Edit tour

Windows Analysis Report
NL Hybrid.exe

Overview

General Information

Sample name:	NL Hybrid.exe
Analysis ID:	1582853
MD5:	9758f9f6962c1b2244ac185c6fb4482f
SHA1:	ac2281ca5f67e2045eb0688ff5b720a77269cffc
SHA256:	8638581592e1368094aee96942006f6ed6161f58ed18b3492450c7c21dea133d
Tags:	exeuser-JaffaCakes118
Infos:

Detection

Titanium Proxy, PureLog Stealer

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Yara detected Costura Assembly Loader

Yara detected Titanium Proxy

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

NL Hybrid.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\NL Hybrid.exe" MD5: 9758F9F6962C1B2244AC185C6FB4482F)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NL Hybrid.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E7 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
00000000.00000003.1690509660.00000000052F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1815304368.000000000F2A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: NL Hybrid.exe PID: 7516	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
Process Memory Space: NL Hybrid.exe PID: 7516	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NL Hybrid.exe.f2a0000.23.raw.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.49e9550.5.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.f2a0000.23.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.48d14f0.8.raw.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.4949530.6.raw.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.48f9510.11.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.4949530.6.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.49e9550.5.raw.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.2.NL Hybrid.exe.48f9510.11.raw.unpack	JoeSecurity_TitaniumProxy	Yara detected Titanium Proxy	Joe Security
0.0.NL Hybrid.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E7 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.NL Hybrid.exe.6420f08.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6420f08.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.6b80000.14.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6b80000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 E7 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.3.NL Hybrid.exe.5cc1f28.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.NL Hybrid.exe.5cc1f28.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.6420000.13.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6420000.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NL Hybrid.exe.5cc1f28.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.NL Hybrid.exe.5cc1f28.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.6420000.13.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6420000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.6b80000.14.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6b80000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.2ec1f36.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.2ec1f36.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.6420f08.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.6420f08.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NL Hybrid.exe.48f9510.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.NL Hybrid.exe.48f9510.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NL Hybrid.exe.49e9550.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.NL Hybrid.exe.49e9550.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.NL Hybrid.exe.2ec1f36.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.NL Hybrid.exe.2ec1f36.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.NL Hybrid.exe.4949530.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.3.NL Hybrid.exe.4949530.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 32 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: NL Hybrid.exe	Virustotal: Detection: 62%			Perma Link
Source: NL Hybrid.exe	ReversingLabs: Detection: 48%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Machine Learning detection for sample

Source: NL Hybrid.exe

Joe Sandbox ML: detected

Source: NL Hybrid.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49734 version: TLS 1.0

Source:	Binary string: D:\a\titanium-web-proxy\titanium-web-proxy\src\Titanium.Web.Proxy\obj\Debug\net461\Titanium.Web.Proxy.pdbSHA256H source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NL Hybrid.pdb source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811684418.000000000A2A0000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\titanium-web-proxy\titanium-web-proxy\src\Titanium.Web.Proxy\obj\Debug\net461\Titanium.Web.Proxy.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q,costura.communitytoolkit.mvvm.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.communitytoolkit.mvvm.pdb.compressed\|\|\|CommunityToolkit.Mvvm.pdb\|0B7A9A95698C41575335502FBAAB8635925C90DE\|52328 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.telerik.networkconnections.pdb.compressed\|\|\|Telerik.NetworkConnections.pdb\|69EE2F928A16661274A22DF221B7DC4EEE75671E\|93696 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NL Hybrid.pdbh source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.dll.compressedcostura.costura.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q1costura.telerik.networkconnections.pdb.compressedlB^q source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q costura.dotnetzip.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.telerik.networkconnections.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256OE source: NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256# source: NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: microsoft.extensions.dependencyinjection.abstractions costura.microsoft.extensions.dependencyinjection.abstractions.dll.compressed!microsoft.extensions.dependencyinjection"costura.microsoft.extensions.dependencyinjection.dll.compressed#microsoft.extensions.diagnostics.abstractions$costura.microsoft.extensions.diagnostics.abstractions.dll.compressed%microsoft.extensions.diagnostics&costura.microsoft.extensions.diagnostics.dll.compressed'microsoft.extensions.fileproviders.abstractions(costura.microsoft.extensions.fileproviders.abstractions.dll.compressed)microsoft.extensions.fileproviders.physical*costura.microsoft.extensions.fileproviders.physical.dll.compressed+microsoft.extensions.filesystemglobbing,costura.microsoft.extensions.filesystemglobbing.dll.compressed-microsoft.extensions.hosting.abstractions.costura.microsoft.extensions.hosting.abstractions.dll.compressed/microsoft.extensions.hosting0costura.microsoft.extensions.hosting.dll.compressed1microsoft.extensions.logging.abstractions2costura.microsoft.extensions.logging.abstractions.dll.compressed3microsoft.extensions.logging.configuration4costura.microsoft.extensions.logging.configuration.dll.compressed5microsoft.extensions.logging.console6costura.microsoft.extensions.logging.console.dll.compressed7microsoft.extensions.logging.debug8costura.microsoft.extensions.logging.debug.dll.compressed9microsoft.extensions.logging:costura.microsoft.extensions.logging.dll.compressed;microsoft.extensions.logging.eventlog<costura.microsoft.extensions.logging.eventlog.dll.compressed=microsoft.extensions.logging.eventsource>costura.microsoft.extensions.logging.eventsource.dll.compressed?microsoft.extensions.options.configurationextensions@costura.microsoft.extensions.options.configurationextensions.dll.compressedAmicrosoft.extensions.optionsBcostura.microsoft.extensions.options.dll.compressedCmicrosoft.extensions.primitivesDcostura.microsoft.extensions.primitives.dll.compressedEmicrosoft.win32.registryFcostura.microsoft.win32.registry.dll.compressedGnewtonsoft.jsonHcostura.newtonsoft.json.dll.compressedIrestsharpJcostura.restsharp.dll.compressedKsystem.buffersLcostura.system.buffers.dll.compressedMsystem.componentmodel.annotationsNcostura.system.componentmodel.annotations.dll.compressedOsystem.diagnostics.diagnosticsourcePcostura.system.diagnostics.diagnosticsource.dll.compressedQsystem.io.pipelinesRcostura.system.io.pipelines.dll.compressedSsystem.memoryTcostura.system.memory.dll.compressedUsystem.numerics.vectorsVcostura.system.numerics.vectors.dll.compressedWsystem.runtime.compilerservices.unsafeXcostura.system.runtime.compilerservices.unsafe.dll.compressedYsystem.security.accesscontrolZcostura.system.security.accesscontrol.dll.compressed[system.security.principal.windows\costura.system.security.principal.windows.dll.compressed]system.text.encodings.web^costura.system.text.encodings.web.dll.compressed_system.text.json`costura.system.text.json.dll.compressedasystem.threading.tasks.extensionsbcostura.system.
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|7D85033E8C5AE9B8EF4C2C3DFC8C8AC1B64A9DBA\|587264 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.communitytoolkit.mvvm.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: nlhybrid.xyz

Yara detected Titanium Proxy

Source: Yara match	File source: 0.2.NL Hybrid.exe.f2a0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.49e9550.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.f2a0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.48d14f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.4949530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.48f9510.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.4949530.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.49e9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.48f9510.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815304368.000000000F2A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NL Hybrid.exe PID: 7516, type: MEMORYSTR

Source: global traffic

TCP traffic: 192.168.2.4:61204 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

HTTP traffic detected: GET /app3/download/fn.png HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: nlhybrid.xyzConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.217.81:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: nlhybrid.xyz
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0
Source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/NL%20Hybrid;component/views/pages/dashboardpage.xamld
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000004022000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003DFC000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Wpf.Ui;component/Resources/Fonts/fluentsystemicons-regular.ttfd
Source: NL Hybrid.exe, 00000000.00000002.1804411315.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1728810483.0000000008143000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1729071381.0000000008143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontello.com
Source: NL Hybrid.exe, 00000000.00000002.1811016961.0000000008C8D000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000053D2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007C8E000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontello.comFluentSystemIcons-FilledRegularFluentSystemIcons-FilledFluentSystemIcons-FilledVe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811016961.0000000008C8D000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007C8E000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontello.comFluentSystemIcons-RegularRegularFluentSystemIcons-RegularFluentSystemIcons-Regula
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/pages/dashboardpage.baml
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/pages/dashboardpage.bamld
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/views/pages/dashboardpage.xaml
Source: NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nlhybrid.xyz
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.lepo.co/wpfui/2022/xaml
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account-public-service-prod.ol.epicgames.com/account/api/oauth/exchange
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account-public-service-prod.ol.epicgames.com/account/api/oauth/tokenFgrant_type=device_code&
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account-public-service-prod.ol.epicgames.com/account/api/public/account/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account-public-service-prod03.ol.epicgames.com/account/api/oauth/deviceAuthorization
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account-public-service-prod03.ol.epicgames.com/account/api/oauth/token:grant_type=client_cre
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/toolkit/dotnet
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bstlar.com/Hb/nlproxykeyy/NL
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bstlar.com/keys/validate/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fortnite-api.com/v2/cosmetics/br/search?
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/CommunityToolkit/dotnet
Source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811684418.000000000A2A0000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: NL Hybrid.exe, 00000000.00000002.1811016961.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007B92000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lepoco/wpfui
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app1
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app1/download/OGmdnsNSP.dllZhttps://nlhybrid.xyz/app3/download/NLUtil.exe
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app1/download/currentversion.json
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app1vhttps://nlhybrid.xyz/app1/download/currentversion.json
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app2/login?username=
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/RealSplashScreen.png?raw=true
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/SplashScreen.png
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/disco
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003D64000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/discord.png
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/discord.pngj/NL
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/f
Source: NL Hybrid.exe, 00000000.00000003.1798177796.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000040AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/fn.png
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/fn.pngX
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/app3/download/mdnsNSP.dll
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/locker/add/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/locker/clear/test/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/locker/remove/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/locker/reset/test/NSuccessfully
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyz/stats/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyzD
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlhybrid.xyzvSoftware
Source: NL Hybrid.exe, 00000000.00000002.1809201204.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/CommunityToolkit/dotnet/5320d4f621e145c60ef4180ea66fe57f12f0f58a/
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.discord.gg/namelessctX/C
Source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Malicious sample detected (through community Yara rule)

Source: NL Hybrid.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.NL Hybrid.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.NL Hybrid.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_02865080	0_2_02865080
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_028650F8	0_2_028650F8
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_02865108	0_2_02865108
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076FEE99	0_2_076FEE99
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F6D20	0_2_076F6D20
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F6D10	0_2_076F6D10
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07731908	0_2_07731908
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_077300F1	0_2_077300F1
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07CFDDC7	0_2_07CFDDC7
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07CFDDD8	0_2_07CFDDD8

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: String function: 0040E1D8 appears 43 times

Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWpf.Ui.dll. vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCommunityToolkit.Mvvm.dllN vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1811016961.0000000008C8D000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWpf.Ui.dll. vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1678271505.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Bcl.AsyncInterfaces.dll@ vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTitanium.Web.Proxy.dllF vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1678227930.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1678371660.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1811684418.000000000A2A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.Extensions.dllT vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWpf.Ui.dll. vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCommunityToolkit.Mvvm.dllN vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.DependencyInjection.Abstractions.dll@ vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTitanium.Web.Proxy.dllF vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTitanium.Web.Proxy.dllF vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.DependencyInjection.dll@ vs NL Hybrid.exe
Source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs NL Hybrid.exe

Source: NL Hybrid.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: NL Hybrid.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.NL Hybrid.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.NL Hybrid.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 0.2.NL Hybrid.exe.4949530.6.raw.unpack, TcpConnectionFactory.cs

Task registration methods: 'CreateTask'

Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSourceExtensions.cs	Suspicious method names: .DependencyInjectionEventSourceExtensions.ExpressionTreeGenerated
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ExpressionTreeGenerated
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ServiceRealizationFailed
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ScopeDisposed
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.DynamicMethodBuilt
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ServiceProviderDescriptors
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.WriteServiceProviderBuilt
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ServiceResolved
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ServiceProviderBuilt
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.OnEventCommand
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.CallSiteBuilt
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.ServiceProviderDisposed
Source: 0.2.NL Hybrid.exe.7710000.15.raw.unpack, DependencyInjectionEventSource.cs	Suspicious method names: .DependencyInjectionEventSource.AppendServiceDescriptor

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/2@2/1

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\NL Hybrid.exe

0_2_004019F0

Source: C:\Users\user\Desktop\NL Hybrid.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFC347.tmp

Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\NL Hybrid.exe

Command line argument: 08A

0_2_00413780

Source: NL Hybrid.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NL Hybrid.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NL Hybrid.exe	Virustotal: Detection: 62%
Source: NL Hybrid.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NL Hybrid.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: NL Hybrid.exe

Static file information: File size 6482432 > 1048576

Source: NL Hybrid.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x60ca00

Source: NL Hybrid.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\titanium-web-proxy\titanium-web-proxy\src\Titanium.Web.Proxy\obj\Debug\net461\Titanium.Web.Proxy.pdbSHA256H source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NL Hybrid.pdb source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811684418.000000000A2A0000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\titanium-web-proxy\titanium-web-proxy\src\Titanium.Web.Proxy\obj\Debug\net461\Titanium.Web.Proxy.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q,costura.communitytoolkit.mvvm.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.communitytoolkit.mvvm.pdb.compressed\|\|\|CommunityToolkit.Mvvm.pdb\|0B7A9A95698C41575335502FBAAB8635925C90DE\|52328 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.telerik.networkconnections.pdb.compressed\|\|\|Telerik.NetworkConnections.pdb\|69EE2F928A16661274A22DF221B7DC4EEE75671E\|93696 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NL Hybrid.pdbh source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.dll.compressedcostura.costura.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q1costura.telerik.networkconnections.pdb.compressedlB^q source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^q costura.dotnetzip.pdb.compressed source: NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.telerik.networkconnections.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256OE source: NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256# source: NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: microsoft.extensions.dependencyinjection.abstractions costura.microsoft.extensions.dependencyinjection.abstractions.dll.compressed!microsoft.extensions.dependencyinjection"costura.microsoft.extensions.dependencyinjection.dll.compressed#microsoft.extensions.diagnostics.abstractions$costura.microsoft.extensions.diagnostics.abstractions.dll.compressed%microsoft.extensions.diagnostics&costura.microsoft.extensions.diagnostics.dll.compressed'microsoft.extensions.fileproviders.abstractions(costura.microsoft.extensions.fileproviders.abstractions.dll.compressed)microsoft.extensions.fileproviders.physical*costura.microsoft.extensions.fileproviders.physical.dll.compressed+microsoft.extensions.filesystemglobbing,costura.microsoft.extensions.filesystemglobbing.dll.compressed-microsoft.extensions.hosting.abstractions.costura.microsoft.extensions.hosting.abstractions.dll.compressed/microsoft.extensions.hosting0costura.microsoft.extensions.hosting.dll.compressed1microsoft.extensions.logging.abstractions2costura.microsoft.extensions.logging.abstractions.dll.compressed3microsoft.extensions.logging.configuration4costura.microsoft.extensions.logging.configuration.dll.compressed5microsoft.extensions.logging.console6costura.microsoft.extensions.logging.console.dll.compressed7microsoft.extensions.logging.debug8costura.microsoft.extensions.logging.debug.dll.compressed9microsoft.extensions.logging:costura.microsoft.extensions.logging.dll.compressed;microsoft.extensions.logging.eventlog<costura.microsoft.extensions.logging.eventlog.dll.compressed=microsoft.extensions.logging.eventsource>costura.microsoft.extensions.logging.eventsource.dll.compressed?microsoft.extensions.options.configurationextensions@costura.microsoft.extensions.options.configurationextensions.dll.compressedAmicrosoft.extensions.optionsBcostura.microsoft.extensions.options.dll.compressedCmicrosoft.extensions.primitivesDcostura.microsoft.extensions.primitives.dll.compressedEmicrosoft.win32.registryFcostura.microsoft.win32.registry.dll.compressedGnewtonsoft.jsonHcostura.newtonsoft.json.dll.compressedIrestsharpJcostura.restsharp.dll.compressedKsystem.buffersLcostura.system.buffers.dll.compressedMsystem.componentmodel.annotationsNcostura.system.componentmodel.annotations.dll.compressedOsystem.diagnostics.diagnosticsourcePcostura.system.diagnostics.diagnosticsource.dll.compressedQsystem.io.pipelinesRcostura.system.io.pipelines.dll.compressedSsystem.memoryTcostura.system.memory.dll.compressedUsystem.numerics.vectorsVcostura.system.numerics.vectors.dll.compressedWsystem.runtime.compilerservices.unsafeXcostura.system.runtime.compilerservices.unsafe.dll.compressedYsystem.security.accesscontrolZcostura.system.security.accesscontrol.dll.compressed[system.security.principal.windows\costura.system.security.principal.windows.dll.compressed]system.text.encodings.web^costura.system.text.encodings.web.dll.compressed_system.text.json`costura.system.text.json.dll.compressedasystem.threading.tasks.extensionsbcostura.system.
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|7D85033E8C5AE9B8EF4C2C3DFC8C8AC1B64A9DBA\|587264 source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.communitytoolkit.mvvm.pdb.compressed source: NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.3.NL Hybrid.exe.92fc138.5.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.3.NL Hybrid.exe.92fc138.5.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 0.3.NL Hybrid.exe.943c158.4.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.3.NL Hybrid.exe.943c158.4.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 0.2.NL Hybrid.exe.4949530.6.raw.unpack, WinCertificateMaker.cs	.Net Code: MakeCertificate

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.48f9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.49e9550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.4949530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1690509660.00000000052F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NL Hybrid.exe PID: 7516, type: MEMORYSTR

Source: C:\Users\user\Desktop\NL Hybrid.exe

0_2_004019F0

Source: NL Hybrid.exe

Static PE information: real checksum: 0x23bfb should be: 0x63655d

Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd	0_2_0040BBA3
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076FA47B push esp; retf	0_2_076FA489
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F50AA push 8B048C58h; iretd	0_2_076F50AF
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F9FC3 pushfd ; iretd	0_2_076F9FF1
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F3FA0 push 5DFB1715h; ret	0_2_076F3FB9
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F9FB3 pushad ; iretd	0_2_076F9FC1
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_076F5A62 push ds; retf 0003h	0_2_076F5A6F
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07737659 push esp; retf	0_2_07737664
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07A254E5 push es; iretd	0_2_07A254EA
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07A26065 push ds; iretd	0_2_07A2606A
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07A26072 push ds; iretd	0_2_07A2607A
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07A2607B push ds; iretd	0_2_07A2608A
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07A2696A push esp; iretd	0_2_07A26991
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07CF25D3 push FFFFFF8Bh; iretd	0_2_07CF2598
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_07CF6CE5 pushfd ; iretd	0_2_07CF6CE9

Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 38C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 36C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 7B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 78B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 91A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Memory allocated: 7E20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

0_2_004019F0

Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599390	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598470	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598335	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597897	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597788	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597553	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597303	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597178	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597053	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596928	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596803	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596553	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596428	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596303	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596178	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596053	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595939	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595803	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595207	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595069	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594935	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594790	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594505	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594366	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594256	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594131	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe	Window / User API: threadDelayed 2745			Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Window / User API: threadDelayed 6990			Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-50334
Source: C:\Users\user\Desktop\NL Hybrid.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-50379

Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99863s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99426s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99051s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7780	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -599390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -599061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598335s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598225s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597897s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597788s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597553s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597428s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597303s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -597053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596928s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596803s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596553s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596428s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596303s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -596053s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595939s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595803s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595348s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -595069s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594790s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594505s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594366s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594256s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe TID: 7612	Thread sleep time: -594131s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99863	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99426	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99265	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99051	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99889	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599390	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598470	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598335	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597897	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597788	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597553	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597428	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597303	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597178	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 597053	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596928	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596803	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596553	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596428	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596303	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596178	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 596053	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595939	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595803	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595678	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595477	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595207	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 595069	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594935	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594790	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594505	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594366	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594256	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Thread delayed: delay time: 594131	Jump to behavior

Source: NL Hybrid.exe, 00000000.00000003.1795420267.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1797890105.0000000007B24000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1741237760.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1778614110.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1797365153.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809372286.0000000007B27000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1793863051.0000000007B23000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\NL Hybrid.exe

API call chain: ExitProcess graph end node

graph_0-50336

Source: C:\Users\user\Desktop\NL Hybrid.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: 0_2_07CF2400 LdrInitializeThunk,

0_2_07CF2400

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040CE09

Source: C:\Users\user\Desktop\NL Hybrid.exe

0_2_004019F0

Source: C:\Users\user\Desktop\NL Hybrid.exe

0_2_004019F0

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,

0_2_0040ADB0

Source: C:\Users\user\Desktop\NL Hybrid.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040CE09
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040E61C
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00416F6A
Source: C:\Users\user\Desktop\NL Hybrid.exe	Code function: 0_2_004123F1 SetUnhandledExceptionFilter,	0_2_004123F1

Source: C:\Users\user\Desktop\NL Hybrid.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: GetLocaleInfoA,

0_2_00417A20

Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFC347.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NL Hybrid.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NL Hybrid.exe

Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00412A15

Source: C:\Users\user\Desktop\NL Hybrid.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.48f9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.49e9550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.4949530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.5cc1f28.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6b80000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.6420f08.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.48f9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.49e9550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NL Hybrid.exe.2ec1f36.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.NL Hybrid.exe.4949530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NL Hybrid.exe	62%	Virustotal		Browse
NL Hybrid.exe	49%	ReversingLabs	Win32.Infostealer.Tinba
NL Hybrid.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://nlhybrid.xyz/app3/download/disco	0%	Avira URL Cloud	safe
http://foo/bar/views/pages/dashboardpage.bamld	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/stats/	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/fn.pngX	0%	Avira URL Cloud	safe
https://www.discord.gg/namelessctX/C	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app1/download/currentversion.json	0%	Avira URL Cloud	safe
https://nlhybrid.xyzD	0%	Avira URL Cloud	safe
http://fontello.comFluentSystemIcons-RegularRegularFluentSystemIcons-RegularFluentSystemIcons-Regula	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app2/login?username=	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app1/download/OGmdnsNSP.dllZhttps://nlhybrid.xyz/app3/download/NLUtil.exe	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/SplashScreen.png	0%	Avira URL Cloud	safe
http://defaultcontainer/Wpf.Ui;component/Resources/Fonts/fluentsystemicons-regular.ttfd	0%	Avira URL Cloud	safe
https://fortnite-api.com/v2/cosmetics/br/search?	0%	Avira URL Cloud	safe
http://schemas.lepo.co/wpfui/2022/xaml	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app1	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/f	0%	Avira URL Cloud	safe
http://foo/bar/views/pages/dashboardpage.baml	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/discord.png	0%	Avira URL Cloud	safe
http://defaultcontainer/NL%20Hybrid;component/views/pages/dashboardpage.xamld	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/RealSplashScreen.png?raw=true	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/locker/clear/test/	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/fn.png	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/locker/reset/test/NSuccessfully	0%	Avira URL Cloud	safe
http://fontello.comFluentSystemIcons-FilledRegularFluentSystemIcons-FilledFluentSystemIcons-FilledVe	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app1vhttps://nlhybrid.xyz/app1/download/currentversion.json	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/mdnsNSP.dll	0%	Avira URL Cloud	safe
https://nlhybrid.xyz	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/locker/remove/	0%	Avira URL Cloud	safe
http://nlhybrid.xyz	0%	Avira URL Cloud	safe
https://nlhybrid.xyzvSoftware	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/locker/add/	0%	Avira URL Cloud	safe
http://foo/views/pages/dashboardpage.xaml	0%	Avira URL Cloud	safe
https://nlhybrid.xyz/app3/download/discord.pngj/NL	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nlhybrid.xyz	172.67.217.81	true	true		unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nlhybrid.xyz/app3/download/fn.png	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account-public-service-prod.ol.epicgames.com/account/api/public/account/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp	false		high
https://aka.ms/toolkit/dotnet	NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://nlhybrid.xyz/app3/download/disco	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontello.comFluentSystemIcons-RegularRegularFluentSystemIcons-RegularFluentSystemIcons-Regula	NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811016961.0000000008C8D000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007C8E000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/views/pages/dashboardpage.bamld	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/json	NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account-public-service-prod.ol.epicgames.com/account/api/oauth/tokenFgrant_type=device_code&	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyzD	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bstlar.com/Hb/nlproxykeyy/NL	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/stats/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app2/login?username=	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app1/download/currentversion.json	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.discord.gg/namelessctX/C	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	NL Hybrid.exe, 00000000.00000002.1808761322.0000000007880000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802127449.0000000003740000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1808643855.0000000007710000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/lepoco/wpfui	NL Hybrid.exe, 00000000.00000002.1811016961.0000000008B90000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007B92000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/app3/download/fn.pngX	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/CommunityToolkit/dotnet/5320d4f621e145c60ef4180ea66fe57f12f0f58a/	NL Hybrid.exe, 00000000.00000002.1809201204.0000000007A90000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/app1/download/OGmdnsNSP.dllZhttps://nlhybrid.xyz/app3/download/NLUtil.exe	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app3/download/SplashScreen.png	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app3/download/f	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app3/download/RealSplashScreen.png?raw=true	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/NL%20Hybrid;component/views/pages/dashboardpage.xamld	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account-public-service-prod.ol.epicgames.com/account/api/oauth/exchange	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/app1	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fortnite-api.com/v2/cosmetics/br/search?	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://defaultcontainer/Wpf.Ui;component/Resources/Fonts/fluentsystemicons-regular.ttfd	NL Hybrid.exe, 00000000.00000002.1802317859.0000000004022000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003DFC000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003DBF000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	NL Hybrid.exe, 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1811684418.000000000A2A0000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.lepo.co/wpfui/2022/xaml	NL Hybrid.exe, 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/CommunityToolkit/dotnet	NL Hybrid.exe, 00000000.00000002.1804411315.00000000055A5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1809101106.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	NL Hybrid.exe, 00000000.00000002.1808793181.0000000007890000.00000004.08000000.00040000.00000000.sdmp	false		high
http://fontello.com	NL Hybrid.exe, 00000000.00000002.1804411315.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1728810483.0000000008143000.00000004.00000020.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1729071381.0000000008143000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/app3/download/discord.png	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003D64000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/views/pages/dashboardpage.baml	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/locker/clear/test/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontello.comFluentSystemIcons-FilledRegularFluentSystemIcons-FilledFluentSystemIcons-FilledVe	NL Hybrid.exe, 00000000.00000002.1811016961.0000000008C8D000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.00000000053D2000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1692147205.0000000007C8E000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000002.1804411315.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app3/download/mdnsNSP.dll	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/locker/reset/test/NSuccessfully	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nlhybrid.xyz	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003F1A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/app1vhttps://nlhybrid.xyz/app1/download/currentversion.json	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyzvSoftware	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/locker/remove/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlhybrid.xyz/locker/add/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo/views/pages/dashboardpage.xaml	NL Hybrid.exe, 00000000.00000002.1802317859.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	NL Hybrid.exe, 00000000.00000002.1810185808.0000000008210000.00000004.08000000.00040000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.0000000009205000.00000004.00000800.00020000.00000000.sdmp, NL Hybrid.exe, 00000000.00000003.1746477161.000000000943C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account-public-service-prod03.ol.epicgames.com/account/api/oauth/deviceAuthorization	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nlhybrid.xyz/app3/download/discord.pngj/NL	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bstlar.com/keys/validate/	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account-public-service-prod03.ol.epicgames.com/account/api/oauth/token:grant_type=client_cre	NL Hybrid.exe, 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.217.81	nlhybrid.xyz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582853
Start date and time:	2024-12-31 16:59:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NL Hybrid.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/2@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 214 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 20.242.39.171, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:00:17	API Interceptor	53x Sleep call for process: NL Hybrid.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.217.81	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	SW_PC_Interact2.3.5_Build6.exe	Get hash	malicious	DBatLoader	Browse
	http://halffreesk.live	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	http://knoxoms.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	DypA6KbLrn.lnk	Get hash	malicious	Unknown	Browse	104.21.87.65
	IOnqEVA4Dz.lnk	Get hash	malicious	Unknown	Browse	172.67.129.82
	HngJMpDqxP.lnk	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://br.custmercompa.de/	Get hash	malicious	Unknown	Browse	172.67.139.222
	tyPafmiT0t.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	104.21.85.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.217.81
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.217.81
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	172.67.217.81
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	172.67.217.81
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.217.81
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.217.81
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.217.81
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.217.81
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.217.81
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.217.81

Process:	C:\Users\user\Desktop\NL Hybrid.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	5.353343974040986
Encrypted:	false
SSDEEP:	48:MIHK5HKlYHKh3ouHgJHreylHKoAH8EHitHo6hAHKzeSHajHKx1qHGicrEHKtHAHO:Pq5qlYqh3ou0aylqb5CtI6eqzTWqxw1C
MD5:	A6C7A231110DFAA739DC745D157C9EC2
SHA1:	626296948C9832FC53AEEAAE643F3CDF54E8507F
SHA-256:	4D41604F69F79878955A682BDD7F24DE92394D0CDB5BF9F0FA4F817536FC4A03
SHA-512:	A497C6BDDA1D1C16A730C13557D43BDD5B11A723331BB761433F48A715946F0B86BD96CFB3DE1CBAED5EB6F8409F5C0233947526A7742175A2A3E44DFC0548D9
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFC347.tmp

Download File

Process:	C:\Users\user\Desktop\NL Hybrid.exe
File Type:	PNG image data, 308 x 410, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	219821
Entropy (8bit):	7.99619731359913
Encrypted:	true
SSDEEP:	6144:6RlMXKjqXY73o/HogPM5JFAuTJo0LG34K2r2:6jfjYYU/HogPM53T9g2a
MD5:	6D17B966A6C779B8004AC3CC73B263CA
SHA1:	87CBA11F4F7C45FFA6A508AC8376F90D108A6B7F
SHA-256:	397DB4AD18B72B08F011B66101D245D909071ACF802DFC7D2C73D322F0F919FA
SHA-512:	2B7A2FD9DEF630507A49A137940D01CB99BF8E001AAD900F60DB742067388FBF666F0C1B190DB00048FA0A76AC837B6531D8D50458C936D4DC778B99989FB2C0
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...4............... .IDATx....%.Y&.E..w.^....].l.....`.3..;.. .3.0...,.3.5....2...$....4H....k..Uwuu.w......=.........{U.]].............._x.~.......}..M....^.....".}.v..?......W....+.b........^.>.c!....,u.z.}..zA.37rB.i;<..D.._tej..n..1..dD..B.g...1.7..t:.^..wzo.@^......k.9S...V.0..{.....wjC...{.HE.J...AMir'.%B......Jg.<.F....d}...W;..J=..:`..Bv........u.[.....$..*.....2...}.h\....`....m.FlL^....I-....+...F..%.}R...(.l"..+1.S....L.6...,........E..nQ...nn.X....V..Ld....m.M..R...".......n68.C..>Bu.}.....bx......._iF..t.^%diI..`..T..<........,&._[q.M..6.d......h#.....~..6.M..UEV...f...6.W..fh.x2...^..@..X...;a.^.......H4.{.z..W.f....v.O.F.....X9./}....q.........%..n}0....A.c.uj.....'.~...-;>.....k..(...5..H.o...Dy..8.0...E].y#h7...<...m.&..O.y.H.........ZgF..g..i.V...+...0..h.KT.......K@b.....a...0..T.v._.Z......./.8.....\|..?...."n4./Ap....}.....'z..W!...........^....;......a..{]/...K.....nl_..I.F..C.....x..g.5D..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997692654622295
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NL Hybrid.exe
File size:	6'482'432 bytes
MD5:	9758f9f6962c1b2244ac185c6fb4482f
SHA1:	ac2281ca5f67e2045eb0688ff5b720a77269cffc
SHA256:	8638581592e1368094aee96942006f6ed6161f58ed18b3492450c7c21dea133d
SHA512:	d31714fcd91c13f5f1ae78cadf5fa205538bcdbe1e2549a1a2310433cc3a36ac34855cf16eef00e153c7ec565666bd77ff29b3dce75e97cb229387df93af0618
SSDEEP:	196608:XmTCV2GK0Nu92FRI0C93iZPPBg/tOrQBg4:J2GH8nt3/iQB3
TLSH:	3566331631A39BF7EA700CF611C4CBB91CF63CA50F7A9757AADD21A81F2005676B29C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................;......PE..L...t..P..........#........

File Icon


Icon Hash:	b23969ccd47069b2

Static PE Info

General

Entrypoint:	0x40cd2f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf5a4aa99e5b160f8521cadd6bfe73b8

Entrypoint Preview

Instruction
call 00007F76A9265296h
jmp 00007F76A925F459h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0041F058h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F76A925F5BEh
test byte ptr [eax], 00000008h
je 00007F76A925F5B9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0041B000h]
leave
retn 0008h
ret
mov eax, 00413563h
mov dword ptr [004228E4h], eax
mov dword ptr [004228E8h], 00412C4Ah
mov dword ptr [004228ECh], 00412BFEh
mov dword ptr [004228F0h], 00412C37h
mov dword ptr [004228F4h], 00412BA0h
mov dword ptr [004228F8h], eax
mov dword ptr [004228FCh], 004134DBh
mov dword ptr [00422900h], 00412BBCh
mov dword ptr [00422904h], 00412B1Eh
mov dword ptr [00422908h], 00412AABh
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F76A925F54Bh
call 00007F76A9265DD0h
cmp dword ptr [ebp+00h], 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215b4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x60c978	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b1c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x20da0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	7e0293b3adaf38eb399a7a96a2662023	False	0.5789483762254902	data	6.748587638365796	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	5826801f33fc1b607aa8e942aa92e9fa	False	0.5467329545454546	data	6.442956247632331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	2fe51a72ede820cd7cf55a77ba59b1f4	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x60c978	0x60ca00	b91b567d97c71ad8e52b958fe9467e5e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x261b4	0xe98	Device independent bitmap graphic, 32 x 56 x 32, image size 3584, resolution 3779 x 3779 px/m	0.3498394004282655
RT_RCDATA	0x2704c	0x60a841	data	1.0003108978271484
RT_RCDATA	0x631890	0x20	data	1.28125
RT_GROUP_ICON	0x6318b0	0x14	data	1.1
RT_VERSION	0x6318c4	0x35e	data	0.425754060324826
RT_MANIFEST	0x631c24	0xd53	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38463793608912344

Imports

DLL	Import
KERNEL32.dll	RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:00:17.982146025 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:17.982211113 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:17.982273102 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.022809982 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.022835970 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:18.494085073 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:18.494168997 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.666621923 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.666651964 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:18.666991949 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:18.721271992 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.842592001 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:18.842679977 CET	443	49730	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:18.842746973 CET	49730	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.264589071 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.264638901 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.264714956 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.265762091 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.265773058 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.324074984 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.324120045 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.324193954 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.324479103 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.324500084 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.720968008 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.721120119 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.723629951 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.723661900 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.723939896 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.768245935 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.768465042 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.805130005 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.808502913 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.815335035 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.826117992 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.826147079 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.827195883 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.831886053 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.831973076 CET	443	49734	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.832151890 CET	49734	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.953634977 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953680038 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953721046 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953741074 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.953753948 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953764915 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953852892 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953876972 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.953891993 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.953999996 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.954150915 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.954229116 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.954236984 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.958303928 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.958334923 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.958394051 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.958436966 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:19.958441973 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:19.958456039 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.002801895 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.039983034 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040047884 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040074110 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040117979 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.040138006 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040527105 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.040828943 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040880919 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.040980101 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.040990114 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041023016 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041050911 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041076899 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041078091 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.041086912 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041119099 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.041649103 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041711092 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041749954 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041749954 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.041762114 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.041801929 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.042246103 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042285919 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042326927 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042349100 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.042355061 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042366028 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042375088 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.042414904 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042440891 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042444944 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.042459011 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.042473078 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.096307039 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.096321106 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.126638889 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.126668930 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.126703978 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.126720905 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.126842022 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.126859903 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127197981 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127403975 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127413034 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127435923 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.127448082 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127475023 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.127648115 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127814054 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.127827883 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.127985001 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128026009 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128052950 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.128060102 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128070116 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128082991 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.128242970 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.128271103 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128429890 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.128659010 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.128803968 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.129059076 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.129090071 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.129117012 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.129123926 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.129144907 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.129157066 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.129436970 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.129445076 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.129674911 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.129951954 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130017042 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130043983 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.130060911 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130086899 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.130090952 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130165100 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.130172968 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130875111 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.130944967 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.130959034 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.131148100 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.213454008 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.213542938 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.213560104 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.213572025 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.213627100 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.213627100 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.213741064 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.213812113 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.214171886 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214287996 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214291096 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.214303017 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214349985 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.214418888 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214540958 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.214550018 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214719057 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214791059 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214834929 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.214843988 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.214864016 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215070009 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215176105 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215233088 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215265989 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215292931 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215292931 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215302944 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215327024 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215740919 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215775013 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215908051 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215970993 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.215980053 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.215996981 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216114998 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216671944 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216727972 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216749907 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216762066 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216782093 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216896057 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216934919 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216965914 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216965914 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.216974020 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.216991901 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217005014 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217036963 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217041016 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217084885 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217664957 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217725992 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217771053 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217784882 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217797995 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217823982 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217864990 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217864990 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217906952 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.217974901 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.217988014 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.218241930 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.218693972 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.218739033 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.218795061 CET	443	49733	172.67.217.81	192.168.2.4
Dec 31, 2024 17:00:20.218817949 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.218818903 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.219525099 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:20.220091105 CET	49733	443	192.168.2.4	172.67.217.81
Dec 31, 2024 17:00:44.487916946 CET	61204	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:00:44.492791891 CET	53	61204	162.159.36.2	192.168.2.4
Dec 31, 2024 17:00:44.492862940 CET	61204	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:00:44.497632027 CET	53	61204	162.159.36.2	192.168.2.4
Dec 31, 2024 17:00:44.935447931 CET	61204	53	192.168.2.4	162.159.36.2
Dec 31, 2024 17:00:44.940459967 CET	53	61204	162.159.36.2	192.168.2.4
Dec 31, 2024 17:00:44.940506935 CET	61204	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:00:17.928144932 CET	63848	53	192.168.2.4	1.1.1.1
Dec 31, 2024 17:00:17.937733889 CET	53	63848	1.1.1.1	192.168.2.4
Dec 31, 2024 17:00:44.487463951 CET	53	63096	162.159.36.2	192.168.2.4
Dec 31, 2024 17:00:44.959899902 CET	54941	53	192.168.2.4	1.1.1.1
Dec 31, 2024 17:00:44.967179060 CET	53	54941	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 17:00:17.928144932 CET	192.168.2.4	1.1.1.1	0xdd8f	Standard query (0)	nlhybrid.xyz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:00:44.959899902 CET	192.168.2.4	1.1.1.1	0xec32	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 17:00:17.937733889 CET	1.1.1.1	192.168.2.4	0xdd8f	No error (0)	nlhybrid.xyz		172.67.217.81	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:00:17.937733889 CET	1.1.1.1	192.168.2.4	0xdd8f	No error (0)	nlhybrid.xyz		104.21.24.64	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:00:44.967179060 CET	1.1.1.1	192.168.2.4	0xec32	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

nlhybrid.xyz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.217.81	443	7516	C:\Users\user\Desktop\NL Hybrid.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:00:19 UTC	246	OUT	GET /app3/download/fn.png HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: nlhybrid.xyz Connection: Keep-Alive
2024-12-31 16:00:19 UTC	962	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:00:19 GMT Content-Type: image/png Content-Length: 219821 Connection: close Content-Disposition: attachment; filename=fn.png Last-Modified: Fri, 06 Dec 2024 00:16:55 GMT Cache-Control: max-age=14400 ETag: "1733444215.0149584-219821-2091977069" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FswOoSNNxFi5%2Bx4MX152n60qBAOCzGBL9TpIpb5ExQBolwPkRC%2FNAk8Wg5evDnVdqiruNBDUNQfFJz8BRZJ8aEY9T5xi%2FO3PBQUoXdj5AyYJrM7xIerKTbLoUGpO31c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab7b5be9c80f69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1632&rtt_var=626&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=860&delivery_rate=1728833&cwnd=250&unsent_bytes=0&cid=9b88f417f23c5029&ts=239&x=0"
2024-12-31 16:00:19 UTC	407	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 34 00 00 01 9a 08 06 00 00 00 81 97 bf 01 00 00 20 00 49 44 41 54 78 9c ec bd 07 b4 25 c9 59 26 f8 45 9a eb 9f 77 f5 5e d9 2e d3 d5 5d ed bb 85 6c cb 1b 90 84 e0 60 05 33 c0 b2 3b 87 c3 20 96 33 cc 30 b0 b3 ec 2c cc 9e 33 c3 9c 35 c0 02 cb cc 32 0b 07 e1 24 10 92 06 8d 34 48 8c 0c 92 90 6b b5 da 55 77 75 75 97 77 cf fb eb ef cd cc 88 3d ff 1f 99 f7 e6 cd eb f2 d6 7b 55 dd 5d 5d 7f 9f d7 af de bd 99 91 11 91 11 7f fc e6 fb ff 5f 78 7f 7e 9f c2 b8 c0 a0 a4 94 ea 7d c7 e0 4d ee 2e f5 ea 5e c7 ef 94 df e9 f0 97 22 f2 7d 8c 76 94 ff 3f d5 ef 9a 9e 9d e9 f0 fc 57 08 c5 1e db 2b 89 62 be 87 97 e3 eb ea f7 0a 5e c2 3e f7 63 21 83 92 d8 04 2c 75 0c 7a d4 7d 07 d6 7a 41 a3 33 37 72 42 06 69 3b 3c 84 e8 44 a9 Data Ascii: PNGIHDR4 IDATx%Y&Ew^.]l`3; 30,352$4HkUwuuw={U]]_x~}M.^"}v?W+b^>c!,uz}zA37rBi;<D
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: 05 dd 32 a6 0e 13 7d ab 68 5c b7 e9 e6 d3 ab 60 ed dc 08 9e 6d f1 46 6c 4c 5e e4 11 dd cc 49 2d 97 ec e2 cc 2b a3 e7 d7 46 d0 0f 25 9a 7d 52 a2 eb c4 28 7f 6c 22 e0 a8 d7 2b 31 f5 53 9f c2 c6 80 db 4c ec 36 dd a6 97 8c 2c 96 ce 02 09 ad 97 a8 d2 45 e3 0c 6e 51 bd d8 ed 6e 6e f2 58 12 90 cf bc a2 56 c7 01 4c 64 f1 ae eb d3 fe 6d ba 4d b7 e9 a6 52 ab 84 d6 22 91 f5 11 08 a3 f6 aa 6e 36 38 d5 43 8a 8b 3e 42 75 d3 7d fd af db ae ef a0 85 f6 62 78 9d 9c 03 d1 b6 e2 d8 e1 5f 69 46 ef db 74 9b 5e 25 64 69 49 a6 c3 60 bb f9 54 07 f2 3c 0e c6 14 fb b7 d7 e7 b3 8e 0c 2c 26 dc a2 5f 5b 71 db b8 4d b7 e9 36 bd 64 d4 9d a1 a1 0b f3 1a 68 23 ab ae cd f4 ba 7e d7 e8 36 d3 b9 4d b7 e9 55 45 56 cf c1 de 66 08 b7 e9 36 dd a6 57 10 f5 66 68 af 78 32 00 e5 02 5e b1 fb 40 84 Data Ascii: 2}h\`mFlL^I-+F%}R(l"+1SL6,EnQnnXVLdmMR"n68C>Bu}bx_iFt^%diI`T<,&_[qM6dh#~6MUEVf6Wfhx2^@
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: 26 de 02 e3 f0 af 40 9e ff 3f 20 46 ee 1f f8 fe 57 34 11 13 aa 2d 6b 49 82 22 28 a2 54 73 b4 d4 14 6b 22 2d a0 72 95 d5 3c 31 f2 81 ee 97 8d bc 06 6a e9 af 80 cc b1 26 d3 23 06 97 98 82 71 e8 43 5d ef 53 f3 1f 05 64 1f a0 a8 74 60 ec fb 1f 20 f6 7c 00 b0 47 3a 5f 93 3d 0c e3 d8 ff 02 35 f5 7e c8 a7 7e 54 4b 52 e9 c3 4d 69 8a bc b6 43 27 20 46 1e e9 dc 0f 23 0d e3 f8 bf 86 d8 ff 13 ed 63 1b 7f 03 d4 ca 67 80 c5 4f 40 4c 7d 77 f7 bc 82 f9 33 5a 15 66 86 e6 cf 5d 75 9e a5 53 e3 e1 bf 86 98 fe 9e ce 37 9a 36 c4 d4 bb 60 4e bd 0b ea ea 9f 02 ce 36 90 e8 e1 7c b8 c5 e9 36 43 eb 42 c6 dd bf 01 b5 fa 39 a0 72 21 9e 5a 73 ab 50 6a 2f 8c d7 7d b6 3b ec 82 ec 38 c9 b9 98 83 15 40 72 06 f2 c2 6f c2 9c fb a0 96 38 3a 5d 35 f9 4e c8 f9 3f 6b dd eb f5 55 88 d9 1f ef de Data Ascii: &@? FW4-kI"(Tsk"-r<1j&#qC]Sdt` \|G:_=5~~TKRMiC' F#cgO@L}w3Zf]uS76`N6\|6CB9r!ZsPj/};8@ro8:]5N?kU
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: f5 54 a9 de 36 b8 40 9a 8b 43 04 bc 75 d6 3a 27 c4 bc 2e 52 7d d4 e9 4e 0c 8b 16 ba 78 d5 c3 36 6e 0a 43 eb c4 90 5e 2e f8 3f 66 68 dc 99 24 54 62 1c ee d3 3f 03 f3 6d 27 81 c4 70 0b 03 14 dd 16 8a e8 5e b9 bd ff c3 a5 0e 96 56 b5 f8 31 a3 71 6a 20 ec 94 58 d5 ec a2 72 f6 4b 45 de 93 0c 08 92 8c ae fd 69 47 86 46 cc d4 20 90 aa 1f 0b 19 25 c2 b2 29 ca ba 3b 7c ef 60 e3 b7 27 a1 28 7c 88 73 86 e9 54 dc 82 85 9a 3d 5d 6f 51 4e 89 63 25 39 f0 bc 1f 79 85 9d e7 33 6b 90 a1 61 2b 4e 8f da 00 e4 dd 65 89 53 fa 29 d5 05 3b 1e 04 c5 83 de 66 68 bb 4f 61 66 f5 ca 01 2e 7b 10 a9 7d 50 f9 93 90 cf fd 33 18 0f ff b1 9f 34 4f 6f 1c d5 b5 4e a9 8e 24 94 52 f1 a5 8d 4a f2 2a c6 d8 49 ad e0 b4 df 35 3f db 43 3f f2 4f 6e 0e c9 79 25 2e 5c 09 64 0e 68 a3 7e e9 22 90 6d 37 Data Ascii: T6@Cu:'.R}Nx6nC^.?fh$Tb?m'p^V1qj XrKEiGF %);\|`'(\|sT=]oQNc%9y3ka+NeS);fhOaf.{}P34OoN$RJ*I5?C?Ony%.\dh~"m7
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: d2 dc 2b 68 21 64 93 15 7e 83 c1 67 41 44 07 c4 4d 45 0c 04 5e 9b eb 12 0e c9 16 51 5b 86 77 e6 b7 3a 1b 4c 09 36 51 78 11 8a 54 19 d5 34 46 37 99 9a 03 64 ef 04 b6 be 05 f9 f4 cf 41 0c dd d9 de 46 00 66 2c 9e 86 b2 a7 1b 53 23 52 04 22 fd 26 bc f3 bf ed cf db 6e 20 c8 0d a8 c2 69 08 62 6a d7 f3 12 08 82 b0 f5 0d 48 bf 4f e1 59 15 c1 58 ea 5b da 59 61 76 69 9f 9e 5d 3c dd b1 0d 04 6d 10 7e cb ab 74 45 fb 33 71 e4 c0 38 d4 fa 57 75 cd 01 3b d3 c6 af 58 62 5a fe af 3a b5 34 c5 7a 76 3a b2 ed 29 a0 72 4e cf 33 3a 58 9e 2b 0b 10 b9 49 a8 53 ff 23 e4 da 97 20 e6 7e 08 82 62 46 7d 70 30 d5 14 50 1b 5f 83 bc f6 17 50 db 8f 41 10 33 8b d4 37 10 a9 3d 50 cb 9f 86 57 bd d6 0e df e1 39 db d6 76 4d 8e dd ec 40 f4 39 4d cb 99 ff 4d a7 ff ee d0 86 da 7a 92 d7 4c f3 bd Data Ascii: +h!d~gADME^Q[w:L6QxT4F7dAFf,S#R"&n ibjHOYX[Yavi]<m~tE3q8Wu;XbZ:4zv:)rN3:X+IS# ~bF}p0P_PA37=PW9vM@9MMzL
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: d6 da 18 ec 7a 44 e5 8c a3 52 b5 00 6f 49 f5 54 a2 79 88 d2 81 2b 55 c3 a4 06 f4 df dc 61 d5 32 2e 23 53 fe 85 1d 13 47 f6 1b c3 80 d4 7f 4f a9 f6 13 37 72 4f e7 f7 18 e7 e5 de 22 1b 5a f9 79 f2 41 1e cf 4d 8d a9 22 e6 06 9d 6c 91 f1 6a 94 0f 8e 72 7b c1 cf 2f 16 93 6e 45 1b 5a e7 35 b7 1b 6b e1 fa 9c 78 4d 53 53 ab 08 17 48 48 71 db 93 bb 2c ad 75 92 d0 ac f0 97 fd 5b 68 97 97 55 c8 9e 46 b6 5b 49 7f 1b a1 88 82 a8 83 21 f4 bc 36 67 44 cf ce b7 33 b0 4e d7 bf 24 87 7a 0c a6 dd 7e 4b ff 8e de 2a f2 89 08 18 17 61 c9 e8 c7 e8 12 41 b0 03 a7 d1 6e d1 4d 61 90 d7 a1 2a ef 64 98 cd 21 75 d6 60 44 48 b5 e8 35 fe 16 e6 16 b2 bb 0d c2 d8 94 1f 44 bf 5b 6c 2d ca 5e 9a a1 4f 71 67 2c c8 cf df b8 de 1f 99 d4 d1 90 ac 72 fa a9 52 74 78 5e d4 ae b6 33 46 d6 4b 8a eb Data Ascii: zDRoITy+Ua2.#SGO7rO"ZyAM"ljr{/nEZ5kxMSSHHq,u[hUF[I!6gD3N$z~KaAnMad!u`DH5D[l-^Oqg,rRtx^3FK
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: ab db c6 d2 2f bf fb 5b 95 3b 29 ee d7 81 94 d1 94 e1 0d 3e 82 bd c6 d3 a5 0c 4e 2c bd 30 84 11 64 4b 85 ae 7a ae af f2 8d 93 c1 8b 8d 8e 2b da df 57 6f b9 fc 5b 96 fa 30 f5 96 25 11 61 7e 22 f2 7d f8 df 51 46 a8 ad 21 cd 1c 5a 54 98 43 46 4f ec d0 b5 82 37 a2 e8 d0 56 f3 21 86 69 86 fa 45 d2 9c e9 a7 93 ee 30 2e 83 64 33 93 19 5b 50 53 a0 b1 ee b9 28 8c d2 b6 eb 90 3a 2e c2 1a 80 61 c0 12 94 c9 d6 85 0d 1b 46 22 81 64 c2 e6 b0 21 62 3b 86 aa 43 09 9b 25 2c e9 7a 2c 45 59 42 4b 84 c2 34 78 0c 6c 12 97 06 60 4a 28 5b 31 13 6a 24 3f f5 5c 28 c2 70 71 0c 6e 42 ab df ca cf 16 4c ff 36 6d 2d 8d 98 26 54 bd 0e d8 a6 cf cc 94 3e 49 68 4c 24 9c 58 09 fd 19 97 ee b3 20 48 e0 09 a4 51 b2 57 7b 8a 55 67 62 45 ae b4 58 ac b6 ac 8e 05 18 48 12 32 3a 48 39 9a f4 e7 7d Data Ascii: /[;)>N,0dKz+Wo[0%a~"}QF!ZTCFO7V!iE0.d3[PS(:.aF"d!b;C%,z,EYBK4xl`J([1j$?\(pqnBL6m-&T>IhL$X HQW{UgbEXH2:H9}
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: 01 c9 07 ae 56 2d 49 8c 32 d9 a3 a8 15 3b d6 d6 38 22 c8 68 30 5a 9e ef 86 47 59 4f 36 db f8 02 db a1 af fe 32 23 b6 4c 4e 13 45 cc 4a 32 63 53 b0 48 5a a3 cf 7d 6f 30 4b 60 b2 a9 c6 d3 b5 2a c0 a3 b1 e9 89 9e 6f ea cf 7c 2f 2a 4b 68 96 9f 5b 9d 0c 9b d4 46 d2 b4 60 27 7c 3d db 51 b0 5d a0 ee 08 54 3d b7 71 8e a8 1b bc fd 68 c1 e5 46 86 31 35 33 8d 8b a7 9e 87 5b ab 23 c1 83 95 50 16 70 f4 d8 11 56 43 e9 74 20 46 22 6c 83 55 38 c7 30 1a 8b dc bb 09 22 4e b0 69 99 85 d2 02 70 6a 90 d5 12 2c 78 f0 84 a9 25 5a c3 b7 01 39 75 c8 5a 55 6f 26 43 ab 24 61 8a 9e e8 b7 42 8e d6 7e 36 38 23 b4 fe 1b 36 45 36 3e cb 8e 90 b3 00 ae 64 aa 00 d2 d0 fe 9c 86 14 a6 ff 62 bb 8f a9 85 08 56 57 a5 cf d8 a2 2a 74 3b c3 6a 25 15 95 a0 a2 83 89 7c 20 c3 26 15 d5 2e c1 ed 36 05 Data Ascii: V-I2;8"h0ZGYO62#LNEJ2cSHZ}o0K`o\|/Kh[F`'\|=Q]T=qhF153[#PpVCt F"lU80"Nipj,x%Z9uZUo&C$aB~68#6E6>dbVW*t;j%\| &.6
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: ad 3e a3 32 84 f4 99 a9 6a 78 39 15 c3 42 54 23 d2 52 f8 9e 5a c3 df bf 04 53 69 30 31 61 84 fa 81 96 b9 34 7f f9 97 7e e9 df b4 c6 57 f9 86 54 61 34 5d b8 b4 f9 24 49 68 0e 54 23 c7 7b 87 04 48 2a 48 5b ab 27 c8 08 40 78 75 47 23 8a c9 ce 24 1d 1d f6 42 2a 09 e3 53 64 33 e9 ad d2 9f 99 be a8 4c 72 be 45 e2 a8 07 ec 99 99 c1 c4 f8 04 9e 3f 75 0a d5 5a 8d dd b4 74 7a 96 ca 65 0e 4c b3 12 96 36 5c 92 94 e4 f9 27 3b 01 ed fc 71 f0 1c 84 6a f2 a9 a8 ca d4 4d 35 ed f6 b9 2f f4 52 7f e9 45 6c af af b1 5b 99 a4 84 54 26 85 62 a1 84 6c 26 a3 a1 23 d5 3a b6 56 56 91 49 26 b5 1a 40 35 5f d3 19 76 22 ac 2d af f2 c2 c9 64 d2 6c 77 68 84 73 89 d0 7c 76 f8 61 ef 4f 97 ef d0 25 35 4b e0 5d eb f6 d3 62 b7 ee 33 0f 81 2d ab 99 b0 58 e8 d3 95 df 9f ff 1e fd 1f 5b ea 39 0a Data Ascii: >2jx9BT#RZSi01a4~WTa4]$IhT#{HH['@xuG#$BSd3LrE?uZtzeL6\';qjM5/REl[T&bl&#:VVI&@5_v"-dlwhs\|vaO%5K]b3-X[9
2024-12-31 16:00:19 UTC	1369	IN	Data Raw: 4c 8c 8d 61 64 64 04 a9 5c 16 55 d2 20 12 36 c6 26 c7 31 35 35 85 99 c9 09 28 3b 81 c9 99 49 fc f0 07 7f 04 a7 f6 1e c0 d7 3e ff 79 ac 5c 9b 47 61 71 19 63 d3 63 98 da 37 87 62 3e 8f 82 a5 5d f8 9e 53 63 26 ba bd b2 82 7a b9 84 ca d6 16 b6 d6 56 e1 9d 7a 1e 77 3e f8 10 f6 1c 3c 04 99 50 b8 eb f8 11 7c ed d9 d3 58 38 23 f9 7d 4f 7b 12 99 84 09 91 4e a0 5c 29 22 97 cd c1 0b 95 d7 a3 75 3f 96 1b c6 ea b5 05 2c 9c bb 80 83 c7 8f a2 4c d0 a5 48 95 29 e1 a3 17 9a 91 33 fe bf 77 01 91 d1 af 09 2f a4 ce 36 e4 a6 d0 be d5 c1 e1 aa e1 ac 30 42 b8 12 c1 b1 a2 81 54 e8 a3 f3 1b 4e 0c c9 ac 91 0e 46 66 1e 52 b5 b9 28 7c 1c c1 40 e3 69 8d 37 35 9a 01 9d a1 ef d9 eb 49 4c ae 11 de 28 1a 41 fd 71 a9 23 43 6b 52 13 b9 0d 76 0c 08 a4 cd 24 2c 4f c0 76 04 ea 64 80 37 04 1c Data Ascii: Ladd\U 6&155(;I>y\Gaqcc7b>]Sc&zVzw><P\|X8#}O{N\)"u?,LH)3w/60BTNFfR(\|@i75IL(Aq#CkRv$,Ovd7

Target ID:	0
Start time:	11:00:12
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\NL Hybrid.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NL Hybrid.exe"
Imagebase:	0x400000
File size:	6'482'432 bytes
MD5 hash:	9758F9F6962C1B2244AC185C6FB4482F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TitaniumProxy, Description: Yara detected Titanium Proxy, Source: 00000000.00000002.1804411315.00000000049E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.1690509660.00000000052F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TitaniumProxy, Description: Yara detected Titanium Proxy, Source: 00000000.00000002.1815304368.000000000F2A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TitaniumProxy, Description: Yara detected Titanium Proxy, Source: 00000000.00000002.1804411315.00000000048C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1800918798.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1678746499.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1806866487.0000000006420000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1807770864.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1690509660.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1802317859.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	4%
Signature Coverage:	15.5%
Total number of Nodes:	329
Total number of Limit Nodes:	31

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

v, xrefs: 0040206A
v, xrefs: 0040212C
[, xrefs: 00401B37
h, xrefs: 00401A6F
U, xrefs: 004020F5
{, xrefs: 0040211D
5, xrefs: 00402109
%, xrefs: 004020FA
E, xrefs: 00401E0F
{, xrefs: 0040205B
W, xrefs: 00402033
:, xrefs: 00401B28
', xrefs: 00402006
!, xrefs: 0040201A
W, xrefs: 00401B14
x, xrefs: 00401B78
x, xrefs: 00402088
x, xrefs: 00401E69
V, xrefs: 00401E19
!, xrefs: 004020CF
), xrefs: 0040202E
6, xrefs: 004020C5
!, xrefs: 00401B1E
{, xrefs: 00401B4B
v, xrefs: 00401B5A
8, xrefs: 00401BA9
', xrefs: 00401AF6
x, xrefs: 0040214A
o, xrefs: 00402097
V, xrefs: 00402038
*, xrefs: 004020E1
W, xrefs: 004020E6
., xrefs: 0040201F
., xrefs: 00401B0A
W, xrefs: 00401B23
_._, xrefs: 00402257
0, xrefs: 00401BBD
v, xrefs: 00401E4B
o, xrefs: 00402159
{, xrefs: 00401E3C
[, xrefs: 00402047
", xrefs: 00401B0F
o, xrefs: 00401B8D
*, xrefs: 00401A1F
D, xrefs: 00401DFB
___, xrefs: 0040227D
4, xrefs: 00401B64
4, xrefs: 00402136
4, xrefs: 00402074

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: f33ec6517a8e462eea4e7ce496cce69d106849ef0d44fd50fc6c48668fb332a6
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 07731908 Relevance: 5.7, Strings: 4, Instructions: 673
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 07731C92
TJcq, xrefs: 0773199B
pbq, xrefs: 07731F0E
xbaq, xrefs: 07731963

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: da162da23fa9f09f8acce60669970bd154f20192b07578ef653228efbb00cac4
Instruction ID: a3bc9f86a51366ec20f1744b7d7ec4759817c0ba016fed0b85fdb447504c1466
Opcode Fuzzy Hash: da162da23fa9f09f8acce60669970bd154f20192b07578ef653228efbb00cac4
Instruction Fuzzy Hash: EB5237B5A10618DFCB05DFA8C984EA9BBB2FF49300F5585A8E5099B272CB31ED51DF40

Function 077300F1 Relevance: 3.6, Strings: 2, Instructions: 1146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0773039C
K7+p^, xrefs: 07730AAB, 07730AB0

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID: $^q$K7+p^
API String ID: 0-423093251
Opcode ID: f7e1f08ba154c6c29af349832042920a4dcde9b3a7c47a052aba69bfad6bc507
Instruction ID: 808283713810d44f6e8d36a3fe76abe808fd774ca38f94d25c3c0de7fad0103b
Opcode Fuzzy Hash: f7e1f08ba154c6c29af349832042920a4dcde9b3a7c47a052aba69bfad6bc507
Instruction Fuzzy Hash: C1B20C74A10228DFCB54DF68D8996ADBBF6FB88300F1485A9E40A9B351DF349D81DF81

Function 028650F8 Relevance: 2.7, Strings: 2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 028651A7
4'^q, xrefs: 028651D2

Memory Dump Source

Source File: 00000000.00000002.1800680087.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: f487f2733bea3cdf3f136a13048120f9c6b03bd01435b35232059868388a44ee
Instruction ID: 516987bdf4ca0c2b06a55f508dbdeb2037d62ef351b57cf8c05309af09bcb86a
Opcode Fuzzy Hash: f487f2733bea3cdf3f136a13048120f9c6b03bd01435b35232059868388a44ee
Instruction Fuzzy Hash: D1817BB09016549FDB48EF6AE891A9ABFF3FFC4305F14D829D4089B269EB346805CF51

Function 02865080 Relevance: 2.7, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 028651A7
4'^q, xrefs: 028651D2

Memory Dump Source

Source File: 00000000.00000002.1800680087.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 0f1bcbcaa591ad5e9ac4ed29f8b92ca415a9fafd31dea3f633ef11ae89632fed
Instruction ID: f121e8167a6cffe14311ca5148ca430729ae03aaa818367c1392ab5bbc4c174f
Opcode Fuzzy Hash: 0f1bcbcaa591ad5e9ac4ed29f8b92ca415a9fafd31dea3f633ef11ae89632fed
Instruction Fuzzy Hash: 29816B709016549FDB48EF6AE890A9ABFF3FFC4305F14C929D4089B269EB346905CF51

Function 07CF2400 Relevance: 1.5, APIs: 1, Instructions: 5libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,00000003), ref: 07CF2403

Memory Dump Source

Source File: 00000000.00000002.1809691757.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_NL Hybrid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d876e1a1f1192dd7af919465dce0a7098815582291da37eabbceddb9b4c6d25
Instruction ID: 45ef5a3527d4ac56cd56210727fe94283215edb6e9cd946abbc49d8a5e661c73
Opcode Fuzzy Hash: 8d876e1a1f1192dd7af919465dce0a7098815582291da37eabbceddb9b4c6d25
Instruction Fuzzy Hash: 9C900235044A0C8F4644379574199D57B5C964456E7801051A50D41D095A5574504995

Function 076FEE99 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6f669e6054f9c787de180e69d52b788d2b9082a772088b93a9a50b61934949
Instruction ID: 225777d4519053897bd8f8df5ecea83cd2decd73515b31bae0d060c6487ca062
Opcode Fuzzy Hash: 0c6f669e6054f9c787de180e69d52b788d2b9082a772088b93a9a50b61934949
Instruction Fuzzy Hash: ECC15C71E0021A8FCB55DFA4C850B9DBBB2FF89304F118599D50ABB261DB70AE86CF50

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 07A25A32 Relevance: 9.0, Strings: 7, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`Q^q, xrefs: 07A25CF2
$^q, xrefs: 07A25AE2
$^q, xrefs: 07A25BEE
$^q, xrefs: 07A25CAD
$^q, xrefs: 07A25BFE
$^q, xrefs: 07A25CBD
$^q, xrefs: 07A25AF2

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: `Q^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-348381173
Opcode ID: 39d181ed6474b1533d15ee7aec4c0222c2f6c8ab34f1eee0c710fe5bd24749ca
Instruction ID: 18dc2ee2ee62f373f32e5e8ad2e62498424a97f3de229a28920dd28dd70314b5
Opcode Fuzzy Hash: 39d181ed6474b1533d15ee7aec4c0222c2f6c8ab34f1eee0c710fe5bd24749ca
Instruction Fuzzy Hash: 28B1E8B0E0012ACFCB18DFACD4486AE77F5FF89310F1485A9D425AB250EB349C52DBA1

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 07A2B9E0 Relevance: 5.2, Strings: 4, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 07A2BB71
(bq, xrefs: 07A2BAF7
(bq, xrefs: 07A2BA50
(bq, xrefs: 07A2BB23

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$(bq
API String ID: 0-2632976689
Opcode ID: 66577a9cd7a5d2f212c77a0c5ff13bdd7cc4d6d25ba143db1b696104a54998bd
Instruction ID: 5434aaacd6083b610a7e5074c193da150a620fab836272f95af34e9cda93c547
Opcode Fuzzy Hash: 66577a9cd7a5d2f212c77a0c5ff13bdd7cc4d6d25ba143db1b696104a54998bd
Instruction Fuzzy Hash: 7651E271B002158FC7189B79D8586AEBBE6FFC9311B10C52AE51AD7790EF34AD02CB90

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 076FE170 Relevance: 2.6, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 076FE1A0
(bq, xrefs: 076FE1CC

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 3112fe8d40a0eec5570883bc474fa38cec807df7f7bcdc98f1eb161c1aa7b8fb
Instruction ID: 83a409f4b94e6e98ab85f433d331c5fbd067dd2f0db7a26621f2602a8e302a97
Opcode Fuzzy Hash: 3112fe8d40a0eec5570883bc474fa38cec807df7f7bcdc98f1eb161c1aa7b8fb
Instruction Fuzzy Hash: 16012475B092A50FE30627BE181012E6E96DBD765135580BEDA0BD73C2CD298E06C7A2

Function 0286DCD8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0286DD4C

Memory Dump Source

Source File: 00000000.00000002.1800680087.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_NL Hybrid.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c4e999f1ebf389f117a4a924578f6d937aa5c3d0b2f4a6f8d9e0a7f6aae2e170
Instruction ID: 9458076fe4eeb31c1de0d6aabf8702e97c610c42ab61caa04ff1131d86f416ca
Opcode Fuzzy Hash: c4e999f1ebf389f117a4a924578f6d937aa5c3d0b2f4a6f8d9e0a7f6aae2e170
Instruction Fuzzy Hash: 3711F7B5D002499FCB10DFAAC844AEEFBF4EF88324F108419D519A7240CB74A945CFA1

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 07CF23F0 Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,00000003), ref: 07CF2403

Memory Dump Source

Source File: 00000000.00000002.1809691757.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_NL Hybrid.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8637333904ba10a398d44437ebb97a03e8dd109d33a140037543c1c20cd67848
Instruction ID: 891a081ad260da53beb07f908ce208fecef74b0ebe84f2f6b5a450bbc2a4418c
Opcode Fuzzy Hash: 8637333904ba10a398d44437ebb97a03e8dd109d33a140037543c1c20cd67848
Instruction Fuzzy Hash: 7CC08C29048B8C1FCA13221078307C17F3CBB4256CF0022C3E4688AC8386041B4D8AB2

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 0040AD50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AD5A

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 3374a06f9b3d2d068d2f82a32e0eba00299d11aef8e131c065cca21440f1d622
Instruction ID: 1d107a11a906ec6b97ad05ef89e0782f1ba8d3b6ff8f86867a68f26e47426dd2
Opcode Fuzzy Hash: 3374a06f9b3d2d068d2f82a32e0eba00299d11aef8e131c065cca21440f1d622
Instruction Fuzzy Hash: 8DB012B7804201ABC504E650E58680BB7DCEAE0200F81C879F04886070D338E504874B

Function 076F11C8 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

Deq, xrefs: 076F1267

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 61d9e18d699c36a82288d45937bb9954af59a270e7e0b1679e85abcc07a8cddf
Instruction ID: a6301b5277d4e2c2d1eb184aaa405c2802b7dc26a83b8e07bc675e95a8572293
Opcode Fuzzy Hash: 61d9e18d699c36a82288d45937bb9954af59a270e7e0b1679e85abcc07a8cddf
Instruction Fuzzy Hash: D381E3B07002549FC718DF69D454A6EBBE2FF89350F108959D50ADB3A5DF34AC02CB91

Function 07A26478 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

(bq, xrefs: 07A264C5

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 1e1a02ea2bcf5404a50d351a6bff14ee558b4839402a78d414cd516b9532759a
Instruction ID: d6194fac389dd12ea3ab670dd52b57dae7dcea99178234e2ddf94d8745f8e76c
Opcode Fuzzy Hash: 1e1a02ea2bcf5404a50d351a6bff14ee558b4839402a78d414cd516b9532759a
Instruction Fuzzy Hash: 6A61C0B5E012589FCB15CFA9D8506DEBFF1EF88310F14806AE459AB351CB349D86CBA1

Function 076F8B48 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

Te^q, xrefs: 076F8BC1

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: e5f4e0d534513607fb48fc8279e37145e7223ac1a60f346580bdad01ed2b80e1
Instruction ID: 607259f2e4a49cd7c11e0404306ce1790299f28d5a189d2d2d69f84e049c8c0e
Opcode Fuzzy Hash: e5f4e0d534513607fb48fc8279e37145e7223ac1a60f346580bdad01ed2b80e1
Instruction Fuzzy Hash: 1D4192B0715607CFDB149B78E8593AD7AF2EB49311F1418AAD603EB384CB784982CB95

Function 07732237 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

TJcq, xrefs: 07732289

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: b5dda4a610e6ac623ed56de3d1a138bde01fe375b55353c4083eb97e19efe4c6
Instruction ID: 26af74bb48ecfab6a2168400d6ea70e3399675dbebf31d158ab178c80b126fe6
Opcode Fuzzy Hash: b5dda4a610e6ac623ed56de3d1a138bde01fe375b55353c4083eb97e19efe4c6
Instruction Fuzzy Hash: 0441D4717005109BD715ABE8D81A73F7EEAEBC8754F158829E5078B3C6CE389C068BD2

Function 076F11D8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

Deq, xrefs: 076F1267

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 199879239dec4146ef2f5833d38e141d3df609819c3dd0ccd7faa087271a9f0f
Instruction ID: 7d6d6ed20e7649e9bad53da17f2ddaf43fcbee587a4b36567d3d41eaacf49403
Opcode Fuzzy Hash: 199879239dec4146ef2f5833d38e141d3df609819c3dd0ccd7faa087271a9f0f
Instruction Fuzzy Hash: 5851ADB0600614DFCB18EF29D484A59BBF2FF89350B558969D41AAB3A5DB30FC41CB90

Function 07730007 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

s, xrefs: 0773001C

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: d6c8bf61899b398508e421ca488c314eaee6325d26dbccf2dc0335b9a4c26658
Instruction ID: 68c50f39a664ffab0574418aa9393dcc59ee4b453db296202cb1a19b7d926a43
Opcode Fuzzy Hash: d6c8bf61899b398508e421ca488c314eaee6325d26dbccf2dc0335b9a4c26658
Instruction Fuzzy Hash: 7C2105B09083849FDB028BB4D85479A7FF5EF87310F0844AAE085DB397CA784D84CBA1

Function 07A2CA90 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

8bq, xrefs: 07A2CAF9

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 19d922f52f35c63006240079373d78f4da65b9a70ea98514235ac571a61ddb40
Instruction ID: 91f6566124daec74c1400f5fabf81db99a08aa8adb278878effec9ccf26803b7
Opcode Fuzzy Hash: 19d922f52f35c63006240079373d78f4da65b9a70ea98514235ac571a61ddb40
Instruction Fuzzy Hash: 212192B5B042159BDF05DB68E851ADE7BB5FB89325F004025E901B7384CB30A905DFA1

Function 07A2B998 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

(bq, xrefs: 07A2BA50

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 9acd44259a615ecf0f3ecbaf07a9bbba6de70fe3c74bfcd79461948b856471b5
Instruction ID: 12bff4f526fc294ff815541147e6b9349b53cce5d7911de32356ef94ef082e34
Opcode Fuzzy Hash: 9acd44259a615ecf0f3ecbaf07a9bbba6de70fe3c74bfcd79461948b856471b5
Instruction Fuzzy Hash: 581155B02153228FC3139B3CD8983DEBBA1EF81351F14885BC46A83661EF30A957C794

Function 07A2B9D1 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

(bq, xrefs: 07A2BA50

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: f557c2e23639c984cfbc44ec61240cff98b8e8f89af8f653add2b90e77f20eb1
Instruction ID: 9e7d32ac29f82203900a86e2a27f50a2cf1eb47cf8f64f43be5084438afc6b96
Opcode Fuzzy Hash: f557c2e23639c984cfbc44ec61240cff98b8e8f89af8f653add2b90e77f20eb1
Instruction Fuzzy Hash: 3711A0B1B102128FC7559B6DD8443AEBBE6EBC8251B24812AD41AD3650EF30AD42CBA0

Function 0286DEA8 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0286DF0A

Memory Dump Source

Source File: 00000000.00000002.1800680087.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_NL Hybrid.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 68b50a323eeeda539580e04fd00450fa99e75397a95ba0c07e6153842b2a8c4f
Instruction ID: b2b99eb5aaac2eac089d5192abb00357f5f4b2fd72b79c949f941ba1731cacb7
Opcode Fuzzy Hash: 68b50a323eeeda539580e04fd00450fa99e75397a95ba0c07e6153842b2a8c4f
Instruction Fuzzy Hash: 4E113AB5D003488FCB10DFAAC4497EFFBF4EB88324F208419D519A7240CB74A944CBA4

Function 07A23E83 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d6f53c77578afbad60fbd5f0ec354ccc70cfe1cb953e01bc400c6677b2a2b5
Instruction ID: f36a4dfcbf84eef80ba027ddebbbcdf3197f08438e9bded5bc48b33452107733
Opcode Fuzzy Hash: 46d6f53c77578afbad60fbd5f0ec354ccc70cfe1cb953e01bc400c6677b2a2b5
Instruction Fuzzy Hash: C7C1BFB0B14668CFDB14EF6CD00876A7BF2EB89311F108525E4169B395CB389C4ADF92

Function 076F7AE1 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f2f1421910cf2c307888fe01e158e0b84b06bedcf99253bd4561ef81498a6e
Instruction ID: eaf16664d0c7f2cf17c7dbd63f2bd8c1c9269a5e941647210fa4072afc18c84d
Opcode Fuzzy Hash: a5f2f1421910cf2c307888fe01e158e0b84b06bedcf99253bd4561ef81498a6e
Instruction Fuzzy Hash: 57818CB0A10119CFEB24DF68E4587ADBBF1FB4A311F945826E603A7384DB749982CF51

Function 07A2D4B8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebdc7fcba992fcc1da23facdb074e4aa50deadc08fa29ff4de60967f554b313
Instruction ID: 737ad5c859bac8bda209c3b3062d1d405ffb0c003dc005f88b218ffa0df61a2c
Opcode Fuzzy Hash: cebdc7fcba992fcc1da23facdb074e4aa50deadc08fa29ff4de60967f554b313
Instruction Fuzzy Hash: 5751846281F3E55FD703A73CACB00DA7FB18E53A2570A06C7D0949B0A3D5185A8DC7AB

Function 076F7AF0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832bff489a963c005636cc204067d9ee1aa92696f9f1ba6e19265898fc7539f
Instruction ID: 3d4a2f37b06d4aa842ad39c98f802212af5b1c86460298738d4ea91351d14dd9
Opcode Fuzzy Hash: a832bff489a963c005636cc204067d9ee1aa92696f9f1ba6e19265898fc7539f
Instruction Fuzzy Hash: 6E818CB0A10119CFEB14DF68E4587ADBBF1FB4A311F945826E603A7384DBB49982CF51

Function 07A28C98 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601c50c83638e490bd73d74b7db30d90e0a2b101d3665f6ab9a30f6b15ac8573
Instruction ID: 852f8a72fa8833d784df6551a475449e61be5dd98a67c24114868050f954c6ee
Opcode Fuzzy Hash: 601c50c83638e490bd73d74b7db30d90e0a2b101d3665f6ab9a30f6b15ac8573
Instruction Fuzzy Hash: 0071B1B1B00628CFD714EBACD05876A7BA6E788311F148429F616D7388CF3CAC46DB91

Function 076F7D45 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323278e9d503ba4456fb3967a20c9618ab43475059d65ef2a8755b8e87fcf13c
Instruction ID: 99f47fc4aea19b4b4a52c077801284b5687a65b7797e83de3c7fd6db5a82835e
Opcode Fuzzy Hash: 323278e9d503ba4456fb3967a20c9618ab43475059d65ef2a8755b8e87fcf13c
Instruction Fuzzy Hash: E471ABB0A10119CFEB14DF68E4587ADBBF1FB0A311F946866E603A7284D7B49982CF51

Function 076F7C74 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48dad4582a75badb3281bd036178eda141e08e4572f9a62020b22dd86b798c45
Instruction ID: 9f8984899f05b3aac5a895b693953e6715341d946e448942c19e1905348abd80
Opcode Fuzzy Hash: 48dad4582a75badb3281bd036178eda141e08e4572f9a62020b22dd86b798c45
Instruction Fuzzy Hash: 9071ABB0A10119CFEB14DF68E4587ADBBF1FB0A311F946866E603A7284D7B49982CF51

Function 07A28C88 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9101ed09cb26d054cd89bc9c9d4c85e34502f12197b1ad86c749622f4e405bd4
Instruction ID: 200a7564315b77ada1ed1e190c146ab8a07bdaebed0191387a83625d57ae1847
Opcode Fuzzy Hash: 9101ed09cb26d054cd89bc9c9d4c85e34502f12197b1ad86c749622f4e405bd4
Instruction Fuzzy Hash: 4D61C2B1700518CFD714EBACE45876E7BAAE788310F148429F616D7388CF389D46DB91

Function 07A2CE10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60b1720b331e8b1e3b386ac7e541cf4a3e672fa915db3bde18cb1f4ea705864
Instruction ID: 1f30d95a91295531b99505b2ed5fec1846286e69ff45645415581216a00048fa
Opcode Fuzzy Hash: d60b1720b331e8b1e3b386ac7e541cf4a3e672fa915db3bde18cb1f4ea705864
Instruction Fuzzy Hash: 9A7197B1A14228DFDB14DF6CC444BADBBF5EB49320F044565E512AB295C734EC86EB60

Function 07A2581A Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae69aaf4a1b9cdd3147e79d87f73622d78130e08f2406a4a9d80e13a749d8e3
Instruction ID: 5cc14685529ff01e81337f00ea5a829463abafe566545dcb5f41d1bbf05f0af2
Opcode Fuzzy Hash: fae69aaf4a1b9cdd3147e79d87f73622d78130e08f2406a4a9d80e13a749d8e3
Instruction Fuzzy Hash: 3E512130604702CBC724DF24E844BABBBA5FFC5304F814AA9E4D85B195DF71A9A9C783

Function 076F98F0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a229d083450cff293bcf6c9aa523fd7b1181c7735027faf1ec954d44c2ecc6
Instruction ID: 4343a5cb9e4f662d2d9f5a922025aed25c96db971d2b3a5dd55731a8ec43aa23
Opcode Fuzzy Hash: b1a229d083450cff293bcf6c9aa523fd7b1181c7735027faf1ec954d44c2ecc6
Instruction Fuzzy Hash: 3351AEA6A4D7C25FE7034724AC667D57FB0AF53715F4B41C7D9818F4E3E618280A83A2

Function 07A25638 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fe2f9f1da94a3790c56f8369a964cf3db8e947da8549f30d541167fc1ad8b7
Instruction ID: 1e209aa6ad64a31cc5de71b967773ecb989be5b49edc497374a0dba92920d0a2
Opcode Fuzzy Hash: 94fe2f9f1da94a3790c56f8369a964cf3db8e947da8549f30d541167fc1ad8b7
Instruction Fuzzy Hash: 0451F0B1600320DFC706EB78D8806ABB7A6FF84301F548AADE41A4F245DF75A946DBD0

Function 07A26D50 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65ae03dda99277b1bbbbca6dd152f48d02111af0c8479c98b1ed5d9316f92b1
Instruction ID: 66e3d253708f8d613bfa439e271f7776f64234eb8e56acac6e3366c54c04df05
Opcode Fuzzy Hash: e65ae03dda99277b1bbbbca6dd152f48d02111af0c8479c98b1ed5d9316f92b1
Instruction Fuzzy Hash: D241E4B47096029FC749BB34E49953E7AE6FFC8204B048959E556C7381EF39CC069793

Function 07A26D40 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2746468ede523df32412b33a77efc0d83bcc87d25641e8a3c8b83b0419c8af67
Instruction ID: 9be39a9cd4cd0529adf3efcce9bdbb36d59bfd108091b4534313ada7c0ae9953
Opcode Fuzzy Hash: 2746468ede523df32412b33a77efc0d83bcc87d25641e8a3c8b83b0419c8af67
Instruction Fuzzy Hash: D441E1B47096019FC749EB24E49953E7AE6FBC8214B088659E55ACB3C1DF388C069B92

Function 07A246C0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828b8d5665a8554de1aa5f85a5c91ee48a459494350ed60979c3ca17f7e4558b
Instruction ID: dc1d5c6ecf237b14b516c32f74126f95f7ccd2fda7086e6432a11860b20b0ea3
Opcode Fuzzy Hash: 828b8d5665a8554de1aa5f85a5c91ee48a459494350ed60979c3ca17f7e4558b
Instruction Fuzzy Hash: E841E5B0A106A4CFDB10EF6CD0443AE7BB6EB8E311F044525D4229B785CB75AD829FA1

Function 07A24697 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95937902e5a03ec76e85e53166bbeefa331ab46c851be61e3504784de56f376a
Instruction ID: cbe083c6da804ce84f893a58670d8716277fe2b6f13711086717a73f7d0451b1
Opcode Fuzzy Hash: 95937902e5a03ec76e85e53166bbeefa331ab46c851be61e3504784de56f376a
Instruction Fuzzy Hash: 7E4111B07106E4CFDB11AF6CD45436D3BB2EB8B312F044966D0228B686CB75AC869F52

Function 076F77F8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c52c3c2220a4cd49afa0cf6decb5ad2767ed5dab9328633c0be1f37f5e0239
Instruction ID: 1738f0e5f90b70d3eb61a59e3b2ef31e02e29050e8aa8000aaaeb954b354572d
Opcode Fuzzy Hash: 82c52c3c2220a4cd49afa0cf6decb5ad2767ed5dab9328633c0be1f37f5e0239
Instruction Fuzzy Hash: F931F4B07006455FD701A67CE81476E2AC6EB89314F80883EE227CB382DEA89D46C791

Function 07A246D0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46817c95ffd93ed12f88c739f9e7352d9845c3f16874ee948c3b37e864304d8
Instruction ID: f7312f23c5e3e158f84616ddd2f3e69f0697e2646b060756359f965c562aedd5
Opcode Fuzzy Hash: d46817c95ffd93ed12f88c739f9e7352d9845c3f16874ee948c3b37e864304d8
Instruction Fuzzy Hash: F241D7B0B106A4CFDB10EF6CD4447AD7BB5EB8E311F044525D0229B785CBB5AD829FA1

Function 07A25648 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7c26d4cdbe0faa3da3990cc36a415fdd1d887222bb398336334df837439c02
Instruction ID: 7d082dc7ccb340da8f2c6b19e64c2dd8661c1d34775d2c5d5b77a9434c9f44ee
Opcode Fuzzy Hash: 9c7c26d4cdbe0faa3da3990cc36a415fdd1d887222bb398336334df837439c02
Instruction Fuzzy Hash: F24151B16003259FC706AB78C8806ABB7A6FFC4301F548AA8E41A4F249DF75A955DBD0

Function 07A2A2D8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f620405e3131a2bd6d82d34cb0a80d349b8252aade054c8717f8f99073a6cd
Instruction ID: b454dabb8d0c5c6d3aa19efbec186260fe383ea22f2e52facf833985d23c0c19
Opcode Fuzzy Hash: c7f620405e3131a2bd6d82d34cb0a80d349b8252aade054c8717f8f99073a6cd
Instruction Fuzzy Hash: F831B6B67043159FD704DBB8A851A6F67DAEFD0264B10883EDA1ACB640EF34DC0587E1

Function 07A2C7E8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fb7750aaf4a375d1309c42455997488e1dba1993e2b600b7b3132a30a8d016
Instruction ID: f3d45fbfcd6f697b9966683aed464aac1d3e18094936cd2c2fe26eb0ec7b6e32
Opcode Fuzzy Hash: 14fb7750aaf4a375d1309c42455997488e1dba1993e2b600b7b3132a30a8d016
Instruction Fuzzy Hash: 1431D5B0B002159BDB089F79E4252AE7BF6EFC8319F108428D555EB384EF349946DB62

Function 07A2B499 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407a893a8f73ffb0e42192578d4c2fdd5ec34991afde799fa385733db9f97186
Instruction ID: 3498b1dd6b4eb4d2e2313525e893f0d0ca379f86498be2c1d6374dce5ab462da
Opcode Fuzzy Hash: 407a893a8f73ffb0e42192578d4c2fdd5ec34991afde799fa385733db9f97186
Instruction Fuzzy Hash: CB312F75300211CFC714DB29E898B6EBBE6EFC8311B15C46AE85ACB765DA74DC02DB60

Function 07A27420 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7388e5a07840f7d4aeeb786d12841c2d26211027795f24f3c33ac8bd4cc055
Instruction ID: 8bf9bd8e2690fed30db3131d00ef649861946c2acd5ae8e78945b510e3431298
Opcode Fuzzy Hash: 8a7388e5a07840f7d4aeeb786d12841c2d26211027795f24f3c33ac8bd4cc055
Instruction Fuzzy Hash: 673170B03002228FDB15DF2ED990A29B7A7EFC52167118929E629CB350DF74ED47DB90

Function 07A2D86B Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f0b83a3cc827b8ce4009c0d44e31ae69a55bc1c059045c0865414bf072baf1
Instruction ID: 693dc726f291583d7d8c8e3811eb28db9301313757aaa77faf66926f356a21c8
Opcode Fuzzy Hash: 38f0b83a3cc827b8ce4009c0d44e31ae69a55bc1c059045c0865414bf072baf1
Instruction Fuzzy Hash: 58415C74B005188FDB08EFACD054B9D7BB6EB89314F108565E412AB396CB38ED46DF91

Function 07A27411 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072ce716fa6a27815ca9112b5939e2421194c9d348cd4ef837037ad10bf86833
Instruction ID: 88ef492b1252cbfb9287142864db3e14080270bbc00782084df666a70e937a6c
Opcode Fuzzy Hash: 072ce716fa6a27815ca9112b5939e2421194c9d348cd4ef837037ad10bf86833
Instruction Fuzzy Hash: 593193B03002228FDB15DF2DD990629B7A7EFD52057048929E725CB740DF74ED079B80

Function 07A2DB0A Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe6cedf4c466a6332a61a38d0a2ee41762af3d1b9c3d04eaf6c813f9c8f5222
Instruction ID: a7b04e61558f3a2230486c3caa21c75e9235e5e4b7299d3ab06950a1f6648440
Opcode Fuzzy Hash: 8fe6cedf4c466a6332a61a38d0a2ee41762af3d1b9c3d04eaf6c813f9c8f5222
Instruction Fuzzy Hash: 2E3117B4A045198FDB18EF6CC084B9CBBF1EB49318F148165E425AB3A6C738ED46DF51

Function 07A2D96D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6680edabf33394240e495b8123d94ec8b469d358e72bd70599fd0227e0d3ff91
Instruction ID: b5580194aedc63a5576160e2f9ae0dfce7c92578f0c33bb6c6da40b21147b6a3
Opcode Fuzzy Hash: 6680edabf33394240e495b8123d94ec8b469d358e72bd70599fd0227e0d3ff91
Instruction Fuzzy Hash: 973116B4A046188FDB18EF6CC084B9DBBF1EB49318F148165E425AB3A6C738ED46DF51

Function 076F8130 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c195c653f2b492e8f10d2e9f13660d5bfb59262db51a32cca4d970b2176426
Instruction ID: 5db9226d80ae6afd58855851a15fb26517c432baf93c46f39fa21fbe1d4f8e5b
Opcode Fuzzy Hash: b0c195c653f2b492e8f10d2e9f13660d5bfb59262db51a32cca4d970b2176426
Instruction Fuzzy Hash: 7A3190B1A00606CFDB09DF74D948BEDBBB2BF49310F1446A9E502A73A1CB709D41CB90

Function 076F7581 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7900483852fbf6ea6029400c3bb81e408b8fda654f79e683238ba658b5f241
Instruction ID: b95eb683222c70aa7dd41675fe78955b602b9a9f85b6b26c8a23e7a22b7f6661
Opcode Fuzzy Hash: 8f7900483852fbf6ea6029400c3bb81e408b8fda654f79e683238ba658b5f241
Instruction Fuzzy Hash: 3E21A1B03046145FC716AB7CD85427F7BAAEB85350F548829F21BCB385CE74AD058BE2

Function 00C1EBAC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a06eae994eefa4dc9e33c1151423316eddc1d1dfb63fc48cc3eeb94c0d8fe0f
Instruction ID: c76cb6f1b426dcd28aa8d77aa4f63312c820586dee9a3b0bc82eea76d7738c2b
Opcode Fuzzy Hash: 7a06eae994eefa4dc9e33c1151423316eddc1d1dfb63fc48cc3eeb94c0d8fe0f
Instruction Fuzzy Hash: E031FB72504200EFCF059F54CDC4F56BF76FB98310F248599ED0A4A256C336D895EBA1

Function 07A26510 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89e614d7d7d005496ddb6d9386e813f94862956ef209629ba5f6751c5dd3a24
Instruction ID: 119aa70ae6fb00d35633a2510ec4b5ebb1e987321b5553d6ec6e0d9272edb113
Opcode Fuzzy Hash: f89e614d7d7d005496ddb6d9386e813f94862956ef209629ba5f6751c5dd3a24
Instruction Fuzzy Hash: 743158B0D012599FCB14CFAAC580ADEBFF5BF88310F248029E519AB350CB349946DFA5

Function 07A242BA Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a537c74a00478d8d586efc2d55444c2868506cd7d1d91e547de972959529fe
Instruction ID: 4b16ebe625e73e45ce1ed0fce5b9e002aa5747413a71a22106f619bde3b07f79
Opcode Fuzzy Hash: 28a537c74a00478d8d586efc2d55444c2868506cd7d1d91e547de972959529fe
Instruction Fuzzy Hash: C4316170B145A48FCB15ABACE01836E7BA6EB88311F118525E516CB389CF349C469BA2

Function 07A2DB5D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af64a2d072cfe023cceecfb3b24ecd726940773280baffaf0a2a29788a788f6
Instruction ID: bec9acdc99e2ae9fc044a3a3eec2b8568d5cdc1f94a4b8809da6cc9f75839a93
Opcode Fuzzy Hash: 1af64a2d072cfe023cceecfb3b24ecd726940773280baffaf0a2a29788a788f6
Instruction Fuzzy Hash: E3319EB4A04619CFDB08DF6CC444B9CBBB1EB49318F108261D421AB392C734ED4ADF50

Function 00C1EAB0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97574420097e90ed9ba8ebae06be721a5e6013c18b72e8b9d566d2d08cef0a80
Instruction ID: 6ea60e9722bc2b1d7b0669f88b53fafd53f70ec63b1dead85a1e56812492eb56
Opcode Fuzzy Hash: 97574420097e90ed9ba8ebae06be721a5e6013c18b72e8b9d566d2d08cef0a80
Instruction Fuzzy Hash: 9D2129B2504200EFCF059F54D9C4F66BFA6FB88310F24C6A9ED0A4B256C336D856EB61

Function 07A2DA94 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777d175efca2a6a45bfad68b6074cf18963d8d68c306c5ae57bcef425f51fdf8
Instruction ID: 691349d5cdd34f61aeebba6a0cab31a6a1489dc201e3defbd21e78ea897e2889
Opcode Fuzzy Hash: 777d175efca2a6a45bfad68b6074cf18963d8d68c306c5ae57bcef425f51fdf8
Instruction Fuzzy Hash: 723129B4A045188FDB08EF6CC084B9CBBF1EB49314F148665E425AB3A6C734ED45DF51

Function 00C1D69C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cd0260bb57e446e77d9828fce230d5fb04e1408f2971dddbc022af0deda535
Instruction ID: a1fff5e0bd7c5c9b455f3730014842509884da5335a8bc8e4ded2cd9863ee262
Opcode Fuzzy Hash: d3cd0260bb57e446e77d9828fce230d5fb04e1408f2971dddbc022af0deda535
Instruction Fuzzy Hash: D0213BB5504240DFCF05DF04D9C4F66BFA5FB99310F24C668E90A0B299C336D856EBA1

Function 00C0D164 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc00aa9490d4e2ff51047afd28da71c2ebc135a60a4034a782bd5512a8fe19c8
Instruction ID: f4de236d5fe5bbcc0192e2c79a5b31a4770a21f78e1597a9c9516dea2282ed05
Opcode Fuzzy Hash: fc00aa9490d4e2ff51047afd28da71c2ebc135a60a4034a782bd5512a8fe19c8
Instruction Fuzzy Hash: 44214BB5504240EFCB05CF94D9C0B2ABFA5FB98324F24C668E90A0B285C336D816DBA1

Function 07A2DB35 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb41ecd0786ef3871f806edf399d907ead8ed95106fff8026700eca1ebca89d7
Instruction ID: ed7f45b4d3453b1da784426ffd6ff85b1fa1e3a19530c83b95c241a87362499d
Opcode Fuzzy Hash: eb41ecd0786ef3871f806edf399d907ead8ed95106fff8026700eca1ebca89d7
Instruction Fuzzy Hash: 49314B74A04618CFDB09EF6CC044A9CBBF2EB49318F148165D421AB3A6C734ED49CF60

Function 07A2DA6D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc6ebc22bb43569a71465fe8a1024bff5476620538586ee28f94ad7a991a2bb
Instruction ID: cb64191760dd09fbc571e751b0355234e4a34881173190e7b9b5085aacc8f998
Opcode Fuzzy Hash: 0dc6ebc22bb43569a71465fe8a1024bff5476620538586ee28f94ad7a991a2bb
Instruction Fuzzy Hash: B9314B74A04658CFDB09EF6CC444A9CBBF2EB49318F548165D421AB3A6C734ED49CF60

Function 07A2DB82 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e4b9a18b4cddec8e2795767ca6d8ae6ec25bc51999007f8d1a321615d237e5
Instruction ID: 5e91a5c8ca16ee97dca0540fe1e5fd365eddc6d4c2cd3b3444edd969c23ab639
Opcode Fuzzy Hash: e0e4b9a18b4cddec8e2795767ca6d8ae6ec25bc51999007f8d1a321615d237e5
Instruction Fuzzy Hash: 7D314B74A00619CFDB08EF6CC044A9CBBB5EB49318F148261D421AB3A6C734ED4ADF50

Function 07A2AC00 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4be2ae235d654f685b0b30a213775a22b24a7ad2e2683248c13b80b42718d4c
Instruction ID: 778b610118404961cc8a02d77a172777a8c16f1f6264bcbcba80dfb86ca457e7
Opcode Fuzzy Hash: c4be2ae235d654f685b0b30a213775a22b24a7ad2e2683248c13b80b42718d4c
Instruction Fuzzy Hash: 4011C473F0D3611FD70697BC6CA06DA7FE9CFC2621B0540A7D44CCB582E9158806C3A6

Function 076FD188 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2f66fffbec076381e26eb9ffbcb446a5512cf78b5e2eae7190f5b8b2f7c700
Instruction ID: 1fcb08a40247403a34d284a1dbdd2ea1e5a87c687afb46e3bd0eb1134dc5b5db
Opcode Fuzzy Hash: 2c2f66fffbec076381e26eb9ffbcb446a5512cf78b5e2eae7190f5b8b2f7c700
Instruction Fuzzy Hash: FD21D1B43105048BD715EB78E46837E7AAAEBC9355F008425E207C738DCB34AC49CB93

Function 07A2D90E Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a15a038b781d95f8aeab1a888b6bb8865cd4c06d666782f8b6d5ba75f62dc3d
Instruction ID: a648f593ec5a0c1fa26c9bf49bf6aa38375659914ad07faa69163407830431d5
Opcode Fuzzy Hash: 3a15a038b781d95f8aeab1a888b6bb8865cd4c06d666782f8b6d5ba75f62dc3d
Instruction Fuzzy Hash: DF312974A046188FDB04EF6CC444B9DBBF1EB49318F148565D421AB3A6C778ED45DF60

Function 00C1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03becb3e3d1cef096b587622408c7283adabe73133cbe80c74f8bd36337a1530
Instruction ID: 9d6d98ad9c0cff6a9a382d949dc6221dd6e86bdac956528b48ab17915528a87a
Opcode Fuzzy Hash: 03becb3e3d1cef096b587622408c7283adabe73133cbe80c74f8bd36337a1530
Instruction Fuzzy Hash: 6621D375604200DFCB14DF14D9C4B56BBA5EB99314F24C5ADD80A4B346C33AD887DA61

Function 07A2D858 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f709f0f5a55fe5eb31a49009295f9e948d17ff3233734d3eb2846f220690102
Instruction ID: eba633985dce5e71831676919e431c3d7496e0baec8aaf56b716006e03b282ca
Opcode Fuzzy Hash: 4f709f0f5a55fe5eb31a49009295f9e948d17ff3233734d3eb2846f220690102
Instruction Fuzzy Hash: BB314974A04618CFDB08DF6CC444A9CBBF2EB49314F148165E426AB3A2C734ED45DF50

Function 07A2DAF0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efef91aecf2229c79bb6cee368144dc299e77ae22fa33cac59bd458cccda7bd0
Instruction ID: 7a5b0a5497390ad7bd5acc28a40c83f07e8317a51dfe6b1c0a98359187842fec
Opcode Fuzzy Hash: efef91aecf2229c79bb6cee368144dc299e77ae22fa33cac59bd458cccda7bd0
Instruction Fuzzy Hash: 2D312A74A04619CFDB08EF6CC444B9CBBB5EB49318F108565E421AB396C738ED49DF51

Function 07A2B3E8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e490d0a209da42b173a1498c522475edb18508ce357f9535f7795e59eaf0f1d
Instruction ID: 1483082eacd5618b4305c94ca29f6fedcf7fc781b2a30cae5684fbb7c2bcb0c3
Opcode Fuzzy Hash: 5e490d0a209da42b173a1498c522475edb18508ce357f9535f7795e59eaf0f1d
Instruction Fuzzy Hash: 33110B72341216ABD3249679DC40FAFB75AEFC4754F10403AE609CB280EA7198029795

Function 07A2D7CF Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ef9a3ca00700b2d7777cf2f2806707fb90840412c5ca539af4f2c824be96f9
Instruction ID: 058e3bb17aac68b909ba589332c52e2d2e542953072c2b9c8fbb93455a3ce64a
Opcode Fuzzy Hash: 16ef9a3ca00700b2d7777cf2f2806707fb90840412c5ca539af4f2c824be96f9
Instruction Fuzzy Hash: 15215A74A006188FDB04EF6CC444A9CBBB2EB49314F108665E421AB3A2C738ED45DF61

Function 00C1EBA7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3a4c72fe698087502441b8dc6b750e7f9668b0d5c50766013daa2ea6c9e3ec
Instruction ID: b0fea9d185b295d9dd1d60e87b323ef5734b5c08fed52b5fe142314d1b8009c5
Opcode Fuzzy Hash: 2f3a4c72fe698087502441b8dc6b750e7f9668b0d5c50766013daa2ea6c9e3ec
Instruction Fuzzy Hash: 7B21C576500240DFCF12CF50C9C4B55BF72FB88320F248299ED094A22AC336D8A6DF91

Function 076F31A2 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360518a09eb508bc0c7e279627ae966e7af5e096ff13f3ba369442e1033fd6a4
Instruction ID: b68b374e9fadfa64f1ac93b2759041488d7a55e2c1c902608228a112fd998c8b
Opcode Fuzzy Hash: 360518a09eb508bc0c7e279627ae966e7af5e096ff13f3ba369442e1033fd6a4
Instruction Fuzzy Hash: B601AD6F068EC11AC30356F4BB391D4FF207907A70308829BC09581B039325A31E8FE5

Function 00C1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101458a922f859a53987bc403f40f7917594a3764b1cc93870b05af80c78c8fc
Instruction ID: c71cd71fbac5d9538da3a903cca0751bc183c3490abdfea2dee854ce978b995d
Opcode Fuzzy Hash: 101458a922f859a53987bc403f40f7917594a3764b1cc93870b05af80c78c8fc
Instruction Fuzzy Hash: 072192755093C08FCB02CF24D994715BF71EB46314F28C5EAD8498F2A7C33A984ADB62

Function 00C1EAAB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1f6b2acf32a93065e81676f195d27871273dc5a141a9c8840b6bfb7dba7c4f
Instruction ID: 3ccadebec990a63f93622bb2c8456fd4d864a7fd2322265bae3db6d3e880093e
Opcode Fuzzy Hash: 0a1f6b2acf32a93065e81676f195d27871273dc5a141a9c8840b6bfb7dba7c4f
Instruction Fuzzy Hash: 8E21BBB6504240DFCF02CF10D9C4B56BF72FB88324F24C6A9ED094A656C336D966DB91

Function 00C1D697 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799611776.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c1d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594afe6d9e3fbc86027e4aae70ed4c2490e428242055e4768c965e3b79ba8791
Instruction ID: 391c156f27b34b02bf39e93046964a4edf9bde295c80d5ceff015a96ecd9eb51
Opcode Fuzzy Hash: 594afe6d9e3fbc86027e4aae70ed4c2490e428242055e4768c965e3b79ba8791
Instruction Fuzzy Hash: 5D21AE76504240DFCF06CF00D9C4B56BFB2FB89314F2486A9D9090A25AC33AD966DB91

Function 00C0D15F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3667df4613307f4818b667f06717f2300abd079ab2269aba2c7ca6de8d8ab1c2
Instruction ID: d7332514f912f489698fe66c162938d1f0eba6ed08b5d2c0000a86a57e3efffe
Opcode Fuzzy Hash: 3667df4613307f4818b667f06717f2300abd079ab2269aba2c7ca6de8d8ab1c2
Instruction Fuzzy Hash: 1F21AF76504280DFCB16CF50D9C4B16BF72FB98314F24C6A9DD4A0B256C33AD966CB91

Function 076F3188 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc679027b7d9e44f7934d8d90bb9250935738bbb167429f9c203c81dc6a9d59
Instruction ID: b62188d04188bbb1fb526141f9795c123c6632e52c5d50c6d388429fa45dda2e
Opcode Fuzzy Hash: bcc679027b7d9e44f7934d8d90bb9250935738bbb167429f9c203c81dc6a9d59
Instruction Fuzzy Hash: 21016D6B058E819BC3071AB4B73A0D0FF307903630318428BD09585A53C32A63598FA5

Function 07A23418 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cabaef324bdcd975fd74397b0ce80f2c3a9faae984aa29012ae1394bedbdddf
Instruction ID: 4e5eaf3a1ec395349dbfb87cdf8962c633654421350ab76bc6bbad85fa2212bd
Opcode Fuzzy Hash: 2cabaef324bdcd975fd74397b0ce80f2c3a9faae984aa29012ae1394bedbdddf
Instruction Fuzzy Hash: 0511A370A042689FDF129AACDC047D97BB5E74A312F4084B6D937A3281C77C594BDB52

Function 076F8E01 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de3a5430334bc2b091b1afeb806e4b61f1f2305665509e27339b8b5a08a26df
Instruction ID: 226c75218bec4fac9a0395ea57933b653fd9fb5e6e59a4fabb85707f8e648b25
Opcode Fuzzy Hash: 6de3a5430334bc2b091b1afeb806e4b61f1f2305665509e27339b8b5a08a26df
Instruction Fuzzy Hash: 6301F7757042068FD3518E5DDD00BA6BBFAFB8A750F1040ABF60AC7391CA3C8D028B51

Function 07A2ADB1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ff3910363ab53025cabc7b425d2d5699fb90bb60e0618d3bbaafbcd755fb38
Instruction ID: 0b1b769525fcf24e419b6747b8967c33268023604aff8169e6900202228b1989
Opcode Fuzzy Hash: 17ff3910363ab53025cabc7b425d2d5699fb90bb60e0618d3bbaafbcd755fb38
Instruction Fuzzy Hash: 2911E2B5D006599FCB10DF9AD484ADEFBF4FB88320F10842AE969A7250C374A945CFA1

Function 07A2BD80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ee905241f851118297906ce4d97a849ee9daf1c4e533df27f0694c30b7ea6b
Instruction ID: 7beec393255ab9dc62dcab688cb6e577de6954f7f54826ab549c67f096fc15e9
Opcode Fuzzy Hash: 77ee905241f851118297906ce4d97a849ee9daf1c4e533df27f0694c30b7ea6b
Instruction Fuzzy Hash: 7C0145F1319A619FE714533CE2093F9B7A5E7C2320F040436D51AC3281F6A85C46A366

Function 07A2ADB8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172ae8d97b7c9f19d5e9df26d12e98ba16848d375bc6e504ee9a13f632b530d0
Instruction ID: 618ec84599908517d2d56ea97396ad4988a1557fb58097e15649893eae8e2468
Opcode Fuzzy Hash: 172ae8d97b7c9f19d5e9df26d12e98ba16848d375bc6e504ee9a13f632b530d0
Instruction Fuzzy Hash: 2511C3B5D00259DFCB10DF9AD584ADEFBF4FB48320F10842AE969A7250C774A945CFA1

Function 076F8F20 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594be6a6ded2c20de2a7fcff0f42c488f0b0af5dc895ada6bf59920f8e07924a
Instruction ID: 461ad5b96f74f36139f43e652b3cbe5a115d387c603b0d26bc02deb70cd18d5d
Opcode Fuzzy Hash: 594be6a6ded2c20de2a7fcff0f42c488f0b0af5dc895ada6bf59920f8e07924a
Instruction Fuzzy Hash: F50126703221028FE72059759C013667AE7EBA57E1F2C44AAE603C7348CA348D42C792

Function 07A2BC90 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4623ed4f5b11d78aabf0fd4b7e770e4ba08ff7a0a93301a9431cb6874490d1c5
Instruction ID: 61bd1b5f06fe28f3b1dae681f1c95e5ef5a87d6dccb044c07dc0e335f8886601
Opcode Fuzzy Hash: 4623ed4f5b11d78aabf0fd4b7e770e4ba08ff7a0a93301a9431cb6874490d1c5
Instruction Fuzzy Hash: 6B0184F4624924CBD7155B2CE444BA937A1EBD9311F008826E42687354DBB859829BA9

Function 07A27E40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00785814e5be781406d2e920f2aed2e744a24b3ba68b763fa353b95b3c1ee538
Instruction ID: e2e36189e2d012634a5ce741b7916076d64d905ad6bd324cbb3b854a592b0ef1
Opcode Fuzzy Hash: 00785814e5be781406d2e920f2aed2e744a24b3ba68b763fa353b95b3c1ee538
Instruction Fuzzy Hash: 7F018C353001508FD744DB28E448E6E77EADFC9225B18856AE51ACB3A1DF35AC468BA1

Function 076F8F30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6bf77dbefed442b22177ecf91552979be4f2cdeafecf36925c488da18c047ed
Instruction ID: 8bbb7125e71ebbb07ce17970dc3b814a3db246c6eb01a101e0f4e4f8f25d8915
Opcode Fuzzy Hash: f6bf77dbefed442b22177ecf91552979be4f2cdeafecf36925c488da18c047ed
Instruction Fuzzy Hash: 0301D6703375479FD72016795C1532A7AE7ABAA3E1F1C84AAE603C7389DA348C428792

Function 07A2E738 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b38f3c804f281565299c2f675b1169c9482c94c4d3167422679b6f7252e73b
Instruction ID: 44cfea9260163afd416974f80c1148cfc4ae5bc1609430aec029b4c3788d788b
Opcode Fuzzy Hash: c6b38f3c804f281565299c2f675b1169c9482c94c4d3167422679b6f7252e73b
Instruction Fuzzy Hash: 1A0147717042104FC7206B2E949853ABFDADFC8520318C02EEC85C7310DE74CC439B91

Function 07A2D699 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd56df5ab980a154291844a6afb47b56ed1321fe43eeec04902eef35861e759
Instruction ID: c4eb94f0b42e0a48e02267d2cb95c09579b80886c7aa50ba826a7c65874f708b
Opcode Fuzzy Hash: 8bd56df5ab980a154291844a6afb47b56ed1321fe43eeec04902eef35861e759
Instruction Fuzzy Hash: CD012632A1021A9BCB189F68C4115EEFFB5DF84311F10482AC497E7240CF70550A8BD2

Function 07A23428 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d5cd5276b83197a6d60a751e088a4d85b42a13cf465bfa3d1abdb2904d394c
Instruction ID: 7472145342cd7750dc97e6a8da50e5399873d4e1ca2cb19d93417970e8f36222
Opcode Fuzzy Hash: f8d5cd5276b83197a6d60a751e088a4d85b42a13cf465bfa3d1abdb2904d394c
Instruction Fuzzy Hash: 2F01C470A00228DBDF119A9CE8087DD7BB5E78A712F004576DA37A3284D77C5947DA92

Function 07A2F469 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f65112736f211dfff64597f92f5213a567472fdb796048e165d2209be2e5d2
Instruction ID: e39080ffa5b1ca57c79bd88b38b0c46810996b85a4a9f55b05b85f297b97c8a0
Opcode Fuzzy Hash: f9f65112736f211dfff64597f92f5213a567472fdb796048e165d2209be2e5d2
Instruction Fuzzy Hash: AC0180B160071A9FC229AB38C411B6ABAA6ABC1715F10C83DD0298B791DF759846DBD1

Function 07A2CCB8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1ab21a082b89794678a66df0c512d2718bb2d28b43611e39496f4acbe3e16b
Instruction ID: 3305795a83f49ee8de91848a2317f73d05e39e26bbdc44668792304334347b2a
Opcode Fuzzy Hash: 3a1ab21a082b89794678a66df0c512d2718bb2d28b43611e39496f4acbe3e16b
Instruction Fuzzy Hash: 6A01F1B0A14269CFDB209B1CE8043ED7BB4FB4A330F4015BAD522E7290D7789D069BB1

Function 07730040 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f0654704253bc6abea5281ac3dde7575333dcd15cf22a6b8be8f24b485df26
Instruction ID: 2bfe582c0aae3268bb32e472d9257a929f66e78153f0220f086ab28467043ded
Opcode Fuzzy Hash: d4f0654704253bc6abea5281ac3dde7575333dcd15cf22a6b8be8f24b485df26
Instruction Fuzzy Hash: 5A1170B0E00258ABDB54DFA9E45879EBFF6EB89340F008429E445A7385DF745880CFA1

Function 07A259F2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33e94b12af4c3321f2339ce39c6132145ead36675567ba702b8999dc8730b76
Instruction ID: 84322f1bc9979c33df60d595830929820c9ed7e9db9a985c354dadb02bc7f462
Opcode Fuzzy Hash: e33e94b12af4c3321f2339ce39c6132145ead36675567ba702b8999dc8730b76
Instruction Fuzzy Hash: D6F0F431A043129FC700EF78F50591A7BAAEFC2218B0149AAE50D8F251DA39AD468B82

Function 07A28801 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6331a5f502ba5f79eea113d47b790084155ed639cdde05a6a66dd6d00a59960
Instruction ID: fbf836a4054de3681f1aed199aae607177f307275278c57917f2115288704534
Opcode Fuzzy Hash: d6331a5f502ba5f79eea113d47b790084155ed639cdde05a6a66dd6d00a59960
Instruction Fuzzy Hash: 5F0144B17042105FCB04EB6EA89093FB6EAEFC5260704842DF12ED3381DF74AD028789

Function 07A2BCA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f096402f7397f1e3fe6446649545b547097821506be4241735b4f28862fbf6
Instruction ID: d9c682722aba6cc85802fc5695b737122e2d635c67d044723c82dc059ac43679
Opcode Fuzzy Hash: 94f096402f7397f1e3fe6446649545b547097821506be4241735b4f28862fbf6
Instruction Fuzzy Hash: 7A0175F0624934CBD715572CE404BA937A5EBD9312F008826E42787354EBB859829B95

Function 07A24590 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3d554bd14fe5ab4f8f80c79d34b6a49b46625afb675efdc6c71f90d85cc6e1
Instruction ID: 2701993f5c29375033b1ba9b3e602b44c4f7cb02f76f871a61049e74b404b8e3
Opcode Fuzzy Hash: 0d3d554bd14fe5ab4f8f80c79d34b6a49b46625afb675efdc6c71f90d85cc6e1
Instruction Fuzzy Hash: AC017C32E0064B9BCB00DBB8D9415EDB7B2EFD9310F650652D60577150EBB13A5ACBA2

Function 00C0D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101a89622e2bc8ad571e03f932e6127e8f2071675cd711cd6404b36a5482cceb
Instruction ID: 8e0c28dc4003e4e84c5b4979f1bf1997b0108a9858662748206e38afe0cb32f6
Opcode Fuzzy Hash: 101a89622e2bc8ad571e03f932e6127e8f2071675cd711cd6404b36a5482cceb
Instruction Fuzzy Hash: D9014C6140E3C09EE7128B258C94B56BFB4DF53228F19C0DBE9998F1E7C2695C49C772

Function 00C0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0487229b74714f3d4dfb4ad1c754ba22bc881269084a6be8c58940b2e7cdea34
Instruction ID: 003ccc347a592e20171aecb3eec36b271a644c04e29b9234c6b80a9409547630
Opcode Fuzzy Hash: 0487229b74714f3d4dfb4ad1c754ba22bc881269084a6be8c58940b2e7cdea34
Instruction Fuzzy Hash: 1501F2714083449AE7208AAACCC4B66BFD8DF51329F18C41AED5E0B2C2C6789941C6B1

Function 076F6701 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7b8d50f07db0df39ea60d7c952631a7dbe2e5c50b00b3a13265f252841faeb
Instruction ID: 444b61955b87d75ee61d1eff96c0b8a8bdbec0ea4e24d93372f555f5ace5e254
Opcode Fuzzy Hash: 0b7b8d50f07db0df39ea60d7c952631a7dbe2e5c50b00b3a13265f252841faeb
Instruction Fuzzy Hash: BBF0627150E3C48FC703DB64AE200E5BFB29E4311036942DBD184DB263CA258B158792

Function 07A2A727 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c0c3472af16d6e4dcf25e1473c2b63a0914fa733524366da7bee374d6be55a
Instruction ID: a02e27b01d48d8b7b7c73436310c2811bae77539c60a459a99a88589fc446a29
Opcode Fuzzy Hash: b8c0c3472af16d6e4dcf25e1473c2b63a0914fa733524366da7bee374d6be55a
Instruction Fuzzy Hash: 410136363145505FC705DB2DD85CEAE77EAAFC9611B09C0A9F50EC7375CE259C018B91

Function 07A2CD6B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16297029938502df32b98feb54198ebb344a02882964ba1727412db38beb116e
Instruction ID: ed5039cb4e3bb716199f4374c0e61979ac5e7f7900f58a634b4c63e4a2a816c0
Opcode Fuzzy Hash: 16297029938502df32b98feb54198ebb344a02882964ba1727412db38beb116e
Instruction Fuzzy Hash: 26F02872D10109ABDB189B78C4156EFFFF99F44310F50452AD042E7240DE7064068BE2

Function 07A2E748 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781a48af4c32628fb719e4d18d0169b8cffc8cced13e0003ed087c91da0d220
Instruction ID: 7c7de9700e4d5251ea51911d9210d2c4e6d9c7e78cbdcc78c84e1b8293130b13
Opcode Fuzzy Hash: e781a48af4c32628fb719e4d18d0169b8cffc8cced13e0003ed087c91da0d220
Instruction Fuzzy Hash: DCF0F4357002108BC7246B3A949857EBBDAEFC8621318C02AEC95C7314CF74CC43AB81

Function 07A2D618 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c5bd9b721951deb5f0c4bca5a8e4aed7c75a93294fdf8f7d21e3d63f4763ad
Instruction ID: 81bf161becc37f9c3fee2549a893fbd498017069579eefd983ab88562466aef3
Opcode Fuzzy Hash: a2c5bd9b721951deb5f0c4bca5a8e4aed7c75a93294fdf8f7d21e3d63f4763ad
Instruction Fuzzy Hash: 3C016232E1060B97CB04DBA9D8401DDF7B7EFD9320F254616D51177250EB70394AC761

Function 07A2353F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7dafa299580ebfde4a871db80305356e20aa8d7c83ecbb0fe0e2c4160ea37f6
Instruction ID: 6dfc69eb99261b749d4c47b275818bcbc3c823f30376dc0b17c69bfb44f90dfb
Opcode Fuzzy Hash: e7dafa299580ebfde4a871db80305356e20aa8d7c83ecbb0fe0e2c4160ea37f6
Instruction Fuzzy Hash: 07F0C276A10209EBEF09EA68C4656EFBFA69F84310F04842AD406A7240DE74990B96D2

Function 07A2B260 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c3f336ec7be26befe921e243df823a1f0c8e45e5a2d0a49c3d1aafa2120d50
Instruction ID: 738f2f0a2140698a192164a00a2c811785aeaccd11d06388396638916022bb9b
Opcode Fuzzy Hash: 60c3f336ec7be26befe921e243df823a1f0c8e45e5a2d0a49c3d1aafa2120d50
Instruction Fuzzy Hash: 9CF0C2F13042589FDB0197ADE85576BBBDDEB89351F004466E209CB282DA25AD0287B5

Function 07A28810 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f39988bbebb1571eeca4d13437b1cd1f96d114721427e308a42b6681b5517e
Instruction ID: 49be120f032715fb93dc556c865334b71415a76f2172f22a963848273a43c899
Opcode Fuzzy Hash: c6f39988bbebb1571eeca4d13437b1cd1f96d114721427e308a42b6681b5517e
Instruction Fuzzy Hash: 20F0F6B17002141F8A44AB6E989083FB6EAFFC9260354442DE52ED7381DF745C024795

Function 07733760 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8864ff7d0e184dee35d0685659653937b028ceccec409141eed8370b9ea041dd
Instruction ID: cdf0db502274d0bf39fbdd0818a3bbcb9953269b36d520b2ab8c47f2260e5b9a
Opcode Fuzzy Hash: 8864ff7d0e184dee35d0685659653937b028ceccec409141eed8370b9ea041dd
Instruction Fuzzy Hash: ACF0F6B3A0011097CB209EA5D84676EFBE9DB87667F05C439E81AD3101DA35D90286D0

Function 076F9043 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafa5e0702a0b0d578dea354afdf0e4a30f01a2b3a745736fa78713ee86e69df
Instruction ID: c43a110d0789470c034d839c4916eed74ca37f8d378c10fb39068340aba048c2
Opcode Fuzzy Hash: eafa5e0702a0b0d578dea354afdf0e4a30f01a2b3a745736fa78713ee86e69df
Instruction Fuzzy Hash: 7B01F975B08340CBC71ACB65E4446397765DBC6715B08805EE603C7392CE79ED05CBA2

Function 07A2F570 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c0184c1e0653f829f2a462fcd698c7d19506025ec3276a3456db12dbb0a99c
Instruction ID: 3ec67166d5dac44f164ba635bd74455cf5125c43942411a1a4323b1a314e0e0d
Opcode Fuzzy Hash: 94c0184c1e0653f829f2a462fcd698c7d19506025ec3276a3456db12dbb0a99c
Instruction Fuzzy Hash: E2F028713003515FC7116F2EE84068ABBAAEBC1310B04456AE315CB345DB749D0687D4

Function 07A2F478 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8940ce016018695abc41ebd8ea3156ea0210968724f58ecde450c84327347759
Instruction ID: 8de1ee3e5f591b38ccdfd2bf6c88d69066765541f7d02d99a5b03f0967a39a96
Opcode Fuzzy Hash: 8940ce016018695abc41ebd8ea3156ea0210968724f58ecde450c84327347759
Instruction Fuzzy Hash: 1401A2B070072A9BC228AB39D415B6EB6A6EBC1715F10C93DD02A4B780DF75A807DBD1

Function 07A245A0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e183f011e492c0dc47a7baa6133cd511090e939b3b5408e89f998f988dd1ed7
Instruction ID: 2ca461fb54ef620e4992309c52bca2d0ba6d2363c8c44f4f0f23b6120b9e3b78
Opcode Fuzzy Hash: 6e183f011e492c0dc47a7baa6133cd511090e939b3b5408e89f998f988dd1ed7
Instruction Fuzzy Hash: 28016932E0060B96CB00DBA8D9405DEB7B6EFC9720F620661D60537150EBB13A9ACAA1

Function 076F14A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0974360a5daf673e9f1f8d8dcbf9aa99ec7d9e7f722e185a589e28b18c7a81f6
Instruction ID: ee156aeb19522bfbf36a27e78187d26aca6a644a0b48cafc55c28b79e53c811c
Opcode Fuzzy Hash: 0974360a5daf673e9f1f8d8dcbf9aa99ec7d9e7f722e185a589e28b18c7a81f6
Instruction Fuzzy Hash: 83F0E2313053580FD308262D2C287BB5F8AABC9750F15816FF149CB3A2CE258C4643A1

Function 07A24617 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822997e7befa85bf67fe11947e19dac4623ad96f89e44658dffcf721e4900558
Instruction ID: eb83a1f1865abf5b01a6033a02d39e234da6d3332ce139b7ff10f437f83cc36f
Opcode Fuzzy Hash: 822997e7befa85bf67fe11947e19dac4623ad96f89e44658dffcf721e4900558
Instruction Fuzzy Hash: CCF0C272A10259DBCB15DBA4D4265EFBFB69F88310F014426D412AB241DE70590BC7C7

Function 07A28FC8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812edff3563dcbd2dec68219fea173dfe76a5f57689f91aba90b07d9428f8bfc
Instruction ID: 30a2eb0ef6633e0c1d3d70a7c9dcb1ead964fb87da8f95a5b3c9a2c17f3c4dd4
Opcode Fuzzy Hash: 812edff3563dcbd2dec68219fea173dfe76a5f57689f91aba90b07d9428f8bfc
Instruction Fuzzy Hash: F201F7713047608FC702CB24D485EDA7BB2FF89309B048B89E44A47325CB747D45CB94

Function 076F5FE1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5e65aba8e66f4761c42102481757e33890227b4efe46073b9423d78e839dcc
Instruction ID: 07c1fb0efe8870ae82e1c9da89c5a6497b82590fa72d8a5ed6ba6a7ea867c306
Opcode Fuzzy Hash: 5f5e65aba8e66f4761c42102481757e33890227b4efe46073b9423d78e839dcc
Instruction Fuzzy Hash: 7CF020613093C01FC21763B8AC302A67F268EC326539642ABE289CBA53CA1159168796

Function 07A2A738 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1532957f4f792847d677deaad079ff97fc0055905799de3bb511ac224ae61a
Instruction ID: 79e16933b50e698ec49d71975dffa43e6ca8d384202c315db18b1630c4e75c52
Opcode Fuzzy Hash: 9c1532957f4f792847d677deaad079ff97fc0055905799de3bb511ac224ae61a
Instruction Fuzzy Hash: 19F0A9353104149FC708EB6DD85CE6D77EAAFCDA11B19C0A9F50AC7375CE659C018B90

Function 00C0D25B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398f16188aa096b83c1e9c61d1578704ff89da5013adfa19c519a42fa877115e
Instruction ID: 4b1f3761d48726f70a7b494702de2f158a11268406bf78ffa827e0bc513bbb04
Opcode Fuzzy Hash: 398f16188aa096b83c1e9c61d1578704ff89da5013adfa19c519a42fa877115e
Instruction Fuzzy Hash: 21F0F9B6600640AFD7209F0AD985C67FBEDEFC4770719C59AE84A4B652C671EC42CEA0

Function 07A28FD8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32061ac4f9428fe31e8e23ea6d4a61e64d738304080e87d6e6952f4600ee5e3d
Instruction ID: 5f51ed90f9a52bf0326d29e684c59c0185e1f696ae8d8a8d634be9370818da2d
Opcode Fuzzy Hash: 32061ac4f9428fe31e8e23ea6d4a61e64d738304080e87d6e6952f4600ee5e3d
Instruction Fuzzy Hash: B301A431304B258FC745DB24E886EDABBA1FB88759B048B59F44A47315CEB03845CB94

Function 07A2C792 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f31e21e12280eac2c14b70e538a76998af44c3c5eca30832a666f4c881446d
Instruction ID: 9240ebecadb6491ecad99af9c3d3b824047e36aaa511191176acccd05382569c
Opcode Fuzzy Hash: c5f31e21e12280eac2c14b70e538a76998af44c3c5eca30832a666f4c881446d
Instruction Fuzzy Hash: 51F0A0708493889FC746EBB8A8021DD7FB0AF07220F1500EBD499D7183E7B84A05CBE2

Function 07A2B270 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad16a09b2ac5dad1a6c6df96614e70b1f278f245f16c8b95eb0f8e5af484b89
Instruction ID: d0278ba111442e1acdab1fc152a4c3683c0dbd44d591392cd36ec263d11a5168
Opcode Fuzzy Hash: 7ad16a09b2ac5dad1a6c6df96614e70b1f278f245f16c8b95eb0f8e5af484b89
Instruction Fuzzy Hash: 39F089F1300258DFDB00975DE45562B7BDDE7C9354F104425E209CB245DA34AC0297B5

Function 07A25D30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4943b12e6ec43b6a03036048184f00df016f665c7eed57edac70bd1e6347471
Instruction ID: 7be47da9a7f594ac5c709991b86925e411678874087a8921b308d67e4cf214bb
Opcode Fuzzy Hash: f4943b12e6ec43b6a03036048184f00df016f665c7eed57edac70bd1e6347471
Instruction Fuzzy Hash: EDF03774A0121A8FDB08EF69C4083EEBBF2AF8C300F604169D409A7394DB7A5E55CBD5

Function 07733770 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf532113a61008efa5e2e9deaaa5a241c12a63e93247d2fe19b014b60717ab2b
Instruction ID: c34d96a00f1a46e46a8e2cd2b361908f8ed68681bb1bfa1e68b860dee3a4c2fd
Opcode Fuzzy Hash: cf532113a61008efa5e2e9deaaa5a241c12a63e93247d2fe19b014b60717ab2b
Instruction Fuzzy Hash: 91F0E9F2E0412497CB208EA6D84566EFBE9EB866A3F05C179E419D7101DA349A018AD4

Function 076F9050 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a91255b8950740d3692158e6aa5c8fcdb197637b12fb08a6d42c5c45ea7ed8
Instruction ID: c1b9347a898c32ec148e9b74416f2f840da009a4d46e3a8d430185386c12895f
Opcode Fuzzy Hash: 63a91255b8950740d3692158e6aa5c8fcdb197637b12fb08a6d42c5c45ea7ed8
Instruction Fuzzy Hash: 2CF0E97570430097C7165B6AE40457E779AD7C5725B04802AF90687391CD79AD05C762

Function 00C0D24C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1799528122.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c0d000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e991f8cb0c8b212e94cb653c56f39e1126161136073dddc6975a6915a2407d
Instruction ID: 422b63349df62f29db16913331dd67378b41f01e1f7ff6dcb09655c0874eb6c0
Opcode Fuzzy Hash: d7e991f8cb0c8b212e94cb653c56f39e1126161136073dddc6975a6915a2407d
Instruction Fuzzy Hash: EBF0E775104680AFD725DF06CD85C62BBF9EFC572072AC59DA84A5B2A2C631EC42CB61

Function 07A2CD78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450ba0224079179e9074db7df2a2b8643b11538b8b5ae02844dcadc8d28ba74e
Instruction ID: 2c3f8e197fcec2910e4a756e4e3e45350cfff051d6549fa4ed561b311c116803
Opcode Fuzzy Hash: 450ba0224079179e9074db7df2a2b8643b11538b8b5ae02844dcadc8d28ba74e
Instruction Fuzzy Hash: 25F08272E10219ABDF05EB68C455AEFBFBA9F84310F518426D412B7280DE70690796E2

Function 07A2A7E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac067c68ab7a53b6af5f39a72eda701f475fc6f2e28cd7492c4dd9b35ddc9d8
Instruction ID: bc60a7c58799de50b068242033b2e5d3d0d5c9dd695f2114fc4dac405bb58d77
Opcode Fuzzy Hash: bac067c68ab7a53b6af5f39a72eda701f475fc6f2e28cd7492c4dd9b35ddc9d8
Instruction Fuzzy Hash: 1DE092B37410F8578B157B3968004AEBBDA8FC41A5318047BDA42C7742EF199C4B93E9

Function 076F14B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e48ded8869fb2de1946d64687d6fb23dd7373c89cd18a445c9c5a0e86b8e35
Instruction ID: 8243a14fc748bf1faad58566683f774780482a37dfb2e88cb6c34f9e18912e13
Opcode Fuzzy Hash: 54e48ded8869fb2de1946d64687d6fb23dd7373c89cd18a445c9c5a0e86b8e35
Instruction Fuzzy Hash: 98E0126170022817D308267E5865B2B99CEEBC9B51F14842EA20DCB395CD658C4153E5

Function 07A2B351 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a7444c9d8d27f5ed4cf7d014ee3936efda8d78df69ea753c5ab76b70f681fd
Instruction ID: 90504352cfa83acff9ad6227b85a3c8e8a140527a915235a3e18a3061f3431e2
Opcode Fuzzy Hash: 96a7444c9d8d27f5ed4cf7d014ee3936efda8d78df69ea753c5ab76b70f681fd
Instruction Fuzzy Hash: 4FE02232715258DFC311EB68E844AED7BB6DFC6252B1941DBE40EC7662CB214D028B92

Function 07A23DC6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6bb0b60ae381aeae55b7091f34a05f02fc0dc4eb96d5608d39096a3fe23fd3
Instruction ID: 6963d2eda8b774aa6a95b7cc6b42a77c44fcc97a9ea3266da5a92b0068245c2d
Opcode Fuzzy Hash: ca6bb0b60ae381aeae55b7091f34a05f02fc0dc4eb96d5608d39096a3fe23fd3
Instruction Fuzzy Hash: 67F0F4B4A12229CFEF50DF6CE48479977F1FB4A300F009865E426E7258D73CA8829F10

Function 0773250F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f9a8e6aaad517d01e8bbbfbcb3846d49edda8a5019d47a7321fcce2059b3b8
Instruction ID: 12fe11008e14714f6bd2c29eeb96fb5dfc47aab6734de6dc89bb4e5338ff2f54
Opcode Fuzzy Hash: 10f9a8e6aaad517d01e8bbbfbcb3846d49edda8a5019d47a7321fcce2059b3b8
Instruction Fuzzy Hash: C1E09BB5A041089BD700EAE4D8565697BFADB84214B5089A5D409D7311DE36CA0357C1

Function 076F7510 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f42c5efd07d5b4cabecdaf9fc123b8401fd3d91d7c9174abd0535d5344e7221
Instruction ID: 8f79f33ec6fa06e06dd6432433f164c9c4eb3966440d71b980bd7bc0427f50bf
Opcode Fuzzy Hash: 0f42c5efd07d5b4cabecdaf9fc123b8401fd3d91d7c9174abd0535d5344e7221
Instruction Fuzzy Hash: 9CF0E5743045549FC7017734B8367293BA5D786318F40285AE50BD3785DFA92D26CB96

Function 07A28370 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ba2883bd1c4bcff5f07f209b8162ca2837432daeda8ceadfaade9e333f49a4
Instruction ID: 55e91572042b410833801a3d3e777391baf9962aad60b21178020d67784ba5ce
Opcode Fuzzy Hash: 89ba2883bd1c4bcff5f07f209b8162ca2837432daeda8ceadfaade9e333f49a4
Instruction Fuzzy Hash: 26F0E931505798DBC711AB39C81099ABBB4EFC2351F0485AFD8891B211EF31A886C791

Function 07A27DE8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e115dd8f9297e66699886f0f9d464d1e466e40004bf6066a735b0114acaa8a
Instruction ID: 2e00e5f8bb02e0a59e565c16dbed19db9069389591b19474a577acf5b757d59c
Opcode Fuzzy Hash: 51e115dd8f9297e66699886f0f9d464d1e466e40004bf6066a735b0114acaa8a
Instruction Fuzzy Hash: 20E02B20B082D04FC606537880311AE3ED79FC611474884FEC68E9B782CE185C0783DB

Function 076F3F5F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d213d2063e98363dec5638644b7bfb81fb87b7e1c2a3d79b720413aebcab5f
Instruction ID: e03c8cb26c7f480c50e9e8da6900217cc84ae1a6c291ff7237618986a08fa302
Opcode Fuzzy Hash: c6d213d2063e98363dec5638644b7bfb81fb87b7e1c2a3d79b720413aebcab5f
Instruction Fuzzy Hash: BCE0866230D2D05FC61693FCB8186FA7FAECBC6628B0506EFF188C7352CA545D4183A1

Function 07A273F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5527dff2c8374c2826b459494bc93e96eebeaa32b85bdc8e03584345b1f22524
Instruction ID: ca77f67652f6111191849810f94725812a1268b60c0de72cf1fade083b955139
Opcode Fuzzy Hash: 5527dff2c8374c2826b459494bc93e96eebeaa32b85bdc8e03584345b1f22524
Instruction Fuzzy Hash: 57F08C75A0E3C4AFD702CB78AD220AD7FB4DF82214B4900DAD648DB292D6752E14DB52

Function 076F5348 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9692f9f5a94b2490ab68815021f4de188786219856e23a19d90a0c12fe8110d9
Instruction ID: 2e9519891d3690bb1f7d981387304b0169074f386623433b66de5380730dd06f
Opcode Fuzzy Hash: 9692f9f5a94b2490ab68815021f4de188786219856e23a19d90a0c12fe8110d9
Instruction Fuzzy Hash: 53F05EB1A00155CFEB24DFA4C945B5ABBF1BF09341F010054DA0677690DB64AE02CB42

Function 076F8224 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515c15715b7b2d8a81eb72309eecf2fe15ccac5ea2860e426495271e8cabc79e
Instruction ID: 7353ffc43b0d42ccc7b318f5409d3bd431ea3be6369a580c57956fb5c1717a7a
Opcode Fuzzy Hash: 515c15715b7b2d8a81eb72309eecf2fe15ccac5ea2860e426495271e8cabc79e
Instruction Fuzzy Hash: B4F0E7B490120BDFDB14DFD0D9597AEBBB2BF04310F240459E50273290CB741A45CB80

Function 076F7520 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e02a57d0b1742d51a7b41f4bbffde2903db609b44bc673c6e4d9a1ac7de394
Instruction ID: 9e0a450251902afd035d8f4dcb15529124a2680b1d6860d67adbbe5a3656ef3e
Opcode Fuzzy Hash: 25e02a57d0b1742d51a7b41f4bbffde2903db609b44bc673c6e4d9a1ac7de394
Instruction Fuzzy Hash: A0E04FB0310428DBCB407774B42526D36DAE789215F802825E60BC3B44DF6979128E96

Function 07A28380 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ddc72d76b57546a51f4ca912e94fda9edaab6d9a31a5b5974d7c24f784a4d4
Instruction ID: 6ff9a11ce652a9838d768f5147f81a2c7a8b567b8031c197d7b6e3fa7d4124c8
Opcode Fuzzy Hash: 31ddc72d76b57546a51f4ca912e94fda9edaab6d9a31a5b5974d7c24f784a4d4
Instruction Fuzzy Hash: 14E06D32600B58DBC315AA79C81089AB3A9EFC5350F108A6ED95A5B321EF31A982D791

Function 076F6041 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8716fd77aba1b710d822f77deeea4348e8ad7abb6e3da8d2da1518eb362769eb
Instruction ID: 0f5fa735be101f1234c5f3e2f5340d6860f69edbc0a305c5207fb9cce5ded778
Opcode Fuzzy Hash: 8716fd77aba1b710d822f77deeea4348e8ad7abb6e3da8d2da1518eb362769eb
Instruction Fuzzy Hash: 3DE012A294E3C00EC31303789D301687F310C5351C35E48EBC0CACFAA3D01A8C89CB6A

Function 07A2A420 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441bcd53e8451737322f35362afee1281152153eae5d17f5217183ca8d8fae17
Instruction ID: d0757d0ce53479f7201d5191699e96618f8d47de47ffbafb269d3a46941a6fb8
Opcode Fuzzy Hash: 441bcd53e8451737322f35362afee1281152153eae5d17f5217183ca8d8fae17
Instruction Fuzzy Hash: C3E0DF70A05218EFCB00DFA8F84179C7BF9DF41214F1045A9E508C3642DA316E009B45

Function 07732718 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348842f268def8aa47a2939090e14dc20137bcdbb34330ab6fd7f5c98a967966
Instruction ID: a45217a47522616be243fd327103dd32a2aa46283b23f91c174749c8417eee92
Opcode Fuzzy Hash: 348842f268def8aa47a2939090e14dc20137bcdbb34330ab6fd7f5c98a967966
Instruction Fuzzy Hash: 8BE012B2D0520DABCB00EAB4D8076AD77FADB05319F904DA6D509D7211E939DE015782

Function 0773A4CB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60db2eae4d1414e7391ba88208ffdfd99f594acd66c04052866171447ffdc3f4
Instruction ID: 87bdd910c4010246a6c0d23c671722ba982bf6e309dcda8c4d4d2c9aef0dc0a8
Opcode Fuzzy Hash: 60db2eae4d1414e7391ba88208ffdfd99f594acd66c04052866171447ffdc3f4
Instruction Fuzzy Hash: D1F034B4A00324CFDB24CF54C884769BBF2BB49250F2558E4E84AA3782DB345E80CF92

Function 076F9008 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992f0b59f45b39370e184d722ecb8b820f9a93718573c2e9bc0c5d29dbebd1fa
Instruction ID: 6f343a4b51fd153bf6fe8635d069c821736b20405c4f1654d7833558fa7a8617
Opcode Fuzzy Hash: 992f0b59f45b39370e184d722ecb8b820f9a93718573c2e9bc0c5d29dbebd1fa
Instruction Fuzzy Hash: C9E0C23220A6904FCB058B98E81B66DBB709F89900B04858AE44BC7651CE249C0687C1

Function 076F7AB9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207dd10e728139f7ffc15eb2bbbb846d47733a987265d7ee4f1713bce2b60326
Instruction ID: 9580040a3ae55b19527d47b78de3a032d3c5e5bb95141abfb129132d31ad60f1
Opcode Fuzzy Hash: 207dd10e728139f7ffc15eb2bbbb846d47733a987265d7ee4f1713bce2b60326
Instruction Fuzzy Hash: AAD05E352092400FC38ACA58EE108E1BF629F9522432493AFE449C73A2DA22AF038660

Function 076F9900 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7fdc9638f20afcb8900b0022fc2e63d89ec10c15083c13048586133dea2097
Instruction ID: 8b2b1a1cce6d50277674b252f79009beda2c6681aeb913117f3686bdf66a7e76
Opcode Fuzzy Hash: 7e7fdc9638f20afcb8900b0022fc2e63d89ec10c15083c13048586133dea2097
Instruction Fuzzy Hash: 2BD05E21320214138509226AB4129BE7A8F8BC5768B15402AFA058B382CED96D0253EA

Function 07A273A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de197a7cd5989794c21ce3272add3e5f3c8a623010c9555364afa7a5358879e4
Instruction ID: 5da2b4c3c396758e7213e1f9ef3853eec4b80af71de007e99549fe8482913537
Opcode Fuzzy Hash: de197a7cd5989794c21ce3272add3e5f3c8a623010c9555364afa7a5358879e4
Instruction Fuzzy Hash: BDE0D874909388AFC701CFB8ED520ADBFB4DF82204B400199D108D3241DA702E10DB52

Function 076F82E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142340af93c4029786e1895324670a101eae98d55fd8081fe4ebd83383904275
Instruction ID: 08b3f8956b6286f333c1f82c307010165d6215d4af67d4bd5d2bf4fa636b0aef
Opcode Fuzzy Hash: 142340af93c4029786e1895324670a101eae98d55fd8081fe4ebd83383904275
Instruction Fuzzy Hash: 92D01772A1520EABCB10DFB0DD015AEB7ECEB05105B1406E9AD0ED3200EE32DA11D691

Function 076F82D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941cc3b5150c10d2ab33f6309f9a58e260e527303f9469ae36fda17e19052bb2
Instruction ID: 6a4a80c593706dc58beb74358001f6084075df13ef236256cc0f7b9cce7bae75
Opcode Fuzzy Hash: 941cc3b5150c10d2ab33f6309f9a58e260e527303f9469ae36fda17e19052bb2
Instruction Fuzzy Hash: E2E08CB2909246EFC702CBB0DD094ADBFB99F1120571501EAE44AD3221EB318E02C711

Function 076F3F70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c72d6441206120e3ee9d80ef69fe16d9c4833c19ff433d1bcd15cdccb7d0c39
Instruction ID: fdc0bc60600bfcd5569dea8e70efff46ac8dcb3a41e26bbd7cb8a533d3bbb131
Opcode Fuzzy Hash: 8c72d6441206120e3ee9d80ef69fe16d9c4833c19ff433d1bcd15cdccb7d0c39
Instruction Fuzzy Hash: BCD0C972314025ABC60862DEE845AAAB6EEDBCAA69B40467AF60DC3740CE51AC0147F5

Function 07739860 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634d47812a22f9f0ed6eb9edfeb9a2a368674b426c622ecf1785bdb7b2765600
Instruction ID: ce0438ca9cdb0680b5ae61c46229e4ac485da3877e01607c997e6cd2ce82b664
Opcode Fuzzy Hash: 634d47812a22f9f0ed6eb9edfeb9a2a368674b426c622ecf1785bdb7b2765600
Instruction Fuzzy Hash: 5CF015B4900324CFDB25DF64C8946A8B7B2BF49341F5048A9E84AA3741DB349E82CF91

Function 076F1198 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d345126b1977fce8fc12fda2a5eb4b4528b1221cd658fa37843fe604bae46c
Instruction ID: 5f5497b3b32acd0c5a59f557165659877b5a55e6a1c82f5338e6e7b16c5c89bf
Opcode Fuzzy Hash: f2d345126b1977fce8fc12fda2a5eb4b4528b1221cd658fa37843fe604bae46c
Instruction Fuzzy Hash: A2D05E5660A6E10BC7039AA8AA512E56F169F4323470947D7E19A8B2E7CE180B06C3D2

Function 07A2B328 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b417d3ad3cc745508176dcef2cbb02ad9c20977874d9852caa0ed156ead1719e
Instruction ID: efd0d43afc329ff12d4cba632889de3bc9be80521032b6e5bd534ad3fdb75284
Opcode Fuzzy Hash: b417d3ad3cc745508176dcef2cbb02ad9c20977874d9852caa0ed156ead1719e
Instruction Fuzzy Hash: 16D05E753242809FC345CB28D8919D5BBA09FBE21131880ABE808CF392D632ED43C7A1

Function 076F4D32 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ac65a8ae96a49343d540053f2a3027bd69616058ccdb1c498ecd2d244b7c51
Instruction ID: f81b6b08bf86f59d2b1db4ad668d94a6bc2a670bebcac83ef88df160b714ffc4
Opcode Fuzzy Hash: 99ac65a8ae96a49343d540053f2a3027bd69616058ccdb1c498ecd2d244b7c51
Instruction Fuzzy Hash: 04E01AB5A00114CFDB14DF94C941F5DBBF1BF09301F110054EA0667691D620AD028F41

Function 07A2E001 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffba8cf476eaf358d5765c3e33aa20eb1dd246291848efd3ff9e7002c215e7d5
Instruction ID: fdc9f60eaa21f6b0f1a4a03ca4f1256b28afb529557d33966cd44358875838ba
Opcode Fuzzy Hash: ffba8cf476eaf358d5765c3e33aa20eb1dd246291848efd3ff9e7002c215e7d5
Instruction Fuzzy Hash: B6D0A7743483405FD30ACAB4CC618A4BFB1DFAA210325D4AEE48CCB362E6329E13D710

Function 076F4DFB Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8b40d030e8f077ad1aaeedf0c38ad8b1177804fd9f559112f533a5cbfcb0e1
Instruction ID: a72362ffb3f42d7899e37d59044c076ba6a53e68889f1a06a022fbc9dd82e572
Opcode Fuzzy Hash: aa8b40d030e8f077ad1aaeedf0c38ad8b1177804fd9f559112f533a5cbfcb0e1
Instruction Fuzzy Hash: 92E08CB1E041A9CBEB20DFE4C881BAEBBB2BB01301F411064CA476B649CB745D06C682

Function 07A2C7B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87af23f4682004cb43db13c00d7179277487da16b2c4ce96a8ae380fafbf0f84
Instruction ID: 2e62776889002a5fbc208c86553197c947f49e8fd869a85288eb627006faa2f8
Opcode Fuzzy Hash: 87af23f4682004cb43db13c00d7179277487da16b2c4ce96a8ae380fafbf0f84
Instruction Fuzzy Hash: 98D042B1D042299FCB80EFADA9062DEBBF8AB49210F114066D51DE3205E7755A109BE1

Function 076F520A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80e231d9aa51e85677c552f24270ff858ebaa6c0d7f58d22d60f44755a79818
Instruction ID: f81f69d6b1b9e476394bb193c1a61a4f955a76dbacf3f1f00f0d8175a498e803
Opcode Fuzzy Hash: d80e231d9aa51e85677c552f24270ff858ebaa6c0d7f58d22d60f44755a79818
Instruction Fuzzy Hash: 5ED05EB1909052CAE720AFA8888236E7BF9AF05362F0512D5CF9766546DE289D168682

Function 076F5F80 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05683acba5df385442cc72157d7850f8aab04a8aab467e2e4813a3f79e66155
Instruction ID: 68828a851b828816bb498e930cca935f35809413076fbce6130bc9a9906aadbc
Opcode Fuzzy Hash: b05683acba5df385442cc72157d7850f8aab04a8aab467e2e4813a3f79e66155
Instruction Fuzzy Hash: F8D0C93100A3C48FC303DF35AA19CD17FA4AE0772470A01DFE1848B233DA64EA00C752

Function 076F7ED0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce098b4d13b57a9252b800111bbbe14017fb5961a86c606cd607e0e09275080a
Instruction ID: b53b5383516d97ca0df904238d3834986aa593e90a78774a2d356350df2ddaa7
Opcode Fuzzy Hash: ce098b4d13b57a9252b800111bbbe14017fb5961a86c606cd607e0e09275080a
Instruction Fuzzy Hash: D3C04CA709E3D44FD71396E0BE291F0BF6198120703194383E189D5A638A1657958651

Function 076F1DEB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0786bd58b4759b9fd8716cac109d56723580842e4c4e4d250a3115623f2df1
Instruction ID: fb1bb651a41c4ab8c34ee6fa2f5e7554c6a63ed5aaea5add522844726d2de4d4
Opcode Fuzzy Hash: 2f0786bd58b4759b9fd8716cac109d56723580842e4c4e4d250a3115623f2df1
Instruction Fuzzy Hash: 88E046F0E1016ACFEB148B64D8047ADB6B0BB06B51F4104AADA57A2240D7344D01CE82

Function 07A2A430 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fd6f30a5ce1ea9bbd62cf6dda4251228c406bd1e986a9c42b45cf264b377f2
Instruction ID: 5e575e8447048cd48f2e756c8bb726e0ae923c1f087c22b5567faa9bde008baf
Opcode Fuzzy Hash: c6fd6f30a5ce1ea9bbd62cf6dda4251228c406bd1e986a9c42b45cf264b377f2
Instruction Fuzzy Hash: 38D05EB0A0121DEFCB00EFA8E90165DB7F9EB84215B2085E9E608D3241EA312F00DB80

Function 07A273B0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f08ce27ce8706d114c7903034b22ab7709ac5d34926565027990fc8bdba0e6
Instruction ID: 6dfc7221d381021de1146636b9de421f8111486410a0970760043fffda2d3ecf
Opcode Fuzzy Hash: 13f08ce27ce8706d114c7903034b22ab7709ac5d34926565027990fc8bdba0e6
Instruction Fuzzy Hash: 8FD05EB0A1130CFFCB00DFE8EA0255DB7F9EB84219B5045A8E608D3380EA312F10DB81

Function 07A2B360 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e3e040a77dd66ab85aaf34a13448ae3f300259ff097b413423f7ed468d073f
Instruction ID: 2646c90b548a08e37718557d557143c41c497e74944ef5d995d25c11403d6afe
Opcode Fuzzy Hash: 60e3e040a77dd66ab85aaf34a13448ae3f300259ff097b413423f7ed468d073f
Instruction Fuzzy Hash: 41D0A932300210A7C214224AA808B6AB79ADBC8622B10802AE20AC32508E6098038290

Function 07732728 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85804fa6a0fb6b2988903fae564630238a0d0e74d62b3fba9bca4601d950f795
Instruction ID: 054d2cc3ca6195cdbf1218384e4ea0a2f793bbdb3324f77f854070c75269d710
Opcode Fuzzy Hash: 85804fa6a0fb6b2988903fae564630238a0d0e74d62b3fba9bca4601d950f795
Instruction Fuzzy Hash: 13D0C9B5D0120CEBCB00EFF499094AEBBFEDF45211BA049E6D508D7211FD359A105BD2

Function 077318C8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371b2073441ba5a896e7fc960b691d89aeff9dc4af0d89587c0b5f22602bab0f
Instruction ID: f94b17344fc0138235d59df3e188d3fbf0a65e1423fec76def14e73da94d0af1
Opcode Fuzzy Hash: 371b2073441ba5a896e7fc960b691d89aeff9dc4af0d89587c0b5f22602bab0f
Instruction Fuzzy Hash: AFD05E7580120CABCB00DFE4940946E7BFADF4820074044A69508D3210FD319A009BC1

Function 076F6020 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b79b12f0b14a3b270ee8b112f603ac78182d24168fc657435863b7c22138d3
Instruction ID: d08d3a96486d857c3433a351e37fbca77006188ef865bded3173725615858428
Opcode Fuzzy Hash: 41b79b12f0b14a3b270ee8b112f603ac78182d24168fc657435863b7c22138d3
Instruction Fuzzy Hash: 8FC08C3204E3C00FC717A674BC302E2BF220C5316935642DBE8C8CAF23C62A57A28B12

Function 076F9018 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee008d06e06a903ebc92436981bbe1bbb45f97d7406d727af525e3a91d0f6f79
Instruction ID: 964d207ad19d6226d6b7b9a4d318795e9905de5d26a997ae771192b186c5fd8b
Opcode Fuzzy Hash: ee008d06e06a903ebc92436981bbe1bbb45f97d7406d727af525e3a91d0f6f79
Instruction Fuzzy Hash: 25D012752156249BCA04568DB40DAADFBADDBCDA51F004056F90BC3241DFA55D0147E5

Function 07A27DD9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041d6c43122a1e71b4e843278154f8bda370459653a19fec5720f371752cfc2a
Instruction ID: 4b844523fc7d0ef94a66a82968271c8b6e22908f4f8dddeb2ea8c688980ffa9e
Opcode Fuzzy Hash: 041d6c43122a1e71b4e843278154f8bda370459653a19fec5720f371752cfc2a
Instruction Fuzzy Hash: FDD0A734A04292E3E6141158E0146A9FB999BC6220F08805AD88967641CE59180142D5

Function 07A2CB72 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec0ae6468a5edaac7738c11a7651f3a3449510d1b72919f139cb5afc271651a
Instruction ID: 5adc4c4c02ebe650d03c475582aa2ac713fcc2247e58134515bc98af40d4a35f
Opcode Fuzzy Hash: fec0ae6468a5edaac7738c11a7651f3a3449510d1b72919f139cb5afc271651a
Instruction Fuzzy Hash: 05D05B75700505CFCB04DF98E4509DEB7B1FB85329F104095D6055B754C7309D05DF91

Function 07732760 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31bda66cc9c6bff84a1c300597039af2b633aa29c7fb41e6997b67d950407a0
Instruction ID: f9c0b2a292e4c0c7607107174e13ee9c88370863d9eb849575a5d725721ae116
Opcode Fuzzy Hash: d31bda66cc9c6bff84a1c300597039af2b633aa29c7fb41e6997b67d950407a0
Instruction Fuzzy Hash: 09C012326080084BD644E1A8D843B24B3DACB8862CF98CD6EA40D87212DA3BEC038890

Function 077324F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee2404f51f5c8e1cd33d0ad45ac2c73749327b433829bfc2aedc5d8de7ac19a
Instruction ID: 2070e9c938b0d51915f334c198b63b4332de2c7c9a4207d6850d6d2ae592a75c
Opcode Fuzzy Hash: 9ee2404f51f5c8e1cd33d0ad45ac2c73749327b433829bfc2aedc5d8de7ac19a
Instruction Fuzzy Hash: B4C08C321080040BC204F1A4EC43B24B3DCC7C062CFC8C86DA91EC7342CA3AEC0381C2

Function 076F80D1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9653f41edabb74eb89672a91d1327d7b05347bef4d99494ea384cfa04010de34
Instruction ID: 624b811a959315dc2fb477affa208731b27ea67a27974708e41c0aace7636343
Opcode Fuzzy Hash: 9653f41edabb74eb89672a91d1327d7b05347bef4d99494ea384cfa04010de34
Instruction Fuzzy Hash: E5D0C9351496C09FC302C738E9185983F70AF47524B2502DBE0C8CB673C7156A1A8701

Function 076F8EA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e38921daab58bfb31a54b41dd490db8c5f36cea7b7c9e0b7493fa7119abc41
Instruction ID: 43ede2bb6aeea9fb1a6c953885006ca1e264ea39c898ec877573535f4e1acae5
Opcode Fuzzy Hash: 34e38921daab58bfb31a54b41dd490db8c5f36cea7b7c9e0b7493fa7119abc41
Instruction Fuzzy Hash: 4ED0C93A045584AFCB82DF60E849C947F74FF152707058082FA448BA32DB32DA62DB51

Function 07737688 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ef463ddac3929c12946d61a6c40d964c1cbb59e718034ba1a1ee948349637f
Instruction ID: 6d3a2e63e350b52dcfef666ec46d512d60f4b44e591715f0181a49bcb9a43aee
Opcode Fuzzy Hash: 49ef463ddac3929c12946d61a6c40d964c1cbb59e718034ba1a1ee948349637f
Instruction Fuzzy Hash: 46E07574A01318CFDB54CF14C844A99BBB2FB4A310F2081D5D809A3751DA35AD81CF41

Function 0773495F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5778d9b45a4259583703d4ab8fdac72611814af2e0392d064fa02e13044f6749
Instruction ID: 89aa164de529dfac7e47fec5eb7579f9cd6b03c34d5177d344e5b56b15b57bfc
Opcode Fuzzy Hash: 5778d9b45a4259583703d4ab8fdac72611814af2e0392d064fa02e13044f6749
Instruction Fuzzy Hash: 1AD02EB0E00220CBCB009B90C48036A37B0AB46390F2004F1C80A63B82DB384D80CB83

Function 076F01F0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa52dee1bb1be1464e5dc654ebf0f729750b2496775e0ceeca0e619919b610a3
Instruction ID: 1fd4aa6cdd88b2449cece044a9434f13e0b682bf60059577fb175435b7cb4264
Opcode Fuzzy Hash: aa52dee1bb1be1464e5dc654ebf0f729750b2496775e0ceeca0e619919b610a3
Instruction Fuzzy Hash: 9AD0C9319197848FC3428B68E84A4147BB0BF07670311C0EAD8898BA32D621BC148B86

Function 076F5FC1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf31548dfb9f33389d865e476270bafa8ef42db696ef5961a885fe64a39a9f6
Instruction ID: 369b9413580a7aac17a7e05cda2f703a284a49dfb333bc8718e585522c759baf
Opcode Fuzzy Hash: 7bf31548dfb9f33389d865e476270bafa8ef42db696ef5961a885fe64a39a9f6
Instruction Fuzzy Hash: 06D0C97415C6C04FC3538B68D824A917F745E5B56439640DAE099CBA33C221A9118B11

Function 07A24E0A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9031550fede35351988fc93e7bec0021a9252a7941f536bd6b41bce6db2a50d
Instruction ID: da5f1385fecda42443571fd670d9f77d0c64270c986f9d9ba164189f8d48a45a
Opcode Fuzzy Hash: e9031550fede35351988fc93e7bec0021a9252a7941f536bd6b41bce6db2a50d
Instruction Fuzzy Hash: 08D0A934308180CFD308CB28D888E11BBA0DF9A218B14C0DEE84CCF657CA72EC62C720

Function 076F11A8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff2487a6ee90e477f8e35c7869136bf2e57db71aaef943cfa7ea07852719020
Instruction ID: 2eb91e5cdf9687eff087978fbf28d1d8a6b6ba7d89ceb9ec266494667e144e58
Opcode Fuzzy Hash: fff2487a6ee90e477f8e35c7869136bf2e57db71aaef943cfa7ea07852719020
Instruction Fuzzy Hash: 36C08C2130482813C10625CCA0152AA7A8EC786764B00402BB20A873828E540E0282D6

Function 076F8DE1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205ffd89d99a1e2b98a7d9adc2e9842667d11c44d1d3535599444b72c1140c30
Instruction ID: 81da0cac42800d1c20d69aa9fd6caf316092e37417db75644a2f5790b0f7215a
Opcode Fuzzy Hash: 205ffd89d99a1e2b98a7d9adc2e9842667d11c44d1d3535599444b72c1140c30
Instruction Fuzzy Hash: DAC08C2208E3C00FC71386B0BC240F17F61AC2602130942D7F0C8E4573C60402018311

Function 076F1BE4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8e6e128f861e778c2c06787a4aed0feb0a729d9ae5103c911e19227f9151d4
Instruction ID: b6506bfa81ded8e1fc13b51f440bc4f7b7cc0905f15cb3e7f53bc1db4c1234c4
Opcode Fuzzy Hash: 5a8e6e128f861e778c2c06787a4aed0feb0a729d9ae5103c911e19227f9151d4
Instruction Fuzzy Hash: 36D05EF0E10165CFEB048F54D85576CBBB1BB0AB41F411469EA57A3240DB345C018E82

Function 076F19D2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae0d8980b90631b5151156b9a06fcf715cea65fd48d2c440815e22aab48db00
Instruction ID: 52a48123cdf58c56b682c1d16147a2f09848bcb5b41008e653475d386f0aa6c4
Opcode Fuzzy Hash: eae0d8980b90631b5151156b9a06fcf715cea65fd48d2c440815e22aab48db00
Instruction Fuzzy Hash: 75D0A7F1910551CFEB040F24D41572977A1B709B51F45143CE91793240CF24D80289C1

Function 07A25A00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41a9ee47f58b26f6def0f27c4de59e2d09c76b545f3522043f23f6bf4818bd
Instruction ID: 8a29d9c5308bb3295dd76ce32ff9531ac13158ec9fa59604a7eea75961fdb385
Opcode Fuzzy Hash: 0d41a9ee47f58b26f6def0f27c4de59e2d09c76b545f3522043f23f6bf4818bd
Instruction Fuzzy Hash: 5BD0123150031A8FCB01BBB4F40A5193B5AEB40A0D3400D64A20F4B241DF7D59458B85

Function 077327A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc089daeff9cbc9d4ae87ceb792d5fc9487c6ed9216a8102cb5be46971a47a82
Instruction ID: 81b16020861a8c85d7b8032408745499e2babd150630ff8dbd2112e8b7645435
Opcode Fuzzy Hash: dc089daeff9cbc9d4ae87ceb792d5fc9487c6ed9216a8102cb5be46971a47a82
Instruction Fuzzy Hash: A5B0926200024867C6006AB0EC4B3B5BFD8C384E2DF84AC14E00E81201C93DDC078492

Function 076F5FA0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161fe8072968f9815ca092f4f99800aecf07cac269b91e6f8c7ba36bd4834249
Instruction ID: 96d459cfbb9e8e3112eddd898d92ca9cb10693514951d50ef2bd364fb4ddcb74
Opcode Fuzzy Hash: 161fe8072968f9815ca092f4f99800aecf07cac269b91e6f8c7ba36bd4834249
Instruction Fuzzy Hash: 77C0024240EBD109C71712F95AAA756BFBC4C830A97CD48CFD4DEC6E63D114A4A4C766

Function 076F7AC8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 07A29580 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f744d8e891c39b2cbcfc79d151ee30b4276de4893d7d8ff2da8185ac3f8e7e40
Instruction ID: f1ef420bd91c6d4c582367ff95dcb3c4542b223ccff249a894924efe6dbc2ac5
Opcode Fuzzy Hash: f744d8e891c39b2cbcfc79d151ee30b4276de4893d7d8ff2da8185ac3f8e7e40
Instruction Fuzzy Hash: 42D023751081804FD300CB54DD524957F105F91364F05809ED4498F103C3188935DB13

Function 07A2E010 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 07A24E18 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 076F8EB8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 07732770 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 07732500 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 076F6710 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 077338E3 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667eaf5cacf420bb4048b20057a650ff74b51cc61058b5f412c0d2c88400dd9c
Instruction ID: 63ae63694c77ecdd2dd82ef91e0e431cbbd458b0955a208a343e85d83edc5283
Opcode Fuzzy Hash: 667eaf5cacf420bb4048b20057a650ff74b51cc61058b5f412c0d2c88400dd9c
Instruction Fuzzy Hash: 53C04C70610205CBC7209BD0D8596AD7B72FB40395B204524F41296115EA3158428A50

Function 076FF3E0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad0a259d3cfe47c21bbaf2eafb97263218d365dda18e40d84c0aa9a9699784
Instruction ID: fdf5037c59b9e90c9c622f46e89206012a58bb2097b72ff4ad4ac5d3dc21d0d5
Opcode Fuzzy Hash: baad0a259d3cfe47c21bbaf2eafb97263218d365dda18e40d84c0aa9a9699784
Instruction Fuzzy Hash: D1B0123010231E4FC7807B75F409544775EEE503077404A31B40D0A005596C3CD247D5

Function 076F0200 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 076F828B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0055066e4002886363794e3e4445ff016631935264cf9903e955f87b8dc2ac
Instruction ID: e3035e1df7ffdbc822d593d919369507016f68dfc9301ef73b291b06a96b9eaf
Opcode Fuzzy Hash: cc0055066e4002886363794e3e4445ff016631935264cf9903e955f87b8dc2ac
Instruction Fuzzy Hash: 27B0123BB400199ACB00D6C8F4504ECFB30EBD4332F004033C300620008B31157AC760

Function 076F80E0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 076F5F90 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9595624a4e0f29354b960da1d05594d8c04970dc059046f5c46c3cadfcc90daf
Instruction ID: 19ae7ab630e199ca59750321b9417556a7d636762dfce4460639e4203ee02302
Opcode Fuzzy Hash: 9595624a4e0f29354b960da1d05594d8c04970dc059046f5c46c3cadfcc90daf
Instruction Fuzzy Hash: ABB01230140208CFC300DF5DE549C013FECEF08A0434100D0F1088B732C721FC008A51

Function 076F98D8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def00bc290c3a8fef6fcc3cb573e33cb5537891a7ae03bb5f56ce998df01ad3b
Instruction ID: c463b4762146e9bf21c8d5d413b2973bdf77c6db28ec42916fc230795f7fce42
Opcode Fuzzy Hash: def00bc290c3a8fef6fcc3cb573e33cb5537891a7ae03bb5f56ce998df01ad3b
Instruction Fuzzy Hash: A1B0928A90D7C01FC24E26244C9264A2F302802800BCE50CA485887156E90C990D834B

Function 076F6030 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4479f6843b8251eec09b49567758e10e34a1ca2a8c17af55015f877035dd8e4
Instruction ID: 9025ebc612bbc03b67834557c6f88c5450c8e996a11c44ef8eeb7bd1538261a3
Opcode Fuzzy Hash: b4479f6843b8251eec09b49567758e10e34a1ca2a8c17af55015f877035dd8e4
Instruction Fuzzy Hash: 80A02238202B0C82820832BAA000830338C0800A0C38080B8820C0AE200833F8A0888A

Function 077327B0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808675744.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3ca9439e4960ff8e75b877552099527640dce70f8b822e46c8a7724c56b749
Instruction ID: 7c51a3e8a25de434d1703b13865daaec0c46f9c4ba6438f1f9dfb8d45122c4e3
Opcode Fuzzy Hash: fb3ca9439e4960ff8e75b877552099527640dce70f8b822e46c8a7724c56b749
Instruction Fuzzy Hash: 3990223200020C8B020023C0380A228BF0CC0C0C003800000B00C002020E30E80200C0

Function 076F3200 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403c439c2caed8217b350bc6d14ff1bd19a7cb7fc8b84bda2ad71575ea09712a
Instruction ID: 55f850f0f7092542518cf9aaabf15753e4de0b0a4265b69bb65e5fde9c98cb74
Opcode Fuzzy Hash: 403c439c2caed8217b350bc6d14ff1bd19a7cb7fc8b84bda2ad71575ea09712a
Instruction Fuzzy Hash: F790223000020C8B800023C8380A320BB0CA000C003800000F00C002020E22A00000C0

Function 076F5FB0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d81f9186706d201855b1b9055ea43950c675518a679ee4e357cf0c80beb883
Instruction ID: da6a72429bf0a080d36a760f38c96699cbd6904f1811bc45555c8e5501be1e39
Opcode Fuzzy Hash: 58d81f9186706d201855b1b9055ea43950c675518a679ee4e357cf0c80beb883
Instruction Fuzzy Hash: FE90223002020C8B088023C0300A220BB8C80000083800008B00C000028F20200000C0

Function 076F8DF0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669b665bd068a96aff173a6eab82ce4a4e28f7a216565e967c1a2de75a212166
Instruction ID: 8410a5aba93d618a7a4d0c16c189c675631a570933ce4013233a8081615b38bf
Opcode Fuzzy Hash: 669b665bd068a96aff173a6eab82ce4a4e28f7a216565e967c1a2de75a212166
Instruction Fuzzy Hash: 8790023149560C9F4A4027D5B40A7A57BDDD5445277880061B54D415015E55645185D5

Non-executed Functions

Function 07CFDDC7 Relevance: 13.9, Strings: 10, Instructions: 1351COMMON

Download Yara Rule

Strings

{2j^, xrefs: 07CFF3C5, 07CFF3CA
4'^q, xrefs: 07CFEFD5
4'^q, xrefs: 07CFE6C9
2j^, xrefs: 07CFE71F, 07CFE724
4'^q, xrefs: 07CFE80D
4'^q, xrefs: 07CFDDF2
4'^q, xrefs: 07CFE8C6
$^q, xrefs: 07CFEF4A
4'^q, xrefs: 07CFEEBF
4'^q, xrefs: 07CFE403

Memory Dump Source

Source File: 00000000.00000002.1809691757.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q${2j^$2j^
API String ID: 0-3092342800
Opcode ID: 6eec4aa7e6e4f033dfc0b519df12199449d1a84148e942086a0c5cee4e059b23
Instruction ID: 6b83c487057bd4e5e985f6de99bdf8ad2133c9df5bdc66c6278c99bc41c76b81
Opcode Fuzzy Hash: 6eec4aa7e6e4f033dfc0b519df12199449d1a84148e942086a0c5cee4e059b23
Instruction Fuzzy Hash: 67E2E7B09102289FCB56DF64D8446DDBBFAFF89300F4085E9D509AB251EF316E949F82

Function 07CFDDD8 Relevance: 13.8, Strings: 10, Instructions: 1342COMMON

Download Yara Rule

Strings

{2j^, xrefs: 07CFF3C5, 07CFF3CA
4'^q, xrefs: 07CFEFD5
4'^q, xrefs: 07CFE6C9
2j^, xrefs: 07CFE71F, 07CFE724
4'^q, xrefs: 07CFE80D
4'^q, xrefs: 07CFDDF2
4'^q, xrefs: 07CFE8C6
$^q, xrefs: 07CFEF4A
4'^q, xrefs: 07CFEEBF
4'^q, xrefs: 07CFE403

Memory Dump Source

Source File: 00000000.00000002.1809691757.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q${2j^$2j^
API String ID: 0-3092342800
Opcode ID: 1bced5b0ecc037bceb1124e31dcf4bc508dd308c58e837401a6daf44ab750983
Instruction ID: c28d400baa4a20778607e86378393ecfd6a463350ae5c4899bc5e7cc6b1af038
Opcode Fuzzy Hash: 1bced5b0ecc037bceb1124e31dcf4bc508dd308c58e837401a6daf44ab750983
Instruction Fuzzy Hash: 4DE2E7B09102289FCB56DF64D8446DDBBFAFF89300F4085E9D509AB251EF316E949F82

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00409092
PA, xrefs: 00408E3D
@, xrefs: 00408D03

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 02865108 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

4'^q, xrefs: 028651A7
4'^q, xrefs: 028651D2

Memory Dump Source

Source File: 00000000.00000002.1800680087.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 4492f4ff184baede9089966c0a37d5701709e2c0173c00729171da0917c5d7ce
Instruction ID: 54fb48fbaa9d62135138043cc700ad5c3564d87fdf5440ae49688af2e0560de6
Opcode Fuzzy Hash: 4492f4ff184baede9089966c0a37d5701709e2c0173c00729171da0917c5d7ce
Instruction Fuzzy Hash: CD713C70A016549FDB48EF6AE890A9ABFF3FBC8305F14D929D4049B269EF342905CF50

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 076F6D20 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209f84a5daa318ea7d7345d28290a3cdca4b63382281e2bbd7d636c84fe4d90a
Instruction ID: cced168fddec95828437cc775e3f057ec6c4177c5f3d970e07ef9e369cd4560d
Opcode Fuzzy Hash: 209f84a5daa318ea7d7345d28290a3cdca4b63382281e2bbd7d636c84fe4d90a
Instruction Fuzzy Hash: 86B17EB1E1012A9BCB11CFA9D8806ADFBF1FF48310F64866AD556E7205D734ED42CB90

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 076F6D10 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1808614266.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43df0644b30acc4466f328bbfd66546873da0bf8d15c1d2085c1fd791d2b1187
Instruction ID: 9ac2353c468abb4a7b4be0e24b098e816e77499bb82d1700d4ab9692da4b2f14
Opcode Fuzzy Hash: 43df0644b30acc4466f328bbfd66546873da0bf8d15c1d2085c1fd791d2b1187
Instruction Fuzzy Hash: 9D716BB1E0522A9FCB11CFA9C9806EDFBF2FF48310F18866AD555E7205D734A946CB90

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,028918C0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 699406c386ffa869d5cdd020c3adf727bae4a7aedc43fc2fcbe963bd6ef1e29e
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 07A2C957 Relevance: 8.8, Strings: 7, Instructions: 78COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A2CA4D
4'^q, xrefs: 07A2C99E
4'^q, xrefs: 07A2CA07
4'^q, xrefs: 07A2C9C1
4'^q, xrefs: 07A2C9E4
4'^q, xrefs: 07A2CA2A
4'^q, xrefs: 07A2C97B

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: 66d038f09494655771a27ff2bf0564cb390d0881267f70bbeb5180cd5eebbc76
Instruction ID: 37967ba25a2f9f5e291d3ad5a3712dbea0edf3bde4cc5c9b6b447d80b8916aee
Opcode Fuzzy Hash: 66d038f09494655771a27ff2bf0564cb390d0881267f70bbeb5180cd5eebbc76
Instruction Fuzzy Hash: C8312F30E1121A9FCF08EFA4E8515DDBBF1FF84704F109999E145AB259DF306A4ACB92

Function 07A2C968 Relevance: 8.8, Strings: 7, Instructions: 70COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A2CA4D
4'^q, xrefs: 07A2C99E
4'^q, xrefs: 07A2CA07
4'^q, xrefs: 07A2C9C1
4'^q, xrefs: 07A2C9E4
4'^q, xrefs: 07A2CA2A
4'^q, xrefs: 07A2C97B

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3435395042
Opcode ID: bd2897458ea979de4cf8a7a47b442d02903d1e66de37e8809b966ecc10cd1aa1
Instruction ID: f499d6027747fb61424a8904011652b9d26e882c57b1ff478efc4ab183baf5fa
Opcode Fuzzy Hash: bd2897458ea979de4cf8a7a47b442d02903d1e66de37e8809b966ecc10cd1aa1
Instruction Fuzzy Hash: 62213030E1011A9FCF08EFA4E8515DDBBF1FF84305F109959E105AB258DF306A4ACB91

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 07A290F8 Relevance: 7.7, Strings: 6, Instructions: 244COMMON

Download Yara Rule

Strings

f9l, xrefs: 07A2937E
Hg9l, xrefs: 07A291D9
Hg9l, xrefs: 07A29318
Hg9l, xrefs: 07A2934A
f9l, xrefs: 07A293B0
Hg9l, xrefs: 07A2920B

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: Hg9l$Hg9l$Hg9l$Hg9l$f9l$f9l
API String ID: 0-1924673892
Opcode ID: 88c8410e539d090a399afd40ff4b0e11e3a8b490e209834015b988ae69722360
Instruction ID: 568623d95f482e480c8b0fae0ffd802f17460adedd4330071b609c7f2554a1c3
Opcode Fuzzy Hash: 88c8410e539d090a399afd40ff4b0e11e3a8b490e209834015b988ae69722360
Instruction Fuzzy Hash: 4F9180B03013529FC705AB38D4116AEBBA6EBC5318F18C91DE14A8F385DB76AC479BD1

Function 07A290F2 Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

f9l, xrefs: 07A2937E
Hg9l, xrefs: 07A291D9
Hg9l, xrefs: 07A29318
Hg9l, xrefs: 07A2934A
f9l, xrefs: 07A293B0
Hg9l, xrefs: 07A2920B

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: Hg9l$Hg9l$Hg9l$Hg9l$f9l$f9l
API String ID: 0-1924673892
Opcode ID: 1b8dec007641a346c173bc6dcc901cf525a16396edb7755fbf554927eaabd1e0
Instruction ID: ecd31816224b9bf70d49300b27723f76b3de3b33d00ab06ae3bc488e7ef94087
Opcode Fuzzy Hash: 1b8dec007641a346c173bc6dcc901cf525a16396edb7755fbf554927eaabd1e0
Instruction Fuzzy Hash: 909190B03013529FC705AB38D4512AE77A6EBC5318F18C91DE14A8F386DB76AC479BD1

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02891660), ref: 00414050

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

`$B, xrefs: 0040FACC
P$B, xrefs: 0040FAAA

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004146FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: e2021bf9677ac04d29097cd60d098293ca774abcf3d3e4afca42f73e68fb5c2d
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000000.00000002.1798930253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1798907082.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798958969.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1798983883.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799006241.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799027503.0000000000A31000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1799225081.0000000000A32000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NL Hybrid.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 07A208A8 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A20A84
30j^, xrefs: 07A20A26, 07A20A2B
$^q, xrefs: 07A209D6
<duq, xrefs: 07A20902

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: <duq$$^q$$^q$30j^
API String ID: 0-2500203974
Opcode ID: cee19c4f4f4ba5f91df55bc729392c481db45411cc1ceae0a924157e9df6eb91
Instruction ID: bacc74e3e21137872746da519dc7a710d7a8021a382647a2f90670a3dfb31563
Opcode Fuzzy Hash: cee19c4f4f4ba5f91df55bc729392c481db45411cc1ceae0a924157e9df6eb91
Instruction Fuzzy Hash: 08F1F9B0D002199FCB55EFA4D840ADDBBF6FF89300F5085A9D209AB265EF315E449F92

Function 07A208A7 Relevance: 5.3, Strings: 4, Instructions: 329COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A20A84
30j^, xrefs: 07A20A26, 07A20A2B
$^q, xrefs: 07A209D6
<duq, xrefs: 07A20902

Memory Dump Source

Source File: 00000000.00000002.1809063819.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a20000_NL Hybrid.jbxd

Similarity

API ID:
String ID: <duq$$^q$$^q$30j^
API String ID: 0-2500203974
Opcode ID: da62498d5ef4eaaa9a10dabfe44b437d48caacb30c779d3271562a679826e576
Instruction ID: d286940f66785eb22e3f6fa53c2a78c5c698e1d88c2824a579344f4c556e44c6
Opcode Fuzzy Hash: da62498d5ef4eaaa9a10dabfe44b437d48caacb30c779d3271562a679826e576
Instruction Fuzzy Hash: 2EF1F9B0D002199FCB55EFA4D840ADDBBF6FF89300F5085A9D109AB265EF315E449F92

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NL Hybrid.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NL Hybrid.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFC347.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
NL Hybrid.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 07731908 Relevance: 5.7, Strings: 4, Instructions: 673
COMMON

Function 077300F1 Relevance: 3.6, Strings: 2, Instructions: 1146
COMMON

Function 028650F8 Relevance: 2.7, Strings: 2, Instructions: 209
COMMON

Function 02865080 Relevance: 2.7, Strings: 2, Instructions: 203
COMMON

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Function 07A25A32 Relevance: 9.0, Strings: 7, Instructions: 294
COMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 07A2B9E0 Relevance: 5.2, Strings: 4, Instructions: 172
COMMON

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 076FE170 Relevance: 2.6, Strings: 2, Instructions: 57
COMMON

Function 0286DCD8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON