058FCB44EF69CC848AEBBB9FF893007418569E905EB255EB70A945CBA0

Function 09388E68 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a864bf62aa8cbb5a739da65953c251f2629ca2b926bef594483435e79fd3e18e
Instruction ID: c07858af37a1c58bb011f53b2eee0c7f2353e311d9381c7b51cfee0fc70a3036
Opcode Fuzzy Hash: a864bf62aa8cbb5a739da65953c251f2629ca2b926bef594483435e79fd3e18e
Instruction Fuzzy Hash: 2821F93290D340DFC321BA6494001777F9EDB8138479444EBE176CAD52D639A841CFA6

Function 012FD36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2320096908.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12fd000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c55d6ccaef7c72557ef07c4b3a193ef8a6b3a694069ecb4033bfdc22eb2f92
Instruction ID: 449e81a3e9c495340f40749ba7bf8ae49b4970070e252cf65860868d4882fd56
Opcode Fuzzy Hash: 18c55d6ccaef7c72557ef07c4b3a193ef8a6b3a694069ecb4033bfdc22eb2f92
Instruction Fuzzy Hash: DB210075514208EFDB05DF94D5C0B26FB61EB84314F20C57DEB094B296C376E846CB61

Function 012FD1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2320096908.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12fd000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbeebf6d28220304ecb2d793b2dab98deddadfa66cdd016eb2365982cdd71116
Instruction ID: 5fb40960d7a08ae84ee2681024bc4818e6245b469688c2dd42199745a8cd77f5
Opcode Fuzzy Hash: bbeebf6d28220304ecb2d793b2dab98deddadfa66cdd016eb2365982cdd71116
Instruction Fuzzy Hash: AA21CF79514208AFDB05DF94D580B26FB65FB84324F20C56DEA094B253C776D846CAA1

Function 093802A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7c2b33e9727d7508a34e98afbb1c2822f8e34879950254fd74d497084d1a88
Instruction ID: 17b91859a7fef6fe3e1aa205580a3d537d2781f609f0e955b5dca813e62b1f15
Opcode Fuzzy Hash: ce7c2b33e9727d7508a34e98afbb1c2822f8e34879950254fd74d497084d1a88
Instruction Fuzzy Hash: 14213275A0060A8FCF44EF69C8848EEB7B5FF88300B518569E915B7355EB70A945CBA0

Function 0938C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542c6627906da067fd8d27d26ef6ee711e425c5b621215ae26d668c5207b5743
Instruction ID: b2e904f2a39615784de684cb2643754951c3615a591991f836fe6d5db67e677f
Opcode Fuzzy Hash: 542c6627906da067fd8d27d26ef6ee711e425c5b621215ae26d668c5207b5743
Instruction Fuzzy Hash: 64218432E18714CBDB00BA6AC45077BB368FB49390F106213A192C7F90C774E5908EB6

Function 093829D0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a84ed7b40b0ef53adbc4f3a542a55696db435040e30b48bbd1d3d062915568
Instruction ID: 249ae77887e4792b6442b1b7d632e1db4f45816c53bcc6f5836426c3a178c396
Opcode Fuzzy Hash: f5a84ed7b40b0ef53adbc4f3a542a55696db435040e30b48bbd1d3d062915568
Instruction Fuzzy Hash: 9F1160747002019FDB20EFA5D948BABBFB9FF85380B045129E915D7641DF789905CBA2

Function 09383FC8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c893428535608d5e285b417aa033dad3151886dccb621d6d6d59965c763db21f
Instruction ID: 47d260125ecc296e0401ca7955d1cdb36b2e0dd856b41629edbdb9bcb17bb08a
Opcode Fuzzy Hash: c893428535608d5e285b417aa033dad3151886dccb621d6d6d59965c763db21f
Instruction Fuzzy Hash: 38113631B083545FC7559BBE981059FBFFACF82650B0444ABE509C7382EE70AC0283E1

Function 093859F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6825b0c4db27594ffc658d255083788a33771a9a1eb27f5f01c611fb6707f394
Instruction ID: 237dca656969d5ac795b47f31eefd0eb4d662484fade0bd5134e16c3dc637e1c
Opcode Fuzzy Hash: 6825b0c4db27594ffc658d255083788a33771a9a1eb27f5f01c611fb6707f394
Instruction Fuzzy Hash: 5B21D3B6900349DFCB10DF9AD884ADFBBF5FB48320F10841AE919A7210D3B5A954CFA1

Function 09380DE8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191ad260b376f865cfbe0763f862cbc369c8d2e84fcb9f93119d409dc37bbeb2
Instruction ID: 548c1024ae9639d27906adfe1aefb572b7eec21f8ad8457e355d382ba380e531
Opcode Fuzzy Hash: 191ad260b376f865cfbe0763f862cbc369c8d2e84fcb9f93119d409dc37bbeb2
Instruction Fuzzy Hash: 4F118F72914709DFCF59EFA4C8412EEBBB0BF41314F10859AE8A9AB011E734A199CF91

Function 012FD1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2320096908.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12fd000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 05da69584e8da8f39973fc56477291223a7d3c3fad5d1973c01c721c0c4ecb29
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5611BB7A504284CFCB02CF54C5C0B15FBA1FB84228F24C6AEDA494B257C33AD80ACFA1

Function 012FD367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2320096908.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12fd000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 461617d2f81803828afb000f58ae0269967f264e5cdc44151e243521f5893c79
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: D411BB76504284CFDB02CF54D5C4B55FBA1FB84318F24C6ADDA094B656C33AE44ACB62

Function 09384DD0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383225902172b6fcc8e770a336edfe9913a7ea2229c8efa7d7cf68896248209f
Instruction ID: 9d5dce6970ecdac66ad06450c710aacb486aec490c65ad96c31f8b9fc88a9c7e
Opcode Fuzzy Hash: 383225902172b6fcc8e770a336edfe9913a7ea2229c8efa7d7cf68896248209f
Instruction Fuzzy Hash: 6F016D31304255BF8B054F65AC448AFBFBBFB882107008026F905C6361CB758D21CB90

Function 012ED76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2317643437.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12ed000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e25918d29ef61933e62460dd2e028d70a2eb9ca343059a5445f81a285286c3
Instruction ID: 0f115026bb05c010d90bd50ceecfebbafe0e148803f106ccd2582e38f9510419
Opcode Fuzzy Hash: 28e25918d29ef61933e62460dd2e028d70a2eb9ca343059a5445f81a285286c3
Instruction Fuzzy Hash: C4012B720543889AF7144B59DD88B67FFD8DF41324F58C41AEE090A182C7B89840C671

Function 09382800 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bd005a47ac6c8f592b45fdb17bcda0fc8e3945fbe2a2b50bd77337cd9f6dcf
Instruction ID: a5015cc24ad1e9c42156b0948c9cc8415d6818149a67b436b74c0388a1d605d9
Opcode Fuzzy Hash: 31bd005a47ac6c8f592b45fdb17bcda0fc8e3945fbe2a2b50bd77337cd9f6dcf
Instruction Fuzzy Hash: 70F0AF31204600ABC3259B69A808A97BFA5EBC5321B04C03AF659CB251CA318816CBA0

Function 09384DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c68b7e6c2bce4b6807fbabeb433ea931310171531a1a3f83a6592a10d47656
Instruction ID: 2468e4c7d82c2fd52e3bd275209c377600b3f455bd28a0c0b4a718a5f88ce464
Opcode Fuzzy Hash: d8c68b7e6c2bce4b6807fbabeb433ea931310171531a1a3f83a6592a10d47656
Instruction Fuzzy Hash: B1F03036700219AF9F059F95E8448AEBFABFB8C220710803AFE19C3351DB758D21DB90

Function 012ED76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2317643437.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_12ed000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f656ec6065f3c6cf226f1d964c23ad03e79961bf53ca06ac46a36c71f953aab
Instruction ID: 760859894151a4270b96abfab98fbb359a376826021dec26e9a0da83b3d393e3
Opcode Fuzzy Hash: 5f656ec6065f3c6cf226f1d964c23ad03e79961bf53ca06ac46a36c71f953aab
Instruction Fuzzy Hash: B4F062724453889EE7158B19DD88B62FFD8EB42624F18C45AEE484A686C3799844CB71

Function 09382AC7 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b2f45ed498e81f3a05debc9f0e2cf4bcbf55a8bf3b337f68dfd7490c1e905
Instruction ID: e7be6f81ab89e1ceb40bbae3fd72745db7b80ba042dc4a460712d91eb7855a63
Opcode Fuzzy Hash: be6b2f45ed498e81f3a05debc9f0e2cf4bcbf55a8bf3b337f68dfd7490c1e905
Instruction Fuzzy Hash: 57F0E2767097405BC721DF5AE881987FFA8FE89271304C56BE46DC7A51DA309805CBA0

Function 0938AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0066b92f1bfa8f9eadc01bb790465f57d924566bdc35af4ed307918ea8b99aaa
Instruction ID: 5d40ec6ab48a2ae18847d317f1a17315c0a9c1d94eaee65ded8e832c163c179a
Opcode Fuzzy Hash: 0066b92f1bfa8f9eadc01bb790465f57d924566bdc35af4ed307918ea8b99aaa
Instruction Fuzzy Hash: 35F0B431B46385EFDF01EBB0CC5AAAEBB71AF46300F008252E522AB6D1C7705856CF11

Function 093820C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3492941a944dcd94f525379b929960d77da6aa74bb39df6a23cd1c9dc1b1e525
Instruction ID: f73e0d6a8d6ec76d42cd92da9dfb545d915da51231dcf370ce675bd3ae68f0dd
Opcode Fuzzy Hash: 3492941a944dcd94f525379b929960d77da6aa74bb39df6a23cd1c9dc1b1e525
Instruction Fuzzy Hash: 06E026A4B152008FD3055F71885A2B73B6AEF4210130680AAF406C7282CE289803C720

Function 0938B8F6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27416445974729877e752b99af575b56f4ffc26cf39a93038f70815491b00e64
Instruction ID: 875cc801914e1f7fd1823f4509904dd8905c8e27a4a963e7c352bef79318a76c
Opcode Fuzzy Hash: 27416445974729877e752b99af575b56f4ffc26cf39a93038f70815491b00e64
Instruction Fuzzy Hash: 2FE0122790C30EEB4660B6A95445537FAFF97443F07004C52944BC7E05D96509019FB3

Function 0938C0D6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dca34511ac061ed820f6d9119500bd10abe537b2bad0acf1a338887dce2cb71
Instruction ID: 0eaaa689bb5587c4baeda67fcade1ef76fbbab37bc5555fc076230749c6468cb
Opcode Fuzzy Hash: 3dca34511ac061ed820f6d9119500bd10abe537b2bad0acf1a338887dce2cb71
Instruction Fuzzy Hash: EBE0CDB666C308EB8720B55568115733A9EE7843D0F00D152E98BD6E44C951DC004E73

Function 09388140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5299cd17936e71fb807584c00f2895aa52c293e88a515ae746bd2397ac773b50
Instruction ID: bc4382b9dbbf290feb9b01411be904d71fdcbe0f0e624e4632f5903bbf4ff236
Opcode Fuzzy Hash: 5299cd17936e71fb807584c00f2895aa52c293e88a515ae746bd2397ac773b50
Instruction Fuzzy Hash: 5FE09278108742CFD342EB74D82422777A0EF46300F04C897D4668B6A2CB34AC0BCB51

Function 093876E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0eda2e65d58fe38e9cfee9b743f017d1a97d225497033850f0c4ecba9703e92
Instruction ID: f22a9c48ceee613e8622f5c72c88f457caf53223730f997e3c2a4d1c9571190e
Opcode Fuzzy Hash: f0eda2e65d58fe38e9cfee9b743f017d1a97d225497033850f0c4ecba9703e92
Instruction Fuzzy Hash: D1E02632029681EEE708AF3CC4B87A5BFA1EFB2384F010A5AC1C440483CB21511AC64B

Function 0938B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359b925f68ff174e13ebd4516beec37729bb66655b5dff82dd3bd4b53a3357f1
Instruction ID: ed448e477c8a6080cd5b46e7c2420d8c0e5c13df1dace9d6af8f409b1e94d767
Opcode Fuzzy Hash: 359b925f68ff174e13ebd4516beec37729bb66655b5dff82dd3bd4b53a3357f1
Instruction Fuzzy Hash: 28D01727A0C30EDB4650BAA8544053BF6FFA7843E07004C92984BC7E05DA6509029FA3

Function 09389D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80132216ad3f577ce4cabc076a461f1debf6e1a927c3195d19f8a84a6787b214
Instruction ID: 36b3d369193c90005f4ba14cf051ad7e9f065ce15753315e2063508dbaa65ecf
Opcode Fuzzy Hash: 80132216ad3f577ce4cabc076a461f1debf6e1a927c3195d19f8a84a6787b214
Instruction Fuzzy Hash: FDD0A71370C304CBC64C35785408B3B72EF5B803E4B1044A2914B8AF87D962881CCF9E

Function 0938C098 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1df2e6fc1d130396b9d4443230422efc8149e68bc43a58abbb93b0390fa77de
Instruction ID: 0e34d09cee5cbc8b4a62514fde8614bc8143c646ffd6179527204ca012ced8fe
Opcode Fuzzy Hash: d1df2e6fc1d130396b9d4443230422efc8149e68bc43a58abbb93b0390fa77de
Instruction Fuzzy Hash: E0D0A7F313C308CB8B14B2F4181457B3F1DEA483D57302416D58F05905C921D8414E73

Function 0938AE9E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa00a1279359b0a97dc55ae678d44ee1449423e732636884ba84e6dec6a04b6
Instruction ID: 97f1ae9981093fc3bd781c2d72ee58a6f0bc4b1dea02794483e5159e24ebf95b
Opcode Fuzzy Hash: daa00a1279359b0a97dc55ae678d44ee1449423e732636884ba84e6dec6a04b6
Instruction Fuzzy Hash: 21E0467190878ACFC305EFB4886626BFBF1BF42310B1481AAD0648A626D7305846CB92

Function 09380DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1f8e00b94794525d3532e28338de7de11cbf36a8daaa766a093463f454167
Instruction ID: ad10bb65d82348ababddd1ee7e1bced0269bb463bff319e0f910d8e34b7058b0
Opcode Fuzzy Hash: 63d1f8e00b94794525d3532e28338de7de11cbf36a8daaa766a093463f454167
Instruction Fuzzy Hash: 4CE0E231810B1C9E8B84FE79D9055DB7BE8AB05221F00C52AE8599A510EA30E2E8CF80

Function 0938C2E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee16ae6e4003c13855cd0b78bda3fff17625685ba4509a87dcddda0a6fc5d66c
Instruction ID: 2080585ded9d29a95104761e1549e69e551984208dcde1ea79fc4160a75171b5
Opcode Fuzzy Hash: ee16ae6e4003c13855cd0b78bda3fff17625685ba4509a87dcddda0a6fc5d66c
Instruction Fuzzy Hash: 6BD05E3151D788DFDF3626B424250663F2C680274630110EBE186A9CD385164482CB33

Function 093820D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f71c1beb69c00c026ed76546956ac2d48731b449750c724569bf32d4da9bf4
Instruction ID: d4d52ffe1cd98278d39cdb085e6510f406a7a0d9f4f9be5de29d1bc9d20b78fb
Opcode Fuzzy Hash: 41f71c1beb69c00c026ed76546956ac2d48731b449750c724569bf32d4da9bf4
Instruction Fuzzy Hash: D6D0A7747142048797006FBA940F3B737DFFB805013458025BA0AC3180CE38E802C721

Function 09387D51 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb0673facae995bfd5a0b9040e4aae679d21eb5ae2ea030b251cf4727526a07
Instruction ID: f7aa91cf712e8c9bd7bf8bf583bdf68e8faa318cdef7abb84f06ecd218ddcc95
Opcode Fuzzy Hash: abb0673facae995bfd5a0b9040e4aae679d21eb5ae2ea030b251cf4727526a07
Instruction Fuzzy Hash: 59D0A73815F708DBC3146610D4186733B2ED392744B208438D1030BA91CB795882CEE1

Function 0938C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a92841fdb3a04826d9b2347727e55342916cf68812eaac9a54ca99882948b43
Instruction ID: 259f833356f77633eba5105f3732ae508efb825a9a1cc29b8bbacdc28bd795fd
Opcode Fuzzy Hash: 8a92841fdb3a04826d9b2347727e55342916cf68812eaac9a54ca99882948b43
Instruction Fuzzy Hash: 80C012D323C308CA8304B2A8281443B3A6E29883D93207106D6CB46D0ACA52C8040E33

Function 0938E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23c030f77d351ff7b14d05d21d8bd02768a546bd1e61f8dbcb44bd5bcbcd74c
Instruction ID: 3a012550fab1efe33812e03006d4136fc15b2bce2a1ff8791b235cfc2e1de37c
Opcode Fuzzy Hash: f23c030f77d351ff7b14d05d21d8bd02768a546bd1e61f8dbcb44bd5bcbcd74c
Instruction Fuzzy Hash: 3EC08C300833C8C7C3203BE4A50C32832689B01202F820010E48A810208BB09CC0CA67

Function 0938C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e247b2a2e65a1a3606b592805f0e2b0f2637e02879fad2d1bef4430f63cf35
Instruction ID: 979067e99bf1b08c7c4cd9a5247caf50493acde52708c3c9497fa978b6f45622
Opcode Fuzzy Hash: f2e247b2a2e65a1a3606b592805f0e2b0f2637e02879fad2d1bef4430f63cf35
Instruction Fuzzy Hash: 0BB0922742C70CC7CF3032D82028137361C3404B946002112E2CB24CC1094114514C72

Function 0938B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf018832afbcdbaab45894209359867a2b4371beb2f2d5534f290b3a3cef2e3
Instruction ID: 6ff7962ba920aa394e2c45e38a25f35d945447f35f18ecf41dd250bb39cbc22b
Opcode Fuzzy Hash: adf018832afbcdbaab45894209359867a2b4371beb2f2d5534f290b3a3cef2e3
Instruction Fuzzy Hash: FBC08C71B8631AEFDB009A01EE8696DB27A6B05F40F110410A20326184C36045008A40

Function 0938770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e8015f2030f71f1b553e3885d98bab6bcf792d61cc0295c55d2334b9fd2c83
Instruction ID: 55e2a907f20a6ce355c59447c7428aa0c7563614b2517514e7de3659cd9853cc
Opcode Fuzzy Hash: e5e8015f2030f71f1b553e3885d98bab6bcf792d61cc0295c55d2334b9fd2c83
Instruction Fuzzy Hash: F2B01237198704F3D1007BA44D84A3B78D1EBB1700B50ED46770940060C9754529DA2B

Function 09386690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2349690773.0000000009380000.00000040.00000800.00020000.00000000.sdmp, Offset: 09380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_9380000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeddddafbeb7ad1d81a62909a0018a5f2ddba3e07ffdb969a5019f4ca59798a4
Instruction ID: d484a4c811004ba43d03d783b7345745a72ccd52d56d59ce2241b887cc09a7d4
Opcode Fuzzy Hash: aeddddafbeb7ad1d81a62909a0018a5f2ddba3e07ffdb969a5019f4ca59798a4
Instruction Fuzzy Hash: 93A011A200E3CEEA020832A0A00A03BBB2C20003AC3000800EA0B088002A2238A0888A

Analysis Process: NotepadUpdate.exePID: 6080, Parent PID: 6068COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	45
Total number of Limit Nodes:	3

Executed Functions

Function 08DB1240 Relevance: 1.9, Strings: 1, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 08DB138B

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3da6589bdcf00d1432eeb754a5edc839abcdbbd9243c51e586bfed4fb2d5829e
Instruction ID: a1c1e53d69e2027a7d80e029fe09167c1005ba422bb227a7c88b2bb4d0f660ef
Opcode Fuzzy Hash: 3da6589bdcf00d1432eeb754a5edc839abcdbbd9243c51e586bfed4fb2d5829e
Instruction Fuzzy Hash: 3F62CE74E01228CFDB25DF69C894BDEBBB2BB89301F1082E9D449A7255DB319E85CF50

Function 08DB61DD Relevance: 1.8, Strings: 1, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 08DB61E2

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 13345bf1bae7b51ce546522edcaa3c28ae991d150420581ebf5e872e2ec04d7d
Instruction ID: 0c2ec4e10f183b3e8c3186bcfc5dbbe806268c1812dc84502f023f5bf16ce911
Opcode Fuzzy Hash: 13345bf1bae7b51ce546522edcaa3c28ae991d150420581ebf5e872e2ec04d7d
Instruction Fuzzy Hash: 8152A874A01219CFDB64DF68D899AADBBB2FF89300F1041E9D509AB355CB34AE81CF50

Function 08DB3668 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4daae2b786f585bf43472d8b06992f14dc8e8be74ae2fe6cd63f8fa1838a8a
Instruction ID: 90f9ec3b09070e39d2086822a49853f7bc36cd709e3039cfbe215b071e2e83af
Opcode Fuzzy Hash: 0a4daae2b786f585bf43472d8b06992f14dc8e8be74ae2fe6cd63f8fa1838a8a
Instruction Fuzzy Hash: CF526234B00115DFDB18DF69C884AADBBF2BF88751B158269E806DB365DB31EC42DB90

Function 08F56C81 Relevance: 2.8, Strings: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 08F5733C
R, xrefs: 08F56F48

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: F$R
API String ID: 0-4292606238
Opcode ID: 6faa2688c5bb285c8a5607e431a776eb6cd7f476671a04a940eb8df685bddca9
Instruction ID: 9c486aa15391cad22a949a990f2cd10e71421a70f2e8d5e9f5d419ca7274eda9
Opcode Fuzzy Hash: 6faa2688c5bb285c8a5607e431a776eb6cd7f476671a04a940eb8df685bddca9
Instruction Fuzzy Hash: 0BD11776A00104EFCB06DFA9C984D69BBB2FF49315B1A8099EA099F272D732DC51DF50

Function 0143B300 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0143B566

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fbdc087bc87a2bb8990bfb466f7b66a983f49691ec923ecf406f82eaa7b9cf6e
Instruction ID: 7fdbf53cdff46a972ba0a4ebb0758023fcf7a45e5acbce3f17f9e3e8a2dd3047
Opcode Fuzzy Hash: fbdc087bc87a2bb8990bfb466f7b66a983f49691ec923ecf406f82eaa7b9cf6e
Instruction Fuzzy Hash: AD812070A00B058FE724DF2AD44576ABBF1FF88204F10892ED586DBBA0DB74E845CB91

Function 0143590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014359C9

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 114976117b01ccf24d29a966ea1c0c916cddbbf0e99b10f01b31ec66cff3905d
Instruction ID: f21a0a1d4c24c1f7e138187c85a95d117e68856205ae28be454e9dd8202939a3
Opcode Fuzzy Hash: 114976117b01ccf24d29a966ea1c0c916cddbbf0e99b10f01b31ec66cff3905d
Instruction Fuzzy Hash: 0041DFB0C00719CBEB24DFA9C9857DEBBB1BF89704F20805AD508AB251DB756946CF90

Function 014344B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014359C9

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: da747ee3a00478d8adf9c9faf75643899e15bedcc1f83fcf31bbe32b0a97a1e5
Instruction ID: 2a2cb71918e3f9eba3ce8c5179678379420beb9ddde0521d6e3f736cdcdbc08e
Opcode Fuzzy Hash: da747ee3a00478d8adf9c9faf75643899e15bedcc1f83fcf31bbe32b0a97a1e5
Instruction Fuzzy Hash: 2841E2B0C0071DCBDB24DFA9C984B9EBBF5BF89714F20806AD508AB251DB756946CF90

Function 05EFEFC0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05EFF05F

Memory Dump Source

Source File: 00000016.00000002.2309433271.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ef0000_NotepadUpdate.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: adc6cd79d1b836728d7b4a2c296c9437d640b46c55cd996ce305a271d33c1f52
Instruction ID: 77d8f0fe27be1ce2783cf830a24de33cf3e0f6bc11ec2f395462ed72bb6cdf01
Opcode Fuzzy Hash: adc6cd79d1b836728d7b4a2c296c9437d640b46c55cd996ce305a271d33c1f52
Instruction Fuzzy Hash: 533100B5D002499FDB10CF9AD880AEEFFF5BF48324F14842AE929A7210D774A540CFA0

Function 05EFEFC8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05EFF05F

Memory Dump Source

Source File: 00000016.00000002.2309433271.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ef0000_NotepadUpdate.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6bd89a364d14bc7d4d2406ebda5b2ee4b4f6761ac81979a3e3a222978c95be5a
Instruction ID: 2fa7e15106680f3b635eff2f166a8b2b3411216be3dc40ff5786c3be0709d9f1
Opcode Fuzzy Hash: 6bd89a364d14bc7d4d2406ebda5b2ee4b4f6761ac81979a3e3a222978c95be5a
Instruction Fuzzy Hash: C621A0B5D002099FDB10CF9AD984A9EFBF5BB48324F14842AE919A7210D775A944CFA0

Function 0143D098 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0143D78E,?,?,?,?,?), ref: 0143D84F

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1258c6aafc44cc7f5324a26eb5be1f06299c7bba4e08392c6ab8bffbb45ebb7a
Instruction ID: d35e39cc770f6fe32a59563aa7a78b1ab87e9403df6e951ab6ef02dbb2641fe5
Opcode Fuzzy Hash: 1258c6aafc44cc7f5324a26eb5be1f06299c7bba4e08392c6ab8bffbb45ebb7a
Instruction Fuzzy Hash: 6621D4B5D002499FDB10CF9AD984ADEBFF4FB48320F14841AE918A3350D378A954CFA1

Function 0143D7C0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0143D78E,?,?,?,?,?), ref: 0143D84F

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 00b766de6c2846755e978869b379a2f7716d9bbdca6a7a9f3143f60d10480629
Instruction ID: a5a91a705c4675182ca90c747998945d427cbdb80d67e4fd57ad8e1a718e8078
Opcode Fuzzy Hash: 00b766de6c2846755e978869b379a2f7716d9bbdca6a7a9f3143f60d10480629
Instruction Fuzzy Hash: DF21F2B5D002099FDB10CFA9D984AEEBBF4FB48320F24845AE918A3310D378A951CF61

Function 075C6A30 Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075C6A95

Memory Dump Source

Source File: 00000016.00000002.2310797876.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_75c0000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 06b84c6394820094c305d937af507e303a7680091d34b53c0ffd9f2b62f8b97b
Instruction ID: 158a3dd188ce5d41aeccd50ff1c5f56d06ce8ffa408fb0573d2e96f7823d646d
Opcode Fuzzy Hash: 06b84c6394820094c305d937af507e303a7680091d34b53c0ffd9f2b62f8b97b
Instruction Fuzzy Hash: 9011E3B68043499FDB10CF9AD945BDEBBF8FB48720F20841AE518A7600C775A544CFA1

Function 0143B500 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0143B566

Memory Dump Source

Source File: 00000016.00000002.2298751698.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1430000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dd4b37c85ba3471a6c34d2514d30ca5e2d4a577e3b1f4246e1d0c39e2f9d6a33
Instruction ID: ab61fe44fc5389820eb17b99591c62d8fb49d83345388cf01ceb967e567a069a
Opcode Fuzzy Hash: dd4b37c85ba3471a6c34d2514d30ca5e2d4a577e3b1f4246e1d0c39e2f9d6a33
Instruction Fuzzy Hash: 95110FB6C006498FDB10CF9AC544B9EFBF4EB88324F20841AD928A7250C379A545CFA1

Function 075C2600 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075C6A95

Memory Dump Source

Source File: 00000016.00000002.2310797876.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_75c0000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3ca1cdc811cf54f78f859e25df0025aa9202eaeee12365c4965a096bd5b9573a
Instruction ID: 6d75e1216e09f09b588558df3f2b7f630288e416bc62393f85d5a11fc918ba5a
Opcode Fuzzy Hash: 3ca1cdc811cf54f78f859e25df0025aa9202eaeee12365c4965a096bd5b9573a
Instruction Fuzzy Hash: 4A11F5B5800349DFDB10CF99C945BDEBBF8FB48324F24841AE514A7200C779A944CFA1

Function 05EFD478 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05EFD4D8

Memory Dump Source

Source File: 00000016.00000002.2309433271.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ef0000_NotepadUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f6d27a415d8777ebc8c4af2ecabf77cb8ffaa39be7f95df75373991c045be770
Instruction ID: 708efb3a08bb0c79f3b5f593da597ba582b66494764f3cc88ae8b5be3f06eb8c
Opcode Fuzzy Hash: f6d27a415d8777ebc8c4af2ecabf77cb8ffaa39be7f95df75373991c045be770
Instruction Fuzzy Hash: 0E1158B58002098FDB20CF9AC545BEEBFF4FB48320F10841AE558A7240C778A544CFA1

Function 05EFD480 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 05EFD4D8

Memory Dump Source

Source File: 00000016.00000002.2309433271.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ef0000_NotepadUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: eeb9d4f605d02e1288c2867d2b55afdad1b62f8c78f3a836bd6459994c74ef4b
Instruction ID: d6b1787dda37c42cc2dbfb32585b5c5daa1e6236ca1e5d412e54d9ab3822d65b
Opcode Fuzzy Hash: eeb9d4f605d02e1288c2867d2b55afdad1b62f8c78f3a836bd6459994c74ef4b
Instruction Fuzzy Hash: DF11F2B58006498FDB10DF9AC545BDEBBF4EB48320F20845AD558A7240D779A544CFA5

Function 08F5839F Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

8, xrefs: 08F58413

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 652dd77f722185f92e9676cfd14b8e178c635d9ab25ba4be5c738b97b499a1d9
Instruction ID: a31aaa8bfcd6d4a7b5a1d5bc42099ce721d4ce3576285bb9771057a8ac759695
Opcode Fuzzy Hash: 652dd77f722185f92e9676cfd14b8e178c635d9ab25ba4be5c738b97b499a1d9
Instruction Fuzzy Hash: 3C01F970B50204CBF7208B34DC1A7AB7761BB44751F144876DE85DF686EAA49C91C792

Function 08F5B8E8 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

E, xrefs: 08F5B89C

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 6355268149e48abfc225c1213f4f183ee82dd4d960a2ce265995a1e2a04c56ad
Instruction ID: 5b733851d1a0daa460de7b83f8f63c858f4e08e11f25f3ea9e5e8567b2c5a765
Opcode Fuzzy Hash: 6355268149e48abfc225c1213f4f183ee82dd4d960a2ce265995a1e2a04c56ad
Instruction Fuzzy Hash: BBF0826390D24CDBDB10DBB5A8525797FB49745233B1040D7DF4B87602DB254A4297E3

Function 08F56D20 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

G, xrefs: 08F56D34

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: a12ecf55711d1c40a849a8e88ba1e76567b0ff2fe29ab832acbe7f061c60d1f3
Instruction ID: 0a5c149457e7f89b5c2d542712bae75f21a64f6287dd290b238b0a24e7515097
Opcode Fuzzy Hash: a12ecf55711d1c40a849a8e88ba1e76567b0ff2fe29ab832acbe7f061c60d1f3
Instruction Fuzzy Hash: 8FD05EB110E3899BC3429F74F9121ADFF789B13221B5815C3DA59CA543CB290E25C7A3

Function 08F56D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 08F56D34

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: c249693fb5b5d2359f1f0c6889648ba0e45c755483856a378620c808478681a0
Instruction ID: 9e9ae3095f148b567e52a9fe944b2bed929bb54805ea1bf1eabe4e9d996b0076
Opcode Fuzzy Hash: c249693fb5b5d2359f1f0c6889648ba0e45c755483856a378620c808478681a0
Instruction Fuzzy Hash: F8C012B150C108EBC604CEA4D90667CB7BCA700302F800584DE0E82200DB791E109A92

Function 08DB0040 Relevance: .8, Instructions: 754COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70244e62f00b5898ea191631ca4c97272f72cad03e122a7b8c2e7138ae02188f
Instruction ID: a4d05d0ae24a41af9ff16ddcabf63fd06774fa42a6505a03a0ca5183595086ab
Opcode Fuzzy Hash: 70244e62f00b5898ea191631ca4c97272f72cad03e122a7b8c2e7138ae02188f
Instruction Fuzzy Hash: 4C62FC70E01F41CADB705FB494987EF7AA5AB45385F604B2ED1ABCA350DB349842CF4A

Function 08DBC5F0 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628bf10898952e9299e64ae74fbc40b7f7e28e7a4113f5ab970510694b34bfaa
Instruction ID: ae1a46ae891c2fe31673289a99ed27d6cbf3a025dca49c7372fa2df07cff94b3
Opcode Fuzzy Hash: 628bf10898952e9299e64ae74fbc40b7f7e28e7a4113f5ab970510694b34bfaa
Instruction Fuzzy Hash: D042E230D10619CFCF15EFA8C8446DCBBB1BF49301F5182A9D5897B265EB30AA99CF91

Function 08DBC5E0 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c45366b5a3c96a8158f6c15c09056e0bdc44448e6eefc64e37b2ed7840114f
Instruction ID: e80f5c16d1e1daaa5de2078e30f0896326db1979dad875325fcb120303447ec6
Opcode Fuzzy Hash: 65c45366b5a3c96a8158f6c15c09056e0bdc44448e6eefc64e37b2ed7840114f
Instruction Fuzzy Hash: C742F330D10619CFCF25EFA8C8446DCBBB1BF49301F5182A9D5897B265EB309A99CF91

Function 08DB0011 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7044dfe6ec0830372a1b91b97cdaf4c63a309722f3cb398622fcb9d5eb76319c
Instruction ID: 5d4fa0107459d5f3c0ec18eac0081408d8977c66b66306c2d999ee911b8ecb6a
Opcode Fuzzy Hash: 7044dfe6ec0830372a1b91b97cdaf4c63a309722f3cb398622fcb9d5eb76319c
Instruction Fuzzy Hash: 7F2258B0905F42CAD7705FA48488ADEBAA4AB06385F704B5FC0FB8A355D7349486DF4E

Function 08DB9738 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8e04e3a4b6f5ca6376cbbbb12cdb4016b9a33b0e0085791974d3dc35e225b8
Instruction ID: f07a8d7f2160641c6eec77b676332fa24dc8e2eab333fa9cf24c05439dc0d576
Opcode Fuzzy Hash: 0a8e04e3a4b6f5ca6376cbbbb12cdb4016b9a33b0e0085791974d3dc35e225b8
Instruction Fuzzy Hash: D8B1BA31A00209DFDB21DFA9C4506EEBBF2FF88351F60426EC14AA7291DB309952CB51

Function 08F50480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0216a2e1edf6ab074e1629dec031578a142fbcad4ad991c5789854406421e365
Instruction ID: 9f0ab66e3dc5dc7b7ddaa049ba5aaee58b5e3159e77a413f7d06b880dc92afee
Opcode Fuzzy Hash: 0216a2e1edf6ab074e1629dec031578a142fbcad4ad991c5789854406421e365
Instruction Fuzzy Hash: DDF1D975D1061ACBCF10DFA4C854AEDB7B5FF88300F1086AAD959B7254EB70AA85CF90

Function 08F50479 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74837ef6996fa7dd1c437244f42fb3399a3e755e3e9861b167ccfdfc1661e1d
Instruction ID: 115501c502ebf5b37fb118221984997fcabd5e326da456accdb36cd9f4847f95
Opcode Fuzzy Hash: c74837ef6996fa7dd1c437244f42fb3399a3e755e3e9861b167ccfdfc1661e1d
Instruction Fuzzy Hash: A6E1D875D1061ACBCF10DFA8C8546EDB7B5FF88300F1086AAD959B7254EB70AA85CF90

Function 08F5778A Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98757efd91db185775f9639065633c4a56b778692b037235ebd04ffa46bc016
Instruction ID: 4669644b9ecb602e1c4b8ba9cf12bc736d433a1f953cbe7760107f6e04acf367
Opcode Fuzzy Hash: a98757efd91db185775f9639065633c4a56b778692b037235ebd04ffa46bc016
Instruction Fuzzy Hash: F0A1E334A002499FDB00EFA8D445AAEBBB1FF88300F1485AAD9859B396CB746945CBD1

Function 08F54AA4 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a426cea6178a58e5141b2e6542c7029b92ecd776ab81bf2a88e00a259f0620cb
Instruction ID: a60619882698d0a432ddae1e93722f8d8a58bb9e51aac8d6fb095a674d90c822
Opcode Fuzzy Hash: a426cea6178a58e5141b2e6542c7029b92ecd776ab81bf2a88e00a259f0620cb
Instruction Fuzzy Hash: 66B1D675910619CFDB10EF68C844A9CFBB1FF59304F05C6A9D949BB215EB30AA89CF90

Function 08F52D98 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85e674674a59599ec38875ef92c3a97f927d9b24edb017bf2599cfeb3339a0e
Instruction ID: 46f1286045c8fea5202bb09c28ce2e2e981bcb507d9e1db3d42772002d9a6e54
Opcode Fuzzy Hash: b85e674674a59599ec38875ef92c3a97f927d9b24edb017bf2599cfeb3339a0e
Instruction Fuzzy Hash: 7471C170A002059FDB249B79D844BAEBBE6EFC8341F14852EEA0697794DF74A942CB50

Function 08DB9AF8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cac2e75ac373e548667ed7364a064fdea7b70d15233eb641c38769fa5d1a0a9
Instruction ID: 4e3e9665d3bb5751eb3ed96513c5b6d5b4232aed8e737fedb869baa010b8f659
Opcode Fuzzy Hash: 1cac2e75ac373e548667ed7364a064fdea7b70d15233eb641c38769fa5d1a0a9
Instruction Fuzzy Hash: F791F475A0064AEFCB11DF68C990ADEBBF2FF48310F148669E92AD7250E731E951CB50

Function 08DBBDF8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55147b47c04ce0f0f00d73a945a142a586319bb6a784294b9aa488a67f5e4c9
Instruction ID: f187a8bba1aa0a062f23ddab9914eed4cbce01362b24a100ff902eb53b723315
Opcode Fuzzy Hash: c55147b47c04ce0f0f00d73a945a142a586319bb6a784294b9aa488a67f5e4c9
Instruction Fuzzy Hash: E581B230A10509DFCB11EF68D8886ECBFB1FF48351F11466AE596A72A4EB31D965CF80

Function 08DB3007 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a9f23931fda9c3c9b9740428c60aa44a569e62064d5128fad7845c8e0e7870
Instruction ID: e6fc493511eba3c1a8d432cf1d5873640f217cf39368897181f153f310b8c708
Opcode Fuzzy Hash: d0a9f23931fda9c3c9b9740428c60aa44a569e62064d5128fad7845c8e0e7870
Instruction Fuzzy Hash: C8718035B00248DFCB199F68D854AED7BF6BF89692F144269E802AB351CB71DC42DB90

Function 08DB3468 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85224bfb16e812267811797d168e99b958c2b2cdd7f0fc1eedb0df5a9f5e020a
Instruction ID: cc7f6a6dc06faef5cd55d329df41aa92fe7b34f572cd4862911dd95ef7808c8c
Opcode Fuzzy Hash: 85224bfb16e812267811797d168e99b958c2b2cdd7f0fc1eedb0df5a9f5e020a
Instruction Fuzzy Hash: 3C51E435B00245CFCB19CF78C884AAEBBF2AFC5292F05426DD406D7361E770D84297A1

Function 08F5ED18 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e9854b1bf468edd98e8613bcfde60e9bc62b5a431954b2c0075a1551c054aa
Instruction ID: 7e8629b665a0e3939e34883f256d54434e647a491666cad481b2c16752be66cc
Opcode Fuzzy Hash: 39e9854b1bf468edd98e8613bcfde60e9bc62b5a431954b2c0075a1551c054aa
Instruction Fuzzy Hash: 6371E575E04218CFDB04CFA9C884AEEBBB6FF89301F10902ADA19AB355D7705A46CF50

Function 08F577C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a47e3b9a1293672903369fd39bb553b6e520ccd4c7a371988e1ac081ddebb12
Instruction ID: bb3a9a026525c3ed6921ad018e63fa8bc9460824a5d2a34248e924abdf8e0b3f
Opcode Fuzzy Hash: 9a47e3b9a1293672903369fd39bb553b6e520ccd4c7a371988e1ac081ddebb12
Instruction Fuzzy Hash: 24616034B002199FDB04AFA4D455AAEBBB2FF88300F1485A9D9859F396CF706E46C7D1

Function 08F53494 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b5a2a00d57f855c420e7b3d2dc653cbb03ef00d13cbb4deb76e3ff55f0d88b
Instruction ID: 9f26b5e0569169cd8def64a8c6eb1657705b4c1bc58c13261d89a8ac5af05e1d
Opcode Fuzzy Hash: 41b5a2a00d57f855c420e7b3d2dc653cbb03ef00d13cbb4deb76e3ff55f0d88b
Instruction Fuzzy Hash: DB514B74E01205CFCB15DF78D458A9EBBB2AF8A351F15806DDA05AB361DB31DC86CB50

Function 08F50C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232fe8decc358c048e2399c4cc2746aec51c9b540f8bd938aec5ee1262e42389
Instruction ID: 13c3242e90f3d159140a717a9586cb6574407288cb7e1ee7972130e774a921b8
Opcode Fuzzy Hash: 232fe8decc358c048e2399c4cc2746aec51c9b540f8bd938aec5ee1262e42389
Instruction Fuzzy Hash: D851F975A10A09CFCB10EFA8C8948ADB7B1FF89311B109669E956B7314EB30E985CB50

Function 08F51800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d3b531d38a848638a21b5b514df0f7b3a279a87001646550e91c936e463f4a
Instruction ID: 4f9a1b25b9ada904afb08d72468d3dbf48aadeffe55facad8fa308c73c4c9e78
Opcode Fuzzy Hash: 21d3b531d38a848638a21b5b514df0f7b3a279a87001646550e91c936e463f4a
Instruction Fuzzy Hash: 52416E75A01205DFDB249F78D458AAEBBB6FF85302B244129D90697380DE35E881CB51

Function 08F50E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e50bee6568693e482dd940dc67dbab51a814b6378d5cbbb160c49e9ea193ec0
Instruction ID: 1c6001c885065add76b080a01eca603e48ee69b077a719c1cecc451a23976ac9
Opcode Fuzzy Hash: 4e50bee6568693e482dd940dc67dbab51a814b6378d5cbbb160c49e9ea193ec0
Instruction Fuzzy Hash: D6517335A10609DFCB00EFA8D4849EDF7B5FF89300F10856AE645AB321EF71A945CB91

Function 08F50C29 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2668cdf37d636bea79aa4726de4cac935e4e830fdc9d75242668d5ec909a0cf
Instruction ID: af5430d9cc3d69b44ec91cf2574e3d2a9475e541518c763ea3622e07558cfd08
Opcode Fuzzy Hash: c2668cdf37d636bea79aa4726de4cac935e4e830fdc9d75242668d5ec909a0cf
Instruction Fuzzy Hash: 84414A75A00A09CFCF10DFA4C8945ADFBB1FF89311B108669E956EB315EB34E985CB90

Function 08DBA348 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610bbbd0f426b44845478202e7ada9950fe28f04ef09953559f44835795fb7e8
Instruction ID: 24ca3a59b1ee671d94ef9d5d6ed60f98d7dc2419782cd2528275a438849c3547
Opcode Fuzzy Hash: 610bbbd0f426b44845478202e7ada9950fe28f04ef09953559f44835795fb7e8
Instruction Fuzzy Hash: B141AE303007118BD728ABB9A51463E76EBAFC4282764493DDA07DB7C4EF28DC02CB65

Function 08DBB6A0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea18de58fa5689bbccc245d4ce81471f30baac31271ecd71a9762695e1fadbb
Instruction ID: 58f3867013b58a583a821af6a519f49284b971455f2f9d9450b763fedb7ab566
Opcode Fuzzy Hash: 4ea18de58fa5689bbccc245d4ce81471f30baac31271ecd71a9762695e1fadbb
Instruction Fuzzy Hash: 6741B470E6411ADFDB01AF69C8496EA7BF0FB443C2F10462AE847F7294FA74C9118B91

Function 08DBAC74 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68508ea9e12446e45efd0e304b50a73ae576a3def084035021b5985002ab1bd
Instruction ID: 06c1278d0fe9dfa7cc98ee3d0c7a5f89ec8460ee75759b7037059a4a99bf7d2c
Opcode Fuzzy Hash: e68508ea9e12446e45efd0e304b50a73ae576a3def084035021b5985002ab1bd
Instruction Fuzzy Hash: AA412A34A11258DFDB14DF68D854AEDBBF2EF89352F148269E542BB3A0EB31D841CB50

Function 08DB37A7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2381095b782792a0fac71a2d51e62325e5cdbf075ef528952c2444ff01bdd108
Instruction ID: 8928fac4d24dcb54531ab0bae709517fc760dd3d67cb4fc5533a7a999636d674
Opcode Fuzzy Hash: 2381095b782792a0fac71a2d51e62325e5cdbf075ef528952c2444ff01bdd108
Instruction Fuzzy Hash: B8414930B0021ADBDF199F68D844AAE7BA6FFC8351F148229E90297394DB34DC56DB90

Function 08DBAC78 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a13172a3b1a489e95c6595c13a41ef5e00d6b5ed5639ef8be81855b806bab9f
Instruction ID: c32b7b61e99bc7d324d83c8180c38c96011f85e4f16fe30517998944b15d9725
Opcode Fuzzy Hash: 6a13172a3b1a489e95c6595c13a41ef5e00d6b5ed5639ef8be81855b806bab9f
Instruction Fuzzy Hash: B8413934A11258DFDB14DF69D854ADDBBF2EF89352F148269E542BB3A0EB30E841CB50

Function 08DBC086 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d30f75461ae1fae9a4697d6ba9ce5489d992bf5fd9f1fa7b4d5a9322fb2795
Instruction ID: 2d559f97721fadbdc4cbce81dc5f274b2847431b6fa1dd1ab485e378be642753
Opcode Fuzzy Hash: 77d30f75461ae1fae9a4697d6ba9ce5489d992bf5fd9f1fa7b4d5a9322fb2795
Instruction Fuzzy Hash: 7B41B570E6411ADFCB11AF65C8496EA7BB1FB443C2F10462AE887B7294F630C9118B90

Function 08F57A46 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039f09c9cacd65f459160081c1779c7e442cd60a10211e68e4d2a7dea53b8c32
Instruction ID: c1a7bd86372d86eefbcd4cd9721441b4a4aabbe5eb3759952907e0e431468887
Opcode Fuzzy Hash: 039f09c9cacd65f459160081c1779c7e442cd60a10211e68e4d2a7dea53b8c32
Instruction Fuzzy Hash: 9B41E93160D3D5CFCB156B78982917EBFB1BB86212B1445A7DB43C7296CA780E43C7A2

Function 08F59250 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02509c9a942e7d5d58c24d27a484221e3689256fd6b215b7cc9e097b7688013
Instruction ID: 327a4c70db65e41cc787ceeebd14127dd4805fdfac8f579cc949dfdb0a1298c0
Opcode Fuzzy Hash: a02509c9a942e7d5d58c24d27a484221e3689256fd6b215b7cc9e097b7688013
Instruction Fuzzy Hash: 9631F876B08205DBDB089BB4E44057EBFB5EB85201F50406ACF56EB685DBF149038BB2

Function 08F5C15B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7294e2827b681d476ca7a0179b51974da8a8b9a157adedef413d1a20bf6e97
Instruction ID: 4870727e57ef90a39840f93198cabf27e8de8b978df2829933d347002c31c06e
Opcode Fuzzy Hash: 6a7294e2827b681d476ca7a0179b51974da8a8b9a157adedef413d1a20bf6e97
Instruction Fuzzy Hash: 3D31E472A0C754CBC7108AFD8890376BBB1AB46313F04816BDF57CB686C664CD418BA6

Function 08DBAF9C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f62d067d75588f006773ab6cfaba37211c1002748f9c665a0df132cfcafeeed
Instruction ID: 18fbb416ca99236dde1395389401608e913481ef2db05a9f678caed482177b17
Opcode Fuzzy Hash: 5f62d067d75588f006773ab6cfaba37211c1002748f9c665a0df132cfcafeeed
Instruction Fuzzy Hash: 4D410070E05218DBDB219FA5D9949EDFFB2FF88341F218259D446BB256CB3188A2CF40

Function 08F51198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426cbdae590333419fe670bda01583203e4704e53b89a91c82ad7edb6c0ec59e
Instruction ID: 2116d37e32d1d6a985afa7068a418d08fdec29956f199b74416e91ba7999efbb
Opcode Fuzzy Hash: 426cbdae590333419fe670bda01583203e4704e53b89a91c82ad7edb6c0ec59e
Instruction Fuzzy Hash: 6F316175E10119DFCB14DFA8D84499DBBB6FF88301F10826AEA15A7360EF71AC81CB91

Function 08F56B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a342e33685f626489f9cc7415ad45cdd85a4508d1afc50f3d4eb5e30394c6fd7
Instruction ID: 45024ccc979d08eb6cfbbc7e6b8067a07af5d75e74e7b322d50dcfdf7a604b7a
Opcode Fuzzy Hash: a342e33685f626489f9cc7415ad45cdd85a4508d1afc50f3d4eb5e30394c6fd7
Instruction Fuzzy Hash: 0F310670A04208CFD704DB78D8657AAB7F1EB95316F94845ACB26EB342CB799D438B90

Function 08DB29B8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1704ea7117bce7abc710d22be7a2fc755f0a111ce70a1a0cc9342439a76d743
Instruction ID: 8a77d5f48245cb798d5ac70f6f139d24cdeb6850b6858d0167f853531688c65b
Opcode Fuzzy Hash: e1704ea7117bce7abc710d22be7a2fc755f0a111ce70a1a0cc9342439a76d743
Instruction Fuzzy Hash: 5C31F431A09384EFE7129B78C8157EA7FB5EF86340F0485AAE585DF186DA344D06C761

Function 08F5A2E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81f2c6ca9e67854ea5705c100687f0b5405bdc441b6d1fff9ff5edf348bc375
Instruction ID: d725fe352b586823fa2cadfd9a2a6056e1d182f965d40cf9c941c480d4a20a0c
Opcode Fuzzy Hash: f81f2c6ca9e67854ea5705c100687f0b5405bdc441b6d1fff9ff5edf348bc375
Instruction Fuzzy Hash: 2A3135B59002099FCF14DFA9D884A9EBFF5EF48324F10852AE909E7311D775A954CFA0

Function 08DBC4B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ff694577fcf10202b59001807bc357a30aae03a69c1a214a784da43b8e9e88
Instruction ID: 6184576e235945e96d405bdf39a8af123c79c119b8970869300e4ccaae7e7aa7
Opcode Fuzzy Hash: 18ff694577fcf10202b59001807bc357a30aae03a69c1a214a784da43b8e9e88
Instruction Fuzzy Hash: CC313731A10108CFCB10DFA8C954AEDB7F1FF49241F2446AAE506EB261DB31DE51CB60

Function 08F517DE Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee6e10915e8136ba1d6af484f7706f36d87837c2560d568627caf0e5ae302a2
Instruction ID: 2d550181ef6b28df5d489d8d7b31c93b9925acf6598c26ea1ee2495e0b550040
Opcode Fuzzy Hash: 0ee6e10915e8136ba1d6af484f7706f36d87837c2560d568627caf0e5ae302a2
Instruction Fuzzy Hash: F831CD75A01305DFCB258F78D9187AD7BB6AF89302F284269D902E7391CB74ED81CB51

Function 08F522F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e40506e5684ebbe8e351b2da5c7c03bd376f84058db2da39cf2a62b1f8121a
Instruction ID: 54da4cd2c5873ab6423aa10fcba40c58baca728909ffdd3d2c3904e8c0bdf16a
Opcode Fuzzy Hash: b9e40506e5684ebbe8e351b2da5c7c03bd376f84058db2da39cf2a62b1f8121a
Instruction Fuzzy Hash: 69317C71B00200CFD714DF79E880B6AB7EAEB89311B148569EA0ACB365DF30EC028B50

Function 08F5A0DB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8c1eb76bc4cdce964005199c014ae8f1a7008d954769fbe906f65d047f55a0
Instruction ID: dd80f1bdcc7d8b695538ff44915a15154dc1d1e273a3cbedb284f2ac19dc4860
Opcode Fuzzy Hash: 4a8c1eb76bc4cdce964005199c014ae8f1a7008d954769fbe906f65d047f55a0
Instruction Fuzzy Hash: EC21AB3650F3C1EFC707A778996089ABFB48E1311471941DBD7C08B2A3D261886AC362

Function 08F5C308 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5f77bd580d9f554b9bedaec4df41438575b8a3abaded63577e08d207a2fbec
Instruction ID: 3999d3c279417d08472256dba12e324e03a678d41f169226ea59861c75df76ac
Opcode Fuzzy Hash: fb5f77bd580d9f554b9bedaec4df41438575b8a3abaded63577e08d207a2fbec
Instruction Fuzzy Hash: C2210571B08348CBD7148A39D810B7A77A6BBC1712F24802BDF578B68ACAB18C428756

Function 08DB29C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51499969e245ec79081d08c09a4e63c4c7050219167950da1af7612f8b38f62
Instruction ID: c04511e6a162e541ad329a54d38ace0feec06ffc72bc6889f3079793659c774b
Opcode Fuzzy Hash: f51499969e245ec79081d08c09a4e63c4c7050219167950da1af7612f8b38f62
Instruction Fuzzy Hash: DF212331A08244EFE7469B78CC16BBA7FB6EBC5300F0081AAE585DB185CA348E06C751

Function 08F5C460 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163011e486cdfc670f6f0d3942e5950b402825ca8af43e94dd23c6f073f2ff34
Instruction ID: edb2ea41dc664cfcd18679b80b348f0eae78bec2908276a220e9b747543dce73
Opcode Fuzzy Hash: 163011e486cdfc670f6f0d3942e5950b402825ca8af43e94dd23c6f073f2ff34
Instruction Fuzzy Hash: A131A572E18745CBC7408AB9C800ABABBB0AF59353F144267EF07C7652C374E590CB92

Function 08F52D95 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7977cdb622dab3e1448910b38f2442d1b4fb40dff663130bbf902d2342f214
Instruction ID: c5e601119c0b9684ddbf7d5a1643096dec5d46e947879be615a2f5933faa92bc
Opcode Fuzzy Hash: 4c7977cdb622dab3e1448910b38f2442d1b4fb40dff663130bbf902d2342f214
Instruction Fuzzy Hash: C4318F70A01205AFDB14DF74D844BAEB7F6EF88301F10852AEA09AB391DB75DD41CB50

Function 08F56568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf4ef8da23532be5a25af60eba245d65ddb561a0ca0f297902b58ecbb8284d6
Instruction ID: 7fffa50d34d009249394b2e3e76b40698a5ca1435c39f413efcb23289ca18e87
Opcode Fuzzy Hash: 7cf4ef8da23532be5a25af60eba245d65ddb561a0ca0f297902b58ecbb8284d6
Instruction Fuzzy Hash: 873116B5E1020EDFCB00DFB8D8905EEBBF1EB48311F50446ADA16F7254EB349A418BA0

Function 08DB9249 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031f738bba974d3d88c966c4b36f90a6bceeb7c4b2086f5794149d3f0fbaff6b
Instruction ID: c459edbed42257c42476ef9e928a1afacc7aff5015012a6ef6d4af7bde9227f4
Opcode Fuzzy Hash: 031f738bba974d3d88c966c4b36f90a6bceeb7c4b2086f5794149d3f0fbaff6b
Instruction Fuzzy Hash: 4B213736B006109FEB24CA69C4D15BEBBF6EBC4261B68852ED247D3394DA34EC81C761

Function 08DB9728 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acc718068f80b281362e3d592a94f9a4d8352ce8e793b8fd0f29cfe4eb41beb
Instruction ID: 0787edb5bdbfaea9b0f5321fa07776c5cc96a683e0b939bd9fec8727537e9623
Opcode Fuzzy Hash: 0acc718068f80b281362e3d592a94f9a4d8352ce8e793b8fd0f29cfe4eb41beb
Instruction Fuzzy Hash: 5A21E570F02126D7CB11BF68C4441EEBBB0EF45282B504A6AD587A7244FE31D915C790

Function 08F56C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b6a967b4370590477cc6ed86dc0be2b9ba60458d6174c2f76634d80ab19ceb
Instruction ID: 4a04946e20d9ee186d63934db964964f8d3cbe560b724761f6243010e90d3c79
Opcode Fuzzy Hash: 32b6a967b4370590477cc6ed86dc0be2b9ba60458d6174c2f76634d80ab19ceb
Instruction Fuzzy Hash: C831D170A04108CFC714DB78C86676AB7F1EB95316F94846ACB36EB741CB799D438B90

Function 08F50FC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad5ae535aef43437f49fd3bb7df9129f1313f30cc0e3adf88052c981dd1c0ae
Instruction ID: a5e31ac79b3e2ddddb87b7501cff12a030003d6bab513b25c798853f957034a9
Opcode Fuzzy Hash: dad5ae535aef43437f49fd3bb7df9129f1313f30cc0e3adf88052c981dd1c0ae
Instruction Fuzzy Hash: 3E317531A10609DFCB04EFA8C854CDDBBB5FF89300F018299E5456B265FB70A949CB91

Function 08DB9250 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0aa25066b585bd978a7f43ae6b9d912056b30f928361c68e7207bce1b21ec27
Instruction ID: 8335802424ba59219227ae64744e1206c08794d7f9ed4ff9c0d5c43e18d11b81
Opcode Fuzzy Hash: f0aa25066b585bd978a7f43ae6b9d912056b30f928361c68e7207bce1b21ec27
Instruction Fuzzy Hash: 84212936B006109FEB24CA65C4D15BEB7F6EBC4251B68852ED247D3394DA34ED418761

Function 08DBAB0C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa82c9166ee44a597083be366545cf672833db5bd500fc570836a3ccfd7f749
Instruction ID: 8564981cbcbdbac3934a3fe27d3e412b11809c889e4f82ec34b13b8ea0c6966c
Opcode Fuzzy Hash: 6aa82c9166ee44a597083be366545cf672833db5bd500fc570836a3ccfd7f749
Instruction Fuzzy Hash: 7D212A31A01128CFCB14DF69C854AEDBBF2BF88341F144169D506EB3A0DB759D01CBA0

Function 08F50FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6ac4a66004b730f53ca6c49b010d7d9de5abf5f99d2fa113b00e088da4e4e5
Instruction ID: 69b0cef98ce099ddb3d60eb408527ebaec3f6f5b45d3e798dbb8c4283d4540fe
Opcode Fuzzy Hash: 6f6ac4a66004b730f53ca6c49b010d7d9de5abf5f99d2fa113b00e088da4e4e5
Instruction Fuzzy Hash: C6313031A10609DFCB04EFA8C894CEDBBB5FF89300F018659E5456B224FB70A989CB91

Function 08DBE728 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5325e0f5b53e09235657ff7ea36ab31291fe495f02f39ad5d35d6546e73d454d
Instruction ID: b287fd84a80d4d4dfafd86bd64ad6567805c0bea8b9fd90d6b612879e7e4eeab
Opcode Fuzzy Hash: 5325e0f5b53e09235657ff7ea36ab31291fe495f02f39ad5d35d6546e73d454d
Instruction Fuzzy Hash: FE215E35F00609CFCB11EBB8D4486EEB7B4EF89251F00826AE919E7260EB709945CB91

Function 08F529E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fa6406e777c8e43779b9d34cd4427f28f868ec990cad5fc8a5d7fc24a40391
Instruction ID: 3754efea00cb2a39862e08e6eace05aab9fa809980ba437677ae592adcf7220c
Opcode Fuzzy Hash: 36fa6406e777c8e43779b9d34cd4427f28f868ec990cad5fc8a5d7fc24a40391
Instruction Fuzzy Hash: 7021BD79B00105CFDB20DFB4E944BAABBF5FB49342F009129EA19D7240DB34E912CBA1

Function 08F56559 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd90c00f3d9a29bc61f74fff36a60ebdcdff53c6c4816c540abb36030798fad1
Instruction ID: 46c69fe3026ef5371af5ea0bbc8d0e4b0438f1114fe158ab3472702fce14eb74
Opcode Fuzzy Hash: bd90c00f3d9a29bc61f74fff36a60ebdcdff53c6c4816c540abb36030798fad1
Instruction Fuzzy Hash: 9D3139B1E0024ADFDB41DFB8C8915EEBBF1AF48310F50456ADA11F7255EB349A41CBA0

Function 08F517AD Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ab89b68e1874c090b9c604b3cc36ebbc42fb1f37b90839f4cf076b8bc6cdb9
Instruction ID: 68d0a2139d632d36b357116e23e3ed003124c7c559cbab4e25ac01dd13d96993
Opcode Fuzzy Hash: e2ab89b68e1874c090b9c604b3cc36ebbc42fb1f37b90839f4cf076b8bc6cdb9
Instruction Fuzzy Hash: 69216B75A01205DFDB248F74D559BADBBB6BF84303F284168E902D7250CB35E981CB51

Function 00F0D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2296754094.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f0d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b748f018fa680f6169972f4dfa243f616a397552463a1f32d26a05401d1fd8e
Instruction ID: 21173494edec0f697e2909e51bfa5649e2e2d68fe632823a148d8eb9b9fba105
Opcode Fuzzy Hash: 0b748f018fa680f6169972f4dfa243f616a397552463a1f32d26a05401d1fd8e
Instruction Fuzzy Hash: B4212676904304EFDB04DF94D9C0B26BB65FB84324F20C5ADE9094B2D2C776D856EA61

Function 00F0D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2296754094.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f0d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33fa371acc9a4ba0ca6eaa961d7b8f9e589e97a34dd4cbbff63aa0be54973e0
Instruction ID: 01374e3b03b535a80ccd7a25b52829bb34e093682fd759fd8434497b3eb73be8
Opcode Fuzzy Hash: b33fa371acc9a4ba0ca6eaa961d7b8f9e589e97a34dd4cbbff63aa0be54973e0
Instruction Fuzzy Hash: 4A214976504304DFCB04DF94D5C0B26BB65FB84324F20C56DD9094B2D2C376D846EA62

Function 08F50291 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dcf78c2e84e2c56e666b2b547c149d33278c611abb6a429dc5dd8b8e7dc998
Instruction ID: c9fffcd9faff33da9034df71c8a9da5c06e8b9456b6f723133025316426683bb
Opcode Fuzzy Hash: d8dcf78c2e84e2c56e666b2b547c149d33278c611abb6a429dc5dd8b8e7dc998
Instruction Fuzzy Hash: 56214475A002098FCB44DF69D8848AEB7B5FF89310B518579D90AE7351EB70AD45CBA0

Function 08F502A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c9cfb789e3058ce57a9d87a01a0251cccabe676311aafd1aa1e5ae3a2eb82c
Instruction ID: 4d878ddb754f1af40dff370552ed54e05885eef4f78af95ca2172a9b4ccbfc45
Opcode Fuzzy Hash: e5c9cfb789e3058ce57a9d87a01a0251cccabe676311aafd1aa1e5ae3a2eb82c
Instruction Fuzzy Hash: 9D211075E1060A8FCF44EF69C8848EEB7B5FF89300B518669D906B7351EB70A945CBA0

Function 08F5C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce03df9c19ecf5206c76495492bca4b18ef245a6df3935fa6c2fc42b5df0a34e
Instruction ID: 82826f3e8de79eb7a06f182c44bd2df6cec146a5c5af4a86e30b4b193d79b5c2
Opcode Fuzzy Hash: ce03df9c19ecf5206c76495492bca4b18ef245a6df3935fa6c2fc42b5df0a34e
Instruction Fuzzy Hash: F1218E72E08714CBD7008AB9C840BB9B3A0EB69357F004227EF17C7791C774E9908A86

Function 08DBA343 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c79d831eebcc44b260624b08a6c71feb61ded3833bd028fd4a8cbd80d2382d
Instruction ID: debefb9aaabf8a9de8939f55303b49578bb7542ff931dec321a4057a3ac7ffd9
Opcode Fuzzy Hash: 95c79d831eebcc44b260624b08a6c71feb61ded3833bd028fd4a8cbd80d2382d
Instruction Fuzzy Hash: D3117230301310CBC738AA7AD55457A77ABAFC92857544A7DDA478B790EF75DC02CB20

Function 08F58E68 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac654c328773e4bd944463f92e9f68a073c089574d218832f2171016013078b
Instruction ID: 45071c3ea21d9f9005cf2a749c3598cc2dcd708f306157b4e947ad075ae759ca
Opcode Fuzzy Hash: 7ac654c328773e4bd944463f92e9f68a073c089574d218832f2171016013078b
Instruction Fuzzy Hash: 4611DF2292C280DFC32196F4D4112B77FF65B06297B1484FBDF46CA586C7328A4287A3

Function 08DB9718 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4325ec7ceb5d8abf651eb9a2802c8752a94da6e59144d876eddc4f219d1d9d49
Instruction ID: 59a24bacd2b0e1ab39c68d8159c2935608abc8e9989f890b78d8a9d9f623124b
Opcode Fuzzy Hash: 4325ec7ceb5d8abf651eb9a2802c8752a94da6e59144d876eddc4f219d1d9d49
Instruction Fuzzy Hash: 9A11CA72F02116EFCB116B55E9445EEBFB4EB41782B604DA5D18BB3184F631CA318B94

Function 08F53FC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbc66408b6910ec20f0744fd27ca18d0bd8f1b9eb8764af7886c086e3034e93
Instruction ID: 17646e446099c6862f0eeb72ab21617a11dcf99c5b1246d21ce90e20fd734e55
Opcode Fuzzy Hash: 2bbc66408b6910ec20f0744fd27ca18d0bd8f1b9eb8764af7886c086e3034e93
Instruction Fuzzy Hash: DB110261B083905FC7159BBD985056F7FFB8F86260B0980ABDA49CB782DD209D0783E1

Function 08F5A0FE Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6744bd25bd09283621717f546282651fc0894a4e9a361028b1e38119c5211e3
Instruction ID: 277ea9ee8c0377a3fbfd7b42b8bc2d28667d9db0865e169752553e05e31e6392
Opcode Fuzzy Hash: b6744bd25bd09283621717f546282651fc0894a4e9a361028b1e38119c5211e3
Instruction Fuzzy Hash: C5215C6654F3D2DFC31397788561A96BFE04F23255B1D41CBCB908F2A3C2A5456AC722

Function 08DBC318 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9aa92a3e597f3353ab8ad11ec4c6d1260971a82605a9470fb2bddb1807cc34
Instruction ID: 408cccb5de4ee7da2473f8e40cb543b6d1b80104dc1a502a38de290207cf5dac
Opcode Fuzzy Hash: fb9aa92a3e597f3353ab8ad11ec4c6d1260971a82605a9470fb2bddb1807cc34
Instruction Fuzzy Hash: 83215C30910609CFCB15EF68C8556EEBBB1FF89301F50862ED4467B260EF75A948CBA1

Function 08F522EB Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bcdce4e1f654f07b2250318ab612c5b300a3872063ba3114a30c5d897d10d3
Instruction ID: 02a45c6b19310d29e91ffc5739d7367570c156eadecdba877a490ec756c3cdea
Opcode Fuzzy Hash: 57bcdce4e1f654f07b2250318ab612c5b300a3872063ba3114a30c5d897d10d3
Instruction Fuzzy Hash: 8F117F71B052008FE714DF78E880B6A77EAEBC9311F144539DA0ACB355DF30A8428B60

Function 08DBB1E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fb7606cb25574c6f77fb146ade10751e8aef4cf02c14235ad47930a1dd25ff
Instruction ID: a79677c2b49f6845063f2cfd5daa527df6af11430d159a132540af302c89ece2
Opcode Fuzzy Hash: e4fb7606cb25574c6f77fb146ade10751e8aef4cf02c14235ad47930a1dd25ff
Instruction Fuzzy Hash: 26116D71A00209DFCB11DFE9D8506EEBBF9AF89291F90062EC50AE7250EB349901CB61

Function 08DBE331 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d95f7676410511a7f281ac38d176fa05e1b28b083db6d1e861bc5f7c8fe2cf
Instruction ID: 83dae3428512181dd86378309ff3d021a71a63201c309b0cb20defab9f0c1075
Opcode Fuzzy Hash: b2d95f7676410511a7f281ac38d176fa05e1b28b083db6d1e861bc5f7c8fe2cf
Instruction Fuzzy Hash: 6011C6343052918FC7429738C8585AD7FE59F86552B1951EED186CF3A3CE218C078751

Function 08F529D1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b362040808a0a7231741059a29c7866db9da809410f8fa362253469b0104ca4
Instruction ID: c4942dfdeeddabebfe76b82f445acdc2a5c719fd724db441e3900d0c08f35516
Opcode Fuzzy Hash: 3b362040808a0a7231741059a29c7866db9da809410f8fa362253469b0104ca4
Instruction Fuzzy Hash: 4811AC74B002468FCB10DBB8E944B6ABFF5EB4A351F049169EA1ADB241DB74D806CB61

Function 08F559F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4724c0e3c7d31d6429b442f7a3140932d2d5c6e937731b9ba8f48e88f1528e9
Instruction ID: ce986b3fa919c3df8d5afff10191560602e8ab56a0e4e22c9b8b3f7d0f11d490
Opcode Fuzzy Hash: a4724c0e3c7d31d6429b442f7a3140932d2d5c6e937731b9ba8f48e88f1528e9
Instruction Fuzzy Hash: 6221D3B59043599FCB10CFAAD984ADEBFF4FB48324F108519E919A7310C375A954CFA1

Function 00F0D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2296754094.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f0d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: f57d13f586fbc9f9acb1fedb63555cc4870eba154551605c917d94ef83ec5ab7
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 04118B7A904284DFCB05CF54D5C4B15BBA1FB84328F24C6A9D8494B696C33AE84ADF62

Function 00F0D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2296754094.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f0d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 61970afdc57e892b2ea6fa64bebd6a1a34b943fdf32f74bca41db5aab869e836
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: AF119D75904284DFCB05CF50D9C4B15BBA1FB84328F24C6A9D8494B696C33AD85ADBA1

Function 08DB7DA0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc019bddc806de56db5eefcf5f1d98219f83e379aa81d75d339aa2060ab7bb8
Instruction ID: 111ec781e2e2606f62bab305991535b9b68972da26b49eb6a6f87b5408041eb7
Opcode Fuzzy Hash: 6dc019bddc806de56db5eefcf5f1d98219f83e379aa81d75d339aa2060ab7bb8
Instruction Fuzzy Hash: 3811C034760255CFCB05DF28C898BA87BF2BF8A645F1A41AAE406DB372CB759C41CB50

Function 08DB9708 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e695b8de171e2f65eb6e569bd3af37bcc0ef533ef68412803c7c840739cc52
Instruction ID: 97ceaef60776694627111864635c4c943e8c60a43f041e2571ef4d2d860c1c49
Opcode Fuzzy Hash: 87e695b8de171e2f65eb6e569bd3af37bcc0ef533ef68412803c7c840739cc52
Instruction Fuzzy Hash: 27012C353141649F9714DB6EC8948AEBBEAFF8965531454AAF502CB3B1CA71ED00CBA0

Function 08DBC43D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b22882d05b6f5bc16645324c44c0cdfa0da9c31aa9d66e6bf1d76a26caaffe
Instruction ID: ef32b54b6d87b8cd0a5db40ae92071ae7180f4853bdccb2731589dc5bcdb223b
Opcode Fuzzy Hash: 62b22882d05b6f5bc16645324c44c0cdfa0da9c31aa9d66e6bf1d76a26caaffe
Instruction Fuzzy Hash: 620124753141609FC754DB7AD8948AEBBEAEF9A66132440AAE502CB3A1CA71DC01CB60

Function 08DBAE03 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7350aa9cff1d526b024e4dae540688a2eb6680c07fbfafd9b73234f33af05725
Instruction ID: 7bf2ffb7fff76fdea819565f6501afa4ec868513abcaa3e28e193e429c10e4bb
Opcode Fuzzy Hash: 7350aa9cff1d526b024e4dae540688a2eb6680c07fbfafd9b73234f33af05725
Instruction Fuzzy Hash: 9AF02872F02122FFCB522B64E8441FDBFF1DB816C17144A69D48BE3280F531C9164A90

Function 08F582D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e53f149347cb07c654dbbf6f9d513bc6f789bbd61fd95c6053ca12dc8cd146
Instruction ID: 8c0efbda48c41cfa32f817ffaae831cd9c439b99150c264bf51eb0859c840afa
Opcode Fuzzy Hash: c4e53f149347cb07c654dbbf6f9d513bc6f789bbd61fd95c6053ca12dc8cd146
Instruction Fuzzy Hash: EF019271A29240CFD315C634D414263BFA5BB06283F0442FFDA4ACB142CB758882C7AA

Function 08DBF010 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b2366301af023fc1254c0b9f7ced0ec6fe0990e9e62a0b344d9543fd5a985f
Instruction ID: 99cd82df99950156b73b758b0648e544f6d4ad67a0b2eb2d002c60c210b50051
Opcode Fuzzy Hash: 52b2366301af023fc1254c0b9f7ced0ec6fe0990e9e62a0b344d9543fd5a985f
Instruction Fuzzy Hash: 6B11C470E0024ACFDB40EFA8D8117EEBBB1EF09344F148669C916E7395DB748905CB81

Function 08DBF020 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f097220e6d45f01fdbdb71c9b469a3d93e5e3ac1f86879784759697a7a30b574
Instruction ID: 2a02eee07bdd924aa9c78b837154895f03da4d23c4fdddd4fdbbc7fff417f12b
Opcode Fuzzy Hash: f097220e6d45f01fdbdb71c9b469a3d93e5e3ac1f86879784759697a7a30b574
Instruction Fuzzy Hash: 9E014C70E0020ADFDB04EF68D811BEEBBB5EF49344F108629C516E7391EB759A05CB95

Function 08DBE2BF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d805d2439966d25f1501151f81598dc455a22fdbc3f7b3eb77548e25640e3f72
Instruction ID: c7f824ab913474f4c75772c81cf896b8c20bfd27684c7aa9e3a22b848e991144
Opcode Fuzzy Hash: d805d2439966d25f1501151f81598dc455a22fdbc3f7b3eb77548e25640e3f72
Instruction Fuzzy Hash: 280181343142508FC7519728D858AAD7BE69FCA651B1980EAE54ACB372CE618C038B51

Function 08F57D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aebee3e02ccb0d8ee66d76999cbc27fbe6a1aa1682c2fdce516c9feb38f1bf7
Instruction ID: 9d83f2d33fa7e745f01553f783f3d507c2edfa0d8b6add61565b35bf6521142d
Opcode Fuzzy Hash: 0aebee3e02ccb0d8ee66d76999cbc27fbe6a1aa1682c2fdce516c9feb38f1bf7
Instruction Fuzzy Hash: 6001283095C3C48FC342EA74C4142BABFB2AF43306F0480AED9454F68ACB7A9887C721

Function 08DBE1F6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb050a80a78fe92c08f0740b0b1353553a4b45b2779f03c06cd7489dcd2584f
Instruction ID: f3ca1b251a947de22c7dc9f5ce09b5e417791e4620c19893e25c9c7ed1fa1061
Opcode Fuzzy Hash: dbb050a80a78fe92c08f0740b0b1353553a4b45b2779f03c06cd7489dcd2584f
Instruction Fuzzy Hash: 5701A23291060A9ECF10AEB4D8448DDBB76FFD5304F10872AE04627211EB719596CB90

Function 08DB9328 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8cf00b03f8914c2f646d885c1e0ef43fd0ed2997e279dc3e084f74c17c516f
Instruction ID: c9bfef48d5343419f713f544c3c1751764c65e53cdcf96566217656cee35f591
Opcode Fuzzy Hash: 9f8cf00b03f8914c2f646d885c1e0ef43fd0ed2997e279dc3e084f74c17c516f
Instruction Fuzzy Hash: 3701A431A146549FCB11EB79D8848DEFFF4EF8A21070541AAE5859B362DA305D09CBA2

Function 08F52801 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956e5d52ec35152527669b8f948c053d80eae8b2aaa66983ca737c8da21ffce8
Instruction ID: d151f09046a732362cd1f6f4f2ddc20a47aaa92fdbdeac7eeae674d1dc1c8a67
Opcode Fuzzy Hash: 956e5d52ec35152527669b8f948c053d80eae8b2aaa66983ca737c8da21ffce8
Instruction Fuzzy Hash: DAF0C2353013449FC3159F69E405A9A7FA5FBCA721F10843FE64ACB241CE35C906C7A0

Function 08F5A25D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190d9062463bd07ffbfc95f975f03807fb134dfaf794ae89170ec8723698c09c
Instruction ID: 5f8f581bafecde2166d7622aed6102924b55482751dc31462edf23ce6a62a497
Opcode Fuzzy Hash: 190d9062463bd07ffbfc95f975f03807fb134dfaf794ae89170ec8723698c09c
Instruction Fuzzy Hash: 2B01C92A58F3C2EFD313A778966485ABFE40E2356431E45DAD7E04A2E3C2A10469C767

Function 08DBE1F8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49805599b4c7b83d7af39cf8597ad5325b118e14adfdf7e1f818aa151ba4936
Instruction ID: 8eb8a56c86aebad4fbd8ed4a67bae0a73f0fb608e7a4b2e14393deef3af11aaa
Opcode Fuzzy Hash: d49805599b4c7b83d7af39cf8597ad5325b118e14adfdf7e1f818aa151ba4936
Instruction Fuzzy Hash: 6B01D63291060ADBCF00EEA4D8448CAFB76FFD5304F00872AE04527210EB71A595CB90

Function 08F52AD8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a885bd2330d8bf3b8cade4dea402e1c6eec783e12400654a9f6a4f83191b6f5
Instruction ID: d314daefc6910c63ec7510dd0d057ca1e4dcf487a25151fb45c438d00374951a
Opcode Fuzzy Hash: 1a885bd2330d8bf3b8cade4dea402e1c6eec783e12400654a9f6a4f83191b6f5
Instruction Fuzzy Hash: 51F0CD30B042044BC314AF3AA84441EBFD6EBC8260300C83EE60AC7341DE30A801CBA0

Function 08F54DD9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70779a67d70322401cb05b496c49aeb779c216aa8056eb7db232856ffc024cbd
Instruction ID: 2006a04cb6f8791304d13082ec532f7afe334f7c4778221c0e9105b2fe795865
Opcode Fuzzy Hash: 70779a67d70322401cb05b496c49aeb779c216aa8056eb7db232856ffc024cbd
Instruction Fuzzy Hash: D5F04F36704215AFDB059FA8A8488AEBFB6FB8C250710813AF919C3310DB758822DB90

Function 08F58F1C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34bd411d3680f6655fe775849138686342fdd8f1a2245c71e058e687ee5edaa
Instruction ID: 4f142ce0df79fb4432b9a3235d63395383d4539d50cffd849c9321e0e9cd734b
Opcode Fuzzy Hash: f34bd411d3680f6655fe775849138686342fdd8f1a2245c71e058e687ee5edaa
Instruction Fuzzy Hash: A9F0CD5352E2C0DFC30296B858210777FB6A84A19334400EBEB83CF957D620464583A3

Function 08DBEF80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6984aecf3f78afa7b78b304f13f9e084405efa051388faeaaddfc8147646c1f4
Instruction ID: 5284cc22b61deef98d943e19b4d010373cfb3a66e50ed63511a3d02725f46fad
Opcode Fuzzy Hash: 6984aecf3f78afa7b78b304f13f9e084405efa051388faeaaddfc8147646c1f4
Instruction Fuzzy Hash: 70F06D353145908FC716DB3CC444CA87BF9AF8AA2131540EAE00ACB372CE61CC02C760

Function 08DBE2D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b501d4a1f91eac2971db121417a82f71d7e733e127abe805d6639a1e463dc1
Instruction ID: 3b46e583bc94f9da759b8f4a54487757e169093c2d294218187a947558017af7
Opcode Fuzzy Hash: e1b501d4a1f91eac2971db121417a82f71d7e733e127abe805d6639a1e463dc1
Instruction Fuzzy Hash: 46F054343101108FC644976DC848A7D77EA9FC9A51B1540BAE60ACB371CF71DC0287A0

Function 08F54DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58909d828a9f7b2318bc1b8bb6744f42f1da7018b97c587d444c16d7fe26146a
Instruction ID: 1480e2f44028e396463187670cf25d35e0391e8cb843bec36ab9b92474091935
Opcode Fuzzy Hash: 58909d828a9f7b2318bc1b8bb6744f42f1da7018b97c587d444c16d7fe26146a
Instruction Fuzzy Hash: D6F01236704219AFDB155F59D8498AEBFA6FB8C610710812AFD15C3350DB758C22DB90

Function 08F5A2D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274e2609ce16a727fd3ab7516f9d1e4f0e53316a8adfde628526437943d3b22d
Instruction ID: fa139220228d76c85642df5445f69169b72b68b5c673ce1469ac524157255c3b
Opcode Fuzzy Hash: 274e2609ce16a727fd3ab7516f9d1e4f0e53316a8adfde628526437943d3b22d
Instruction Fuzzy Hash: 2DF0E9326082446FDF06DB74EC4189E7FB9DF05220B1481ABE908CB222E730DD50C790

Function 08F582CF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae235b6e962261d4f0b82ecc60c76b9e7beee147ef60256f0332f81e6edd209
Instruction ID: c158dedb2bd9cc510b5684a3fc55a31100abbd7a08efd9921893279dd1cd0554
Opcode Fuzzy Hash: 5ae235b6e962261d4f0b82ecc60c76b9e7beee147ef60256f0332f81e6edd209
Instruction Fuzzy Hash: AEF01D71925601DBD724CA34D515777BBA5B7092C3F4482BADE0EC7501CB748881CBAA

Function 08F52AC7 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d0d992f024e9d54c8a5b593340feb53785b9202697763f07788a0607ae0b92
Instruction ID: ed5ad8df05914d1c9e09aa42c85ff01ca669bed02e51c86f323f8305cbd3e28c
Opcode Fuzzy Hash: e4d0d992f024e9d54c8a5b593340feb53785b9202697763f07788a0607ae0b92
Instruction Fuzzy Hash: 33F0A9312043045BC711CE1AD880886FFB8EF8A270344C2AFE94AC7602DA74E809CBA0

Function 08DB11A7 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beae2e8c9f2c88082e0cef3e75af2886645d3b28fbdd329d6dcac7db6db946cc
Instruction ID: 58b6ca1fdaf64c9d26a75e55ae7984cc1aeb58439c722cc2d51c967f7e478d7f
Opcode Fuzzy Hash: beae2e8c9f2c88082e0cef3e75af2886645d3b28fbdd329d6dcac7db6db946cc
Instruction Fuzzy Hash: 33F0E574A4128ADBCB04EFB8F50176DB7B5EB41245F1056EDDC09A3251EA740E119B85

Function 08DB3459 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d49e2a3c7f160685d60cd4d4deb99b7676389a3c2d299ed5b2cd4a1df83f037
Instruction ID: 47f8fdc5cfd4b53d5ecb2ab6711a189ff173f7397b35e0b6be5ae3b33cb235c9
Opcode Fuzzy Hash: 1d49e2a3c7f160685d60cd4d4deb99b7676389a3c2d299ed5b2cd4a1df83f037
Instruction Fuzzy Hash: F4F0E531505388FFCF121BA5A8099DA7FB8EF45261F018176FD0586252D6718554D6B2

Function 08F5AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfde5b184eecd33d6a1d9103c903459af15f6fa8d1d589882c6da8969f4a2efd
Instruction ID: 8c769e1d790852ba9e07a27039adf7567328b47013f15519cfbcc2a24606b99e
Opcode Fuzzy Hash: cfde5b184eecd33d6a1d9103c903459af15f6fa8d1d589882c6da8969f4a2efd
Instruction Fuzzy Hash: F3F0B430A45345DFDF019FB0DC5EAAEBB72AF46311F008266EA22662E1C7744826CB11

Function 08DBEF90 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8482a7116df56cc5f91501e01f16538681c7325bbeea458c631b7031fd4c06
Instruction ID: 9a185701fb134c8878ee6456f4c9abecd4262ddf1f483ae4be0b8df5118ab9d1
Opcode Fuzzy Hash: da8482a7116df56cc5f91501e01f16538681c7325bbeea458c631b7031fd4c06
Instruction Fuzzy Hash: FDF0ED353604158FC714DB2DD844D9977E9EFC9A6531640BAF10ACB372DE61DC02CB90

Function 08DBE278 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c972d39f69271b85bdbb6559daf3a434215b1cf8c80ce5a9ebad90ada53b14
Instruction ID: 508fec9e3eed2c678040f7f4367598eef774989a0abef24bdfd225bfbd458f32
Opcode Fuzzy Hash: b8c972d39f69271b85bdbb6559daf3a434215b1cf8c80ce5a9ebad90ada53b14
Instruction Fuzzy Hash: 16E09271B006154B5B08EBBFA45086AF7EBAFEC650304C17FD10E87675EE319C018A84

Function 08DB9770 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49dc6a3688d1d31be8a3a8fd21ba313372d99483c05bb7ce387e54b493c56a6
Instruction ID: f578f5d11ec6b7b309da68b136e7581f1cf5de7c052edf086c407f3c4acbb365
Opcode Fuzzy Hash: a49dc6a3688d1d31be8a3a8fd21ba313372d99483c05bb7ce387e54b493c56a6
Instruction Fuzzy Hash: D2F0A030609391EFC31AAF3D946086A3FE5EF5621130589AFE0968B3A2CA75D842CB41

Function 08F59D78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91617fe005739c37d066d23020cfa7734d13d14bbe181b9341111fb72de0bc21
Instruction ID: 60a0b2047643d2e28702e84271d084546ddabaa220a64e43615bb8cad42f2d27
Opcode Fuzzy Hash: 91617fe005739c37d066d23020cfa7734d13d14bbe181b9341111fb72de0bc21
Instruction Fuzzy Hash: 7CE0923370C240CFC74D2674A5115347FB7AB4221370644A3CFC78F69FD5AA48028B62

Function 08DBAAC4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b4729f37f3426a907e5516f4cce16b6e72d613bbe3d4ff554de7936a453705
Instruction ID: 12fcf8e1622b27bbb020be80a501625d538a24b4219650ef6d7a82f73334c86b
Opcode Fuzzy Hash: f4b4729f37f3426a907e5516f4cce16b6e72d613bbe3d4ff554de7936a453705
Instruction Fuzzy Hash: AAE0C231703124E78A18121BB4684FF7799DEC86E2759412DE40BD3240EE50DC0382B0

Function 08DBE268 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6379aeb58aa343aec40c17024bb612d776233796c0e3188a9aca8a422bca1d0e
Instruction ID: 2be7917f5a57e9c3ddb10ddcb82c19097ba13d53c5bd481833c07b1f1c0b754e
Opcode Fuzzy Hash: 6379aeb58aa343aec40c17024bb612d776233796c0e3188a9aca8a422bca1d0e
Instruction Fuzzy Hash: 75E020707047900FD72697BA98504FABFF2AEDD150308C1AFD44ACB553D9315C078785

Function 08DBAAC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4222df1a383f7105273e7fedafdd9d3814cefe975fc149d4cf5f392d059a1f14
Instruction ID: 70d877e2b6459279d67410ef7af713ed114b2b2ea2be65616096f3d4fc2155be
Opcode Fuzzy Hash: 4222df1a383f7105273e7fedafdd9d3814cefe975fc149d4cf5f392d059a1f14
Instruction Fuzzy Hash: 9ED0C231302125E74A19522BA4248FF7699CFC46D2754413DE00BC3240DE50CC0282B0

Function 08DBDE54 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ba7ca086cf06c646b914cfb1f127c237280e707c9737282754fc8bd8e41e2c
Instruction ID: 874bd32fa1628c3102c3a437229886ce59d2e0685efcbb63770721cc2f25bf36
Opcode Fuzzy Hash: e5ba7ca086cf06c646b914cfb1f127c237280e707c9737282754fc8bd8e41e2c
Instruction Fuzzy Hash: E0D05B37585010C6D5109A14BCD17D97755EBC4341F59CE59E543D7148CC5AD5464251

Function 08DBEFD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed6fca6d84f6776be4ee48d4ca2b917a55a534b8823c2dd730d0a3aebc18e1
Instruction ID: fd7d14b32369da590312ae376cba7ac8b1c6668975fd7c29f1ad1d2a63e0a324
Opcode Fuzzy Hash: 29ed6fca6d84f6776be4ee48d4ca2b917a55a534b8823c2dd730d0a3aebc18e1
Instruction Fuzzy Hash: 7DE0263714D2A08ED311C724E891BC83F20AF4A152F0D49EAC092CF046C81E88868322

Function 08F5C0D7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cae2dfed803a42386a1a9b71153181bf4e9d2215799755611f9cc7d5ecd9a19
Instruction ID: bc1d2de724387706d3e28ab057fa85be1d14247a0a9267bdfd6e9f71f3fe7a5f
Opcode Fuzzy Hash: 8cae2dfed803a42386a1a9b71153181bf4e9d2215799755611f9cc7d5ecd9a19
Instruction Fuzzy Hash: 86E0123264C318EB83249A7968215B67BAEA748313B108157EF0BE6E48D9619D4106A6

Function 08F58140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bfa04f190e93b6812d508fa25bfda34d803753c238c75150fbf04cde5bad329
Instruction ID: 5dfbea12364899234507cfcd91db230d109b8024b2bc935f278f5805c857b6f7
Opcode Fuzzy Hash: 2bfa04f190e93b6812d508fa25bfda34d803753c238c75150fbf04cde5bad329
Instruction Fuzzy Hash: 7DE0D874518745CFD302EB74C8257277BB0EF46205F15C49BD9A68B6A7CA309C0BC761

Function 08DB11B8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed906ebda1b247b3793ba89edf785b35bfabc81fcf01a560eabd784488e4e9b
Instruction ID: ce248dfe7fac7115ada07ddc3f166883ae417b9660f27af45f01864a104e8497
Opcode Fuzzy Hash: 9ed906ebda1b247b3793ba89edf785b35bfabc81fcf01a560eabd784488e4e9b
Instruction Fuzzy Hash: BDE046B0A00289EBCB04EBB8E905AADB7B9EB44240F1046ADD905A3251DA746E00AB81

Function 08F5B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18ec538f4e2ee8996a32f32f7ac6e17bd9e7b23eefafce9f17240714aa81985
Instruction ID: ea596c979cf78d2d45e6e14441db474663f703cbe6dcf80042fbd987457559ac
Opcode Fuzzy Hash: f18ec538f4e2ee8996a32f32f7ac6e17bd9e7b23eefafce9f17240714aa81985
Instruction Fuzzy Hash: EED05E23A0C14CDBC620E6B9944167ABFE8A7442337004886DF0BC3304DB31890283F3

Function 08F50DF1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5578115240757291ae7c15c7e385be7a628c522359acd2ef6065419dc33e6921
Instruction ID: 9cccada1b2d9e8f69c83bd2b5fa36f9bd40b3bd733272e40f4117219b35df1a5
Opcode Fuzzy Hash: 5578115240757291ae7c15c7e385be7a628c522359acd2ef6065419dc33e6921
Instruction Fuzzy Hash: 56E08C30800B0CEECB40EE74C84969A3FE8AB02312F00C12AEA49DA000FA30D2D5CF81

Function 08F59D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee280f00044ecd04a0a2777ed5cb748048c516bda99e23d61997337c64f94dd
Instruction ID: 023296e92c7a86a60e98ff134075aaf501f63eba489a665913e73ec8c5593a07
Opcode Fuzzy Hash: 5ee280f00044ecd04a0a2777ed5cb748048c516bda99e23d61997337c64f94dd
Instruction Fuzzy Hash: E6D0A73330C104C7CA5C36787509A39BFA7AB80313B004062DFCB8678FD9E688128692

Function 08F5C093 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c3a0b3018e35fccf61988701f04509587a0c4870ea41ff7501ad68d5f03643
Instruction ID: 5a57e30448732a012606ae5ed1ca39e6f296beb1a7dd30b33ed7aad59c292459
Opcode Fuzzy Hash: 43c3a0b3018e35fccf61988701f04509587a0c4870ea41ff7501ad68d5f03643
Instruction Fuzzy Hash: 93D05E0320D3C4CFCB0292B8192407D3F3AAB8A30B31545CBCB4BCBC57C55508068763

Function 08DBB3C4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50663d2f738a55482a53e32c76245b654459dfc36f6f9bb33de3474722231fb3
Instruction ID: d64ad07e400987a8b7e686ebdb22a32c2215a53149a91f672a83504b57692cde
Opcode Fuzzy Hash: 50663d2f738a55482a53e32c76245b654459dfc36f6f9bb33de3474722231fb3
Instruction Fuzzy Hash: EEE08C38A01340CFC3189F69F0408AA3BE6FF9621630584BFD04A8B730C632D881CB40

Function 08F5AE9E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af67402ee27d654b32fea67891edc4bc3e8238337e8c47faaa068c7e42bb8e2
Instruction ID: 6e5c1af946c5a09b33aecc2b0a4acbf6bc3cf08bbe01ecb50da909f920f4336c
Opcode Fuzzy Hash: 0af67402ee27d654b32fea67891edc4bc3e8238337e8c47faaa068c7e42bb8e2
Instruction Fuzzy Hash: 94E08CB1D08789CFD305CF75886226EFBF1BF82320F14816AD52496266D7304946CB92

Function 08F520D0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b558765b2b31894dc0900fd29da24a1f9896e70df1a684718a8c474e305aac8
Instruction ID: da5ec843c3b9edede951aa5d37732bbaab3b1e8625c02c233851918ded63e514
Opcode Fuzzy Hash: 8b558765b2b31894dc0900fd29da24a1f9896e70df1a684718a8c474e305aac8
Instruction Fuzzy Hash: 13D02E22B142088B8300AFB190073BA3A9AAF82202F029028E60AC7281CF30C901DB01

Function 08DB9219 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb4aa229015a0c9f9222224647b56cf06317179b5b6c6e34c8c45250336a9d0
Instruction ID: 2c2775ab77475b9f056ae1fdc3a415d64753b398f0d538986e159456ed8d94bd
Opcode Fuzzy Hash: 1bb4aa229015a0c9f9222224647b56cf06317179b5b6c6e34c8c45250336a9d0
Instruction Fuzzy Hash: 2DE01230149284AFCB478F34C4A5CAD7FB19F1721070580FAE985CF263C631890ACB51

Function 08F50DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1f8e00b94794525d3532e28338de7de11cbf36a8daaa766a093463f454167
Instruction ID: 85d560045c5ffdd667b18913779a8bcd7047a2e87b2bfa98f4d410186dd67579
Opcode Fuzzy Hash: 63d1f8e00b94794525d3532e28338de7de11cbf36a8daaa766a093463f454167
Instruction Fuzzy Hash: 13E01271810A0CDECB40EF75D94459E7BE8AB15311F50C53AE94DDA110FA30D2D5CF81

Function 08F5C2E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1a944541a1f1cc03924e77e302a76494a4d757c2b4bfc4b82bf2a449a0707f
Instruction ID: c7ae9a0269741b3cabb08a530456a9d18d49b257c5c71c2cdc2c55e16366e85a
Opcode Fuzzy Hash: fa1a944541a1f1cc03924e77e302a76494a4d757c2b4bfc4b82bf2a449a0707f
Instruction Fuzzy Hash: 90D0C92610E3CD9ED75262B8646B0B97F382E0351331A01D7EA879D993C90944D6C3F3

Function 08F520D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1296a71bd26f908a8fb994903fe848263314d6f6da82924ecd5dfac1fb17ed3
Instruction ID: 2cc8e1d1ab43a070cedd679c959ea5efcf870de5afe5fd1fe89f433ddcdd2e92
Opcode Fuzzy Hash: b1296a71bd26f908a8fb994903fe848263314d6f6da82924ecd5dfac1fb17ed3
Instruction Fuzzy Hash: CFD0A73171020C8B93002FB2940737637DEAB85601B419014F70AC3180CF34E901C711

Function 08F56681 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962a9f0140bc34cac20381f2ee39f688ad4294788088c18fe693b47205deb380
Instruction ID: cf3ab81879213a0df4608d84b1990a77052ad777e271866f85accd0650582703
Opcode Fuzzy Hash: 962a9f0140bc34cac20381f2ee39f688ad4294788088c18fe693b47205deb380
Instruction Fuzzy Hash: 8FD0123600D7DE9FC31216B0B80A4F77F385A1313638600D7E956CD853DA1E58E087A7

Function 08DB91EE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0311af299bbcff575a9914484068a8f61e30bd1b5e3c19790ad214fc4514296f
Instruction ID: 9b0b4ce9dd2c5875dee7e14dbdbb5acb3ec47c5954793db7d37d165687e59e68
Opcode Fuzzy Hash: 0311af299bbcff575a9914484068a8f61e30bd1b5e3c19790ad214fc4514296f
Instruction Fuzzy Hash: 80D0A7254083984DC703F63C84580CC7FB06E4313070507AAD0D5DF0A2FA14058DD3A2

Function 08F5C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f433d4f5ae448435bb8b3e59242934b2b916fa031d22d5adcaf7b4bbf1525a7
Instruction ID: fb2d3b6c9ad556541eedd97edcc611e94f66772b857f56b939882cac53c6e51f
Opcode Fuzzy Hash: 5f433d4f5ae448435bb8b3e59242934b2b916fa031d22d5adcaf7b4bbf1525a7
Instruction Fuzzy Hash: F3C08C1320C30CCB8804A1BC2C1443C3A7E2B883073104107CF0FC3D0ACE12480106A3

Function 08F5BCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042db73e0ba947289a88a77adc050f213de117fea4d6da0d1a042970b3fff5a9
Instruction ID: 93600a0acd70c00051cf798fef8be2c598e726da3984ef66db6a3f290fdd29a1
Opcode Fuzzy Hash: 042db73e0ba947289a88a77adc050f213de117fea4d6da0d1a042970b3fff5a9
Instruction Fuzzy Hash: 5AD0CAB28082A0DFC300CBA1ED9A8883BF0FE1E211308299AC4068B222D320A8119B80

Function 08F5E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da55d1c159b2c771a3101afbd61ed3f5ed3b19492ecf60ab75576bbc78e2356
Instruction ID: 3f7f4f483d388f25f1e8154e72638e860e6f6a72e02b680801f46c8c73d7bbe0
Opcode Fuzzy Hash: 6da55d1c159b2c771a3101afbd61ed3f5ed3b19492ecf60ab75576bbc78e2356
Instruction Fuzzy Hash: B1C02BB000134AC7C3502FF4F90E76837689B00313F810034E90D90030CBB854C0CA36

Function 08DB9228 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311791642.0000000008DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8db0000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 08F5C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de7cbb6e08c4005e11d7451f21fab4de35cf6993a774f42d2d5cb1e4afe638d
Instruction ID: a458aff82b15fd8ac78e34a50cd0ca013a04a007882b1ac85f47e9e650fbc206
Opcode Fuzzy Hash: 6de7cbb6e08c4005e11d7451f21fab4de35cf6993a774f42d2d5cb1e4afe638d
Instruction Fuzzy Hash: 1AB0122700C30CC2451021F8202B135362C3304A037000116EF0F70800D941145300F3

Function 08F5B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1dba68fc62f121a8215ab36963ddde51b0ee5e70118c203da45c6950152ff2
Instruction ID: 41ae043d62cfe614ab6b52f727e7f74ef6ca1c85972be409410f41ab35c22ded
Opcode Fuzzy Hash: 3c1dba68fc62f121a8215ab36963ddde51b0ee5e70118c203da45c6950152ff2
Instruction Fuzzy Hash: EAC04CB1B50259AFDB118A71EE5ED6D7776AB05A21F101524EB1266194D76045018A40

Function 08F5770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ef894d74df497e62003f3079264dce54eac0918331f71dc97daa512c65338d
Instruction ID: 4ab198637c4cb3a0f65f4743801332b79e54a2b2abf0e7d907e4b09e1aa4b3a7
Opcode Fuzzy Hash: a8ef894d74df497e62003f3079264dce54eac0918331f71dc97daa512c65338d
Instruction Fuzzy Hash: 9DB0123A199500E351007BB45C89D3A7C50EBB1B02B409E157F0800070DA714539E627

Function 08F56690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2311951594.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f50000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6eb7ffd04028ea3001bbf60ab69376685b1c87995f54d45a777f448537256bd
Instruction ID: b59d7e19dc414109460fb0c288d1462e93d9e863f7d08c49e8f4d0e5ff877e95
Opcode Fuzzy Hash: f6eb7ffd04028ea3001bbf60ab69376685b1c87995f54d45a777f448537256bd
Instruction Fuzzy Hash: B7A01122008A0CCA820022A0B00E03B3B2C222222A3C00020EE2B8C000BA2F3830088A

Analysis Process: NotepadUpdate.exePID: 4896, Parent PID: 3840COMMON

Execution Graph

Execution Coverage:	24.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02E22E7A Relevance: 2.0, APIs: 1, Instructions: 454
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E23359

Memory Dump Source

Source File: 0000001B.00000002.2451964809.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2e20000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 00678048a4ffc5229eab75b20b67b85ae0548db7e208bc08354699e25b650e76
Instruction ID: 9e3199a1d60fe6a8543a6f13d669d067e639d53c34a0de1104304f285d84a50e
Opcode Fuzzy Hash: 00678048a4ffc5229eab75b20b67b85ae0548db7e208bc08354699e25b650e76
Instruction Fuzzy Hash: 77E1C532F4536547DB14CABD8CD03AEB3E76FC8224F58D269E916DB384EB7898059B40

Function 02E232D0 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E23359

Memory Dump Source

Source File: 0000001B.00000002.2451964809.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2e20000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0760e1c67722b9600b333fdc54e2d6e6825ff994ac6135be9ed6f74387c556a0
Instruction ID: 4a13bd84a495bef2b2e56a33ffdd0c2e1c43ee5145dd9cf974b99431292918a1
Opcode Fuzzy Hash: 0760e1c67722b9600b333fdc54e2d6e6825ff994ac6135be9ed6f74387c556a0
Instruction Fuzzy Hash: 2E21F2B1D013499FDB10CFAAD980ADEFBF5FF88310F20842AE519A7250C775A910CBA5

Function 02E23397 Relevance: 1.6, APIs: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02E23359

Memory Dump Source

Source File: 0000001B.00000002.2451964809.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2e20000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 41d86983071981d8bffdfa2f83c990a839a9187ce96eeb9fcdc618adfa666e15
Instruction ID: af94cafa35c6653d646acc881644476244af4bdafc4f953bedcfcf3b17b17691
Opcode Fuzzy Hash: 41d86983071981d8bffdfa2f83c990a839a9187ce96eeb9fcdc618adfa666e15
Instruction Fuzzy Hash: 5A1101729002599FCB01DF69D8007CEBBE2AF88314F14C41AE059E7250DB398845CB51

Analysis Process: NotepadUpdate.exePID: 280, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	234
Total number of Limit Nodes:	12

Executed Functions

Function 02E9D570 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E9D5FE
GetCurrentThread.KERNEL32 ref: 02E9D63B
GetCurrentProcess.KERNEL32 ref: 02E9D678
GetCurrentThreadId.KERNEL32 ref: 02E9D6D1

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aac86d6f63577f1b57d1e90ffb2b9075e713187f76e282243a9d6bd1c606244c
Instruction ID: 81bbd07b7468c72ca3a50fedc1bc1c900b97476d187f842650bc957ffa3b82d3
Opcode Fuzzy Hash: aac86d6f63577f1b57d1e90ffb2b9075e713187f76e282243a9d6bd1c606244c
Instruction Fuzzy Hash: 0F5166B1900349CFDB14DFA9D948BAEBFF1FF88318F20845AE009A7261DB746944CB65

Function 02E9D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E9D5FE
GetCurrentThread.KERNEL32 ref: 02E9D63B
GetCurrentProcess.KERNEL32 ref: 02E9D678
GetCurrentThreadId.KERNEL32 ref: 02E9D6D1

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a18f1325d1592bed78fe743824cd4593934cb8c7f3383b21430527b36862335c
Instruction ID: 0e46e4a3636a9287bcac2da72d8e401a95597b1749824342855df80261132cd3
Opcode Fuzzy Hash: a18f1325d1592bed78fe743824cd4593934cb8c7f3383b21430527b36862335c
Instruction Fuzzy Hash: 9F5135B190034ACFDB14DFA9D948BAEBBF1FF88318F20845AE019A7251DB746944CB65

Function 07BE5CDC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07BE5F1E

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ac42d6270f037f5a4e88751b49c5fc9b47d48c6a5e09c7122db68cfb84686210
Instruction ID: b0dbb6b7d5d331251fe52680c73ab7b3a890eeacc655403b9247e0decff03089
Opcode Fuzzy Hash: ac42d6270f037f5a4e88751b49c5fc9b47d48c6a5e09c7122db68cfb84686210
Instruction Fuzzy Hash: C6914AB1D0025ADFEB24CF68CC44BEDBBB6EF48314F1485A9E818A6240DB749995CF91

Function 07BE5CE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07BE5F1E

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5287840ec6ad5dcd7900b9c9505397ba347a83b880a660a8f8e3ab3029c37996
Instruction ID: 9d2942862f9f6a907282161a04b5ad16b980a9b0936562abb0a28a2daf7371ac
Opcode Fuzzy Hash: 5287840ec6ad5dcd7900b9c9505397ba347a83b880a660a8f8e3ab3029c37996
Instruction Fuzzy Hash: 5B914AB1D0021ADFEF24CF68CC44BDDBBB6EF44314F1485A9E819A6240DB749995CF91

Function 02E9B300 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E9B566

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88df20367b01732169a99a6c67592cfc3848f96d526d9c010cf552b971e6b479
Instruction ID: 9d4a6af83098040d53094a972abf7df26ef4e20b4d2596f512fad4fb8ce211b3
Opcode Fuzzy Hash: 88df20367b01732169a99a6c67592cfc3848f96d526d9c010cf552b971e6b479
Instruction Fuzzy Hash: 63811670A00B058FDB24DF69E44479ABBF1BF88308F10892ED486DBB50EB74E945CB91

Function 02E9590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E959C9

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 31c98d9de099ee9fe7c522a40da962fb60d9dc682acceaebd6826c9c8f76cb1d
Instruction ID: bf7fc2546e704ddd73580c7a820fd088b8cae1bc604ced2661fa1479ab4ae052
Opcode Fuzzy Hash: 31c98d9de099ee9fe7c522a40da962fb60d9dc682acceaebd6826c9c8f76cb1d
Instruction Fuzzy Hash: 3B41E1B1C00719CFEF25CFA9C984B9EBBB5BF48304F64815AD408AB251DBB56949CF50

Function 02E944B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E959C9

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 444c7b30255821fbd0e72da52f855b453c9905cd1d83b13ab9b65f4e83c606a8
Instruction ID: aa5da908d767e06a1fb38f20163691398d522b4bcf16113d64cba2fe718ca7bb
Opcode Fuzzy Hash: 444c7b30255821fbd0e72da52f855b453c9905cd1d83b13ab9b65f4e83c606a8
Instruction Fuzzy Hash: CB41DF71C00719CFEF25CFA9C984B9EBBB5BF48304F60805AD408AB251DBB56949CF90

Function 07BE5A59 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07BE5AF0

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 66ba5d4bb380ae6a5916e4a0c7a55b7dc18b00d004d6771b8480bdd1404ae688
Instruction ID: 431eb2f27c5df785758cd4e217266024aa212814bead8e50bd23837e223b8a4b
Opcode Fuzzy Hash: 66ba5d4bb380ae6a5916e4a0c7a55b7dc18b00d004d6771b8480bdd1404ae688
Instruction Fuzzy Hash: 292128B19003599FDB10CFA9C885BDEBBF5FF48314F10842AE559A7340D7789950CBA5

Function 07BE5A60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07BE5AF0

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 666107f07a0dac79840b5d0ad67b8556f3937ed4b75cbe5a7341d159c1823ce1
Instruction ID: 7484c3d6db74a5264909dea894bc5f67570d627655f8f73cdce4422d5ba2b847
Opcode Fuzzy Hash: 666107f07a0dac79840b5d0ad67b8556f3937ed4b75cbe5a7341d159c1823ce1
Instruction Fuzzy Hash: 342126B19003599FDB10CFA9C881BDEBBF5FF48314F10842AE959A7240D7B89950CBA4

Function 07BE5B48 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07BE5BD0

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f5a39d0cbdeba3ec7d4fa1ca969798968b006176d681562985365a519f37e57b
Instruction ID: 3678083420ce979dabbe748fb01fdd3697913751084d7fded0bd4a23def64f83
Opcode Fuzzy Hash: f5a39d0cbdeba3ec7d4fa1ca969798968b006176d681562985365a519f37e57b
Instruction Fuzzy Hash: AD214AB18003499FDB10DFAAC881BDEFBF4FF48314F10842AE558A7240C7789550CBA1

Function 07BE58C0 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07BE5946

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d1bfa2778e4a4684c4a98372b56b5624ab6cde151b16e1273d4fc743e35e64df
Instruction ID: fd38242cd7936af06a8168df512a9f2b9622a9a198af634fc2c3293b3bb0424f
Opcode Fuzzy Hash: d1bfa2778e4a4684c4a98372b56b5624ab6cde151b16e1273d4fc743e35e64df
Instruction Fuzzy Hash: CB216DB59003098FDB10CFAAC4857EEBBF4EF48324F14842AD558A7380C7789554CF90

Function 02E9D7C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E9D84F

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0728045341f2e344d772a1037525b5c30bc52b9d906fc833cb7582b4e48b7c57
Instruction ID: 35621557798160bbf08b0bf5d352d8779ff40074cecc1cd8cfb3e4f1f19ffa9d
Opcode Fuzzy Hash: 0728045341f2e344d772a1037525b5c30bc52b9d906fc833cb7582b4e48b7c57
Instruction Fuzzy Hash: 902103B5900219EFDB10CF99D984AEEBBF8FF48324F14845AE918A3310D378A950CF60

Function 07BE5B50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07BE5BD0

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 73b58a76486d0f29be35cefe94e41aefd7fb423525c0315f7c28ba8c6895a799
Instruction ID: bd41be131f2650941babf41b0f4a58cfb5a4c05b4a9e6da9da7f6d6ae1041a73
Opcode Fuzzy Hash: 73b58a76486d0f29be35cefe94e41aefd7fb423525c0315f7c28ba8c6895a799
Instruction Fuzzy Hash: AD2128B18003499FDB10DFAAC881BDEFBF5FF48314F14842AE558A7240D778A550CBA5

Function 07BE58C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07BE5946

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0ccc09457d048d52736f602c900957a962ad36771418a19f121f8d9ca175b9d3
Instruction ID: 4a6c2620133dfa74d830e3ddd8eecdeb9294cec4fbfa0f40e45df72ece8e495e
Opcode Fuzzy Hash: 0ccc09457d048d52736f602c900957a962ad36771418a19f121f8d9ca175b9d3
Instruction Fuzzy Hash: 87213AB59003098FEB10DFAAC8857EEBBF4EF48324F14842AD559A7340D778A944CFA5

Function 02E9D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E9D84F

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5b13730f5d9055f8017a8ae3c658be0593165f45481bfce76d4888a6fdcb01c6
Instruction ID: 68b6a1eeaa37c69361adf90aa8d4a0df608eb3621bdbc61c3552d5e36681d6a9
Opcode Fuzzy Hash: 5b13730f5d9055f8017a8ae3c658be0593165f45481bfce76d4888a6fdcb01c6
Instruction Fuzzy Hash: 5621E4B5900249DFDB10CF9AD984ADEBFF8FB48324F14845AE918A3310D378A950CF60

Function 07BE5998 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07BE5A0E

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 10361a3c9b45119d2b2dfd3fd4f8a0a223b08a2c0c0a8da7d0c7490a85afd7e7
Instruction ID: 42dd25fdb071a4658f53839b7b1a543c13dcafe9204b12ad65c954cfa65cc4f9
Opcode Fuzzy Hash: 10361a3c9b45119d2b2dfd3fd4f8a0a223b08a2c0c0a8da7d0c7490a85afd7e7
Instruction Fuzzy Hash: 0F115CB29003499FDB10DFAAC845BDFBFF5EF88324F148819E515A7250C7759550CBA1

Function 07BE59A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07BE5A0E

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4528f11193a2ccf5b01ac106f85cbcd33311c63e0ab7c025bb0a69b920064b9
Instruction ID: 3e01d6540a9a1e61fc0adc0f3b899b6de96ce75e7c11f3cfc423a959c14c846a
Opcode Fuzzy Hash: c4528f11193a2ccf5b01ac106f85cbcd33311c63e0ab7c025bb0a69b920064b9
Instruction Fuzzy Hash: 201129B29003499FDB10DFAAC845BDEBBF5EF88324F148819E515A7250C775A550CBA1

Function 07BE5811 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07BE587A

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c53bda608684a57a4ef446e10150d493170b57d2d92344ee21df1ef696af3cb7
Instruction ID: 3f34ce1852b3dc85bdcec0bd715c3ad5e3a514737b1a2815682cf006e2bcd918
Opcode Fuzzy Hash: c53bda608684a57a4ef446e10150d493170b57d2d92344ee21df1ef696af3cb7
Instruction Fuzzy Hash: 42112EB1D003498FDB20DFAAC4457DEFBF4AF88724F148459D519A7240D7796540CB95

Function 07BE5818 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07BE587A

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6be0f86c8511d8afc104d0e884f1ff3c47ba66a74bcb0533ba1545172ceb3a5d
Instruction ID: ff891bdf107ab9dc215db9cc4024b854a958478f7a8143ee4e68129cc5cd2978
Opcode Fuzzy Hash: 6be0f86c8511d8afc104d0e884f1ff3c47ba66a74bcb0533ba1545172ceb3a5d
Instruction Fuzzy Hash: 46113AB1D003498FEB20DFAAC84579EFBF8EF88724F24845AD519A7240CB79A540CB95

Function 02E9B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E9B566

Memory Dump Source

Source File: 0000001E.00000002.2427529329.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_2e90000_NotepadUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3059ecbd2ff2ef941d058372f6585c05f5ce47d39c14354dffa41fbb74e568e6
Instruction ID: 52411a4cb2bbec41d5a34409bf2de97427947e25c87200797468e33463829b53
Opcode Fuzzy Hash: 3059ecbd2ff2ef941d058372f6585c05f5ce47d39c14354dffa41fbb74e568e6
Instruction Fuzzy Hash: 7E110FB6C003498FDB10CF9AD444A9EFBF9AB88328F10841AD418A7210D3B9A545CFA1

Function 07BE8FB8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07BE901D

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d8aa40bb4cb84b91ad9ffd9195d0de767f74b111afd8cb8fab8ff7ea5522f397
Instruction ID: 26ae9e0815fc76645acb077fc200dea011977fa92fd9c40cf8b402e369831b8f
Opcode Fuzzy Hash: d8aa40bb4cb84b91ad9ffd9195d0de767f74b111afd8cb8fab8ff7ea5522f397
Instruction Fuzzy Hash: 1B11F5B58003499FDB10DF9AD485BDEBFF8EB48324F10845AD514A7601D3B9A984CFA5

Function 07BE26FC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07BE901D

Memory Dump Source

Source File: 0000001E.00000002.2441119493.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7be0000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e028036ba625680b0c26b89fa4310f24e05c88c516e99bcf9f860f9ba2fb0319
Instruction ID: adc19a904992c23a75722abf83823588be00b598c8e84b86543645f886688ce5
Opcode Fuzzy Hash: e028036ba625680b0c26b89fa4310f24e05c88c516e99bcf9f860f9ba2fb0319
Instruction Fuzzy Hash: 6911F5B58003499FDB10DF9AC884BDEBBF8EB48720F10845AE515A7301D3B9A944CFA5

Function 07916D8D Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

G, xrefs: 07916D34

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: bdec0d859674e3463be1cd143e570dcb2747584ac23d5564ab49bd33fa0b7e9c
Instruction ID: 2e0b4e0cefcbb9a2bd49fb97e274b7fd90ce4ff6010e9aae335813d401c9d81e
Opcode Fuzzy Hash: bdec0d859674e3463be1cd143e570dcb2747584ac23d5564ab49bd33fa0b7e9c
Instruction Fuzzy Hash: 96417EB4E0420EDFCB05DFA8C8405EDBBB5EF49358F1089A9D512AB250DF719A25CBA1

Function 0791837F Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

8, xrefs: 07918413

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 5653875d37d30067945de98b94bd9a7a3eed8a4d410c52f433328c6fd90290c7
Instruction ID: 465766df916f07bef0899a131cf39e36c60e66926af1cb7861ee32468e5d7e81
Opcode Fuzzy Hash: 5653875d37d30067945de98b94bd9a7a3eed8a4d410c52f433328c6fd90290c7
Instruction Fuzzy Hash: BBF0FCB0B1420DDFFB244B78D814B7E3765EB41328F044866D4439B583DAB48422D7E6

Function 0791839F Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

8, xrefs: 07918413

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 480ea2431e267be37d7ba31127e855fb18a11e7f9b41b82686d9b965de867a53
Instruction ID: abff8d060c9c24ef80f6344385628a959f3ca9321b441c5c1d5be6b08cc56906
Opcode Fuzzy Hash: 480ea2431e267be37d7ba31127e855fb18a11e7f9b41b82686d9b965de867a53
Instruction Fuzzy Hash: 0DF0C8B0750209DFEB208A24DC66BA97361EB5072CF184892DC069F682E6F09861D7D2

Function 07916D20 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

G, xrefs: 07916D34

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 55d9a1437531b31d4575f0a82ab744306c7ca3e02e3f4028ab9049b1cec02db7
Instruction ID: acefe520e2c3fcc8fb4676f0398b0ddd15490d1b5ea01554946193f8c46d0424
Opcode Fuzzy Hash: 55d9a1437531b31d4575f0a82ab744306c7ca3e02e3f4028ab9049b1cec02db7
Instruction Fuzzy Hash: F5D02BB590C2089FC306CE10AC010FCBB39CB43224F0400C3D508D7542CF344E2447E6

Function 07916D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07916D34

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: eb16613286d662b2c4de9ee8a6f0854bda349ac3474af5675745fb61637da9df
Instruction ID: 0615867f1678cbd2079c1cd5eaa4093b564fb5151ccc29357bf0d9ee0db0856e
Opcode Fuzzy Hash: eb16613286d662b2c4de9ee8a6f0854bda349ac3474af5675745fb61637da9df
Instruction Fuzzy Hash: 3BC012F1A0810CEBC704CE90DD0662CB7ACD702219F000488D90E43600CFB51E309B86

Function 07913478 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be8e409ce9f10e1b21397e2c69fa9923e41f835ef3ac65487bea1eeae53a54
Instruction ID: 3ea2620b7c09c0e6d08a6948dacaba4be214be55cf01585bc87fc1a4139dcdef
Opcode Fuzzy Hash: c5be8e409ce9f10e1b21397e2c69fa9923e41f835ef3ac65487bea1eeae53a54
Instruction Fuzzy Hash: BAE1D1F0F0020ADFCB16AB68D4486AEBFF5EF86218F5544A9D446A73A5D730C871CB81

Function 07910480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c12d847773eb70736c85a744ce1db5064ebc2e46e841126da6659ba7f53ab2
Instruction ID: 066278bc2fe5e1a307a20201eb92d94b8e714f57b5505c008576c88208a189e1
Opcode Fuzzy Hash: 84c12d847773eb70736c85a744ce1db5064ebc2e46e841126da6659ba7f53ab2
Instruction Fuzzy Hash: DAF1E775D1061A8BCF10DFA8C854AEDB7B5FF48300F1086A9D94AB7254EB70AA85CF90

Function 07910471 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00fc31e27745588219f399d573ab8b1ad0ce77940a1a625b6b9486bbf23556e
Instruction ID: b824be2bf4b4eb36dfacf87eab0f7704c14830bd08dbcc7cdf4e224d5db7ac5f
Opcode Fuzzy Hash: b00fc31e27745588219f399d573ab8b1ad0ce77940a1a625b6b9486bbf23556e
Instruction Fuzzy Hash: 51E1E875D1061E8BCF10DFA8C9546EDB7B5FF48300F1086AAD94AB7254EB70AA85CF90

Function 07914AA1 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a6d3a26d1dccbb27a4e596dcc2c0c26ed02a61a898be1ec53c330e0553554a
Instruction ID: 18730940ac8064a23e7ef906c36aa7fef64ae3779e4ddf78d2c842183c3d7a12
Opcode Fuzzy Hash: 05a6d3a26d1dccbb27a4e596dcc2c0c26ed02a61a898be1ec53c330e0553554a
Instruction Fuzzy Hash: 2DB1E675910619CFDB10EF68C840A9CFBB5FF49304F05C699E949BB211EB30AA99CF90

Function 07912AD8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457b0a2e08db911f7eee6b59197c86164f2acd78488a8753cf7fef6522790f28
Instruction ID: 1bf311e6475891b77a4ed2a26905ae8065d69cc114208d4b230262862eca168b
Opcode Fuzzy Hash: 457b0a2e08db911f7eee6b59197c86164f2acd78488a8753cf7fef6522790f28
Instruction Fuzzy Hash: 45719DB5B002198FDB18EF69D8047AEBBF6FFC8314F108469D506A7240DB389D05CBA5

Function 07912D98 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc7bd576e0ee48b9012a43ba76c515743e1c0484c60ca4cd778b8dcee479454
Instruction ID: 0663f46326ca0d358da42571c237ad8b15f9091c594d0d9ea6c7d8b8fba01b3e
Opcode Fuzzy Hash: 0dc7bd576e0ee48b9012a43ba76c515743e1c0484c60ca4cd778b8dcee479454
Instruction Fuzzy Hash: 1971B1B070020A9FDB25EB69D8447AEBBEAFFC8314F108429E50697390CF759D51CB50

Function 0791778F Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b234e2ccd1dcbda3737755cf3cc0fea99deee68e76d4e20494eaa6f41abbd7
Instruction ID: aa9a052c20bbd8d580358412003c287a8c9ad7767f7dd0b4ae1b613a479d529b
Opcode Fuzzy Hash: 06b234e2ccd1dcbda3737755cf3cc0fea99deee68e76d4e20494eaa6f41abbd7
Instruction Fuzzy Hash: 7371F034B042459FD701ABA8E455AAEBBB2FF89300F0485E9D8859F387CB746D4AC7D1

Function 0791ED18 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2d2a9785abdc363b8f8eea5881a04824a3843de39738386ebf92d95d3b8e5c
Instruction ID: 5b7ea0ef014e24c401fcfb44a50fdac342de6d60f8fe0ecf6a059033bf7dd44b
Opcode Fuzzy Hash: 1f2d2a9785abdc363b8f8eea5881a04824a3843de39738386ebf92d95d3b8e5c
Instruction Fuzzy Hash: 4271F2B4E1420DCFDB08CFA9C884AEDBBB6BF8A305F14842AD819AB355D7705946CF50

Function 079177C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb9d8c138c57a1bad39ec057b07ca89290477ad1f3972e3b52d89daec7cafe7
Instruction ID: df138673a89b4246319f89317dac876612b026cf67daf2d24152c99ae4a0fa9f
Opcode Fuzzy Hash: feb9d8c138c57a1bad39ec057b07ca89290477ad1f3972e3b52d89daec7cafe7
Instruction Fuzzy Hash: 6B618234B041059FD704AFA8E455AAEBBB2FF88300F1489A9D9855F386CF746D46C7D1

Function 07910C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79f7003edd7233866e5125a1f3a7a4bac17d6f27db9c5b78c560b9bba26fd2e
Instruction ID: 1a8416fe3be86487db11cb60f1ede0794b0668b2d37ef6127dc673f4a3bb2ace
Opcode Fuzzy Hash: a79f7003edd7233866e5125a1f3a7a4bac17d6f27db9c5b78c560b9bba26fd2e
Instruction Fuzzy Hash: 89512C74A1060ACFCF14EFA8C8809ADF7B5FF89314B518669D456B7314EB30E985CB50

Function 07911800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224e5314f3eabf5dd317acc37a8849f28bcdd66bdd0ce41359f843bad69fdf11
Instruction ID: cc4b8e8d9acf3ba2b18fc93a480b588f0e373d440fa01a5a5b96a9729ea4179b
Opcode Fuzzy Hash: 224e5314f3eabf5dd317acc37a8849f28bcdd66bdd0ce41359f843bad69fdf11
Instruction Fuzzy Hash: 26419DB0B1160EEFDB18DF78E444AAEBBBABF85304B1484A9E50297780DF35D811CB51

Function 07910E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db5eaca0a04e197d8b04e60b87088a0782850363b83533ecd791bc8299b63a1
Instruction ID: 6ef43aa0e498430324fc802314f49195c4afc4a704deb58910bbbb3fa43f4792
Opcode Fuzzy Hash: 2db5eaca0a04e197d8b04e60b87088a0782850363b83533ecd791bc8299b63a1
Instruction Fuzzy Hash: 1E518335A10609CFCB00EFA8D8849EDFBB5FF89304F00855AE516AB321EB71A955CB91

Function 07910C2A Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497712fdd81b684ec2e08cf46fbac4d28ecb3a46801504ace5cc5f743e13687a
Instruction ID: 88516d731f37c2db05e6ccceeeea8deca1213483b003a56b739638721b116d54
Opcode Fuzzy Hash: 497712fdd81b684ec2e08cf46fbac4d28ecb3a46801504ace5cc5f743e13687a
Instruction Fuzzy Hash: 37416D75A0070ACFCF14EFA8C8805ADF7B5FF89314B118669D856A7311EB34E995CB80

Function 07917A46 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81660fb04fe0927fcd0dd1fff107fd9ebf7055bd2a4f898365f2e38efb4cacec
Instruction ID: 204bbba105d9841e90b6e0305732d01bfa9ca06e1df5eb05071e958b53592656
Opcode Fuzzy Hash: 81660fb04fe0927fcd0dd1fff107fd9ebf7055bd2a4f898365f2e38efb4cacec
Instruction Fuzzy Hash: 4141EC7061C39A8FC74597B5981816D7FB2AB86229F004897D643C7382DBB84D51CBA2

Function 07919250 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f06be38c7b84ff740f6705a7b841c4c147476efc30be57206d570bf9f1b60f
Instruction ID: 4e669b8785d2451f6bf7e5d297b035930167403d72287e6c864cfc5ba0161482
Opcode Fuzzy Hash: d2f06be38c7b84ff740f6705a7b841c4c147476efc30be57206d570bf9f1b60f
Instruction Fuzzy Hash: 1131F8F4B1828EDFDB049BA4842057E77B5EBCA228F114C56D503AB3C5DAB56C1387A2

Function 07911198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821eb1563abc35f529f7b936c43b3216cd9e5b99705a28cb2b818b2ff3c6d869
Instruction ID: 59ce5505c0e5f714d0119cab99730d14618fbaf15a8011deb068b48b209d528c
Opcode Fuzzy Hash: 821eb1563abc35f529f7b936c43b3216cd9e5b99705a28cb2b818b2ff3c6d869
Instruction Fuzzy Hash: FE319071E1021DEFDB18DFA8D84459DBBB6FF88310F00856AE601A7360DB709C51CB91

Function 07916B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f53d9d323491d872130d6a0ecf50cf1e3c2432b7472d678acaf786e62a1907
Instruction ID: 0ee3b8ee2da430e8de2c45ffad343fa7d28b5b6dd098963bcb043bef5a819131
Opcode Fuzzy Hash: 04f53d9d323491d872130d6a0ecf50cf1e3c2432b7472d678acaf786e62a1907
Instruction Fuzzy Hash: 7531C1B4A0410DCFD714DB68D4507AA7BB6EB86318F14882AC616AB381CFB99C52CB91

Function 0791A2E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c636d7fbecd15e00feb06602e7a17f9cec0a179976f146ca119d462690abb1
Instruction ID: 82c6eb54bc167125b5fe753e2015bce69340835deb82cce51dbe8f3b9cd2f28b
Opcode Fuzzy Hash: 81c636d7fbecd15e00feb06602e7a17f9cec0a179976f146ca119d462690abb1
Instruction Fuzzy Hash: 773158B19002099FDF14DFA9D884ADEBFF9EB88324F10842AE508A7310D774A955CBA0

Function 079117E3 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aaa79960a5e2be4101256e470a625c028527e816b162db89364fc385888f1f7
Instruction ID: f4562be58cb982c40cda695c90ca98e492f3717c19c6bc7ed4369ef3f5ba7b97
Opcode Fuzzy Hash: 5aaa79960a5e2be4101256e470a625c028527e816b162db89364fc385888f1f7
Instruction Fuzzy Hash: A93103B4A5130EAFDB198F24D404B6D7BBAAF85304F1480A9E602D7791DF34C900CB52

Function 0791C308 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73802ca148f6dec957bbe2468dfc07c5bac42377dccfde2016f5b54b4738814d
Instruction ID: a51e21a4cda80fadd48a51da84219b95f78b02dcf0beb1b0f7adb3ab7ebcc5b7
Opcode Fuzzy Hash: 73802ca148f6dec957bbe2468dfc07c5bac42377dccfde2016f5b54b4738814d
Instruction Fuzzy Hash: 5921E4B07DC10DDFD72986599810679766BABC371CF648836D0078B6C5CAF58C2387B6

Function 07912D88 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469a248454bb696268e6c3ad2a6a2fafc464e6bea2e084d49f43a64ae23bdd8a
Instruction ID: ce90ef08a52224d672d183cbfdaf413929b322e9961f3a8d6d2bea573f915411
Opcode Fuzzy Hash: 469a248454bb696268e6c3ad2a6a2fafc464e6bea2e084d49f43a64ae23bdd8a
Instruction Fuzzy Hash: 233141B1A01209EFDB54EF64D8447AEBBF6FF88304F10882AE5169B390DB759D50CB50

Function 079122F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faafb17a0ef1e9f551f023fd4f7b5e712ff04e108f1adbad61524bef6d0b95e7
Instruction ID: 83b7478dc2005a00a3bfd456b43752e5adf2dfaf23fcd5edfb37040e017e22bd
Opcode Fuzzy Hash: faafb17a0ef1e9f551f023fd4f7b5e712ff04e108f1adbad61524bef6d0b95e7
Instruction Fuzzy Hash: C831BCB53002099FD744EF69D980B6A77EAFFC9614F108469E509CB315DF34AC028B61

Function 0791C460 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c09ce91fb2a01cff3b65a63b6a6d2ef9e2672287144d323f4efabd66a7dcfb9
Instruction ID: 87420deca8b5bbcb4b40cf71df845390f4c6e765cb83a307c4d8d0b5e127c8dd
Opcode Fuzzy Hash: 8c09ce91fb2a01cff3b65a63b6a6d2ef9e2672287144d323f4efabd66a7dcfb9
Instruction Fuzzy Hash: C431A7F1EAC61DCFD7548A6DD8506B9B7A5AB4B318F004A37A102D7291C3B4D5B0CBB2

Function 07916568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c43e0359f14e8ba1e36369faa1cbeef0d3962abfb3395a5b9dc5de185437dce
Instruction ID: ed135bc368293c80f51b24e81f3324a9c60ffefe64db7669f8505cb802adb04d
Opcode Fuzzy Hash: 1c43e0359f14e8ba1e36369faa1cbeef0d3962abfb3395a5b9dc5de185437dce
Instruction Fuzzy Hash: DA31E4B5E1060EDFCB40DFA8D9905EEBBF6EB88358F104469D505F7250EB749A50CBA0

Function 0791C1A1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33f9c08030143c9409d24a7ca24006fedcbdcaa55295829930e39306611da76
Instruction ID: e96de22f13f623fced7fb2792a06ab282235dc908e4ca1986ddaab256b609dfd
Opcode Fuzzy Hash: b33f9c08030143c9409d24a7ca24006fedcbdcaa55295829930e39306611da76
Instruction Fuzzy Hash: 9D21BFB4AAC25DDBC7128AEC8850379B774AB47358F048CE7C517C6249C2A5D925C7B2

Function 07910FC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f62876ac74a014a9c8740fd37d8c3165356abb47c48f7e01a5caeb31805dc3
Instruction ID: e2938c490f645892f7797d2babb8b9486c870422ca6cf967a0abba8481518463
Opcode Fuzzy Hash: 99f62876ac74a014a9c8740fd37d8c3165356abb47c48f7e01a5caeb31805dc3
Instruction Fuzzy Hash: B1314331A106099FCB04EFA8C894CDDBBB5FF89300F018699E5156B264FB70A989CB91

Function 07916C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35547e2151fee6e4e7448265f45e03ebc8d064c2807c705765893c8a77e05214
Instruction ID: f662cd1fcbc528e51f766a02448e29c45d091814ec5b735c9708009d822b40c7
Opcode Fuzzy Hash: 35547e2151fee6e4e7448265f45e03ebc8d064c2807c705765893c8a77e05214
Instruction Fuzzy Hash: B531BFB0A0810DCFC754DF58D45076A77B6EB8631CF14886AC617AB381CFBA9C62CB81

Function 07910FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b5c97c34600661c801f78305aae4cc8c4b12a9dded254b01aeef39ec39f634
Instruction ID: 4b3966b5962974c741ad840b80b27b0fe2d89d79e74599aa1585b5a0a419da0a
Opcode Fuzzy Hash: d6b5c97c34600661c801f78305aae4cc8c4b12a9dded254b01aeef39ec39f634
Instruction Fuzzy Hash: 9C31F035A20609DFCB04EFA8C894CDDBBB5FF89310F018659E5156B264FB70A989CB91

Function 07916559 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9093e296db2a693b5955b3316f9d576647f4487876cd2d41352734ff490ef943
Instruction ID: 386dd30d3dbb4f2ce81f0764582f04e3e12bc6d0bd4fc44a5a60bfbe2d37affc
Opcode Fuzzy Hash: 9093e296db2a693b5955b3316f9d576647f4487876cd2d41352734ff490ef943
Instruction Fuzzy Hash: 833135B5E1424E9FCB41DFA8C8905EEBBF5EB88358F10846AD501F7240EB749A54CBA1

Function 079129E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65597ce81952af183e01bf8f9118214a2b877225ccde546ba26ff5b1861b6ba5
Instruction ID: 845f0822c78acf85956d4f8a3b6b1c2f65b0c1ce5a64e9e13d9e3afdb0bb7847
Opcode Fuzzy Hash: 65597ce81952af183e01bf8f9118214a2b877225ccde546ba26ff5b1861b6ba5
Instruction Fuzzy Hash: 1B21C7B4700105DFDB24EFA9EA44B6ABBF8FF85359F004429E519D7680DB74D911CB90

Function 0138D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425481822.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_138d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf299e7a1c92ba38ff34aef812755d5aca3de594eb10aa2d87d0fda31afa120
Instruction ID: 33f1ee5e53f481ad80980e568faf91956f1e58a4596bf900ecb73578dd05f972
Opcode Fuzzy Hash: 2bf299e7a1c92ba38ff34aef812755d5aca3de594eb10aa2d87d0fda31afa120
Instruction Fuzzy Hash: 1D214675504304EFDB05EF98D9C0B26BB65FB84318F20C56DE90A4B2D2C7B6D846CA61

Function 0138D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425481822.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_138d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2836128cf4e685c107c3e8ec7de0bba218c60f6265f448fdf482d01d07b96335
Instruction ID: 6107589dd16004ff1ab85c37b1637d52ffaf0675196fb7c17e9abe28e27f6ffa
Opcode Fuzzy Hash: 2836128cf4e685c107c3e8ec7de0bba218c60f6265f448fdf482d01d07b96335
Instruction Fuzzy Hash: 82212675504304EFDB05EF94D5C0F26BB65FB84328F20C56DE9094B692C776D846CB61

Function 07910290 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4768e4d61e24c5282f7be84f13ed63e3d50781837848a20bd285d9fb7fccf8
Instruction ID: 833122feb6bac0d77ca82b44e23c596ed43d496d5809007b382db2fa01197115
Opcode Fuzzy Hash: cf4768e4d61e24c5282f7be84f13ed63e3d50781837848a20bd285d9fb7fccf8
Instruction Fuzzy Hash: B3218375B102098FCF44DF68C9949EEBBB9FF89300B018579D905E7355EB30A945CBA0

Function 079102A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2811de64e21273ff1b75d24363700b5b9a82f904d613bded1529f6d2bf14f39d
Instruction ID: 46f54ccd6188b3b352acd586d02676ea85bf87e69c921a02a3ff431303da0b38
Opcode Fuzzy Hash: 2811de64e21273ff1b75d24363700b5b9a82f904d613bded1529f6d2bf14f39d
Instruction Fuzzy Hash: CB214175A1020A8FCF44EF69C8849EEF7B9FF88300B518569D905B7355EB30A945CBA0

Function 079159EB Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e069a57863eacd00e93fee4ee5883b2558f9e9fabe7e9b4ada873dc0a8ed51cf
Instruction ID: 87c2fe8d03d04d1db75054b1c433a194669708d377a718ca14257bd2b97eb054
Opcode Fuzzy Hash: e069a57863eacd00e93fee4ee5883b2558f9e9fabe7e9b4ada873dc0a8ed51cf
Instruction Fuzzy Hash: 2D2148B58043499FCB10CFAAC484ADEBFF4EB49314F10841AE919A7311D7B4A551CBA1

Function 0791C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ec9d2f8cb478c9b654bc023c11454a282ff994d2e373f9260c9227e4baa747
Instruction ID: 3f1423ea1aac0de200612f1a8b92076278f70a59f5acd4687234d46dfeba7311
Opcode Fuzzy Hash: 77ec9d2f8cb478c9b654bc023c11454a282ff994d2e373f9260c9227e4baa747
Instruction Fuzzy Hash: AE2184F0EAC61DCBD710866DC460779B361AB4B31CF004A27A112C7690C7F4E5B0CAB6

Function 07918E68 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf516c9b78cb991c220ab6b4bf4b8e2637c074d1e918c6b291366937b735c2b
Instruction ID: 5ba5b5ca97d8436c799847c97e85babeb0c7b844195456e3ef364359c53fb8fc
Opcode Fuzzy Hash: daf516c9b78cb991c220ab6b4bf4b8e2637c074d1e918c6b291366937b735c2b
Instruction Fuzzy Hash: B21127B192C28CDFC321B6609414E757B969B4313CF14CCABD546CB142C3BE8822A7A3

Function 079122E2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f6fea6abf14baadbac05d6ab4bbe9d09838daadd80b8af4028041ab332806d
Instruction ID: 2aa43f93cb553f7becb0bc57094d39cf282ff0eaea42e257fcae7ea2f39d2f0b
Opcode Fuzzy Hash: 33f6fea6abf14baadbac05d6ab4bbe9d09838daadd80b8af4028041ab332806d
Instruction Fuzzy Hash: 7021DEB03053059FD704EF68D980BAA3BEAFBCA210F144039D909CB359EF3898428B60

Function 07913FC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc1fa4c61f62168d3c21d646bb124dd5f57b88a38fcd275855266946b47d9dd
Instruction ID: ef1a440896d44887e4be59fb637f66dc05fcbd1ac469da5f4637b536854b631f
Opcode Fuzzy Hash: 5fc1fa4c61f62168d3c21d646bb124dd5f57b88a38fcd275855266946b47d9dd
Instruction Fuzzy Hash: 4111E331B083049FD754AB7E981059EBFFADFC6660B0584ABE945DB391EA319C0683E1

Function 079129D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1762e85ddc57125eb56abc6e2bbebdb6bb6a9fce355b807471e0183887118b0f
Instruction ID: 9a1a4d2940964e030fc97b5bdf653e03d93b6cfc7b7600c65dd5bf1e60a1521c
Opcode Fuzzy Hash: 1762e85ddc57125eb56abc6e2bbebdb6bb6a9fce355b807471e0183887118b0f
Instruction Fuzzy Hash: 6211A2B4700106CFCB24EFA8D944A9A7BF5FF85354F005069E916D7281DB78D915C7A0

Function 079159F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d62d8e4e9b2f05a044d3d1796f97ab1fc307ec2bf9600e646b2de085a8f6f8
Instruction ID: a6bf95501f7c8a226776feec3079f537b6fd4ad6025b343842ed098c847993cb
Opcode Fuzzy Hash: 86d62d8e4e9b2f05a044d3d1796f97ab1fc307ec2bf9600e646b2de085a8f6f8
Instruction Fuzzy Hash: 1E2103B58003499FCB10DF9AD884BDEBFF4FB48324F10841AE919A7210C7B8A954CFA1

Function 0138D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425481822.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_138d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 085836bc77ad2a4e167d9663fec82dc696e3f7c9c49706635927de2fdde5cd98
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: D211DD75504380CFCB02DF54D5C0B15BFB1FB84328F24C6A9D8494B696C33AD40ACBA1

Function 0138D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425481822.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_138d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: fa13105adf468c6107b647b75659047cb852be09531477d24d54880d6ffb0e21
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 7D11BB76504380CFCB06DF58D5C4B55BBA2FB84218F24C6A9D8094B696C33AE44ACB62

Function 07914DD0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81acaf5072e5e70fa9735bc537b8806c8339156e68506ca4544e0c9e2ba71d00
Instruction ID: bba199c9c7580691611066632ebf16646bd1d65f3fdc88722c17783c31b8cf9f
Opcode Fuzzy Hash: 81acaf5072e5e70fa9735bc537b8806c8339156e68506ca4544e0c9e2ba71d00
Instruction Fuzzy Hash: 3F016D32304259AF9B455FA5AC048EEBFA7FB892607008026F905C3351DB358C21CB91

Function 0137D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425382935.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_137d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4007fab0fb6f245993035d4d8990f5e5367cc992e26510ac7d5239271d1eebcb
Instruction ID: bb4bcc904e65e5c5edd4a235b339c0c465ccab8cabb2d726c362768115a3e7eb
Opcode Fuzzy Hash: 4007fab0fb6f245993035d4d8990f5e5367cc992e26510ac7d5239271d1eebcb
Instruction Fuzzy Hash: 6701F2710083C89AF7204EA9DDC0B66FFDCEF41228F08C01AEE091A686C7BC9840CA71

Function 079182D0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb002f6a7b8dc4c0159f7e51919c283e38d340ec2e09ef2c4295b80ef4ed1e0
Instruction ID: 358aa73260a920c2306522a171efa71b5a90a7d959276945188550aa940bc54d
Opcode Fuzzy Hash: abb002f6a7b8dc4c0159f7e51919c283e38d340ec2e09ef2c4295b80ef4ed1e0
Instruction Fuzzy Hash: BE012DB061924ACFD316C724D414A657B75BB032ACF088AEBD445CB543C7B48852D756

Function 079182C1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c3e06b94d5498fd0ac20fe08106cda6517967b83cc9b57ce7b94c4c32795f0
Instruction ID: 44ff056ac08427ab2429c92663bf8f55be0ebc0aa1eb622ea13a4008d836675a
Opcode Fuzzy Hash: 63c3e06b94d5498fd0ac20fe08106cda6517967b83cc9b57ce7b94c4c32795f0
Instruction Fuzzy Hash: EA0184F161964A8FE316CA14D910F70BBA5F7032BCF488AEBD446CB543C3789851D7A6

Function 07917D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3de531d20e65ca846ec27b92a662c8738932f0b7f429ba4b77e6ca940c11463
Instruction ID: 5f7b7b802247f805882cdea2c589943000f49a554b6759ee41158be08508b516
Opcode Fuzzy Hash: f3de531d20e65ca846ec27b92a662c8738932f0b7f429ba4b77e6ca940c11463
Instruction Fuzzy Hash: 4201F57495C38D8FD70296B4C4146A97FB6AB8330DF0880BED0855F282C7BE9997C722

Function 07912800 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1db1910a5261f766b3d897491454c4da77ee859708763716f5ff27af253ab5b
Instruction ID: bb4f6078f95b8b63b4ccec8b2f04d0a0504b13ead5be446f1353aea450887bb7
Opcode Fuzzy Hash: f1db1910a5261f766b3d897491454c4da77ee859708763716f5ff27af253ab5b
Instruction Fuzzy Hash: 56F0C2323002049FC3189F69E805AD67FAAFFC5321F10C03AE645CB350CA35C906CBA0

Function 07918F1C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786d471784c9ff96118723546aa2e34e64a430bee587b961f079475625316ef6
Instruction ID: 040f42394e99e7c3ca4e0e2c79fa2526bf066be98652551b4382bf5e5283c15f
Opcode Fuzzy Hash: 786d471784c9ff96118723546aa2e34e64a430bee587b961f079475625316ef6
Instruction Fuzzy Hash: 7FF02BE256D29CDFD302A6641C218713FA6D59713CF0488CBE543CB693D5A88424A7E3

Function 0137D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2425382935.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_137d000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462db0664cb3a7b19e55be85a1b970b34d075560b6c70a7761a84db919b96980
Instruction ID: 699a7dd3f2d5174ad07181d6c744efe28bc85b8760d8db1701f689f826bb5bf0
Opcode Fuzzy Hash: 462db0664cb3a7b19e55be85a1b970b34d075560b6c70a7761a84db919b96980
Instruction Fuzzy Hash: 53F0C2714053849EE7208E0ADCC4B62FF98EF81628F18C05AEE081B686C3B8A840CB71

Function 0791A2D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78a744d9a777de5bd4e3f6c47bc41a2ea9d43be448dd42f5bb1d23b9a62c221
Instruction ID: 0d79f34256d0aaa93539656bc96717913741e549d65e070907ea9dfeee864cb7
Opcode Fuzzy Hash: a78a744d9a777de5bd4e3f6c47bc41a2ea9d43be448dd42f5bb1d23b9a62c221
Instruction Fuzzy Hash: 6DF0E972208148AFDF05DF64EC418DE7FBADF85264F05C0ABE408DB262D6309D51C7A1

Function 07914DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e59d9101f37593ed1d558d350256cc4bb491cae766da577f77da0d6dfd01a8
Instruction ID: f952c6592a13a7b86e428f62ebe585bae5abc7a4270716237ecbc299917b8af9
Opcode Fuzzy Hash: e8e59d9101f37593ed1d558d350256cc4bb491cae766da577f77da0d6dfd01a8
Instruction Fuzzy Hash: 22F01D36700219AF9B459F95E8448AEBFABFB8C620710802AFE19C3350DB758D219B90

Function 0791AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93949e9543b7d2eb6c9f24423dbce900a48f7b762fd8e56bccc3c64f095c80b
Instruction ID: 03dbbd83da9351dbab0a307db6aa2a3c83ed6e2c1465697ce3ca4795af2ceca4
Opcode Fuzzy Hash: f93949e9543b7d2eb6c9f24423dbce900a48f7b762fd8e56bccc3c64f095c80b
Instruction Fuzzy Hash: 74F02470A45349DFDF01DBB0DC0EAADBB72AF47308F01C252E512662D0C7744826CB51

Function 07912AC7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b196d05c116891331e04c5a4fce2a9362432407d69a26310fadc6adce352ad63
Instruction ID: ba925840cd5a637ddd39cc51eefa45479c342c6e53601e04e5c8c91bdd1d0145
Opcode Fuzzy Hash: b196d05c116891331e04c5a4fce2a9362432407d69a26310fadc6adce352ad63
Instruction Fuzzy Hash: E9F015326023029FC719DF6AD884986BBB5FF89260354C86AE949C7611EA74A845CBA0

Function 07917D51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f223310333f792142c79f0b3ab54af683aafade71213a71ed2609f71c6e581
Instruction ID: 425dc08725669a9f0dde05ee952a11819f287fc967595813e7ac3e583eab4fbe
Opcode Fuzzy Hash: d5f223310333f792142c79f0b3ab54af683aafade71213a71ed2609f71c6e581
Instruction Fuzzy Hash: E0F020785EC21E8EC31042B094006747B2AD78330EF14C0A9C0480E182C77FC883C7A2

Function 07910DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72215dd1b6cde717ab3b2c9098d69e3373e56b26447d354838714b8a2c9fa0a
Instruction ID: fd5e41fcc4c6f7989cb1fe3f81c223a7c2522b4951301b90808f1cda02b36528
Opcode Fuzzy Hash: e72215dd1b6cde717ab3b2c9098d69e3373e56b26447d354838714b8a2c9fa0a
Instruction Fuzzy Hash: 88E0657190830C9ECB41AF3898050CA3BF8AF16210B01C06AE899CB122F63182E8CF90

Function 0791C092 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a7d96852317c98d58dc649c9ca00f297de1bddb2260ad91bbd1365ab453695
Instruction ID: be1841e8d41d7749ac12167d20775c1c2a5b221c8a38fae3fc6f5f944d4650f3
Opcode Fuzzy Hash: c5a7d96852317c98d58dc649c9ca00f297de1bddb2260ad91bbd1365ab453695
Instruction Fuzzy Hash: 90E0C2A82EC28CCFCE0692B52C241B93F39D587218F044C87D10B87082CA95982102B3

Function 0791C0C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ac5831771e3febe7f4e4870beb42781ae32bcea242f7081218035bff5e5fd5
Instruction ID: ff5dba440af6bbdc72fad3f3f14b66c206603436cf388a50c02c81646becfb12
Opcode Fuzzy Hash: 82ac5831771e3febe7f4e4870beb42781ae32bcea242f7081218035bff5e5fd5
Instruction Fuzzy Hash: 64E068B05EC10CDBCBA08A049E023A177B9F70730CF008967D90BA6600D6E40C604AB2

Function 07919D78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6511da354ebea47d49b390152301f2bd1df8066a06467855ffae3c1eaf1d0bb
Instruction ID: 3467e61bfbab567f480e640d41f0c2b0079685646e3bd3f7767f9e2dd3a6b5d9
Opcode Fuzzy Hash: b6511da354ebea47d49b390152301f2bd1df8066a06467855ffae3c1eaf1d0bb
Instruction Fuzzy Hash: 91E0126812C18CCBC6886564843DA75B76B678323DF1089B6F10749685D9A674614781

Function 0791B8F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871590001a9c088f4ef5218a59b9a28f2cc97030387f41ac63bf4032e15a5700
Instruction ID: 444e880e9d531b9103210ea6a995e2d342f5c666d1cced39c4e310a72f2f238a
Opcode Fuzzy Hash: 871590001a9c088f4ef5218a59b9a28f2cc97030387f41ac63bf4032e15a5700
Instruction Fuzzy Hash: A5E086E163C14CD7C764955564415393BAF974712CF004C96A40787205D9E5492387B3

Function 079120C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2951735f8308cf77afb51b0a036344ae63c450e846a28004492b0305b928db
Instruction ID: a561e203f5663de900d0aec490832a31719ad06450b9d0cbbf31b500afb59ca6
Opcode Fuzzy Hash: 6f2951735f8308cf77afb51b0a036344ae63c450e846a28004492b0305b928db
Instruction Fuzzy Hash: B9E086717893098FD31DAFF998163B43FE9BF4120470650A6D546CB1A2DA289941E751

Function 07918140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f04c2125ae7a867363926b33d20ddad3a366d9d2ddc9a9947999ec0d8231d6
Instruction ID: 0c990bdcafc80a3017f5a7fad47ed38eb7259fb248f01e848912ebbaf44eddab
Opcode Fuzzy Hash: d9f04c2125ae7a867363926b33d20ddad3a366d9d2ddc9a9947999ec0d8231d6
Instruction Fuzzy Hash: 51E0927810964ACFD302DB74D82462677B1EF46218F04CCDB84968B2A6CA34AC1BD751

Function 0791AE9B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7469fb1756c8f82e62daa712ee771cbc56b41d266c5a3e691d55a6430890a9
Instruction ID: 6d840ccc8b34d97c024c295bad06aa85acde108dda32c61cf37a1142a6d0d4a2
Opcode Fuzzy Hash: 6f7469fb1756c8f82e62daa712ee771cbc56b41d266c5a3e691d55a6430890a9
Instruction Fuzzy Hash: DEE01AB1D19789CFC716CF78C8A62AABFB2FE47208F19C5ABD05497116C3705466CB82

Function 07919D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fd628cbeeb889eebda30b67f61593abed6b939abe37a7a57fb5860a3e1ad65
Instruction ID: 69b29247d76820d08316b6ffc5d6edf97ce6e3689d4d7e0ae217db278c0c489b
Opcode Fuzzy Hash: 61fd628cbeeb889eebda30b67f61593abed6b939abe37a7a57fb5860a3e1ad65
Instruction Fuzzy Hash: 5FD0129C22C1CCC7C6883578543C6397166578323CF004CA5B10789385D9E6B8304752

Function 0791B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53dac68b8550feadc497c9c4d361d4300e39bc2633a32220e372bd65d9c4b2c
Instruction ID: c21c5d7fcc499522d9f687056f36c3f54acaf5ac92a9a970d73b4a93856720b5
Opcode Fuzzy Hash: b53dac68b8550feadc497c9c4d361d4300e39bc2633a32220e372bd65d9c4b2c
Instruction Fuzzy Hash: 0AD05EE1A3C14CDBC664AA99544053977AFA74B23CF104C96A80B87304E9F5093387B3

Function 0791C2E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8866c86c52266b09bc06fa65032517fa80ce83413d0382a5f6a44d6c6d03b5
Instruction ID: 17dce500e57c460f42eb2793255929d22b75c81bdf9c3f8a111f122af4b032d3
Opcode Fuzzy Hash: 3f8866c86c52266b09bc06fa65032517fa80ce83413d0382a5f6a44d6c6d03b5
Instruction Fuzzy Hash: DDD0A7B429C3CC9FF70762A528240F53F285843218B050CE7E146DBB83C945C8A687B3

Function 07910DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f51a2d01422d850bc7f847395f141029464dcf4f195893874e3ea0f6e41c61
Instruction ID: 5204530ddd5678e228d2ab31b9e925f6eaa72ed05308f7639c0f3e00cc2c90d3
Opcode Fuzzy Hash: 41f51a2d01422d850bc7f847395f141029464dcf4f195893874e3ea0f6e41c61
Instruction Fuzzy Hash: F2E0177181060CDECB80EF79D90459E7BF8AB05224F00C53AE85D9A110FA32D2E8CFC0

Function 079120D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b45af1e193a256cb07de48ed5cd30c384c4056cbb1fd3880e5a3851cb530dd
Instruction ID: fa44dfc4b99046ffda9d03956e12361f4c61cc7c193646ffea543a211f98b8e2
Opcode Fuzzy Hash: e4b45af1e193a256cb07de48ed5cd30c384c4056cbb1fd3880e5a3851cb530dd
Instruction Fuzzy Hash: F1D0A77070420D87D308BFBA9C1A37537DEBB806053419024A50AC7180CE28E801D661

Function 0791A2A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8dd1e2bc3d621424e2f567a45d6a9f4abbb2089212f076bc0a8d3c488f9a837
Instruction ID: c4a1b57a24eb840ad669bb59711c9c7f60fb60a1e696dc1c2985997de121303c
Opcode Fuzzy Hash: b8dd1e2bc3d621424e2f567a45d6a9f4abbb2089212f076bc0a8d3c488f9a837
Instruction Fuzzy Hash: EDC0127614D6915ED317E1502D104A91B6196D66107088493D14586193C120452A9363

Function 0791C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da7d20aa350c30f59a93ba7b13ef1a0605967eab5d6591305de342c2efee329
Instruction ID: 6100a21ac876ad9d796dbd9d609496f9e078ad3fa5c4507b848e66faa18bdc46
Opcode Fuzzy Hash: 4da7d20aa350c30f59a93ba7b13ef1a0605967eab5d6591305de342c2efee329
Instruction Fuzzy Hash: 6AC08CD82FC28CCB8D04A2A8281463C3B7E258B31DF104C07C61F42208DED2D8300A37

Function 07916681 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315414346859014e695503428b7b44e64b0d6115e537e93449a750f2658f8a38
Instruction ID: 174272cfc54b38135eb2921fc169907a1b04c5c736179224c5ac9a6958e34248
Opcode Fuzzy Hash: 315414346859014e695503428b7b44e64b0d6115e537e93449a750f2658f8a38
Instruction Fuzzy Hash: 97D012A145D3DB9EC356566474150B33F35690326830944D7F4458D453D95918E08351

Function 0791E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d21bcaebcf85d3275684fa87be2eb4724ceb0a7f91b8a69b24cc3ad15b602f0
Instruction ID: 6c21f1b22ab39b9124445c50b206ea0aac5ef728fea1aa1cb13c1ef3ccaa548f
Opcode Fuzzy Hash: 3d21bcaebcf85d3275684fa87be2eb4724ceb0a7f91b8a69b24cc3ad15b602f0
Instruction Fuzzy Hash: B3C08CB000574ACBC3103BE8B90E36832685B01606F450110E449914208BA89890C6A6

Function 0791BCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c551d548263d5b4168b22095517b74746a56680f375bc6314b368048a38622c1
Instruction ID: 43f16bad798807cfd0540e8087cc1666d7a4470e52c9bf905a0d3529e70194a9
Opcode Fuzzy Hash: c551d548263d5b4168b22095517b74746a56680f375bc6314b368048a38622c1
Instruction Fuzzy Hash: E7D012B2418155DFC300CB51ED96C893FF0BE1E300704098AD0154B366D330A411DB84

Function 0791C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548ad75ba2bfb32b7a45ed20bb18fa786e71ea8dfae51607148cb09c6c23f247
Instruction ID: 1b112d920e188631821ecca6dbec2fc19c87dfacac3cc8b20cec3ca3b9b28b38
Opcode Fuzzy Hash: 548ad75ba2bfb32b7a45ed20bb18fa786e71ea8dfae51607148cb09c6c23f247
Instruction Fuzzy Hash: 51B012E41FC24CC3F64022D42028135361C3007A1CF000CD2A20F70F0019C1D8710473

Function 0791770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53a9c4bc8ce5ec42a160332d1f333b8ee9f563fde66b99830cf7c80466895cb
Instruction ID: a32d3471ebf8e18435243bbce24f23d992ba6492630a0f09b87c0c8a66862794
Opcode Fuzzy Hash: d53a9c4bc8ce5ec42a160332d1f333b8ee9f563fde66b99830cf7c80466895cb
Instruction Fuzzy Hash: 65B012B51A9505E751017FE44D4093A6880EBF6705F00DD45370A62060CAF14938D317

Function 0791B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0accaca06e295e14adc6dd8a3ed510329295296e33ad4f8feb503d72efa900a0
Instruction ID: a9b04e8e90476355173742686819f8a588c3e87c4c38caa42862d9c0276f1cf6
Opcode Fuzzy Hash: 0accaca06e295e14adc6dd8a3ed510329295296e33ad4f8feb503d72efa900a0
Instruction Fuzzy Hash: 11C04CF0B7421EAFDB118B51EE46E6D76777B45A08F100910B61266298D6A05511CA80

Function 07916690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2440465136.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7910000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f356ea676ef2dd7b2f94b3096a0dd9a9a00712b5ca0f2920170781e7a78e62a9
Instruction ID: e6b7d6660bceccc599b0f636f5fdd6a1307981f96167e402813626c8af34be97
Opcode Fuzzy Hash: f356ea676ef2dd7b2f94b3096a0dd9a9a00712b5ca0f2920170781e7a78e62a9
Instruction Fuzzy Hash: 6BA011A08BCA0CCE83882280B00A03A3B3C2003A8CB000800F80A080002EAA38300088

Analysis Process: NotepadUpdate.exePID: 6864, Parent PID: 280COMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	0

Executed Functions

Function 00C52E7A Relevance: 2.0, APIs: 1, Instructions: 452
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00C53359

Memory Dump Source

Source File: 00000021.00000002.2545674567.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c50000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 81228bf8cd0daf885978a83f49d8381a6e2367956b99c02f95aa27c548aa2439
Instruction ID: 6b4567fe8a5ad979b1a0c0a366b365eb8d3164735876f96dc97a493bb18a0498
Opcode Fuzzy Hash: 81228bf8cd0daf885978a83f49d8381a6e2367956b99c02f95aa27c548aa2439
Instruction Fuzzy Hash: 08E1E235F047854BDB18CAB98CD03AE72E36FC8362F588229DD25DB3C5EA349E855744

Function 00C532D0 Relevance: 1.6, APIs: 1, Instructions: 63
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00C53359

Memory Dump Source

Source File: 00000021.00000002.2545674567.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_c50000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7b2f36839a9d247e1f932e3c5997645a028c42e07ded7be5dfc4dce8c9552a56
Instruction ID: c6c486470da5be72c53a8ca443d7543eeaca08c4599a0f80cfd90ded29461273
Opcode Fuzzy Hash: 7b2f36839a9d247e1f932e3c5997645a028c42e07ded7be5dfc4dce8c9552a56
Instruction Fuzzy Hash: 632103B5D013499FDB10CFAAD980ADEFBF5FF48310F20842AE919A7250C775A910CBA5

Analysis Process: NotepadUpdate.exePID: 5684, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	216
Total number of Limit Nodes:	12

Executed Functions

Function 07A35CDC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A35F1E

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 109d6944ef606a005c25a183facf7cedd470f056cc82a7c6e5e06ecea4577bb4
Instruction ID: abe6c729a1388c44b68aef52e6c60cf80332f9bf758718c3a8ef2fea8e27abaf
Opcode Fuzzy Hash: 109d6944ef606a005c25a183facf7cedd470f056cc82a7c6e5e06ecea4577bb4
Instruction Fuzzy Hash: 2AA16EB1D0125ADFEF14CFA9C8457EEBBB2BF48310F148169E829A7240DB749991CF91

Function 07A35CE8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A35F1E

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f7cc0d84277d7c4666742cb34cca74b1ceef7ce9ea7efadefbab478c296cf9b7
Instruction ID: 3bd18df211ad81e12f70c8601613752b3f2f6d8e327026d486d50eb0a54cdf63
Opcode Fuzzy Hash: f7cc0d84277d7c4666742cb34cca74b1ceef7ce9ea7efadefbab478c296cf9b7
Instruction Fuzzy Hash: C4915EB1D0121ADFEF14CFA9C8457EDBBB2BF48310F1481A9E829A7240DB749995CF91

Function 07A391E7 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf8fd2359234428b3358264eee5e5e4ac6c615e1052d1ef89c1182ea24b8e91
Instruction ID: 989677b1596fbc0c3729d6c083e8298408aa818e0786eabbc25257557dfa43da
Opcode Fuzzy Hash: ebf8fd2359234428b3358264eee5e5e4ac6c615e1052d1ef89c1182ea24b8e91
Instruction Fuzzy Hash: 472168F29043169EDB61DF65E9057BBBBF4AFC4224F04455FE429E7141D7B4A900CBA0

Function 07A35A59 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A35AF0

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: de9889bf6ecea7587b596e0f3a1166ace516028261a753ad745f2e9ac38e53ce
Instruction ID: 0760bce1a6a0d9dcea7cec424a4ccf1f196c4cf7d5d16fc01e070e627336a1e7
Opcode Fuzzy Hash: de9889bf6ecea7587b596e0f3a1166ace516028261a753ad745f2e9ac38e53ce
Instruction Fuzzy Hash: 9C214BB5D003499FDB10CFA9C885BDEBBF4FF48320F10842AE568A7240D7789550CBA1

Function 07A39150 Relevance: 1.6, APIs: 1, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A3911D

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fbb090d1db9f25e75a7822f020208947e76fe1ef36fc55847353b165dec1d399
Instruction ID: 8a383439863c10fc823109932db2212db7421b56372ffe792dde65090ba9b34b
Opcode Fuzzy Hash: fbb090d1db9f25e75a7822f020208947e76fe1ef36fc55847353b165dec1d399
Instruction Fuzzy Hash: 3F21BFB2D042299FDB11DFA4D9097EFBBF4AF85318F14404AE855B7245C7B42940CBA1

Function 07A358C0 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A35946

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e0afb196a4adf8dc69eb152428765814f198205144920e39d9c461a812132f56
Instruction ID: 92667f98d086d6ec560967ee159d2a6bb2e10bfc9465912d368a669c1ea6b875
Opcode Fuzzy Hash: e0afb196a4adf8dc69eb152428765814f198205144920e39d9c461a812132f56
Instruction Fuzzy Hash: 0A217AB1D003099FDB10CFAAC4857EEBBF4EF88324F108429E568A7280C7789944CB95

Function 07A35A60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A35AF0

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5a6c3823206c53c4702f38c286deac404a4da9527205022ff2b80e6704bb12f2
Instruction ID: 84da57fa315faa9c7d9367e32459b72a6eabe0cf35f7f33ba629c8a57a907062
Opcode Fuzzy Hash: 5a6c3823206c53c4702f38c286deac404a4da9527205022ff2b80e6704bb12f2
Instruction Fuzzy Hash: 3E2128B1D003599FDB10CFA9C885BDEBBF5FF48310F108429E529A7240D7789550CBA5

Function 07A35B48 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A35BD0

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8dfff1adb8936401c13e02bc5b4be5ce94949836ead9ebcaadf400a0ded606e3
Instruction ID: ce50c0bf99262456efadd954489aba0980283e869399d6cd5fb797225a19aab2
Opcode Fuzzy Hash: 8dfff1adb8936401c13e02bc5b4be5ce94949836ead9ebcaadf400a0ded606e3
Instruction Fuzzy Hash: E32136B1C043499FDB10CFAAC881BEEBBF4FF48320F10842AE558A7240D7789950CBA1

Function 07A35B50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A35BD0

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 03d332c14114bdfbcdebf12dab579f97bd496751b0a8b55219a38fbcde5fcbc2
Instruction ID: 87adf6dc26b6821ff017a5866dbab1864afc14ab32adf8957e1b183af61e3382
Opcode Fuzzy Hash: 03d332c14114bdfbcdebf12dab579f97bd496751b0a8b55219a38fbcde5fcbc2
Instruction Fuzzy Hash: AE2116B1C003499FDB10CFAAC881BEEBBF5FF48320F108429E558A7240D7789550CBA5

Function 07A358C8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A35946

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e947e799d2e4c035b270a116e2729d47511e59c8151a53e43680568b43ce4cfc
Instruction ID: 3b2745a6f9bbb150a236f896d93ce758d55f94449f730e4ec67be472d3ccaf58
Opcode Fuzzy Hash: e947e799d2e4c035b270a116e2729d47511e59c8151a53e43680568b43ce4cfc
Instruction Fuzzy Hash: 0D2138B1D003098FDB10DFAAC4857AEBBF4AF88320F148429E559A7240CB789944CFA5

Function 07A35998 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A35A0E

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 479e3a26b3948167c5198f20c5758ee0a825a81342be6917104fe007496cd08f
Instruction ID: e0984a88fbc41306496528822a02091ac65099dda3abfcde7a6f0a17124a9c9c
Opcode Fuzzy Hash: 479e3a26b3948167c5198f20c5758ee0a825a81342be6917104fe007496cd08f
Instruction Fuzzy Hash: 931167728002499FDB10CFAAC845BEFBFF5EF88320F108819E529A7210C7759950CBA1

Function 07A359A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A35A0E

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c8857b08a4c6b7c48501d331c87c42ad4b90017f796e4a03fe408cbbd9c51a2c
Instruction ID: 6a5682859df6a5633d7d8f3cdebd20993994926d3efe2e9011807ad4bcec19a8
Opcode Fuzzy Hash: c8857b08a4c6b7c48501d331c87c42ad4b90017f796e4a03fe408cbbd9c51a2c
Instruction Fuzzy Hash: 80112672D002499FDB10DFAAC845BDFBBF5EF88320F148819E529A7250C775A550DBA1

Function 07A35811 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A3587A

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 20aec9b1ce5453dcfd4fe9557ca6934b44cfbe3a4303a1e62dd4c79bc305b17c
Instruction ID: 33c35adaacc6c1a6883eb9c31272242977cda170799a162a0efbdd3ed67fcba8
Opcode Fuzzy Hash: 20aec9b1ce5453dcfd4fe9557ca6934b44cfbe3a4303a1e62dd4c79bc305b17c
Instruction Fuzzy Hash: 42115BB1D003498FDB10DFAAC4457EEFBF4AF88320F248419D519A7240CB75A940CBA5

Function 07A35818 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A3587A

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f72286d2bce741daa34de85afc861e3553e15fd27af2aee5c5820da3ea7fd282
Instruction ID: 2f5d15a25c44d1503dd1c8e166dbf23bc41ab231b3070eae4815f005bdc510be
Opcode Fuzzy Hash: f72286d2bce741daa34de85afc861e3553e15fd27af2aee5c5820da3ea7fd282
Instruction Fuzzy Hash: 841106B1D003498FDB20DFAAC4457AFFBF5AF88724F248419D519A7240CB79A944CBA5

Function 07A32730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A3911D

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ce1910289dc5153409b788a9fa52e03560c17c0bdfc030f4619c605a03df1227
Instruction ID: 7bad226447d60efb77c3722041ae1a4b0d19ed546f3529bbabea41093ff94b0d
Opcode Fuzzy Hash: ce1910289dc5153409b788a9fa52e03560c17c0bdfc030f4619c605a03df1227
Instruction Fuzzy Hash: C811E3B58003499FDB10DF99D589BDEBBF8EB48324F108459E525A7200C3B5A944CFA5

Function 07A390BA Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A3911D

Memory Dump Source

Source File: 00000023.00000002.2540446411.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7a30000_NotepadUpdate.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ecca740088aa0df44758d70b703aa138c5699a16493e8cb6afbad2209f588d0b
Instruction ID: 7b1c3a9062d6a7520cbd201ebc51de1b975de7c44c77fcaf4aaf6d7debe7741a
Opcode Fuzzy Hash: ecca740088aa0df44758d70b703aa138c5699a16493e8cb6afbad2209f588d0b
Instruction Fuzzy Hash: 2311F5B58003499FDB10CF9AD445BDEBFF8EB48324F10841AE564A3600C3B5A544CFA1

Function 075817DF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2539404689.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7580000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e84caa452932b1f0a46753d8135b943362533a22f3b4f6c0f25aa59ecf4a2d
Instruction ID: 2b45fab40608887350af41505963567f46463f9c4e2570205ee411c3f5b0a885
Opcode Fuzzy Hash: 90e84caa452932b1f0a46753d8135b943362533a22f3b4f6c0f25aa59ecf4a2d
Instruction Fuzzy Hash: 4331B0B0A1170A9FEB24EF64D55AAA97BB6BF8A300F14406EE406E7251CB34C901CB52

Function 010AD36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2509261909.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_10ad000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789889ae8ade5052fb7ecd1c8b0880e757cd8f834e13ab56a41ae78076478c21
Instruction ID: 0bff4c59b22c9d5e7d3db211644d50bc81e79a7f6c2e06bfe9eb31d58425a98a
Opcode Fuzzy Hash: 789889ae8ade5052fb7ecd1c8b0880e757cd8f834e13ab56a41ae78076478c21
Instruction Fuzzy Hash: BE216472500300EFCB05CF94D5C0B2ABBA1FB88314F60C5ADE94A0F692C77AD846CB61

Function 010AD1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2509261909.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_10ad000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9e9cc56b4b0d9fe28f1b16f23a9626bdfcef12c54bddc68529597c43b2c9c8
Instruction ID: 5e9444ecabceafc969dda9c6e5ceefdcfb172f6e9e6f18f0b35f5a4aee408f2e
Opcode Fuzzy Hash: 8b9e9cc56b4b0d9fe28f1b16f23a9626bdfcef12c54bddc68529597c43b2c9c8
Instruction Fuzzy Hash: 61213475504300EFDB05DFD4D9C0B2ABBA1FB84324F60C5ADE9890B652C77AD806CB61

Function 010AD1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2509261909.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_10ad000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: ccc8446fe454556cc89949c75b667e09ac9e12e7a616d60d002511286339924b
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 1911DD75504280CFCB02CF94D5C4B15BFA1FB84328F24C6A9D8894B656C33AD40ACBA1

Function 010AD367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2509261909.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_10ad000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 49a675731a54e635959aafd615aeca4bd60a2c267c2fc0f0c87260a67b21e3c9
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: BE11BB76504280CFCB02CF94D5C4B55BBB1FB84318F24C6A9D8494BA56C33AE44ACB62

Function 0758770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2539404689.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7580000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f097e9d1b55664b378b9c3b16bbd835df0be0da9bfb65d705a95ceaa0f559d
Instruction ID: a2e452664ccf7f0141d465e64bafbd57ce551fc4854f109a67ad14b6d30da43e
Opcode Fuzzy Hash: a1f097e9d1b55664b378b9c3b16bbd835df0be0da9bfb65d705a95ceaa0f559d
Instruction Fuzzy Hash: C1B012B51A8501E370407FE44C849BB7C50FBF6700F50DD06370A70060C9B24569D32B

Function 0758770B Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2539404689.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7580000_NotepadUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451
Instruction ID: f1e17605925ed1a30a107447fa6b318daa173da8e92ad69f31823c934e5b3a0c
Opcode Fuzzy Hash: 7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AtkzppDHiyvcIR.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NotepadUpdate.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cxtgkwci.qj0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibhtjzfo.ypb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijpj24ya.nmi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l3cl1cpp.bdd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_piua2r1b.hpv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5lxwd5x.dm0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5b2fau4.rl3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulrg0hze.e5y.ps1

Windows Analysis Report
file.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre