Edit tour

Windows Analysis Report
PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Overview

General Information

Sample name:	PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Analysis ID:	1528611
MD5:	6145c8269f1675712b844d8ac1980287
SHA1:	7f37641603386f8b96edcf91a4d32d3f4a5d40cd
SHA256:	93548239884f6d9f3ea7240dbf34beaa81bcd4f3c122454e81d9e1e433c804f0
Tags:	exeuser-threatcat_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Obfuscated command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Dosfuscation Activity

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO# EB202329720241007_Hardy_Process^^^^.pif.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe" MD5: 6145C8269F1675712B844D8AC1980287)

InstallUtil.exe (PID: 7136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wpappx.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Roaming\wpappx.exe" MD5: 6145C8269F1675712B844D8AC1980287)

InstallUtil.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wpappx.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\wpappx.exe" MD5: 6145C8269F1675712B844D8AC1980287)

InstallUtil.exe (PID: 1104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5ed0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1406:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.2446396240.0000000005770000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2435244126.000000000412C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x85708:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x88c3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.1824668881.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x85f60:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x89496:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x66c8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1bfe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.2928192880.0000000003D44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x10f710:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x112c46:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x64d8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1a0e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x86478:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x899ae:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 7136	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: wpappx.exe PID: 7016	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: wpappx.exe PID: 7016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wpappx.exe PID: 3052	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: wpappx.exe PID: 3052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 6752	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: InstallUtil.exe PID: 1104	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.InstallUtil.exe.41544e8.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.InstallUtil.exe.5770000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
8.2.InstallUtil.exe.3d444e8.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5da0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\wpappx.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpappx

Sigma detected: Potential Dosfuscation Activity

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe", CommandLine: "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe, NewProcessName: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe, OriginalFileName: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe", ProcessId: 6728, ProcessName: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Suricata Signatures

ETPRO MALWARE Win32/zgRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T04:28:37.021260+0200	2857345	1	Malware Command and Control Activity Detected	192.168.2.4	49739	89.238.176.5	50600	TCP
2024-10-08T04:28:58.400411+0200	2857345	1	Malware Command and Control Activity Detected	192.168.2.4	49747	89.238.176.5	50600	TCP
2024-10-08T04:29:19.782484+0200	2857345	1	Malware Command and Control Activity Detected	192.168.2.4	49879	89.238.176.5	50600	TCP
2024-10-08T04:29:41.289415+0200	2857345	1	Malware Command and Control Activity Detected	192.168.2.4	50010	89.238.176.5	50600	TCP
2024-10-08T04:30:02.663221+0200	2857345	1	Malware Command and Control Activity Detected	192.168.2.4	50011	89.238.176.5	50600	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: cdn.glitch.global	Virustotal: Detection: 5%			Perma Link
Source: https://cdn.glitch.global	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wpappx.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe	ReversingLabs: Detection: 34%
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Virustotal: Detection: 33%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wpappx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Joe Sandbox ML: detected

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05D9D3D0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05EB1A78
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05EB1A70
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EF5973h	0_2_05EF55E0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EF5973h	0_2_05EF55D1
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EFD510h	0_2_05EFD458
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EFD510h	0_2_05EFD450
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EF61A9h	0_2_05EF6148
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 4x nop then jmp 05EF61A9h	0_2_05EF6336
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_0643D3D0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_06551A70
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_06551A78
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 0659D510h	4_2_0659D458
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 0659D510h	4_2_0659D450
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 06595973h	4_2_065955D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 06595973h	4_2_065955E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 065961A9h	4_2_06596336
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 065961A9h	4_2_06596148
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 065961A9h	4_2_06596138
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_0602D3D0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_06141A70
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_06141A78
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 0618D510h	7_2_0618D458
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 0618D510h	7_2_0618D450
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 06185973h	7_2_061855D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 06185973h	7_2_061855E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 061861A9h	7_2_06186336
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 061861A9h	7_2_06186138
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4x nop then jmp 061861A9h	7_2_06186148

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49747 -> 89.238.176.5:50600
Source: Network traffic	Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49739 -> 89.238.176.5:50600
Source: Network traffic	Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49879 -> 89.238.176.5:50600
Source: Network traffic	Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:50010 -> 89.238.176.5:50600
Source: Network traffic	Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:50011 -> 89.238.176.5:50600

Uses dynamic DNS services

Source: unknown

DNS query: name: puritylgs.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 89.238.176.5:50600

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: cdn.glitch.global
Source: global traffic	DNS traffic detected: DNS query: puritylgs.duckdns.org

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.glitch.global
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC
Source: wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC&
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003DFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB0C28 NtWriteVirtualMemory,	0_2_05EB0C28
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB08E0 NtAllocateVirtualMemory,	0_2_05EB08E0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB0A58 NtCreateThreadEx,	0_2_05EB0A58
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB0C21 NtWriteVirtualMemory,	0_2_05EB0C21
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB08D8 NtAllocateVirtualMemory,	0_2_05EB08D8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB0A50 NtCreateThreadEx,	0_2_05EB0A50
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFECF0 NtProtectVirtualMemory,	0_2_05EFECF0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFECE8 NtProtectVirtualMemory,	0_2_05EFECE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06550C28 NtWriteVirtualMemory,	4_2_06550C28
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06550A58 NtCreateThreadEx,	4_2_06550A58
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_065508E0 NtAllocateVirtualMemory,	4_2_065508E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06550C21 NtWriteVirtualMemory,	4_2_06550C21
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06550A50 NtCreateThreadEx,	4_2_06550A50
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_065508D8 NtAllocateVirtualMemory,	4_2_065508D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659ECF0 NtProtectVirtualMemory,	4_2_0659ECF0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659ECE8 NtProtectVirtualMemory,	4_2_0659ECE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06140C28 NtWriteVirtualMemory,	7_2_06140C28
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06140A58 NtCreateThreadEx,	7_2_06140A58
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_061408E0 NtAllocateVirtualMemory,	7_2_061408E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06140C21 NtWriteVirtualMemory,	7_2_06140C21
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06140A50 NtCreateThreadEx,	7_2_06140A50
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_061408D8 NtAllocateVirtualMemory,	7_2_061408D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618ECF0 NtProtectVirtualMemory,	7_2_0618ECF0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618ECE8 NtProtectVirtualMemory,	7_2_0618ECE8

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027CC164	0_2_027CC164
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C159C	0_2_027C159C
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C8A90	0_2_027C8A90
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C09B8	0_2_027C09B8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C1EE0	0_2_027C1EE0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C0C98	0_2_027C0C98
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027CAD67	0_2_027CAD67
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C2218	0_2_027C2218
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C52A0	0_2_027C52A0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C43F8	0_2_027C43F8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C50C5	0_2_027C50C5
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C169A	0_2_027C169A
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C4408	0_2_027C4408
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C8A80	0_2_027C8A80
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C4FED	0_2_027C4FED
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C1F91	0_2_027C1F91
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027CDC70	0_2_027CDC70
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027CDC60	0_2_027CDC60
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C0CD2	0_2_027C0CD2
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C0C89	0_2_027C0C89
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_027C0D49	0_2_027C0D49
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D36CC0	0_2_05D36CC0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D36CBB	0_2_05D36CBB
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D3579B	0_2_05D3579B
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D357A0	0_2_05D357A0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D30040	0_2_05D30040
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D3003B	0_2_05D3003B
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D3724F	0_2_05D3724F
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D9E8D8	0_2_05D9E8D8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D90040	0_2_05D90040
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D90007	0_2_05D90007
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EA212F	0_2_05EA212F
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EA5B50	0_2_05EA5B50
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EA2467	0_2_05EA2467
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EA3748	0_2_05EA3748
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EBC458	0_2_05EBC458
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB2688	0_2_05EB2688
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EBC44B	0_2_05EBC44B
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EBD6C7	0_2_05EBD6C7
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EBD6D8	0_2_05EBD6D8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EB267A	0_2_05EB267A
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFA140	0_2_05EFA140
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFBB88	0_2_05EFBB88
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFEA50	0_2_05EFEA50
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EF9A18	0_2_05EF9A18
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EF9D6D	0_2_05EF9D6D
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFAFA0	0_2_05EFAFA0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFAF90	0_2_05EFAF90
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFC840	0_2_05EFC840
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFBB78	0_2_05EFBB78
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EFEA40	0_2_05EFEA40
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05EF9A09	0_2_05EF9A09
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_060C0719	0_2_060C0719
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_060C0728	0_2_060C0728
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_060C0138	0_2_060C0138
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_060C0148	0_2_060C0148
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_0614E9C0	0_2_0614E9C0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_0614CAE8	0_2_0614CAE8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_06130006	0_2_06130006
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_06130040	0_2_06130040
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_0614F878	0_2_0614F878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00BEA454	1_2_00BEA454
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014AC164	4_2_014AC164
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A159C	4_2_014A159C
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A09B8	4_2_014A09B8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A8A90	4_2_014A8A90
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014AAD67	4_2_014AAD67
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A0C98	4_2_014A0C98
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A1EE0	4_2_014A1EE0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A43F8	4_2_014A43F8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A2218	4_2_014A2218
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A52A0	4_2_014A52A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A4408	4_2_014A4408
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A169A	4_2_014A169A
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A8A80	4_2_014A8A80
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A0D49	4_2_014A0D49
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014ADC60	4_2_014ADC60
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014ADC70	4_2_014ADC70
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A0CD2	4_2_014A0CD2
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A0C89	4_2_014A0C89
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_014A1F91	4_2_014A1F91
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06320001	4_2_06320001
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D6CC0	4_2_063D6CC0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D7247	4_2_063D7247
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D57A0	4_2_063D57A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D5790	4_2_063D5790
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D001E	4_2_063D001E
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D0040	4_2_063D0040
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D6CB1	4_2_063D6CB1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D65F0	4_2_063D65F0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063D69F0	4_2_063D69F0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06430040	4_2_06430040
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06430006	4_2_06430006
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0643E8D8	4_2_0643E8D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0654212F	4_2_0654212F
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06543748	4_2_06543748
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06542467	4_2_06542467
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06552688	4_2_06552688
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655B5E0	4_2_0655B5E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655267A	4_2_0655267A
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655C458	4_2_0655C458
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655C448	4_2_0655C448
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655B5D1	4_2_0655B5D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655F210	4_2_0655F210
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655F201	4_2_0655F201
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655F800	4_2_0655F800
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0655F802	4_2_0655F802
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659EA50	4_2_0659EA50
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06599A18	4_2_06599A18
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659BB88	4_2_0659BB88
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659A140	4_2_0659A140
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659AF90	4_2_0659AF90
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659AFA0	4_2_0659AFA0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06599D6D	4_2_06599D6D
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659EA40	4_2_0659EA40
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06599A09	4_2_06599A09
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659BB78	4_2_0659BB78
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_065923D8	4_2_065923D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659C840	4_2_0659C840
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06591118	4_2_06591118
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067EE9C0	4_2_067EE9C0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067ECAE8	4_2_067ECAE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067EF878	4_2_067EF878
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067D0040	4_2_067D0040
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067D0007	4_2_067D0007
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028DC164	7_2_028DC164
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D159C	7_2_028D159C
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D8A90	7_2_028D8A90
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D09B8	7_2_028D09B8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D1EE0	7_2_028D1EE0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D0C98	7_2_028D0C98
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028DAD67	7_2_028DAD67
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D52A0	7_2_028D52A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D2218	7_2_028D2218
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D43F8	7_2_028D43F8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D169A	7_2_028D169A
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D4408	7_2_028D4408
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D1F91	7_2_028D1F91
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D0C89	7_2_028D0C89
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D0CD2	7_2_028D0CD2
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028DDC60	7_2_028DDC60
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028DDC70	7_2_028DDC70
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_028D0D49	7_2_028D0D49
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC6CC0	7_2_05FC6CC0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC57A0	7_2_05FC57A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC6CB1	7_2_05FC6CB1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC0040	7_2_05FC0040
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC0006	7_2_05FC0006
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC5790	7_2_05FC5790
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FC7247	7_2_05FC7247
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06020006	7_2_06020006
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06020040	7_2_06020040
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0602E8D8	7_2_0602E8D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0613212F	7_2_0613212F
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06133748	7_2_06133748
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06132467	7_2_06132467
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06142688	7_2_06142688
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614B5E0	7_2_0614B5E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614267A	7_2_0614267A
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614C458	7_2_0614C458
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614C448	7_2_0614C448
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614B5D1	7_2_0614B5D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614F210	7_2_0614F210
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614F201	7_2_0614F201
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614F800	7_2_0614F800
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0614F802	7_2_0614F802
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06189A18	7_2_06189A18
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618EA50	7_2_0618EA50
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618BB88	7_2_0618BB88
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618A140	7_2_0618A140
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618AF93	7_2_0618AF93
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618AFA0	7_2_0618AFA0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06189D6D	7_2_06189D6D
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_06189A09	7_2_06189A09
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618EA40	7_2_0618EA40
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618BB78	7_2_0618BB78
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_061823D8	7_2_061823D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618C840	7_2_0618C840
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063DF878	7_2_063DF878
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063DE9C0	7_2_063DE9C0
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063DCAE8	7_2_063DCAE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063C0006	7_2_063C0006
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063C0040	7_2_063C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A92B88	8_2_02A92B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A938D0	8_2_02A938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A97040	8_2_02A97040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94AB6	8_2_02A94AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A80	8_2_02A94A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A9D	8_2_02A94A9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A92AF1	8_2_02A92AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A34	8_2_02A94A34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A07	8_2_02A94A07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A1A	8_2_02A94A1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A93A15	8_2_02A93A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A69	8_2_02A94A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A94A50	8_2_02A94A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A92B88	8_2_02A92B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A938D0	8_2_02A938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A949F2	8_2_02A949F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A9395D	8_2_02A9395D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A93EBD	8_2_02A93EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A93E87	8_2_02A93E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A93690	8_2_02A93690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A9560E	8_2_02A9560E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A93FD0	8_2_02A93FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05064DB0	8_2_05064DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050695B8	8_2_050695B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05068D31	8_2_05068D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05068D6F	8_2_05068D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05068D80	8_2_05068D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05064DA0	8_2_05064DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050695A8	8_2_050695A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05068F0F	8_2_05068F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050696EF	8_2_050696EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_05064B91	8_2_05064B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050B1020	8_2_050B1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050B20C8	8_2_050B20C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050B1357	8_2_050B1357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050E39F1	8_2_050E39F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050E1C38	8_2_050E1C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050FEEC8	8_2_050FEEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050F62B0	8_2_050F62B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_050F68F0	8_2_050F68F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C7040	10_2_053C7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C38D0	10_2_053C38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C2B88	10_2_053C2B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C3FD0	10_2_053C3FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C3EBD	10_2_053C3EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C3E87	10_2_053C3E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C395D	10_2_053C395D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C7039	10_2_053C7039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C2B78	10_2_053C2B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C38D0	10_2_053C38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C2B88	10_2_053C2B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_053C3A15	10_2_053C3A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D68E0	10_2_056D68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D68F0	10_2_056D68F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D60B9	10_2_056D60B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D5AD0	10_2_056D5AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D5AD0	10_2_056D5AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_056D62B0	10_2_056D62B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05754DB0	10_2_05754DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057595B8	10_2_057595B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05758D6F	10_2_05758D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05758D31	10_2_05758D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05754DA0	10_2_05754DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057595A8	10_2_057595A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05758D80	10_2_05758D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05758F0F	10_2_05758F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057596EF	10_2_057596EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05754B87	10_2_05754B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057F1020	10_2_057F1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057F20C8	10_2_057F20C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_057F1357	10_2_057F1357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_05821C38	10_2_05821C38

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000000.1670102950.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1822347169.000000000591A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807147952.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@3/1

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

File created: C:\Users\user\AppData\Roaming\wpappx.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\16904c6276731aa3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe	ReversingLabs: Detection: 34%
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

File read: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe"
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wpappx.exe "C:\Users\user\AppData\Roaming\wpappx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wpappx.exe "C:\Users\user\AppData\Roaming\wpappx.exe"
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, --.cs	.Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.3b0c030.3.raw.unpack, --.cs	.Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Obfuscated command line found

Source: unknown

Process created: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe"

Yara detected Costura Assembly Loader

Source: Yara match	File source: 10.2.InstallUtil.exe.41544e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.InstallUtil.exe.5770000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.InstallUtil.exe.3d444e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5da0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2446396240.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2435244126.000000000412C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824668881.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2928192880.0000000003D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wpappx.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wpappx.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1104, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05C82EA7 push esp; retf	0_2_05C82EA8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D3D1D7 pushfd ; ret	0_2_05D3D1E9
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D3234B pushfd ; retf	0_2_05D32351
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_05D9A291 push eax; ret	0_2_05D9A294
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_06131860 push eax; ret	0_2_06131861
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_0613714C push cs; ret	0_2_0613714F
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Code function: 0_2_061331B0 push edx; iretd	0_2_061331B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00B60175 push ecx; retf	1_2_00B60176
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_06322EA7 push esp; retf	4_2_06322EA8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_063DD1D6 pushfd ; ret	4_2_063DD1E9
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0643A291 push eax; ret	4_2_0643A294
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_065418B0 push es; ret	4_2_06541960
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0654F9F0 push es; ret	4_2_0654FA00
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659B779 push es; ret	4_2_0659B7A4
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659CF96 push es; iretd	4_2_0659CF98
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_0659E136 push es; iretd	4_2_0659E174
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067D1860 push eax; ret	4_2_067D1861
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067D714C push cs; ret	4_2_067D714F
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 4_2_067D31B0 push edx; iretd	4_2_067D31B7
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05F12EA7 push esp; retf	7_2_05F12EA8
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_05FCD1D6 pushfd ; ret	7_2_05FCD1E9
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0602A291 push eax; ret	7_2_0602A294
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_061318B0 push es; ret	7_2_06131960
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0613F9F0 push es; ret	7_2_0613FA00
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618B779 push es; ret	7_2_0618B7A4
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_0618CF97 push es; iretd	7_2_0618CF98
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063C1860 push eax; ret	7_2_063C1861
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063C714C push cs; ret	7_2_063C714F
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Code function: 7_2_063C31B0 push edx; iretd	7_2_063C31B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A918E7 push eax; retf	8_2_02A918ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 8_2_02A931B5 push 63E803ACh; iretd	8_2_02A931BA

Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.59b0000.5.raw.unpack, lQLmXMbHl8njJme4f0k.cs

High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'zFfbkJquEn', 'NtProtectVirtualMemory', 'Ihel4LWr9OlsDUXcCTi', 'DXLNrhWfGTQi3CMsqcC', 'GfcVLgWWi3LHIkuvgCg', 'vt335oW6qAJUHkS11q6'

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

File created: C:\Users\user\AppData\Roaming\wpappx.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wpappx			Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wpappx			Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wpappx.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wpappx.exe PID: 3052, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2026			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7830			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5740	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804	Thread sleep count: 2026 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804	Thread sleep count: 7830 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5928	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: wpappx.exe, 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807147952.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: InstallUtil.exe, 00000001.00000002.1817174501.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1817174501.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2444965514.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: qQXKlhGqeMuRaBW9e5O
Source: wpappx.exe, 00000004.00000002.2044541117.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2123213483.0000000000D27000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2919734175.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\wpappx.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D00000 protect: page execute and read and write

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: B60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: 700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: D00000	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D00000	Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Queries volume information: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Queries volume information: C:\Users\user\AppData\Roaming\wpappx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Queries volume information: C:\Users\user\AppData\Roaming\wpappx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
PO# EB202329720241007_Hardy_Process^^^^.pif.exe	34%	ReversingLabs
PO# EB202329720241007_Hardy_Process^^^^.pif.exe	33%	Virustotal	Browse
PO# EB202329720241007_Hardy_Process^^^^.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\wpappx.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wpappx.exe	34%	ReversingLabs
C:\Users\user\AppData\Roaming\wpappx.exe	33%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
puritylgs.duckdns.org	4%	Virustotal		Browse
cdn.glitch.global	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC	2%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://cdn.glitch.global	6%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
puritylgs.duckdns.org	89.238.176.5	true	true	4%, Virustotal, Browse	unknown
cdn.glitch.global	unknown	unknown	true	5%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC&	wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://github.com/mgravell/protobuf-net	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mgravell/protobuf-neti	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/14436606/23354	InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003DFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.glitch.global	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	true	6%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC	PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	true	2%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.238.176.5	puritylgs.duckdns.org	United Kingdom		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528611
Start date and time:	2024-10-08 04:27:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/3@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 469 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 151.101.2.132, 151.101.66.132, 151.101.130.132, 151.101.194.132
Excluded domains from analysis (whitelisted): ocsp.digicert.com, j.sni.global.fastly.net, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:28:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wpappx C:\Users\user\AppData\Roaming\wpappx.exe
03:28:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wpappx C:\Users\user\AppData\Roaming\wpappx.exe
22:28:36	API Interceptor	218092x Sleep call for process: InstallUtil.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
puritylgs.duckdns.org	PO_DIT1209240001212092900007^^.pif.exe	Get hash	malicious	Unknown	Browse	89.238.176.6
puritylgs.duckdns.org	REV-New Order 20240717^^^^^^^^^^^^^^^^^^.pif.exe	Get hash	malicious	PureLog Stealer	Browse	193.187.91.208

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	NEW INVOICE.exe	Get hash	malicious	FormBook	Browse	45.150.55.15
	Quotation request YN2024-10-07pdf.vbs	Get hash	malicious	Remcos	Browse	172.111.244.100
	Urgent Purchase Order (P.O.) No.477764107102024.vbs	Get hash	malicious	Remcos	Browse	172.111.244.100
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	38.206.46.29
	17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe	Get hash	malicious	Remcos	Browse	185.236.203.101
	na.rtf	Get hash	malicious	Remcos	Browse	185.236.203.101
	file.dll	Get hash	malicious	Matanbuchus	Browse	193.109.85.31
	file.dll	Get hash	malicious	Matanbuchus	Browse	193.109.85.31
	Booking_0106.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70
	DSpWOKW7zn.rtf	Get hash	malicious	Remcos	Browse	185.236.203.101

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Roaming\wpappx.exe

Download File

Process:	C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	688640
Entropy (8bit):	6.762817122635475
Encrypted:	false
SSDEEP:	12288:9PDyLTOntK+KZxfKjfFh76v3wd1QOmyAKJMMK/y8MsT1:9LgTOnYjxijfFh77d1QOpJU/5
MD5:	6145C8269F1675712B844D8AC1980287
SHA1:	7F37641603386F8B96EDCF91A4D32D3F4A5D40CD
SHA-256:	93548239884F6D9F3EA7240DBF34BEAA81BCD4F3C122454E81D9E1E433C804F0
SHA-512:	434D634928458C55A3B27D7B686D2BA20F77432C323B540EA9464FB3B61C51079C6E60F5A4A01D8EF1E60A2208FB189A85CF130DB760E43D5C1DF893F3DE0DD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 33%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g.................v.............. ........@.. ....................................`.....................................W.......`............................................................................ ............... ..H............text....t... ...v.................. ..`.rsrc...`............x..............@..@.reloc..............................@..B.......................H........]...6..........D...TH............................................(....*.0........... ....=......x0l..;......;......eYE............................................'...1...;...E...O...Y...c...m...w.......8`.... ....YE....V...`...j...t...~.................... -...YE................................. ....YE....................................8..... ....=..... ....YE........................................................ .... Y...YE....................................&...

C:\Users\user\AppData\Roaming\wpappx.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.762817122635475
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO# EB202329720241007_Hardy_Process^^^^.pif.exe
File size:	688'640 bytes
MD5:	6145c8269f1675712b844d8ac1980287
SHA1:	7f37641603386f8b96edcf91a4d32d3f4a5d40cd
SHA256:	93548239884f6d9f3ea7240dbf34beaa81bcd4f3c122454e81d9e1e433c804f0
SHA512:	434d634928458c55a3b27d7b686d2ba20f77432c323b540ea9464fb3b61c51079c6e60f5a4a01d8ef1e60a2208fb189a85cf130db760e43d5c1df893f3de0dd9
SSDEEP:	12288:9PDyLTOntK+KZxfKjfFh76v3wd1QOmyAKJMMK/y8MsT1:9LgTOnYjxijfFh77d1QOpJU/5
TLSH:	7BE4E6BEED0F7D6ED64D0EBA508A5848C7BCA42941C3972993435DE87203B2E578235F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.g.................v............... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a94e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67047080 [Mon Oct 7 23:36:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa948c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x660	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa74ec	0xa7600	d2cab939301db50d1530cbb9e301815f	False	0.5255787901418969	data	6.7681380739989025	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x660	0x800	feaebdf2a9641fe2c5d09a189ef3aec6	False	0.32958984375	data	4.580827930290116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	43c76f64735256763bde26c10d79a07d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xaa0a0	0x40c	data			0.3581081081081081
RT_MANIFEST	0xaa4ac	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators			0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T04:28:37.021260+0200	2857345	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.4	49739	89.238.176.5	50600	TCP
2024-10-08T04:28:58.400411+0200	2857345	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.4	49747	89.238.176.5	50600	TCP
2024-10-08T04:29:19.782484+0200	2857345	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.4	49879	89.238.176.5	50600	TCP
2024-10-08T04:29:41.289415+0200	2857345	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.4	50010	89.238.176.5	50600	TCP
2024-10-08T04:30:02.663221+0200	2857345	ETPRO MALWARE Win32/zgRAT CnC Checkin	1	192.168.2.4	50011	89.238.176.5	50600	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 04:28:36.998100996 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:37.002922058 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:37.002988100 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:37.015937090 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:37.021159887 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:37.021260023 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:37.026607037 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.031554937 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.036489010 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.036604881 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.041409016 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.361759901 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.361905098 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.380660057 CEST	49739	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.385694981 CEST	50600	49739	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.387968063 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.392925024 CEST	50600	49747	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.393033981 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.395493984 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.400348902 CEST	50600	49747	89.238.176.5	192.168.2.4
Oct 8, 2024 04:28:58.400410891 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:28:58.405169010 CEST	50600	49747	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:19.770091057 CEST	50600	49747	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:19.770251036 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.770451069 CEST	49747	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.771608114 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.775233984 CEST	50600	49747	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:19.776426077 CEST	50600	49879	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:19.776514053 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.777633905 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.782404900 CEST	50600	49879	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:19.782484055 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:19.787270069 CEST	50600	49879	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:41.160428047 CEST	50600	49879	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:41.160522938 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.160691023 CEST	49879	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.165404081 CEST	50600	49879	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:41.278708935 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.283618927 CEST	50600	50010	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:41.283708096 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.284513950 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.289352894 CEST	50600	50010	89.238.176.5	192.168.2.4
Oct 8, 2024 04:29:41.289414883 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:29:41.294296026 CEST	50600	50010	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:02.644900084 CEST	50600	50010	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:02.649701118 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.650109053 CEST	50010	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.652318954 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.654949903 CEST	50600	50010	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:02.657248974 CEST	50600	50011	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:02.657386065 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.658210039 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.663156986 CEST	50600	50011	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:02.663220882 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:02.668128014 CEST	50600	50011	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:04.985654116 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:04.990956068 CEST	50600	50011	89.238.176.5	192.168.2.4
Oct 8, 2024 04:30:04.991019964 CEST	50011	50600	192.168.2.4	89.238.176.5
Oct 8, 2024 04:30:04.996239901 CEST	50600	50011	89.238.176.5	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 04:27:58.944983006 CEST	60790	53	192.168.2.4	1.1.1.1
Oct 8, 2024 04:28:36.859030962 CEST	63981	53	192.168.2.4	1.1.1.1
Oct 8, 2024 04:28:36.995460987 CEST	53	63981	1.1.1.1	192.168.2.4
Oct 8, 2024 04:29:41.161436081 CEST	55933	53	192.168.2.4	1.1.1.1
Oct 8, 2024 04:29:41.277702093 CEST	53	55933	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 04:27:58.944983006 CEST	192.168.2.4	1.1.1.1	0x1181	Standard query (0)	cdn.glitch.global	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:28:36.859030962 CEST	192.168.2.4	1.1.1.1	0xe9ca	Standard query (0)	puritylgs.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:29:41.161436081 CEST	192.168.2.4	1.1.1.1	0xbee1	Standard query (0)	puritylgs.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 04:27:59.112066984 CEST	1.1.1.1	192.168.2.4	0x1181	No error (0)	cdn.glitch.global	j.sni.global.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 04:28:36.995460987 CEST	1.1.1.1	192.168.2.4	0xe9ca	No error (0)	puritylgs.duckdns.org		89.238.176.5	A (IP address)	IN (0x0001)	false
Oct 8, 2024 04:29:41.277702093 CEST	1.1.1.1	192.168.2.4	0xbee1	No error (0)	puritylgs.duckdns.org		89.238.176.5	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	22:27:58
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe"
Imagebase:	0x4c0000
File size:	688'640 bytes
MD5 hash:	6145C8269F1675712B844D8AC1980287
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1824668881.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:28:11
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x790000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:28:11
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:28:21
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\wpappx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wpappx.exe"
Imagebase:	0xb40000
File size:	688'640 bytes
MD5 hash:	6145C8269F1675712B844D8AC1980287
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs Detection: 33%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:28:30
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Roaming\wpappx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wpappx.exe"
Imagebase:	0x730000
File size:	688'640 bytes
MD5 hash:	6145C8269F1675712B844D8AC1980287
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:28:35
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x430000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2928192880.0000000003D44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:28:35
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	22:28:43
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x900000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2446396240.0000000005770000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2435244126.000000000412C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:28:43
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	95%
Signature Coverage:	10.3%
Total number of Nodes:	301
Total number of Limit Nodes:	11

Executed Functions

Function 05EA212F Relevance: 16.1, Strings: 12, Instructions: 1138COMMON

Download Yara Rule

Strings

$fq, xrefs: 05EA2A11
$fq, xrefs: 05EA2A7A
,jq, xrefs: 05EA2BFA
$fq, xrefs: 05EA2587
$fq, xrefs: 05EA2A6A
4, xrefs: 05EA2B15
$fq, xrefs: 05EA2A21
$fq, xrefs: 05EA2647
$fq, xrefs: 05EA23D3
$fq, xrefs: 05EA23C3
$fq, xrefs: 05EA2597
$fq, xrefs: 05EA2637

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq$4$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-2524271925
Opcode ID: f91ffddcfc817e17d8c3d0b50bff150b35e46241ff243a8261b578dfc899ebb8
Instruction ID: 9ce5ae850338cf5b1f8d6f5cc56887abcc564dcef926288de5a1c3882aa1865d
Opcode Fuzzy Hash: f91ffddcfc817e17d8c3d0b50bff150b35e46241ff243a8261b578dfc899ebb8
Instruction Fuzzy Hash: CEB21779A00218CFDB14DFA4C884BADB7B6FF48704F149599E646AB2A5DB70EC81CF50

Function 05EA2467 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$fq, xrefs: 05EA2A11
,jq, xrefs: 05EA2BFA
$fq, xrefs: 05EA2587
$fq, xrefs: 05EA2A6A
4, xrefs: 05EA2B15
$fq, xrefs: 05EA2637

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq$4$$fq$$fq$$fq$$fq
API String ID: 0-2005009869
Opcode ID: f867e8ac98ff1073e82e0ea86e79941908380b42ba5143fe42f85d821aa86a09
Instruction ID: 8e7c675068a6a6ce3c363374580ba5918bd0609ca07f915d62c399f15442235e
Opcode Fuzzy Hash: f867e8ac98ff1073e82e0ea86e79941908380b42ba5143fe42f85d821aa86a09
Instruction Fuzzy Hash: FA222C79A00214CFEB24DFA4C994BADB7B2FF48304F149099E549AB2A5DB70ED81CF50

Function 027C8A90 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbiq, xrefs: 027C8BBD
Tefq, xrefs: 027C91B3
pjq, xrefs: 027C964A
TJkq, xrefs: 027C8C32

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: TJkq$Tefq$pjq$xbiq
API String ID: 0-513662044
Opcode ID: f67cdedb0b59697d1ce13f1084d765dfb2c29bc4209fa2453c32089992a0f752
Instruction ID: 54de7a26d730ec82d42aeca0be557aa7a56d39b636faf6c3b453cdbde285845c
Opcode Fuzzy Hash: f67cdedb0b59697d1ce13f1084d765dfb2c29bc4209fa2453c32089992a0f752
Instruction Fuzzy Hash: 31A2E575A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Function 05EA5B50 Relevance: 3.1, Strings: 2, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 05EA5E1E
Plfq, xrefs: 05EA5D38

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Plfq$$fq
API String ID: 0-502218747
Opcode ID: 66724850d883826ff41b356028633cbcaf1db3874003c8b9af8c0f59ad143c22
Instruction ID: 94c3f65fdbf78ba25e4e7fce8cee403919ff0ef588037561418b25ec858603ef
Opcode Fuzzy Hash: 66724850d883826ff41b356028633cbcaf1db3874003c8b9af8c0f59ad143c22
Instruction Fuzzy Hash: 4C323575B002048FDB14DF79C588A6A7BF6BF89304B2594A9E546CF3A5EB30EC41CB61

Function 027C0C98 Relevance: 3.1, Strings: 2, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\sfq, xrefs: 027C0F45
LRfq, xrefs: 027C0D70

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: 17326e91fd773a1ecbbd0ce8022565d5c7555f440353889813b66a7cd0025e20
Instruction ID: 43f4c3110859dfcdbba7a57d063f0ee896d0b2970b8689ce82d3b0000f3586a2
Opcode Fuzzy Hash: 17326e91fd773a1ecbbd0ce8022565d5c7555f440353889813b66a7cd0025e20
Instruction Fuzzy Hash: D0325A74E0022A8FDB54DF79D894AAEB7F2FF88300F518669D40AEB255DB309945CF90

Function 05EFBB88 Relevance: 3.0, Strings: 2, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 05EFBC94
fkq, xrefs: 05EFBCA7

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: fkq$8
API String ID: 0-3236039973
Opcode ID: 9cbb13259c39d38d6d22845d170cdc01c5c5e425134043355120b854489c3b06
Instruction ID: 9db03cb775c424da1fce8e3316e22327be6c1a0cea04b4c215bd2c35e893806c
Opcode Fuzzy Hash: 9cbb13259c39d38d6d22845d170cdc01c5c5e425134043355120b854489c3b06
Instruction Fuzzy Hash: 3242E375D006298FDB64DF69C850AD9B7B2FF89300F1086EAD54DA7254EB30AE85CF90

Function 027C0C89 Relevance: 2.9, Strings: 2, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\sfq, xrefs: 027C0F45
LRfq, xrefs: 027C0D70

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: d0f4913b7783cf3cad2131a1c3b2698e09e365b6b8635fb96c5a6fb6de0c8315
Instruction ID: fa590aafac28c8be1b78c953680ec6ba5663376ca9444438067120831916219e
Opcode Fuzzy Hash: d0f4913b7783cf3cad2131a1c3b2698e09e365b6b8635fb96c5a6fb6de0c8315
Instruction Fuzzy Hash: C8E15A75E0022A8FDB54DF79D884AAEB7F2BF88310F11CA69D405EB259DB309945CF90

Function 027C0CD2 Relevance: 2.9, Strings: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\sfq, xrefs: 027C0F45
LRfq, xrefs: 027C0D70

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: f86a0044e795dbc7aa49a5eef695bbf6619a65b4517f6640f7de6d74e0b87af7
Instruction ID: a3821412aa144c0b6c3bf5ec777e7838aeec6f366ce6408f71893e484d074805
Opcode Fuzzy Hash: f86a0044e795dbc7aa49a5eef695bbf6619a65b4517f6640f7de6d74e0b87af7
Instruction Fuzzy Hash: FED16C75E0022A8FDB54DF79D880AAEB7F2FF88304F118A69D405EB258DB309945CF90

Function 027C0D49 Relevance: 2.8, Strings: 2, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\sfq, xrefs: 027C0F45
LRfq, xrefs: 027C0D70

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: 11cd34f357f16063a69cffdba2598284f07a1148281be54e8135d2f225f931a8
Instruction ID: 34b306a9ccee38a96f6d32e4e3d9a13de249a95cd4ab8eccfc942940bb1d32e1
Opcode Fuzzy Hash: 11cd34f357f16063a69cffdba2598284f07a1148281be54e8135d2f225f931a8
Instruction Fuzzy Hash: A1D15C75E0022A8FDB54DF79D884AAEB7F2BF88300F15CA69D405EB258DB309945DF90

Function 05EFBB78 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 05EFBC88
fkq, xrefs: 05EFBCA7

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: fkq$h
API String ID: 0-2877906129
Opcode ID: 586aec54a72ba06b60a5be19870e1c9e54fb61fca8b8cfb781e3f10f02548c50
Instruction ID: 64638f8e4c8cb393c1a86b6db204a47e275aeaab74090b8be4624ce5b574bd9d
Opcode Fuzzy Hash: 586aec54a72ba06b60a5be19870e1c9e54fb61fca8b8cfb781e3f10f02548c50
Instruction Fuzzy Hash: A6610671D006298BEB64DF6AC840BD9FBB6BF88310F14D2EAD54CA7254EB305A85CF50

Function 027CAD67 Relevance: 2.3, Strings: 1, Instructions: 1085COMMON

Download Yara Rule

Strings

2, xrefs: 027CB8B8

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: c9bdaa3de416af1b14e9e554f4a67afead5e82105a61902837b3d275af2ef65a
Instruction ID: 20cf2e254e4dd5f3f0a9b25bd39e278faec332c55e1eb36af3dc71a23e18f1c7
Opcode Fuzzy Hash: c9bdaa3de416af1b14e9e554f4a67afead5e82105a61902837b3d275af2ef65a
Instruction Fuzzy Hash: BEC2B1B4E002288FCB65DF69C984B9DBBB6FB89304F1081E9D509AB355DB309E85CF54

Function 027C159C Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LRfq, xrefs: 027C1930

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: ed143766453591f9691ea7e376b349f96537698d2ddf28aa3cfe7ba3adf5b916
Instruction ID: 3df993869f6f6be64bf8c49483e005068bc4c437b5b4f5d482ee118ebb1aa312
Opcode Fuzzy Hash: ed143766453591f9691ea7e376b349f96537698d2ddf28aa3cfe7ba3adf5b916
Instruction Fuzzy Hash: DFF19B71E041298FDB14CF68C890BADBBF2BF84314F6985ADD059AB296D734AD81CF50

Function 05EB0A50 Relevance: 1.7, APIs: 1, Instructions: 151nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 05EB0B52

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9ed7c4e392e5c995eae0dc0410b7f85721ad6f75437d32d2a3568170b89d8172
Instruction ID: 12508e0b4937620deea94750190003f7560f0e97ad02877435f8e5392e171b3b
Opcode Fuzzy Hash: 9ed7c4e392e5c995eae0dc0410b7f85721ad6f75437d32d2a3568170b89d8172
Instruction Fuzzy Hash: 1F5189B9D042499FCF10CFA9D980ADEFBF1BB19314F24A02AE818B7210D735A955DF58

Function 05EB0A58 Relevance: 1.6, APIs: 1, Instructions: 148nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 05EB0B52

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 28e832f9168471ce019d5e4221b8c7b40cf1263c8f76af9c26999c6f6611b66b
Instruction ID: 1e4bdf428e2de1b760329a4c939f220d7a5ce202b7d389b65557107df0673811
Opcode Fuzzy Hash: 28e832f9168471ce019d5e4221b8c7b40cf1263c8f76af9c26999c6f6611b66b
Instruction Fuzzy Hash: 814189B9D042489FCF10CFA9D9809DEFBF1BB19314F20A02AE818B7210D735A955DF58

Function 0614E9C0 Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

Tefq, xrefs: 0614EC74

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: df6a603d1b16c80ef83f811cc6a2022f9a2f84ff033a90ccd40c25e7b78648a7
Instruction ID: da69903bda403d8cadf6531e1008a2728dcb64b593e7c98cf3d7b012ea716673
Opcode Fuzzy Hash: df6a603d1b16c80ef83f811cc6a2022f9a2f84ff033a90ccd40c25e7b78648a7
Instruction Fuzzy Hash: D102E374E05218CFEB68EF6AC844BADBBF2BF89300F1185AAD50DA7254DB705985CF40

Function 05EB0C21 Relevance: 1.6, APIs: 1, Instructions: 117nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 05EB0CFB

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: db1c52ef317a968648cc525ab3d1f242f74236b8f27487315f17c1e6d35f437e
Instruction ID: fa1f8f6b43b65d84d7c3db0eba2865b4682f23d708986a24e06daf7a91d70361
Opcode Fuzzy Hash: db1c52ef317a968648cc525ab3d1f242f74236b8f27487315f17c1e6d35f437e
Instruction Fuzzy Hash: 4A4197B5D012489FDF10CFA9D984ADEFBF1BB49314F20902AE819BB250D775A905CF64

Function 05EB0C28 Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 05EB0CFB

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d67043444ade448c4e5accb3d4b369fcf619757ee4e948f8006bc65cdac431a4
Instruction ID: 99a2c6c1bfa8eb6c84df44a8cd421ba322e969d74aaf2209a53406810208e83b
Opcode Fuzzy Hash: d67043444ade448c4e5accb3d4b369fcf619757ee4e948f8006bc65cdac431a4
Instruction Fuzzy Hash: E441A7B4D012489FDF00CFA9D984ADEFBF1BB49310F20902AE819BB210D775A905CF64

Function 05EB08D8 Relevance: 1.6, APIs: 1, Instructions: 114memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 05EB099D

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 88eeb31a8fa646a12a6dd1d4613ac95b8db5bfb46ef7363d9531219980967f09
Instruction ID: e7a4947f1e25acd05f439ad08a7cc48c686146dd8681ccbc7816fc2cee314134
Opcode Fuzzy Hash: 88eeb31a8fa646a12a6dd1d4613ac95b8db5bfb46ef7363d9531219980967f09
Instruction Fuzzy Hash: 3F4198B5D042599FDF10CFA9D985ADEFBB1BB59320F10A02AE818B7310D775A901CF54

Function 05EB08E0 Relevance: 1.6, APIs: 1, Instructions: 111memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 05EB099D

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9c1651f04691c07b5240fa844667545b0941ceec04489dbc22b990ab8c2d7969
Instruction ID: d22400682c3243aeca79f4cd07d648f5313298b38e6c122d04ccd8ce533f350d
Opcode Fuzzy Hash: 9c1651f04691c07b5240fa844667545b0941ceec04489dbc22b990ab8c2d7969
Instruction Fuzzy Hash: A44197B9D042599FDF10CFA9D984ADEFBB1BB49320F20A02AE818B7210D775A901CF54

Function 05EFECE8 Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05EFEDA5

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 50202e08754af7155b6949ce0679dc7bc7f5e78bc823ade996322154a415abba
Instruction ID: 706f77faa4f5e1aa2819234a5e265f9e67450e763bd100ced9b134a016aa97af
Opcode Fuzzy Hash: 50202e08754af7155b6949ce0679dc7bc7f5e78bc823ade996322154a415abba
Instruction Fuzzy Hash: 4941AAB5D002589FCF10CFA9D981ADEFBB5BB59320F10A02AE818B7310D735A905CF64

Function 05EFECF0 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05EFEDA5

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e10c4b44857f4b357d666ac2d5e6568434397f94a6c244e9811ffd16c15be79b
Instruction ID: 05589b46ee870db7c173b3c3dc1cd3f19d6c0dc3044af68e02c25d9b9d7e0e0c
Opcode Fuzzy Hash: e10c4b44857f4b357d666ac2d5e6568434397f94a6c244e9811ffd16c15be79b
Instruction Fuzzy Hash: 354187B4D002599FCF10CFAAD980ADEFBB5BB49320F10A02AE919B7310D735A905CF64

Function 05EF9A18 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

PHfq, xrefs: 05EF9CFA

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: e7a243cf6af56532cab74b0c2006ec80a95389ba116f57afbb6be66f578d076f
Instruction ID: 808cd02501bbbc4c55b8218f376a588c5a5910fe408be9dbd192019e26d81b51
Opcode Fuzzy Hash: e7a243cf6af56532cab74b0c2006ec80a95389ba116f57afbb6be66f578d076f
Instruction Fuzzy Hash: 51C1C870D05218CFEB24DF69D884BADBBF2BF89304F2090A9D589E7256EB705985CF14

Function 05EF9A09 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

PHfq, xrefs: 05EF9CFA

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: bd544de6a48379e16f841440beed9e8f61c55c48fdb01966a6a2e14834874818
Instruction ID: a52cd23639770b0bbdce4b264e952fb5cb5650b97f37d88ca0bb775c0ab06633
Opcode Fuzzy Hash: bd544de6a48379e16f841440beed9e8f61c55c48fdb01966a6a2e14834874818
Instruction Fuzzy Hash: CDC1E970D05218CFEB24DF69D884BADBBF2BF89304F2490A9D189E7256EB744985CF14

Function 05D36CC0 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

Tefq, xrefs: 05D36E8A

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 71acb3f7f41f1afb3a11c4f84ca5c86d6f9ebaa842440f20d54b447e0f286a21
Instruction ID: c0c6f5b60ade66e0afab83e788a72350848e80e476c8b6344aa7261c148f6b85
Opcode Fuzzy Hash: 71acb3f7f41f1afb3a11c4f84ca5c86d6f9ebaa842440f20d54b447e0f286a21
Instruction Fuzzy Hash: 5CA1D270E05218DFDB14DFA9D886BADBBF2FF89304F10906AE409A7255DB749989CF00

Function 05D36CBB Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

Tefq, xrefs: 05D36E8A

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 22fa0ba205aa18f4f9c600f4af6905d77f330f99f526d9dd4304ad580d3db340
Instruction ID: 4cb458425d2cbeedec8584a6a3cbc7742d407178d2caf2bda11497b98a97d470
Opcode Fuzzy Hash: 22fa0ba205aa18f4f9c600f4af6905d77f330f99f526d9dd4304ad580d3db340
Instruction Fuzzy Hash: F9A1C170E05218DFDB14DFA9D885B9DBBF2BF89304F10806AE419A7355DB749985CF40

Function 027C169A Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

LRfq, xrefs: 027C1930

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: a289721c6e483c12118d941a66f9e01fd8872286fe421b6014896246a3866ad8
Instruction ID: 94f7ebe383eaf98cbf5bec17f940788ca55a1eb0772f17d52700a68477f35377
Opcode Fuzzy Hash: a289721c6e483c12118d941a66f9e01fd8872286fe421b6014896246a3866ad8
Instruction Fuzzy Hash: CC916E30E041198FDB14CF68C990BADB7B2BF84314F69C5ADD049AB286D734AD81CF94

Function 027C09B8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\sfq, xrefs: 027C0B2D

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: 6d92b46d321f56a779262783c3da619263d31e3e3c01d88e2bcf75e45cf031dd
Instruction ID: ce853214a0229f9619872fc6b7e08e709ca47f0b2e8f6c741d0113341cd3891e
Opcode Fuzzy Hash: 6d92b46d321f56a779262783c3da619263d31e3e3c01d88e2bcf75e45cf031dd
Instruction Fuzzy Hash: 9481E8B8E4010ADFDF14DFA9E5849BEBBF1BF48314F206659D402EB290DB319941CB60

Function 05EF9D6D Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

PHfq, xrefs: 05EF9CFA

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 682ffbb44d48b2c0686e8009bcede8bc3209576f6c6594c045a360f492ecd6e3
Instruction ID: 05ec03cd6fa902fbc89ad35fee482ccb0be61a1fbb0fbd774f8d319a9d636a59
Opcode Fuzzy Hash: 682ffbb44d48b2c0686e8009bcede8bc3209576f6c6594c045a360f492ecd6e3
Instruction Fuzzy Hash: DC81C870D05218CFEB24DFA9D884BADBBF2BF85308F20A069D189E7256DB754984CF05

Function 05EFA140 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

4|kq, xrefs: 05EFA27C

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4|kq
API String ID: 0-2733494808
Opcode ID: 11d319775e0ca8ef54b7d2ba6ea698a1323e96bfd0fa4aa82ed8c2570053c1c3
Instruction ID: bb0b3b0149963818efdec7e7e2ac853e4744968fcea20ee9d79ea3b0caf80d1d
Opcode Fuzzy Hash: 11d319775e0ca8ef54b7d2ba6ea698a1323e96bfd0fa4aa82ed8c2570053c1c3
Instruction Fuzzy Hash: 1471F5B4E052288FEB64CF69D844BEDBBF2BB89314F0090A9D14DAB251DB705E85CF11

Function 027CC164 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c79c2540acf30d6e945e8a88c7fe4191a0d1704672dbe9c916694ecaecc31c2
Instruction ID: 7024685beb0561c5d37fa417336130b0f17dd590187e2f10766b973045624ba8
Opcode Fuzzy Hash: 6c79c2540acf30d6e945e8a88c7fe4191a0d1704672dbe9c916694ecaecc31c2
Instruction Fuzzy Hash: DE32B5B4A042298FCB65DF28C984B99BBB6FF48304F1095D9E94DA7351DB30AE81CF54

Function 05EB267A Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e2d132faa53b4210811c9e67206d39374b011d0b574e6a8b32c42dcf87bb50
Instruction ID: 156272d9d50c8633116ac3656e0a749eb7565ed829cae52a3321b7b41ca82ada
Opcode Fuzzy Hash: e2e2d132faa53b4210811c9e67206d39374b011d0b574e6a8b32c42dcf87bb50
Instruction Fuzzy Hash: F9D11474E04218CFEB54DFA9D884BEEBBB2FF48305F1090AAD149AB294DB745985CF11

Function 05EB2688 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8130fe4cd570a7389232d6eb3584d1b1e69aa516bad93956082db2f10905ebb0
Instruction ID: c67062ae806692c91a236f065356c534702ee8e0a64604ce832010852fc76282
Opcode Fuzzy Hash: 8130fe4cd570a7389232d6eb3584d1b1e69aa516bad93956082db2f10905ebb0
Instruction Fuzzy Hash: 00D11374E04218CFEB54DFA5D844BEEBBB2FF48305F0090AAD249AB294DB745985CF15

Function 05EBC44B Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c881d6313e9b2ebae6003538440a7fb01dea9b4724696bee174ef4ab99723981
Instruction ID: ba3fe8b71edd38cb3b891f538408623a5bf1759b40ef129893e529bfd5ac0ef2
Opcode Fuzzy Hash: c881d6313e9b2ebae6003538440a7fb01dea9b4724696bee174ef4ab99723981
Instruction Fuzzy Hash: 85C1E070E09219CFEB54DF69D944BEEBBB2BF89305F20A0A9D049A7245DB745E81CF01

Function 05EBC458 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3528e35e152739d78bffac9005dc76113c0ee6735a5e5ab42e5f1d96509bffd2
Instruction ID: af1efe4a6afa7769f60a88361525ef0f4cbff3805f4f97588aedcd58cea37ec2
Opcode Fuzzy Hash: 3528e35e152739d78bffac9005dc76113c0ee6735a5e5ab42e5f1d96509bffd2
Instruction Fuzzy Hash: 7BC1F170E09219CFEB54DF69D944BEEBBB2BF89305F20A0A9D049A7245DB745E81CF01

Function 027C1EE0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d3c1ab1a144fd99d4c8d92d47db3feec397e2c510db12599aa9cc55c055ebc
Instruction ID: 6c334a7274d5883a976b23ea193c8e014688e9e16b9cf93b28d4ed8c01fb9482
Opcode Fuzzy Hash: 18d3c1ab1a144fd99d4c8d92d47db3feec397e2c510db12599aa9cc55c055ebc
Instruction Fuzzy Hash: E0916036F106158FC754DB69D890A9EB7E3AFC8710F298179E409DB3A6DB30DC018B90

Function 027C1F91 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826d2419e50d5958638921e97d7721c15d4cb1dda3cda9ccf61d84c66c4b18a9
Instruction ID: 80949bf7e735736a8c9901a97adb99fc6c7f3fe7af4e12dad7a4a39350dc5861
Opcode Fuzzy Hash: 826d2419e50d5958638921e97d7721c15d4cb1dda3cda9ccf61d84c66c4b18a9
Instruction Fuzzy Hash: 5E612F36F105258FD754DB69CC80B5EB3E3AFD4711F1A8168E4099B36ADE34EC419B90

Function 05EFEA40 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d9e055deff52ff4d8c9942966863990cd53223283ae4075bdd8cb596dfa27f
Instruction ID: 1f38adaf12fec3704500218309809e37558fdbc35f7db11ed4e41dc1f2a50f3b
Opcode Fuzzy Hash: 36d9e055deff52ff4d8c9942966863990cd53223283ae4075bdd8cb596dfa27f
Instruction Fuzzy Hash: 0D81E870E00209DFDB44DFA9D584AAEBBF6FF88300F149029E555AB364DB34A945CF60

Function 05EFEA50 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7601039b16b8dcb31a98076b70fbf4a8775ee6485fd3fc8f4cbe746555b42fe7
Instruction ID: 1aedbea49619b265b70f7e99766311cd895f282ccc0176a82eebeca64af5a233
Opcode Fuzzy Hash: 7601039b16b8dcb31a98076b70fbf4a8775ee6485fd3fc8f4cbe746555b42fe7
Instruction Fuzzy Hash: C171D870E00209DFDB44DFA9D584AAEBBF6FF88304F149029E519AB364DB74A945CF60

Function 05EA82F0 Relevance: 4.2, Strings: 3, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hjq, xrefs: 05EA8844
Hjq, xrefs: 05EA87F4
Hjq, xrefs: 05EA87C5

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Hjq$Hjq$Hjq
API String ID: 0-2296473396
Opcode ID: 1a6d6518c2dc956e27a059bb275db5e4983ae71281fe4b5c5a0b4036190b412f
Instruction ID: 1ba2df733d333bd4bd6549c99e72156b069e63776b0b82e173df857346261647
Opcode Fuzzy Hash: 1a6d6518c2dc956e27a059bb275db5e4983ae71281fe4b5c5a0b4036190b412f
Instruction Fuzzy Hash: 4E026E72A042048FDB25DFB5D494AAEBBF2FF88304F14952DE4869B391DB35AC45CB60

Function 05EA9FA8 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 05EAA1C2
4'fq, xrefs: 05EAA321
4'fq, xrefs: 05EAA2A1

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq
API String ID: 0-3646979650
Opcode ID: fe1f9e7334838b4ad7448f7184cff7f2de4e250ae07342e50a6f2feb41408cdf
Instruction ID: e45be4f16c3c3c5906d6d7c6cf3af3c89077bda96b6a903953c5b623f57cbdce
Opcode Fuzzy Hash: fe1f9e7334838b4ad7448f7184cff7f2de4e250ae07342e50a6f2feb41408cdf
Instruction Fuzzy Hash: E2F1E935B10218CFCB04DFA4D998AADBBB2FF88304F519169E446AB365DB71EC42CB50

Function 05C80D98 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05C81559
4'fq, xrefs: 05C81549

Memory Dump Source

Source File: 00000000.00000002.1823685044.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 07eacc42b303ff5eb19868c09bbb7a3ee473a5e90ad58fcb2921853650bbdeee
Instruction ID: 63b5badbbd9600d81494012f79a0f2475e0bde2c10ae6067445180eb39bdd62a
Opcode Fuzzy Hash: 07eacc42b303ff5eb19868c09bbb7a3ee473a5e90ad58fcb2921853650bbdeee
Instruction Fuzzy Hash: 9C42F574E04209CFCF18EBA5D499ABEBBB2FF89309F14881AD512A7350DB345986CF51

Function 05EA4859 Relevance: 3.0, Strings: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 05EA4B83
$fq, xrefs: 05EA4B73

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 02d93bb9031c3bc28002be06d98da11141661425a1763ea3e56c912e2333bf59
Instruction ID: 4aa4ca5f8ede356d4c1860e87661fe071e6164730d7bb2f4e24ec5a8c6bcba36
Opcode Fuzzy Hash: 02d93bb9031c3bc28002be06d98da11141661425a1763ea3e56c912e2333bf59
Instruction Fuzzy Hash: 2C129C35E006598FDF15DFA5C884AEDBBB2FF48308F148415E882AB395DBB4A946CF50

Function 05C818C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 05C81D66
4'fq, xrefs: 05C81D56

Memory Dump Source

Source File: 00000000.00000002.1823685044.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 8d6d7b66a91953f760e018e36205e1a185564a530ca8b20b23a78e11dae09dc8
Instruction ID: e966734d8d8fee717aad61448d51fe8cc0c3c7be765d23dc2aa3d6937f72c028
Opcode Fuzzy Hash: 8d6d7b66a91953f760e018e36205e1a185564a530ca8b20b23a78e11dae09dc8
Instruction Fuzzy Hash: 6DF1D574E01208DFCB18EFA5E4996ECBBB2FF89319F24452AE446A7350DB355986CF10

Function 05EA3E28 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(jq, xrefs: 05EA3F2E
Hjq, xrefs: 05EA3FBD

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq$Hjq
API String ID: 0-2151573235
Opcode ID: f32bc6a5ab922189f8d26cad3b58b20d2452a656c0641d7230d5b4281144aae0
Instruction ID: c0d2b7f4b43d62355a6554f2ab4fe621189825e1ee5c2b512a9d8a264a52a421
Opcode Fuzzy Hash: f32bc6a5ab922189f8d26cad3b58b20d2452a656c0641d7230d5b4281144aae0
Instruction Fuzzy Hash: DD519D357002108FDB19AF78D49466E7BB2EF89304B10486DE5468B3A4CF35EC06CBA5

Function 027C1CB0 Relevance: 2.7, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 027C1DC2
\sfq, xrefs: 027C1E8F

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: $\sfq
API String ID: 0-1105643209
Opcode ID: 074d1b79d9750aed143c62ad21caa5e36da95d2537bad2ff09b59ae38a82744f
Instruction ID: 6bcc1af92f125df3bdf58467a45c80f653a2633ad8b2cc4e818a6344a399aec2
Opcode Fuzzy Hash: 074d1b79d9750aed143c62ad21caa5e36da95d2537bad2ff09b59ae38a82744f
Instruction Fuzzy Hash: A551CF71F400198FCB14DFAEE8806AEBBB6FB84311B64857EE618D7706D730E9518B80

Function 05EA05A0 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

(jq, xrefs: 05EA06D8
Hjq, xrefs: 05EA0704

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq$Hjq
API String ID: 0-2151573235
Opcode ID: b29ee0460b0335eec23fcd543b637f3cc1d97fc3c150489b6978120b1a191aae
Instruction ID: 7e41e3f9eff2e173ba45f5801114fa52e18c618b0ffd410448bd19ab85bd9bac
Opcode Fuzzy Hash: b29ee0460b0335eec23fcd543b637f3cc1d97fc3c150489b6978120b1a191aae
Instruction Fuzzy Hash: 705128722047004FD725DF3AD48835B7BE2EFC0318F149929E48A8F791EA74E8448BA1

Function 05EA63E3 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

(jq, xrefs: 05EA64F4
(jq, xrefs: 05EA654B

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq$(jq
API String ID: 0-2294966697
Opcode ID: 6aa15150b7b81889f7250bef91e5c8ed48eb0417bba40a22e507600bdb3b9587
Instruction ID: 2400c61a1e354c9435da5bfec1635bc894d2bdc8a7020ebaf72335bd6c730e81
Opcode Fuzzy Hash: 6aa15150b7b81889f7250bef91e5c8ed48eb0417bba40a22e507600bdb3b9587
Instruction Fuzzy Hash: 2651AD327001148FDB189F39E894AAE3BA2FF89304F148469E8468F391CF35DD46CBA5

Function 06133961 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

s, xrefs: 0613396E
X, xrefs: 0613399E

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: X$s
API String ID: 0-2768922426
Opcode ID: 2992ed0f7b4b79426df44e5956f492d5e99a198f0d1bfeebf2b3208ecb4680b8
Instruction ID: 95ba3c78437f84a674b22acfd18cd8a02a74e0438fd2d3b43a49865f67494d4a
Opcode Fuzzy Hash: 2992ed0f7b4b79426df44e5956f492d5e99a198f0d1bfeebf2b3208ecb4680b8
Instruction Fuzzy Hash: C631C3B4A042298FDBA4EF58D9847D9BBF1FB48309F1044EAA509A7390DB309E85CF50

Function 05D3044D Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

K, xrefs: 05D306E6
V, xrefs: 05D30712

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: K$V
API String ID: 0-4033785428
Opcode ID: d004102cacb7241c7375ee508194f9b6a3815a53621b4e6e172c2cfc14b22e3e
Instruction ID: 9f4703987d8b8ecca8ba311d6906cbbe296bcda6b4d93fcf554ed94036a87019
Opcode Fuzzy Hash: d004102cacb7241c7375ee508194f9b6a3815a53621b4e6e172c2cfc14b22e3e
Instruction Fuzzy Hash: C411DF7080A2288FDBA5DF64C88ABEDBBB1BF49320F1451EAD449A3241CB704AC0CF04

Function 05EAAE80 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,jq, xrefs: 05EAB1FB

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: 3e9d408e5df6eec49ec5dd615dd73af5025d5e7ea46e78d53d75afa1fef56fa5
Instruction ID: f0e56e9f7e9b42ddb9931ceb01f91a613b4f2f70f1b4b6d789e4bbd172f10a96
Opcode Fuzzy Hash: 3e9d408e5df6eec49ec5dd615dd73af5025d5e7ea46e78d53d75afa1fef56fa5
Instruction Fuzzy Hash: 3552FA75A002288FDB64DF69C981BDDBBF6BF88300F1541D9E549AB391DA309E81CF61

Function 05EA53E0 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

(_fq, xrefs: 05EA566D

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (_fq
API String ID: 0-931642571
Opcode ID: 2d7515c6ab30607357bc530ab6b9d1e6fe53c313f479f9119f01c68255260897
Instruction ID: ac15089d2f215e60868eadf67dea1a17014f68723c63f4468260fcd93cc9b252
Opcode Fuzzy Hash: 2d7515c6ab30607357bc530ab6b9d1e6fe53c313f479f9119f01c68255260897
Instruction Fuzzy Hash: 07226E36A002149FDB04DF69D490AADBBF6FF88314F15806AE9469F395DB71ED40CBA0

Function 05EFF594 Relevance: 1.8, APIs: 1, Instructions: 263processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05EFF807

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c8bd492970b508e67ac6b27684024bcfde27fbe9e0cb4ffa74ff92b8e709fce5
Instruction ID: e7604c00ded3bcf4a5b69c16ea1a89a5c83b3ac56b041219720cbc8321c848d6
Opcode Fuzzy Hash: c8bd492970b508e67ac6b27684024bcfde27fbe9e0cb4ffa74ff92b8e709fce5
Instruction Fuzzy Hash: 01A136B1D00259DFEF20CFA9C945BEDBBB1BF09314F10A169D869A7290DB748985CF81

Function 05EFF5A0 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05EFF807

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ee66506cbf35974c83580ed1e59b8818a9fbca85c3ad8caad776cb8f014b2ad0
Instruction ID: 7a65c16c5c97c9c27b19a0be851afc3a92cb8872944c0f384ddf3f057476b017
Opcode Fuzzy Hash: ee66506cbf35974c83580ed1e59b8818a9fbca85c3ad8caad776cb8f014b2ad0
Instruction Fuzzy Hash: A5A12571D00259DFDF20CFA9C845BEDBBB1BF09314F10A169E869A7290DB748985CF81

Function 05EB1BD4 Relevance: 1.7, APIs: 1, Instructions: 173fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 05EB1D5B

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 63e2c206d5db47537fdbee86e8cd0af01270547be5fe46af6a4f76d787272db2
Instruction ID: 1e881a651aa9fb9309e2ac28e8732a3d26f01112393874e2c9fac11f74ce4e95
Opcode Fuzzy Hash: 63e2c206d5db47537fdbee86e8cd0af01270547be5fe46af6a4f76d787272db2
Instruction Fuzzy Hash: 156146B0D00319DFEB18CFA9C9957EEBBF1BB09325F20A129D855A7280D7B48985CF41

Function 05EB1BE0 Relevance: 1.7, APIs: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 05EB1D5B

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: ed96e5f18d87c4dd4f06c7526599eaf1aa4d461ae00583697095c7fcec8fa257
Instruction ID: 3b3d7214af20e8f10b638ebb16f9d09649b83cad9657c89b8d270fa303974668
Opcode Fuzzy Hash: ed96e5f18d87c4dd4f06c7526599eaf1aa4d461ae00583697095c7fcec8fa257
Instruction Fuzzy Hash: B66145B0D00358DFEB18CFA9C8957EEBBF1BB09325F20A129D855A7280D7B49985CF41

Function 05EB20B4 Relevance: 1.7, APIs: 1, Instructions: 161registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,?,?,?,?,?), ref: 05EB2220

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 6177efee519a726f201407951991d6ac3ec2e54cd7b46eccf93eff6c73778871
Instruction ID: 7b71ee4a46dbf6d2266d09549e4757619192a44fd54fc4ff140a497883b9d032
Opcode Fuzzy Hash: 6177efee519a726f201407951991d6ac3ec2e54cd7b46eccf93eff6c73778871
Instruction Fuzzy Hash: 6951EFB4D002199FEF10CFA9D985BDEBBB1BF09314F10A12AE958B7250DB749945CF44

Function 05EB20C0 Relevance: 1.7, APIs: 1, Instructions: 157registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32(?,?,?,?,?,?), ref: 05EB2220

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 03b84266361ba8d89c1068963a2a33fa7ec6b8a387089e4ecd367f0e4980b4fb
Instruction ID: 170c04aa1a62c21c3a4c355833e459bb463ad36e8a7b027e1e1bea2ab112cca1
Opcode Fuzzy Hash: 03b84266361ba8d89c1068963a2a33fa7ec6b8a387089e4ecd367f0e4980b4fb
Instruction Fuzzy Hash: 4B51EFB4D002199FEF20CFA9D985BDEBBF1BF49304F10A02AE958AB240DB749945CF44

Function 05EB1E7C Relevance: 1.6, APIs: 1, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 05EB1FB0

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 12857f68c51148ea24dd859a7f436db567b5aec971d4c2f4b073e8b4fa1c53d7
Instruction ID: 6caf8293b0296d6b5c7e7a950cfa1ca990e0d4d33fd7a50877204730cb46ac96
Opcode Fuzzy Hash: 12857f68c51148ea24dd859a7f436db567b5aec971d4c2f4b073e8b4fa1c53d7
Instruction Fuzzy Hash: B05100B4D002199FEF14CFA9D985AEEBBF1BF09314F20A12AE859B7250D7749845CF44

Function 05EB1E88 Relevance: 1.6, APIs: 1, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 05EB1FB0

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e4f9618eb2a959c091efa1cac1800e4d221c62547c6dcad36fc15de39e039816
Instruction ID: 3fb199bdab8dd228ddcffc14c973a7acca8fcb1b868fe503d11817ad96f214b0
Opcode Fuzzy Hash: e4f9618eb2a959c091efa1cac1800e4d221c62547c6dcad36fc15de39e039816
Instruction Fuzzy Hash: BC5100B4D002199FEF24CFA9D985ADEBBF1BF09314F20A02AE859B7250DB749841CF45

Function 05EB0350 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05EB03FC

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c1eec52fc0bf444237e0f70d2edaa0a52b04766b0f5c337937583ab7db484ce
Instruction ID: 504b6466dba5031d68ffb4faa33f7e84b645244ae0adadd708ea1aeb2e67fd10
Opcode Fuzzy Hash: 5c1eec52fc0bf444237e0f70d2edaa0a52b04766b0f5c337937583ab7db484ce
Instruction Fuzzy Hash: B831DBB5D002589FDF10CFA9D984AEEFBB1BB19320F24902AE814B7210C779A945CF54

Function 05EB0358 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05EB03FC

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 672922d90d0d2e9725c65a571ea48a95b0d356d48c0dd5e1671d108d5c8b71d1
Instruction ID: a7caee122ed82194052955e126eff9d86c5b3b7385866f4094995990b97d824d
Opcode Fuzzy Hash: 672922d90d0d2e9725c65a571ea48a95b0d356d48c0dd5e1671d108d5c8b71d1
Instruction Fuzzy Hash: E531CAB4D002589FDF10CFA9D984AEEFBB1BB49320F14902AE815B7210D775A945CF54

Function 05D9D588 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 05D9D62C

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c63e4a42c66e737101c6cc04964f875d56e210a57a130e454890f315573bf7b3
Instruction ID: 998cbfbd5a21cad123ee81a6e5eb8972ede67223bb442216c3fac1afe012834f
Opcode Fuzzy Hash: c63e4a42c66e737101c6cc04964f875d56e210a57a130e454890f315573bf7b3
Instruction Fuzzy Hash: 3431A5B8D002489FCF14CFA9D980A9EFBB1BB49320F20A02AE818B7310D735A945CF54

Function 05EFB85A Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?), ref: 05EFB8F2

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fb859a16c1f4622b9c17a7b69d7a71526e44f6ee1fdf3e1f2a9a375991705ab6
Instruction ID: b435c2022131888032ae77a8aaaf19e2134cef5b9a280761e802470f6c02035b
Opcode Fuzzy Hash: fb859a16c1f4622b9c17a7b69d7a71526e44f6ee1fdf3e1f2a9a375991705ab6
Instruction Fuzzy Hash: 7431CAB5D012589FCB10CFAAD981AEEFBF5AB49320F14942AE815B7340C739A945CF64

Function 05EFB860 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?), ref: 05EFB8F2

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 47aa3e3db064080ba18b4ac90fc1b26232bc5ed92169aa803919c7aa6fa8c1a8
Instruction ID: 87a094705eba7558bab72369ae12d5729c0ed95f1699cc3ecd313f6033c0d6a9
Opcode Fuzzy Hash: 47aa3e3db064080ba18b4ac90fc1b26232bc5ed92169aa803919c7aa6fa8c1a8
Instruction Fuzzy Hash: B731CAB4D012589FCB10CFAAD980AEEFBF5BB49320F14942AE815B7340C739A945CF54

Function 05EA9F98 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EAA1C2

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 5ac94d972474a3ee4a27691fbb395d41b626e348c59d1a0610d11a73e589090e
Instruction ID: 2582252ab2451fd57352eac28635742cdb1fa506040b409a32231c1987712ce2
Opcode Fuzzy Hash: 5ac94d972474a3ee4a27691fbb395d41b626e348c59d1a0610d11a73e589090e
Instruction Fuzzy Hash: EFA1EC35B10218DFCB04DFA4D898AADBBB6FF88304F559569E446AB365DF30AC42CB50

Function 027C09A8 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

\sfq, xrefs: 027C0B2D

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: edf8ff5c19b36b78fb71abc8986a0b84b82fe1dfc1d7b23af5c254e738d357be
Instruction ID: a6bcdef413d435b54c27d90f85738501c21597429ea56ac7f9128f97826e3ad6
Opcode Fuzzy Hash: edf8ff5c19b36b78fb71abc8986a0b84b82fe1dfc1d7b23af5c254e738d357be
Instruction Fuzzy Hash: C5510978E0020ADFDF10DFA9D980AEDBBB1BF88314F206659D401FB251DB359941CB64

Function 05EAEC98 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

(jq, xrefs: 05EAEDC4

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 063c7d9df578b8f4592cea9fbe33320960128398174757992a9cd7a1d718bba5
Instruction ID: ed730fa28635c3a7c878caa5ac3c9582897c6f50e8d359108c889700407f40d4
Opcode Fuzzy Hash: 063c7d9df578b8f4592cea9fbe33320960128398174757992a9cd7a1d718bba5
Instruction Fuzzy Hash: 6F418E32604254AFCB099F68D854E597FB6FF89310B1580A5E605CF3B2CA32DC11DB61

Function 027C1BF3 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

, xrefs: 027C1DC2

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9220b3937789a979e68e92ece7604bfcc305d8d18bbb77d4bb8d6e63d5280669
Instruction ID: 837932dc51d68dc49f8be20a0a3143eb7794d4be8085ca34af4f077ff10766ae
Opcode Fuzzy Hash: 9220b3937789a979e68e92ece7604bfcc305d8d18bbb77d4bb8d6e63d5280669
Instruction Fuzzy Hash: 3851BF71E042558FCB10CFA9D8806AEBBB2FF85311B69C57ED118DB646C330E952CB90

Function 05EADC38 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EADC82

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 98c4a42982735c126a5ec205cfd3bfcc71b65a0a0e937a1ac66987391a4bf81a
Instruction ID: 3ff4f83c54a358c3ac95c8faedc93cf40ad4632285af8d2e14c4f46f90813dad
Opcode Fuzzy Hash: 98c4a42982735c126a5ec205cfd3bfcc71b65a0a0e937a1ac66987391a4bf81a
Instruction Fuzzy Hash: FF417035B102148FCB05AB78C494AAE77BBAFC9600F105569E042EF795CF74AC46CB91

Function 0614FDE8 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

pjq, xrefs: 0614FE30

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: pjq
API String ID: 0-551751012
Opcode ID: a8bc3e219487bc260c4ca830bfc7b0526d67b792e1d016c3c462c7362231df7f
Instruction ID: 2bd7d6b5418a6e34c4e1ed8ebc4d0c14bd754d97424d995c6284e18b2d8e2758
Opcode Fuzzy Hash: a8bc3e219487bc260c4ca830bfc7b0526d67b792e1d016c3c462c7362231df7f
Instruction Fuzzy Hash: A641C776600110AFCB469FA8D944D5A7FF6FF8C31471A8098E2099B376DB32DC21EB90

Function 027CCFC0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

TJkq, xrefs: 027CD05E

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: TJkq
API String ID: 0-3106782265
Opcode ID: 01a029cfeb8b9546c2f9ffdd25b8ce38a2d131909534b92a9a50ecfe9798db42
Instruction ID: 30b2bdc16d2d8c38e05d4995411a42c05745bd95bd91ca14668548f0c2f0821e
Opcode Fuzzy Hash: 01a029cfeb8b9546c2f9ffdd25b8ce38a2d131909534b92a9a50ecfe9798db42
Instruction Fuzzy Hash: C951D1B4D01208DFCB54DFA9D5486AEBBF2FF88314F20842AE516A3350DB346986DF54

Function 05EA0BAC Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(jq, xrefs: 05EA0BC4

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 8ac53e3e31365f5b213be4d22ea3342ba84be1e98728abb65fed504d1275663f
Instruction ID: eda68c039a37853ca2d512f373f2ffb698dc5272df7a6880d5c7ace695d91711
Opcode Fuzzy Hash: 8ac53e3e31365f5b213be4d22ea3342ba84be1e98728abb65fed504d1275663f
Instruction Fuzzy Hash: 9B41DE76A00616CFDB00DF68C48896AFBF1FF49324B259659D569AB381D730F852CBD0

Function 027CCFD0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

TJkq, xrefs: 027CD05E

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: TJkq
API String ID: 0-3106782265
Opcode ID: 9015309eb994061856a5599f2ac0d605a77dc00c974e64c7b9cab5d6ab98df56
Instruction ID: 3f0d7f6180aceef9ccb29d86b304d655613c3e365dd1f3be603dbf64ba4af9b0
Opcode Fuzzy Hash: 9015309eb994061856a5599f2ac0d605a77dc00c974e64c7b9cab5d6ab98df56
Instruction Fuzzy Hash: CA41A0B4D01208DFCB54DFA9D5486AEBBB2FF88314F20842AE516B3350DB346986DF54

Function 05EA1A30 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

,jq, xrefs: 05EA1A93

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: f8c0a36308dfd542f9ec90a669553416a383de7de136ac3248cc8900c310e3c8
Instruction ID: 268b9516b6c15e7e51cdcae587046f6886a13bde3a91bdb6470255fb009740ba
Opcode Fuzzy Hash: f8c0a36308dfd542f9ec90a669553416a383de7de136ac3248cc8900c310e3c8
Instruction Fuzzy Hash: 84417B357002048FCB19EF79C8949AEBBF2EF85350B158469E9469F361DB30ED41CBA1

Function 05EAD640 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EAD6F7

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: aa624fb3153ba13db30c8487a7387079fce407a310bdda066b4ab4f5a44ff798
Instruction ID: b317a01b6eec96a44b94617d776aebd76d41351d79b0a58c700e091ddda99cf8
Opcode Fuzzy Hash: aa624fb3153ba13db30c8487a7387079fce407a310bdda066b4ab4f5a44ff798
Instruction Fuzzy Hash: 40415A723006109FD308DB79C999F2A7BA6AFC8704F105468E24A8F3A1DE75EC42C790

Function 05EAD650 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EAD6F7

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 82d95e681ebc1567b9778a02105dde14211d4339c99122f8c9a34459ebf4acd6
Instruction ID: d783cf8eea3612d787c3f00c84b11ef54a8c232136f766ee4925fb7fcbcfe9d1
Opcode Fuzzy Hash: 82d95e681ebc1567b9778a02105dde14211d4339c99122f8c9a34459ebf4acd6
Instruction Fuzzy Hash: 15313B753006149FD308DB79C999F6A77A6AFC8704F105468E64A8F3A1DE71EC42C791

Function 05EA0448 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

(jq, xrefs: 05EA0498

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 416dd4b7f60bd861e01bd290636d178d314f68b9b652e78f1ce749d8f184a590
Instruction ID: 2adddbcb3c0d2778672abaa6413c3727b5234ec69d8f8873ad9b5d3eb5455cd0
Opcode Fuzzy Hash: 416dd4b7f60bd861e01bd290636d178d314f68b9b652e78f1ce749d8f184a590
Instruction Fuzzy Hash: 6021F2363041159FDB199F69E884AAE7B67EFC9324F54403AF945CB251DE71AC01C7A0

Function 05D9E750 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 05D9E7EF

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e50dffce2a963733c3a70c453e4a62109b886b40af94de71a0a925084b8a307
Instruction ID: 7e22447b693f5ac3370057bb1be56aebaca4429762dd5088325ededccb46fbda
Opcode Fuzzy Hash: 1e50dffce2a963733c3a70c453e4a62109b886b40af94de71a0a925084b8a307
Instruction Fuzzy Hash: 5731A7B8D002589BCF14CFA9D880ADEFBB5EB49320F20942AE814B7310C735A945CF94

Function 05EA9019 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EA9061

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 10c9fa3d222af8577005c93c388ac158033037651246c484c5ca9bb628006b56
Instruction ID: 0279621ca3ffed5821b2d10d39de1b35348b79a819e2285cd76f1fdd9e69ab22
Opcode Fuzzy Hash: 10c9fa3d222af8577005c93c388ac158033037651246c484c5ca9bb628006b56
Instruction Fuzzy Hash: 69317136A001049FCF089FA5D895D6DBBB7FF88310B0550A9EA469B361DE32EC52CB91

Function 027C3E9A Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Tefq, xrefs: 027C3F18

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 2c38d68bac4cc2c5d16c44319d5297e8a4a15ba3a64fac8f21c07785aadaca44
Instruction ID: 5198de97ca8ccefa8ada3ccf842dd1d14b862f173f8725f2830addfc19a0b8ed
Opcode Fuzzy Hash: 2c38d68bac4cc2c5d16c44319d5297e8a4a15ba3a64fac8f21c07785aadaca44
Instruction Fuzzy Hash: 5531D5707041409FCB459B79C498AAEBFF3EF85300B25449EE545EB3A5CE358C05CB91

Function 05C80D7C Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05C81549

Memory Dump Source

Source File: 00000000.00000002.1823685044.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c80000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: f634f5124dd69956a145ce5a6af250e27a931cf366b6bd57d305dafff1180233
Instruction ID: 47baf1ee3305af3df0f459409235df981408c8c5c5a1eeb1efb9cd7135a792fa
Opcode Fuzzy Hash: f634f5124dd69956a145ce5a6af250e27a931cf366b6bd57d305dafff1180233
Instruction Fuzzy Hash: 68318E74D04209CFDB05EFAAD4486FEBBB1FF45309F04886AD015A7291D7385A89CF91

Function 05EA4740 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<fq, xrefs: 05EA477A

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: p<fq
API String ID: 0-1940909823
Opcode ID: 57b7a7a62644edc4379a6edd8da6df718b78462d5ec49450d5ae0c68991b1053
Instruction ID: a431e5394bbb0320bada3f4eef433522dfbe41e92b98b8bf594ae30711af37ea
Opcode Fuzzy Hash: 57b7a7a62644edc4379a6edd8da6df718b78462d5ec49450d5ae0c68991b1053
Instruction Fuzzy Hash: 41213C763041949FDB06CF3AC840EAA7BEABF8A244B055095F885CB2A1DA71EC50DB20

Function 05EA4730 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<fq, xrefs: 05EA477A

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: p<fq
API String ID: 0-1940909823
Opcode ID: de1f57b5b50475f767821199145f1ad58fa56268ca27a4933b0d19081d41e8fb
Instruction ID: fb53b2fec5e0adf811c6550645aac69830b90ed3f3632d53b5c049e38bbb4d20
Opcode Fuzzy Hash: de1f57b5b50475f767821199145f1ad58fa56268ca27a4933b0d19081d41e8fb
Instruction Fuzzy Hash: 2B215E763041949FDF06DF3AC884DAA7BEABF8A254B445055F885CB3B0DA71EC51DB20

Function 027C3E77 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

Tefq, xrefs: 027C3F18

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: b3985c9815f608cca7a2cf35304841c22543af004f797ffb4404094d6cef6f23
Instruction ID: d8de9b9a45d9dd91dece6d969e84660e953bed96d6ddf657e5af85ce99e0fe49
Opcode Fuzzy Hash: b3985c9815f608cca7a2cf35304841c22543af004f797ffb4404094d6cef6f23
Instruction Fuzzy Hash: 0B218E70B001518FCB05EB7DD4A8A9EBBF2EF89714B25449DE001AF3A5CE748C46CB90

Function 027C3EB8 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Tefq, xrefs: 027C3F18

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: cf108703b488c91fa031caa65ea3da0fb3a3c9f2e4f5893448b96a10663bcbbc
Instruction ID: 09ac356e5a848fd8252684e3a65735755b1b13ae2f0e7b0c8856f0c880f4ce14
Opcode Fuzzy Hash: cf108703b488c91fa031caa65ea3da0fb3a3c9f2e4f5893448b96a10663bcbbc
Instruction Fuzzy Hash: B1219D707001059FCB44EBB9C498AAEBBF7EF89700F61846DE506AB3A5CE749C458B90

Function 05EA1A20 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

,jq, xrefs: 05EA1A93

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: fdc4b627c5ec39735c87a53e9849baeae06333ebb42fcb59c64401c7ba842fee
Instruction ID: 34b68c055269e096b1b1be3105bccb76c15f359e219b5ccf17d6cb60c3355070
Opcode Fuzzy Hash: fdc4b627c5ec39735c87a53e9849baeae06333ebb42fcb59c64401c7ba842fee
Instruction Fuzzy Hash: 12115B79B001059FCB08EFB9C9949AEBBB6EF89341F158069E9419F365DB30ED01CB91

Function 05EA1A2C Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

,jq, xrefs: 05EA1A93

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: a652b92b00e91c8df3b34fc6d2fd72e55197bd0b4f8751a75c62a4140fe912a9
Instruction ID: d5621083abf4004ddac6a1a2a074fb75d6e6911a6b9753806b519cd23ec03d33
Opcode Fuzzy Hash: a652b92b00e91c8df3b34fc6d2fd72e55197bd0b4f8751a75c62a4140fe912a9
Instruction Fuzzy Hash: 39116D79B00115CFCB04DFA9C994A6EBBB6AF94341F158069E941AF365DB30EC01CB90

Function 027C1E2B Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

\sfq, xrefs: 027C1E8F

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: 611f0a08406d68a3269f0e3b3e849269594aca05f3e483a21498775b216d9a94
Instruction ID: f0e8932eb93c2968e82d7d6c1503fadc86ac01edf079fc3e41d43bdc7e35b91d
Opcode Fuzzy Hash: 611f0a08406d68a3269f0e3b3e849269594aca05f3e483a21498775b216d9a94
Instruction Fuzzy Hash: AA01BCB13045218FD725CB3DD85092A3BF5AF8971032185FEE40ADB2B3DA61CC018BA0

Function 05D3C67C Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

I, xrefs: 05D3C718

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1660b410fd928d7dc858ae657eaee246ae3e2abf97ebad7a15b09856aed2e311
Instruction ID: 2b9a147f11495e1bd6137e41d109b29705d3ab141bc9e7ea097e216f2e3c1ca9
Opcode Fuzzy Hash: 1660b410fd928d7dc858ae657eaee246ae3e2abf97ebad7a15b09856aed2e311
Instruction Fuzzy Hash: 0A21AFB4A04628CFDBA0DF28CC88B9ABBB1FB49202F0045EBD50DA7250DB305E84CF11

Function 05D3056F Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

o, xrefs: 05D30DA7

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 973a89115ea6e7ed71293384b8110e1e43dc6fcfa2cae5d63f06ffe567e1a1d2
Instruction ID: ab658d2510fa1585c87bd058dc60b45c0b0d33144f2e7c806d947c02d166c610
Opcode Fuzzy Hash: 973a89115ea6e7ed71293384b8110e1e43dc6fcfa2cae5d63f06ffe567e1a1d2
Instruction Fuzzy Hash: FB01EF74909218CFDB65DF64D88ABADBBB1BB0A314F1450EAD40DA3242C7314988CF15

Function 05D30D70 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

o, xrefs: 05D30DA7

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 99285391d8f35b10f9f0aa76631da75018d399b6592379a10576bc3a200326ea
Instruction ID: 4820daa33e978f6ad0eeeb1fcf0e9bf173d2311ef6fbdc7984790f942f035209
Opcode Fuzzy Hash: 99285391d8f35b10f9f0aa76631da75018d399b6592379a10576bc3a200326ea
Instruction Fuzzy Hash: 42F0CF709152188FDBA0DF28C889B9DBBB1BF0A324F5041EAD41CE7292C7304D84CF11

Function 05D37ED4 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

., xrefs: 05D3B284

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 506d6d4ccb5aea3d03ecec301982311cfb7edd9c3f21bf59d35d69ea81ec8b8b
Instruction ID: ae1560e20335297974e02595818993f5180488ba747aff15516b4f8a7cf67b09
Opcode Fuzzy Hash: 506d6d4ccb5aea3d03ecec301982311cfb7edd9c3f21bf59d35d69ea81ec8b8b
Instruction Fuzzy Hash: 24D05BF46143188FDB50EF35D88465E7772F745300F10455AC15997344DE304D858F56

Function 05EADE88 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d7348d783172f444773872d6ba911e4c43bf4c9ec7217d81fb67dc4ba0532
Instruction ID: 9b1e3892bff5d85eee4a5c3fdd64fe820de0f3dd752580230851c02b0ccdb870
Opcode Fuzzy Hash: 519d7348d783172f444773872d6ba911e4c43bf4c9ec7217d81fb67dc4ba0532
Instruction Fuzzy Hash: 90120835A002188FCB14EF74C994BADB7B6BF89304F5195A8E48AAB355DF30ED85CB50

Function 05EA12C8 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c607e877fd6b5663d448708b853ea3ded6e02e02c1a670103a836efd719524
Instruction ID: 73000bc4f668978fa990cd8de09a163428c5e8ffeadf77e384a5132635f996a0
Opcode Fuzzy Hash: 65c607e877fd6b5663d448708b853ea3ded6e02e02c1a670103a836efd719524
Instruction Fuzzy Hash: 65918D36B012049FDB19DFA5D485AADBBF2FF88315F14806AE5829B390CB35ED45CB50

Function 05D325D0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de36b887f6cbf5068f843852d4d4ce1dd6bd8217881f959523763c3bddf6c478
Instruction ID: d11fc853c9438b76aeb2daf3b58ff9d449f63f01c6a9aec09c3fc9171fc73a07
Opcode Fuzzy Hash: de36b887f6cbf5068f843852d4d4ce1dd6bd8217881f959523763c3bddf6c478
Instruction Fuzzy Hash: 0AA1F778E05219DFDB04DFA8D4866EEBBB2FF49314F10402AE546AB344DB349985CF61

Function 05EADE78 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3a57725295dc0b47cef7a862196f0760b13aca934b3d1acb174a72eefc80b3
Instruction ID: 5ae5206830a85dd03ce408018c0abf28b5778813df50463ab89e2b06d8e1639a
Opcode Fuzzy Hash: 8d3a57725295dc0b47cef7a862196f0760b13aca934b3d1acb174a72eefc80b3
Instruction Fuzzy Hash: E8A1E735B002148FDB14DF74C898BADBBB6BF89304F5195A8E48AAB355DB30AD85CF50

Function 05EA4863 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a01677c1569b01d060f3ef51d48181d97fd7abb2e102bc1fa8dc49a21188fb
Instruction ID: 9e49ae57ad53566791ce92e9a9cf9130b38abf5087c9ce0fde0f42242cc1b045
Opcode Fuzzy Hash: 07a01677c1569b01d060f3ef51d48181d97fd7abb2e102bc1fa8dc49a21188fb
Instruction Fuzzy Hash: 48A1C176E046698FDF11DFA1C440AFDBBB2FF48308F148016E892AB295DB74A946CF50

Function 05EAEE30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c29c5b40e7f5e39917b44210d8146287d7965680f5069504e12c3ebe35bd1f
Instruction ID: 226303d10eb5d5c8529ba944f47eb4779cf65d89e89594cd90a57d748e7d5ace
Opcode Fuzzy Hash: 80c29c5b40e7f5e39917b44210d8146287d7965680f5069504e12c3ebe35bd1f
Instruction Fuzzy Hash: 028138357102149FCB04DF68D498AADBBB6FF89710F1091A9E546DF3A5CB74AC42CB90

Function 05EAE75B Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c20205b14077c4b83a370681391d431ea005de391757612ecdb55dbf5a061c7
Instruction ID: 98eb1d134fa706a907016b6b5dfb7febd1ce071b85328314334076cc99fb9fbf
Opcode Fuzzy Hash: 0c20205b14077c4b83a370681391d431ea005de391757612ecdb55dbf5a061c7
Instruction Fuzzy Hash: 45A1AD35A11208DFCB04EFA4E4949AD7BB6FF89310F509569F842AB365DF30AD42DB90

Function 05EA68B0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdd09cd0ee49741e67eabb8c621f7b7881156d57ee8fbe5199390ad4d91b80a
Instruction ID: 3307c4d6bee9c8e03b570730d26e12cd826dd1cb54a18827058a62eaf0c83227
Opcode Fuzzy Hash: 0bdd09cd0ee49741e67eabb8c621f7b7881156d57ee8fbe5199390ad4d91b80a
Instruction Fuzzy Hash: AB812976A00514CFCB14DF68C48499EBBF6FF89314B199069E8469B365DB30FD42CB90

Function 05D325CB Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df186204b4af15da04c5a6bc472a5d87ad36aa9287dd9e972a055f894372d495
Instruction ID: 50226fb9515273935bbae5a63a9155605f53523c8b87f9161bc1ae9e8f6ed2c3
Opcode Fuzzy Hash: df186204b4af15da04c5a6bc472a5d87ad36aa9287dd9e972a055f894372d495
Instruction Fuzzy Hash: 3F711578D09218DFDB04DFA8D8466EEBBF2FF49314F10802AE546AB244DB349A45CF61

Function 05EAEE20 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd09dd0e5a13bd31814a55f56b8d52b3595130ebb0a4a760cfe6523b51d5c387
Instruction ID: 34564e1383a65d4dea05f2bc0a43f5c7e40bef7a844fb246de5b043e645f4c40
Opcode Fuzzy Hash: fd09dd0e5a13bd31814a55f56b8d52b3595130ebb0a4a760cfe6523b51d5c387
Instruction Fuzzy Hash: D8611835B102149FCB04DF68D498AADBBB6FF88700F1491A9E5469F365CB30EC42CB90

Function 05D3607D Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12720b5a71843e42c528908cd5aa62a31294e3d85b6ee8948ccdaff53e61a874
Instruction ID: c143104e978e34d9f3918e9cd3a74c24ffa4f2b977483c17b458b33528853c88
Opcode Fuzzy Hash: 12720b5a71843e42c528908cd5aa62a31294e3d85b6ee8948ccdaff53e61a874
Instruction Fuzzy Hash: 5071C374D09218DFDB20DFA9C98ABADBBF2FB45304F14806AD409AB255DBB4D984CF41

Function 05D32D80 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82401b4978f0c57cbf2a58363676d49ab4ecfe138f823d68f8e0b69951e75be9
Instruction ID: 895000f32675a6125f9833a75aa97fa34e37b20426960d0b6353b919da75c854
Opcode Fuzzy Hash: 82401b4978f0c57cbf2a58363676d49ab4ecfe138f823d68f8e0b69951e75be9
Instruction Fuzzy Hash: A4519078D04219DFCB44DFA9D885AEDBBB2FF49300F10846AE456AB350DB749945CFA0

Function 05EA9B78 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82dfd237c008387de74c6214ea0b874f3c46969581e401783fe9d03c536002aa
Instruction ID: c16b4cd269336f4f623dc2f046a3f5af450e2aea9a52e93be5d2df9830c7d9ed
Opcode Fuzzy Hash: 82dfd237c008387de74c6214ea0b874f3c46969581e401783fe9d03c536002aa
Instruction Fuzzy Hash: 91517134B105099FCB04EF65E458AAEBBB6FFC8704F00812AF5429B364DF34A946CB91

Function 027C07EB Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519ad217d491ba98af2b214a9455bc74328cb636702dfb90d81951b303d4ac93
Instruction ID: c798afa35b9d5ed345f016e3b102b1d976c25b5d5d1dc51cd95a1bdb92a6f2bf
Opcode Fuzzy Hash: 519ad217d491ba98af2b214a9455bc74328cb636702dfb90d81951b303d4ac93
Instruction Fuzzy Hash: 90415A72B083948FC7069B38A8596AE3FB2DF86310F2505ADD545DB393EE344C0A87D1

Function 05D32D73 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6478c62a408b06844659ced8db41a517f92a10f2bb425063859a92df59225e
Instruction ID: 4f59ea9175b5b38cbcab9a8cc9de81be1d8747946868f3cce596ab938225aabe
Opcode Fuzzy Hash: 0b6478c62a408b06844659ced8db41a517f92a10f2bb425063859a92df59225e
Instruction Fuzzy Hash: 3F519078D04219DFCB44DFA9D885AECBBB2FF49310F10846AE456AB350DB309945CB60

Function 05D32D1B Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909f9828ad42697114c2d220b0f2d1d156f5f768d4f62d36fadab988236cdb49
Instruction ID: e7ee7b94316e8e3ea0cdf957030f6850d20683852485096a331e54802ba0d282
Opcode Fuzzy Hash: 909f9828ad42697114c2d220b0f2d1d156f5f768d4f62d36fadab988236cdb49
Instruction Fuzzy Hash: F1519178D04219DFCB44DFA9E885AACBBF2FF49314F10846AE456AB360DB309945CF60

Function 05D36A00 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d927fe450c7202f1e4d21d52259e60be5a2e3cc2b7edc9d0fd20fe75ca6f1c5d
Instruction ID: 3bc85863f3985f41be0f7209a65e4ec9af144afe3a6486815fbdeb5dc485e723
Opcode Fuzzy Hash: d927fe450c7202f1e4d21d52259e60be5a2e3cc2b7edc9d0fd20fe75ca6f1c5d
Instruction Fuzzy Hash: AD51C370E01208DFDB58DFB9D995A9DBBF2BF89305F20802AE406AB364DB319941CF50

Function 05EA7C74 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3cb2439bf549dfcf501c70f6f1ccc803f0cba48b44302a1e653053fd08bdc8
Instruction ID: b6a356abe578446e43b4eacedfc2d13b98fc97d0c95bf0c9126563f0da748343
Opcode Fuzzy Hash: 8c3cb2439bf549dfcf501c70f6f1ccc803f0cba48b44302a1e653053fd08bdc8
Instruction Fuzzy Hash: EF31C4767006009BDB15EB38D494A7A77A7EFC9325324A829E49ACF351EF30EC42C790

Function 05D369FB Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f13c389466e823a78aed98bba59dbb7bfc07018de478a33ee2078d331ced66
Instruction ID: 5676fad03449edd8cf4e5c19b4f3c4713b57d8febb7a1403f4934dc54e5042a3
Opcode Fuzzy Hash: 96f13c389466e823a78aed98bba59dbb7bfc07018de478a33ee2078d331ced66
Instruction Fuzzy Hash: 8241C670D01208DFDB58DFB9D994A9DBBB2BF89305F20852AD41AAB364DB319941CF50

Function 05EAC750 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77c6de832fac858bb239986f1b404cb21349f37ac3c88e479be2728597a73e2
Instruction ID: 9a0044e84fcae62107234903e61a8513487e458b6881929de515e4aeab1203dc
Opcode Fuzzy Hash: e77c6de832fac858bb239986f1b404cb21349f37ac3c88e479be2728597a73e2
Instruction Fuzzy Hash: 5A31D2366101049FDB05DF69D888EA9BBB2FF48724B1680A9F5099F372CB31EC55DB80

Function 05EA1778 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f200047aeea8b3d75e8c0ed1c9541bee750e1804d973487bf7127bd459089600
Instruction ID: 5684c31ad5188e02ea13649a166953f852e459ce6d688aadb2d24606174d2f9f
Opcode Fuzzy Hash: f200047aeea8b3d75e8c0ed1c9541bee750e1804d973487bf7127bd459089600
Instruction Fuzzy Hash: D8419072A002158FDB18CFB5D944ABEBBB2FF44754F0085AAE496EB254D730E945CB90

Function 05D3DC58 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f941dd65501f3bdd7776b8beaf27244de31d417026b80e38533077370b588d
Instruction ID: c62d125b31044e3d5d86911993d5664847b6c283cc205d314c638a9ed6e3da51
Opcode Fuzzy Hash: c6f941dd65501f3bdd7776b8beaf27244de31d417026b80e38533077370b588d
Instruction Fuzzy Hash: 0041D4B0E15208DFDB44EFA9D945BEEBBF2BF88340F10802AE405A7360D7B499408F50

Function 05EAF138 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70762224e8aaa08522dcb2d32ce1b53391631559887e620f85d50a6e7cb7a477
Instruction ID: f3e542776919002a978bbc85157c92d4d88f9d1a78237a9760560dedcbd5bddf
Opcode Fuzzy Hash: 70762224e8aaa08522dcb2d32ce1b53391631559887e620f85d50a6e7cb7a477
Instruction Fuzzy Hash: 5C318F3AA001089BDF04DFA4D855BEEB7B2FF88310F109125E955BB394DB31AD51CBA0

Function 05D36270 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf2fd8f0bffc1560dbfbd0e541d736c73d04e474b7fdc578010f2a814cec10a
Instruction ID: 363929dfce217eaea771692e0ea3f2d873c465b3cb96c5a71874bbfea6cbe489
Opcode Fuzzy Hash: adf2fd8f0bffc1560dbfbd0e541d736c73d04e474b7fdc578010f2a814cec10a
Instruction Fuzzy Hash: 2A41D4B4D09219DFDB20DFA9C84ABADBBF2FF48304F14816AD409A7255DBB49980CF40

Function 05D3F518 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc662e1f24bdb901fa543d2ec3ef031fcb6a9b4e1880d7524f1df2bec6b5468
Instruction ID: d13968feb503a8d52b908d19aca25f363f4bc424d9efe6642d227d7c50779d56
Opcode Fuzzy Hash: 1bc662e1f24bdb901fa543d2ec3ef031fcb6a9b4e1880d7524f1df2bec6b5468
Instruction Fuzzy Hash: AF31D2B4E0420ADFDB04DFAAD8856EEBBF2FB88304F108466D519A7354D77899468F50

Function 05EA3E1A Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fed5ae85eff8c1c3f8d39ae066a40e6cb00fb3332febee6380aa780c3b9353c
Instruction ID: 3c924eea0dffd5c8bd39ac377c726162b0b9e03aafb683510fb9f4ac31255641
Opcode Fuzzy Hash: 3fed5ae85eff8c1c3f8d39ae066a40e6cb00fb3332febee6380aa780c3b9353c
Instruction Fuzzy Hash: D4318E35700211DFCB299F35D48496ABBB6FF89309B10486DE8868B3A5DF31EC46CB90

Function 05EAFF00 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf6bb27db14429473892801f03f91f21f6a88144b5248e4864aba35ea54d1be
Instruction ID: 834b7c43cda5657db7af6adda9e78fc8e46af30aeaf6592acccc33fe16e5a379
Opcode Fuzzy Hash: eaf6bb27db14429473892801f03f91f21f6a88144b5248e4864aba35ea54d1be
Instruction Fuzzy Hash: BA218575B00619CFCB00EF78C5849AEB7B5EF89600B10452AD546DB324EF70A946CB91

Function 027C88D2 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a165e296de6d71e7dfff1e7f3a299cde20add015148afe1dfb433b8bbaf03e7d
Instruction ID: 021a25dbcf0c7e9f6112e94d934747ee6468ca8eea85fb64b1763efbf26cea69
Opcode Fuzzy Hash: a165e296de6d71e7dfff1e7f3a299cde20add015148afe1dfb433b8bbaf03e7d
Instruction Fuzzy Hash: C23127B4D042098FDB49DFA9D9083EEBBF2FB89304F109829D614B3240D7744A45CFA6

Function 05EAFEE4 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c825d9e42bd9639f8ee114a9b231e631a28f9a571de9c6d6c4174a7f78428dd
Instruction ID: e5d82f47d2e6a4e07432bbb70ac17b12a77b267315815cda27c1cd91c4a95ebb
Opcode Fuzzy Hash: 3c825d9e42bd9639f8ee114a9b231e631a28f9a571de9c6d6c4174a7f78428dd
Instruction Fuzzy Hash: 1721B375B006498FCB00EF78C4849AEBBB5EF89200F10426ED545DB361EB34A946CBA1

Function 05EA3C00 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e2f4b4ec3f642389c6411161ee121615cca071bb3c2f35b9f40eadbbe24102
Instruction ID: 2ba505d2cd1db6a50c109e567a3b261fde895852ede28729a9331e653fffc746
Opcode Fuzzy Hash: 93e2f4b4ec3f642389c6411161ee121615cca071bb3c2f35b9f40eadbbe24102
Instruction Fuzzy Hash: AF215172E00219DFEB10DF74D9047EEBBF5AB48340F209465D955DB250E734DA44CBA1

Function 027C88E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0b468204944b2ba9230d41f276941b9b8c531fc31e92a7ac695ab8e4229b04
Instruction ID: 11a1b52552c014e44afb0dfb6626468bdced8f31dd3a35033265379b793e9cf5
Opcode Fuzzy Hash: ec0b468204944b2ba9230d41f276941b9b8c531fc31e92a7ac695ab8e4229b04
Instruction Fuzzy Hash: 0D2125B4D04209CFDB48DFA9C4083EEB7F2BB89304F109829D615B3240D7744A44CFA6

Function 025FD030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807521631.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2be254aba19f1ce0b40e27502deb235fa56fd752eb7cc608a30d1d7bc8dbb2c
Instruction ID: f529e1727ede3d72ef3224a6d288cdafa0380d02a586e0ab7f53c699a6375ed0
Opcode Fuzzy Hash: e2be254aba19f1ce0b40e27502deb235fa56fd752eb7cc608a30d1d7bc8dbb2c
Instruction Fuzzy Hash: 032142B2105200DFCB54DF14D9C4B26BF79FB88314F20CA69EA0A0B646D336D806CBA2

Function 025FD006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807521631.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0f6bf3a050e8e52fcde14f5efe4093c0b35b0e34abe1ccf010487c8bdd7182
Instruction ID: 7cc095625104eb61b926d2dcf94128cfd0f0f8aeda7bea6d6eacf27f0ecbbcc8
Opcode Fuzzy Hash: 4f0f6bf3a050e8e52fcde14f5efe4093c0b35b0e34abe1ccf010487c8bdd7182
Instruction Fuzzy Hash: 3C216D7550E3C08FCB13CF24D994715BF71AB46214F2981EBD9858F6A7C33A981ACB62

Function 05EA7DB8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038561e3b538555029941a7c5df1966baa935e6b42e14346d14c24583c4fd3a0
Instruction ID: e634cc7b2927750f7aae256fe7829af1b07e71a6edaba4298d31120232e4985f
Opcode Fuzzy Hash: 038561e3b538555029941a7c5df1966baa935e6b42e14346d14c24583c4fd3a0
Instruction Fuzzy Hash: 6B212876A002098FDB08DF64C585ADDB7F2FF88305F2055A9E445BB3A1CB71AD41CBA0

Function 027CF088 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95e4352e55a94008027e37e851f09558f87c2e7938b16ca8e195557b1d46940
Instruction ID: 3d01fea7a5d1287c49e6025b2b686f6e0ccc97b5a99dc3b8d7355b513e49cb27
Opcode Fuzzy Hash: d95e4352e55a94008027e37e851f09558f87c2e7938b16ca8e195557b1d46940
Instruction Fuzzy Hash: 2521F370D05619CBDB04DFA9D5087EEBBF6FB88324F20842ED505B3644DB755A84CBA2

Function 05D37178 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d9a662c9ecee0dfb1e86ed2653c748f62f63e92b58d5e21553e78c9fff892e
Instruction ID: badd0b41d4e004bb8226c1cae031da1ffd3153633e476d69fc79eb1457fa137d
Opcode Fuzzy Hash: 77d9a662c9ecee0dfb1e86ed2653c748f62f63e92b58d5e21553e78c9fff892e
Instruction Fuzzy Hash: E1217CB4E0960ACFCB44DFE9D4416AEBBB2FB48300F10C16AD455A7240D7349A81CF90

Function 06137231 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606d5ac7b2a6634db4801d00c585d4d7bd8de4c566c7aeb18673070f3fabcc37
Instruction ID: 973cd084943728ce2dcd834009f858c5a9657a42c3f53fbe93634aee3c8a6c45
Opcode Fuzzy Hash: 606d5ac7b2a6634db4801d00c585d4d7bd8de4c566c7aeb18673070f3fabcc37
Instruction Fuzzy Hash: 8D319278A15228CFEB65DF68C884E99BBF1FB48305F1042E6D919A7351DB31AE85CF40

Function 05EAA918 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a3e23e8df57f7ab42e1029634379269965f87d2181c0dc9ed9ab089bae86bf
Instruction ID: ddbb635a0fffdb1a92bbaef2eaa2b95c34339d788e4f85510215424edfe36ef3
Opcode Fuzzy Hash: d3a3e23e8df57f7ab42e1029634379269965f87d2181c0dc9ed9ab089bae86bf
Instruction Fuzzy Hash: D211B6333093005FD7358B79E484A2ABBA5EB84325B16A6BEE09ECB191CB31FC45C750

Function 05D3FD18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99b9832f3b4a68f6b358dec9f52e17017bc804dbd161901d552c5d5e3420461
Instruction ID: 01399495ce9071c90b64296a29003c981fbe93821ebfa8d942a6d4efe4d82cbb
Opcode Fuzzy Hash: b99b9832f3b4a68f6b358dec9f52e17017bc804dbd161901d552c5d5e3420461
Instruction Fuzzy Hash: 90213935A002099BCB159FA9C8599DE7FB6FF8D324F14812AE815A7390CE759841CBA0

Function 027C42E7 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94918f7343cf1564656e68b03353692aa1e2b9a4e80e79a265d9c1017cb4f8b3
Instruction ID: 8157e42ded19062dffb70ab946a91900a4b931981b65990ba6e3bb096fb6baec
Opcode Fuzzy Hash: 94918f7343cf1564656e68b03353692aa1e2b9a4e80e79a265d9c1017cb4f8b3
Instruction Fuzzy Hash: 3D21F270D44608DFDB44EFB8E4A87ADBBF1EB89304F2489AED205A7241D7344A95DF08

Function 05EA7DA8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44186f3457b7577b8fa09dc5d74b7fad530f6b5c1dea8c6ba0798c6c5fedea1f
Instruction ID: be9d3300184e6443b8e9721bc53e23536b803fb038234dc342e6cb3f3df32cbb
Opcode Fuzzy Hash: 44186f3457b7577b8fa09dc5d74b7fad530f6b5c1dea8c6ba0798c6c5fedea1f
Instruction Fuzzy Hash: 6C215772A002088FDB08DFA4C585ADDB7F2FF48304F205699E085BB3A1CB31AD40CBA0

Function 027C42F8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc210eabc60e7d45ba49018ac7e4d30184c8e27d6321e76014a80949c2e9c29c
Instruction ID: e53b8c1507c54fc85dc7ecf4fa5f7d31ce4fa302845cc98700bd57e063c5f6d6
Opcode Fuzzy Hash: cc210eabc60e7d45ba49018ac7e4d30184c8e27d6321e76014a80949c2e9c29c
Instruction Fuzzy Hash: F6211F70D44608DFDB44EFB8E0687ADBBF1EB89304F2088ADD209B3240DB344A95CB08

Function 027CFEC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3792211777632b94b34a2e57aa37927ba05f1f2cfdc7dad3ca227f9de9f0a897
Instruction ID: b1b5ef331c3d889315260edd3b3a1afeef93ce44f1ce1062d3adbc2a329025f5
Opcode Fuzzy Hash: 3792211777632b94b34a2e57aa37927ba05f1f2cfdc7dad3ca227f9de9f0a897
Instruction Fuzzy Hash: F221C0706102045FCB18EB69D8867AE7BF6EBC8304F10492DF04AD7685DEB59D0587F0

Function 027C9C90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7414c9f842ee989bc0befe68e004a88e174fd68ea249cc6687b0f54435c71f
Instruction ID: 40a00ac74b5249901f9d3970b86a63ff2f4c4ddbfd3b1a145708ffea312983ae
Opcode Fuzzy Hash: cd7414c9f842ee989bc0befe68e004a88e174fd68ea249cc6687b0f54435c71f
Instruction Fuzzy Hash: 9E216271D05209CFCB94CFAAC8446EEBBF6BB8C314F14842AD614B3240D7340955CBA0

Function 027C9CA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d7021f5ace3722a71fedbf95707d6ba8d47fa6adb82e726c11ef3a0b99677d
Instruction ID: f081e5edcf52eb5cf59b0e24df34b627b4dcea8957814d61bf52e3b94dfec792
Opcode Fuzzy Hash: c8d7021f5ace3722a71fedbf95707d6ba8d47fa6adb82e726c11ef3a0b99677d
Instruction Fuzzy Hash: A6113271D0520ACBCF94CFAAC8446FEBBF6FB88310F20842AD615B3200D7345A95CBA0

Function 05EAA4C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee0ad4b24fb3f4938a3ae29eb3d702855684323272504aa76cc6d54b9b6ccca
Instruction ID: 18f9a939c43967aa70d54ef7b6617783e5f850a13b182904d69a9fe33fd4ddf1
Opcode Fuzzy Hash: 1ee0ad4b24fb3f4938a3ae29eb3d702855684323272504aa76cc6d54b9b6ccca
Instruction Fuzzy Hash: 6D0161323002104B9B14AE7AE48896EB7DBEFC4629314903AE546CF315CE31DC05C7A4

Function 05EA0D00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f4f39a177c789f604d839191c2ae172b9616fa2d2a715238aa4a767dd1cd6c
Instruction ID: ed24377dfbf8cb170374ad8aa682617204b56c374db22d2ee9aefc0063425f93
Opcode Fuzzy Hash: 62f4f39a177c789f604d839191c2ae172b9616fa2d2a715238aa4a767dd1cd6c
Instruction Fuzzy Hash: BF117376B002549FDF24DB79C859BAA7FF2BB88701F14402AE585DB380DA71E9018BA0

Function 05EA0A69 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9214ed1b20d0d157854a5b376e6f89437b6c62c56609744924739fe07f99af6
Instruction ID: 13906c6f16089d4a1802da8d05d3b93683c068893917f9433c978950adcb75ac
Opcode Fuzzy Hash: b9214ed1b20d0d157854a5b376e6f89437b6c62c56609744924739fe07f99af6
Instruction Fuzzy Hash: 50216F79A42219AFDB04DFA8D594EADBBF2FF49304F204059E802AB361DB34AD41CF50

Function 027C0860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1187b25e7b1f0bcd789740a87e6cc45fae9ef7eac50365ee898488bb93452d14
Instruction ID: 56d86816ad8832cc4028350c35be73845af1f0a662dba0d3dd3d5fd532142658
Opcode Fuzzy Hash: 1187b25e7b1f0bcd789740a87e6cc45fae9ef7eac50365ee898488bb93452d14
Instruction Fuzzy Hash: BF0128367002008FC7559B7DE855A6E3FF6DFC9320B1540A9E606CB362EE21CC068790

Function 05EA0948 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a822d377d347eea64fb7a4afdc68e95d840bd1ea99dc2cd1b42afaf4f154cc5a
Instruction ID: 6e405ff37a61f623102c31523e87a715bd5e5556a19c3ee5e23103d1977f2bfb
Opcode Fuzzy Hash: a822d377d347eea64fb7a4afdc68e95d840bd1ea99dc2cd1b42afaf4f154cc5a
Instruction Fuzzy Hash: 21018436340214AFDB148E59DC84FAB7BA9FB89721F108026FA04CB3A0CAB1D8048760

Function 05EAF279 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cb91eae29cc6e98d17c69f9e4349aae61da316d4777fad7f55675faef3069f
Instruction ID: 5f2152f09a095461274acb3ce454ea00e037c26e42c122a93545cc760425c4e0
Opcode Fuzzy Hash: 11cb91eae29cc6e98d17c69f9e4349aae61da316d4777fad7f55675faef3069f
Instruction Fuzzy Hash: F901C43A3002008FD7299B38C455BAA77A2EBC5324F14662CE0968F790DB75EC42C790

Function 061356C5 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa4b1b3437253d70fbb002842fc28c7dfe72cdede6e57efc9b28fb446e70095
Instruction ID: fe1f986e336c2378a634afdd81a3e6c12034ec416769efe30ee4aa3875481676
Opcode Fuzzy Hash: aaa4b1b3437253d70fbb002842fc28c7dfe72cdede6e57efc9b28fb446e70095
Instruction Fuzzy Hash: EE216274A14228CFEB68DF68D889AD9BBB2FB48704F5045D5E509AB244DB349F81CF50

Function 0614DBF8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c295e5f0822de3d09eb2f253d47e3077f225f285bb42243f1394da944a633a0
Instruction ID: 488c055ec55bc492cd0de495c0be34b1cc0392cbb5087c07e1d14e14cd8057e8
Opcode Fuzzy Hash: 8c295e5f0822de3d09eb2f253d47e3077f225f285bb42243f1394da944a633a0
Instruction Fuzzy Hash: F211B3B0E002199FCB44DFF9D9456AFBBF5FF88300F20846A9518A7350DB359A419BA1

Function 05EAF288 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbe2f95e1ef0696e436a91c44ebedc41ef9ec6eaf2b3bb46f9e9e3cbad0d176
Instruction ID: 0c8c2733455d81252516d8fc0b4a4d4762f60308b128771f86b56196fdbf6780
Opcode Fuzzy Hash: 8fbe2f95e1ef0696e436a91c44ebedc41ef9ec6eaf2b3bb46f9e9e3cbad0d176
Instruction Fuzzy Hash: 3001923A3002008FD7299B74C554A7A37A3AFC5314F10A51CE5968F794DB71EC42D790

Function 05EA8FC8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813a54c0fc85966550d4f192d26f2c903317515d0ee25ab2005a36ae7755b6bf
Instruction ID: ff2a4ea4692a0d5c7d2c0f26b792fcc04fb461f5c24ed3ccd0f6aa7d6c7f1867
Opcode Fuzzy Hash: 813a54c0fc85966550d4f192d26f2c903317515d0ee25ab2005a36ae7755b6bf
Instruction Fuzzy Hash: 98F0F0323042051BCB049A2EFCC598BFFABEBC0624B40A93FB14ACB216CE719C458694

Function 05EA4F98 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ae0f82190a37316a13750bd394d2d280de988dbd9084ea76da8f692e352db3
Instruction ID: 92560aacf44641e390ae99bf1237d1016ba292bfc32b8d62f6703e46bad346ab
Opcode Fuzzy Hash: 57ae0f82190a37316a13750bd394d2d280de988dbd9084ea76da8f692e352db3
Instruction Fuzzy Hash: F301367A6042189FDB14CEA8D444A9ABBF9FF45324F25A069E544DB390D771E980CB50

Function 05EA0938 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91a707402f1f43b2265d77467c0cb803097208f19824831d6e38dc766dfb3d3
Instruction ID: 2dd7674662e6ffffc32420385224953de2c3c98abc37de49a1f069981a7ce0cb
Opcode Fuzzy Hash: e91a707402f1f43b2265d77467c0cb803097208f19824831d6e38dc766dfb3d3
Instruction Fuzzy Hash: FCF0CD777002009FDB44CE69D888F9A73F9FF98321B14816AF555CB3A0DA30D8048621

Function 05D37173 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b15cfd1550072fa85a93dc02b4649a4c4911742f1bed3d42d68477494f47496
Instruction ID: b5b1acda0d20938bd6c48a9dcfb2e9ee4c7dfc99779f5023c4038fb0b80317e9
Opcode Fuzzy Hash: 8b15cfd1550072fa85a93dc02b4649a4c4911742f1bed3d42d68477494f47496
Instruction Fuzzy Hash: 28012CB5D0960ADFCB84DFA9C9426AEBBF6FB48300F14D56AD509E3204E7709681CF91

Function 05EAD190 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fa565343d6a0678e0f5d9710a4565f2c6b1c988a4cfd54f2193cd5756e8256
Instruction ID: e905f150ed5171d4938b3b0d23531edddd074df5183c8d46bab36d7629aa8904
Opcode Fuzzy Hash: c7fa565343d6a0678e0f5d9710a4565f2c6b1c988a4cfd54f2193cd5756e8256
Instruction Fuzzy Hash: 240181353006149FC3099B25D058A1EBBA3EFCD7117108129F94A8B754CF31EC82CBC0

Function 05D3E7F8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b4c5aadfd1e51bab2a6980289e1763001cb204fdbdf856a4927bfeea6b2212
Instruction ID: 3f3c4f5306d51303a5a6edc658449efbeee2d91e6b8159d8dab5e2ecbca31183
Opcode Fuzzy Hash: b7b4c5aadfd1e51bab2a6980289e1763001cb204fdbdf856a4927bfeea6b2212
Instruction Fuzzy Hash: 9D014F30D08608DBEB44DF69DC06BD9BBBAEBC9301F008426D50967285DB349445CE15

Function 05EACF08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8246ebad2b6917b972c1285132f630ae850723c468e6132df04f46cb705219fc
Instruction ID: 5255561d25f509d544f764141ee7e22758b23a1c2997416f4eec34d0f84779fb
Opcode Fuzzy Hash: 8246ebad2b6917b972c1285132f630ae850723c468e6132df04f46cb705219fc
Instruction Fuzzy Hash: BDF062363402009FC7049B2AD495E6A7BAAEF8C720F144169F946CB760CA35EC428B50

Function 05D34ED9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feaf92aab17e79411b5204b83bd2dcfe0f4c51601653bcecf09116a53c7eb4c9
Instruction ID: cfc6442830500de097ed61903c9065b342a49b48eba04bc9e1a85454324589c3
Opcode Fuzzy Hash: feaf92aab17e79411b5204b83bd2dcfe0f4c51601653bcecf09116a53c7eb4c9
Instruction Fuzzy Hash: 1B018C74D4A208DFCB80DFA8C84AA98BFF4AB09319F1444DAE809D3362D6759D44CB41

Function 0614FF68 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5795b5f1ac92d8fc19d4c5f44ecd9fb393589322c21b085386bd355600a7863e
Instruction ID: 7de7ead947e49bba93c8720c07fd451ea7b65673fc18e2d4dd0f5e44f1bba671
Opcode Fuzzy Hash: 5795b5f1ac92d8fc19d4c5f44ecd9fb393589322c21b085386bd355600a7863e
Instruction Fuzzy Hash: D7F0E932F052215FE7145659980476FF7A9EBCD710F14442AF5059B340CB72AC42C3C4

Function 0613176F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95811d242fc7dd4a9462d01158e88fae3487ae9ff6130df3246c9b6464c7e4c
Instruction ID: 0378ff9211835c394ad00176b91a33162545a92d25eab798b795924c5eaff29c
Opcode Fuzzy Hash: a95811d242fc7dd4a9462d01158e88fae3487ae9ff6130df3246c9b6464c7e4c
Instruction Fuzzy Hash: 6E110378A04128CFCB68DF58D988999BBF2FB49304F5045D8E509A7350CA30AE818F64

Function 05EA9B6E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f658f29198058f076a2eb819503e1bb35501b8a1183434a624a223542345ef92
Instruction ID: 3a74136f028a9a698c8dd20a781b322016d5b054a9e7ec5b60937b92a67a7b97
Opcode Fuzzy Hash: f658f29198058f076a2eb819503e1bb35501b8a1183434a624a223542345ef92
Instruction Fuzzy Hash: 2DF024327001086BDB189A29D84496EB7AAEFC8230B044126FD2ADB3A1DE30AC168690

Function 05D36C4B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2862f16854b70e0da42032fa872cd91e7cd0f73b29342deaf336573ca48742
Instruction ID: 000f17d3a0139c41680265f27ffd5a4a79e3c86c40408ecbc78a307a12013aea
Opcode Fuzzy Hash: 6c2862f16854b70e0da42032fa872cd91e7cd0f73b29342deaf336573ca48742
Instruction Fuzzy Hash: 25F0ECB0D45209EFCB84DFA8D9456ADBBF4FB48304F5085AAA809E3250EB319A40DB91

Function 05EACF18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70be1f0a829521556fe155141a66aaf44fb15af36bbd537ba9a6c233bcd9da3f
Instruction ID: a8c22199f41b67e18ff47a9764067318025bdb009ae59ec65ed69ab6c2bd4942
Opcode Fuzzy Hash: 70be1f0a829521556fe155141a66aaf44fb15af36bbd537ba9a6c233bcd9da3f
Instruction Fuzzy Hash: B6F0FE753506009FC714DB29D458D3A77AAEFC9721B154069F946CB371CE71EC42DB90

Function 027C0918 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806e0ac2d1de5b76b3bab5b33d4d0af99b4aa233a3dc3dd7c0237a2d061b0d9d
Instruction ID: 4cb0481eb35c4fe6b70e5f698095fd08fe4e4b605da10eae4e92f5ce39e58370
Opcode Fuzzy Hash: 806e0ac2d1de5b76b3bab5b33d4d0af99b4aa233a3dc3dd7c0237a2d061b0d9d
Instruction Fuzzy Hash: 7AF08271A00618DBEF04EB78C85979FBEB6EB88710F60092CD506B7345DF780A459BE2

Function 05EA2030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2678e69c520da6851f08b83607de5b1917dd01c1b01a83015fa215d39349e01
Instruction ID: cd92e0f4fb13974b434bf0113e6298cb6973d182ff693bd048baac7bc0c0b46b
Opcode Fuzzy Hash: b2678e69c520da6851f08b83607de5b1917dd01c1b01a83015fa215d39349e01
Instruction Fuzzy Hash: DEF0E276E04614AFDF09DFB4D48D38C7FB2AF44224F04859AD08AE72D1DB745A84C744

Function 027C9A58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88c0a721f7db9240f1dbd3d30334250d68b6736ad986d3aa8e4fa812650e745
Instruction ID: 4d37fb150df620c3841ee1abf3b469c7fb010bc99a9e3fc1320a1aece8abb590
Opcode Fuzzy Hash: d88c0a721f7db9240f1dbd3d30334250d68b6736ad986d3aa8e4fa812650e745
Instruction Fuzzy Hash: 63F034B5D04208EFCB80EFA8C940AECBBF5EB49314F14C09AA808A3311D6329A59DF44

Function 05D36052 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3887a52662e1a75e34e5e7944d8a147fde96b26c53a59e13b5744a3c93293b6
Instruction ID: 06d7ac385e7d544c5b8a47af05a29e1dcfb036e77d5647d465e339dd9a09def3
Opcode Fuzzy Hash: d3887a52662e1a75e34e5e7944d8a147fde96b26c53a59e13b5744a3c93293b6
Instruction Fuzzy Hash: A6019274905318DFDB54DF68E889B9CBBB2FB09304F108056E50AA7291DB749985CF00

Function 05EA8F78 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07a84e8fec955ecae298671d55d1bacb56d9b5cfab6be93428122017846fff6
Instruction ID: 55122ef3b05e3a754fe1d883dd8195cb8d71650e93d3308b3463f3ecb5562d59
Opcode Fuzzy Hash: f07a84e8fec955ecae298671d55d1bacb56d9b5cfab6be93428122017846fff6
Instruction Fuzzy Hash: 1CE0D8A771812247EB14186E6C5139DD182EBC8A38F44173EF995CF3C2D915880102A0

Function 05D3256B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d6c90368286f99dc0d97d58bd3449cf293dfba1064a7a83de893b3ef48f73
Instruction ID: 530ec244422f0dccd7045272887e12cd5d2bad886d94b9e8e259e20f37807388
Opcode Fuzzy Hash: 478d6c90368286f99dc0d97d58bd3449cf293dfba1064a7a83de893b3ef48f73
Instruction Fuzzy Hash: C1F0F875D05248AFCB80DFA8C951AADBBF9EB4C310F14C4AAA858D3341D6359B51DF50

Function 05EA203C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad71e955c117c083ad64707e48a4f92bfee48a9d15a8e749d2274b2936fff29
Instruction ID: b651beb8e24ee4f51d18dd3ecc266444e30f8cf950f7e123bc5e6182bf83deec
Opcode Fuzzy Hash: cad71e955c117c083ad64707e48a4f92bfee48a9d15a8e749d2274b2936fff29
Instruction Fuzzy Hash: 8DF0A731A04618AFDF05CF65D44C7DDBFB7AB44315F048096E08AA6280DB701A80C784

Function 027C0C48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a26b83fe9b0dc52f51e42083837a35e404ac15a585fbe89811b25a6abcefa2f
Instruction ID: 6e283a7d37f6f34c684dff379c3ae6fcfa702d6bc686187f68f29631f9dad2ef
Opcode Fuzzy Hash: 2a26b83fe9b0dc52f51e42083837a35e404ac15a585fbe89811b25a6abcefa2f
Instruction Fuzzy Hash: 31E04F32704218AFD718EAA8E4445DA7BEDEB49271F20007AD60CC3654EA3299408790

Function 05D32570 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce49c544854756598d910385d247814f7755656a28a2384c4e4902a194432f6c
Instruction ID: d30cbdc114edf74fea20d6d7a4ba4771dc0620f46995126cc3f61c8627ea4c98
Opcode Fuzzy Hash: ce49c544854756598d910385d247814f7755656a28a2384c4e4902a194432f6c
Instruction Fuzzy Hash: DBF01C74D04248EFCB80DFA8C951AADBBF9AB4C310F14C49AA858D3341D6359B51DF50

Function 06134A8A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5068e86d2bd2834abd7725a042233d4579174a6d6cccf4038753fc4bd22a915
Instruction ID: 844516695b0179226b4ab39f6cefd13d1e85a9faf5f5250dacb802085a9d425f
Opcode Fuzzy Hash: e5068e86d2bd2834abd7725a042233d4579174a6d6cccf4038753fc4bd22a915
Instruction Fuzzy Hash: 62F0EC74B04229CFD768DF94D844B9A7BB5FB4E314F1040E5A509A7744CB709E81CF51

Function 05EA2040 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea25eb6b5be93ac53d9349c1e8550f8f1a6018609c1ce3ed8848c3dd8e4025ea
Instruction ID: 9aec60f5d56bf88c8c79c316f726a1a9372e9c361581f3480ac2b81cc333f062
Opcode Fuzzy Hash: ea25eb6b5be93ac53d9349c1e8550f8f1a6018609c1ce3ed8848c3dd8e4025ea
Instruction Fuzzy Hash: 5DF06535A04618AFDF09CF65D48D6DDBFB7EB44215F148496E08AA7250DB705A81C784

Function 05D34F2B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42a47dba0e16a870bbfb8b3451984a016a5aa6579c2d16350a3317c628b66c3
Instruction ID: 2da4376078eaee23f3c03fabcda5d6eaa78365718fe89e8243c1b0ce4232f439
Opcode Fuzzy Hash: e42a47dba0e16a870bbfb8b3451984a016a5aa6579c2d16350a3317c628b66c3
Instruction Fuzzy Hash: 20F03078D04218AFCB50EFE8D54A6ACBFF5EB04314F0484E9E848A3341DA359E40DF51

Function 05EA8FD8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41fa5df803bcddd717ee74ef5c64a0109d746a43ce158365d06ce27096a4cf7
Instruction ID: 44ef24b1f5539eedfb3d027057b015e35b32a75c0add14b4a3cecedc3d6f9b6d
Opcode Fuzzy Hash: e41fa5df803bcddd717ee74ef5c64a0109d746a43ce158365d06ce27096a4cf7
Instruction Fuzzy Hash: B2E01A712002055BC7149A1AE88484BFB9AEFD1764710EA3AB54A87625DE71AD8A86E0

Function 027C8A30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdfbb88809504fed7518423d5cd58a928490f4fb41c77237b8c0cde96b850bf
Instruction ID: 2a49869af322db2685891a8df6d2c9fd8c8ae3327efc089b118540def866af25
Opcode Fuzzy Hash: ffdfbb88809504fed7518423d5cd58a928490f4fb41c77237b8c0cde96b850bf
Instruction Fuzzy Hash: DFE09270840508DEC741DFB4D9047DA3BB4AB0A204F0048D59144D3110EE324A94AB65

Function 05D32D23 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722ada928161d647949a8d6ae56ab337f1f23a70cca84df4c16886b2bf9ec063
Instruction ID: 8a4c08704a61923d986889a062301e9b62fb35d77f6951325737a36644ef1f51
Opcode Fuzzy Hash: 722ada928161d647949a8d6ae56ab337f1f23a70cca84df4c16886b2bf9ec063
Instruction Fuzzy Hash: 25F065B4D04208EFC780DFA8D5416ACFBF4EB48314F14C4AAD848D7340D6359A41DF80

Function 05D34F30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa32860e9e219d669d30674678976cccfea150224910e7ec6b2652c341af81ad
Instruction ID: b7b341981dc9dab6c38f7c0a79ad74d4b6bb02ca792c02d1c6ab5b8e6a8dc350
Opcode Fuzzy Hash: fa32860e9e219d669d30674678976cccfea150224910e7ec6b2652c341af81ad
Instruction Fuzzy Hash: 49F03074D04218AFCB40DFE8D54A6ACBBF4EB04314F0484E9E84893341DA359E40DF51

Function 05EAAA20 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceddba5788bd2a0036015f3a8a54047ac5e367854e89c1aa05a6491d6813f640
Instruction ID: 36efbc26315c85c797b7e10d6cea1708a1837f86b2b642526d5f4a89dd5b2797
Opcode Fuzzy Hash: ceddba5788bd2a0036015f3a8a54047ac5e367854e89c1aa05a6491d6813f640
Instruction Fuzzy Hash: 54E0D863A193800FC742A3399D4918D3F909F961307087F9AE0F7855E7D924940F9652

Function 027C0992 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7002c82b440beb1508189c55e44b1e3e783b24498abf999cac251deac962a670
Instruction ID: 376bb50b7519347c59245962921d4a8a4914b738b4f26d12fc11cdcf7d253120
Opcode Fuzzy Hash: 7002c82b440beb1508189c55e44b1e3e783b24498abf999cac251deac962a670
Instruction Fuzzy Hash: 1AE065B1A14615CBEF58EBB894583AE7EA2AB84350F60191DC406F6245DF780A449BD2

Function 05D37118 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af1ec94360afe2323485d192a69f73c7402d3be0f23ac4d2a72c8ada0805814
Instruction ID: 19a0835ca905e729147400ec971bde4931610fc4e98cec23db0fe1bf55023545
Opcode Fuzzy Hash: 9af1ec94360afe2323485d192a69f73c7402d3be0f23ac4d2a72c8ada0805814
Instruction Fuzzy Hash: D3F0E5B5E492449FC740CFA8C545998BFF0EF05311F1092DAD854CB3A2D3318A46CB01

Function 05D36241 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d99824df28f806e6aed348e10ad29d31ba06ada79fdafa28398ed668c0467bb
Instruction ID: 13532749c89ff970085f41baf5d2c8deab1592237be8aabc9eb143df93fbc189
Opcode Fuzzy Hash: 5d99824df28f806e6aed348e10ad29d31ba06ada79fdafa28398ed668c0467bb
Instruction Fuzzy Hash: E4F0D474D09218DFDB54DF68E889BACBBB2FB09315F408096E459A7390DBB89985CF00

Function 06144E70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e10b7e1022817956c8e3d022cca9b4a9433599f2118b05accd3180f782ad5eb
Instruction ID: 9c56cfe8d74d9c369f3d5ac038cdaf3bf09fc2d793154db0ef6fa4729ea25b72
Opcode Fuzzy Hash: 2e10b7e1022817956c8e3d022cca9b4a9433599f2118b05accd3180f782ad5eb
Instruction Fuzzy Hash: 34E0E574E05208EFCB84EFA9D584AADFBF4EB48310F10C4AA9818A3341D7369A51DF80

Function 06149028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e10b7e1022817956c8e3d022cca9b4a9433599f2118b05accd3180f782ad5eb
Instruction ID: cd396bcdd2d445b86d878f440a47c25f57d7dfe1a2c6ee12a92a42fe62d470cf
Opcode Fuzzy Hash: 2e10b7e1022817956c8e3d022cca9b4a9433599f2118b05accd3180f782ad5eb
Instruction Fuzzy Hash: 88E0ED74D05208EFCB84DFA8D545A9DFBF8EB48310F10C4A99808D3340D7359A51DF80

Function 05EA4018 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c49ba00432b9979e8d0381ae90e5eea767b57312e8ce592af111f488bb9c533
Instruction ID: 44a57ee3542d867b77cc8fdff44008c341c7ca4eb1aed215c92312cd7b55e40c
Opcode Fuzzy Hash: 4c49ba00432b9979e8d0381ae90e5eea767b57312e8ce592af111f488bb9c533
Instruction Fuzzy Hash: 3AE02633780310AAEF24AAB099817A87780AF41721F246A95D3A65F1D0DAA1F401E713

Function 05EA896C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c762fe5ca7819e137c297b92e4efc0b65e30e8cf1c843300aec96ccd27777787
Instruction ID: 4a065d43043fa138a630dd2b96fbe9cbe14ee53497898bc1a3f20b41e3d08a4c
Opcode Fuzzy Hash: c762fe5ca7819e137c297b92e4efc0b65e30e8cf1c843300aec96ccd27777787
Instruction Fuzzy Hash: B6E0DF72B0C2821FC7176239A8166DA6FE65F8610470990AAA0C9DB226ED14EC4A8792

Function 05D3219B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237294a12536c9c3f1ef3aaddeba61d29bdfdae92502c07644a447f8e499e662
Instruction ID: e947da70a62de050c6a00ed9606d7e7f903e211bb3a11f9f3eaa5c677f4c95fe
Opcode Fuzzy Hash: 237294a12536c9c3f1ef3aaddeba61d29bdfdae92502c07644a447f8e499e662
Instruction Fuzzy Hash: 91E09AB4D46208EFCB80DFA8CA0569DBBF5EB08300F00C4AAE804A3310D3318A50EF80

Function 05D350B9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47230fbbc7cf2beebed965941d96b6d6b9ba9f41137eba4b0e649789e66dadd
Instruction ID: e47a9036ff946ab4be3ec6cb4517a9249f46427a38a6b73ddab5c85cd240035f
Opcode Fuzzy Hash: d47230fbbc7cf2beebed965941d96b6d6b9ba9f41137eba4b0e649789e66dadd
Instruction Fuzzy Hash: 55E09274945108EFC744CFD4D6015ACBBF1EB49310F14C1D6DC6953341C6368B42EB40

Function 05D34E4B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fdf0ecc89f5ffed904367a170ab718e91258d03f8cfc3fade6047952b89c8c
Instruction ID: f693689333f6caca0c2c1064bf42e021c6e5b919ab5db36574a768e3711f99b5
Opcode Fuzzy Hash: 17fdf0ecc89f5ffed904367a170ab718e91258d03f8cfc3fade6047952b89c8c
Instruction Fuzzy Hash: DAE09A71945208DFCB80DFA8C98AB9CBFF4EB08214F1480A9D848E3320E330EA44DB52

Function 0614BF18 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8dbf8e7f84366e46155be2843a502586d2b4a05dcbaed14d91d2706563b85e
Instruction ID: 2cb93ec9f235b3625f294a2ec6c98b82b3fcbe0f84ba678b530117cb459120fa
Opcode Fuzzy Hash: ce8dbf8e7f84366e46155be2843a502586d2b4a05dcbaed14d91d2706563b85e
Instruction Fuzzy Hash: 62E0E574E0A208EFCB84EFA8D544AACBBF4EB48314F10C4A99808D3340D7319A42DF80

Function 0614D718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3c0de59333bf28878ae82554113ab382cdcb10109f9b3f505c7fb0df6df9fa
Instruction ID: 76b48ea046b45f92571a904368a62cce7b6dae9d04dbac3371274c76209b4d10
Opcode Fuzzy Hash: ed3c0de59333bf28878ae82554113ab382cdcb10109f9b3f505c7fb0df6df9fa
Instruction Fuzzy Hash: 75E01A30D892089BDB85EFB8E54579DBBF4AB48305F1048A99A0893340DA305A54DB55

Function 0614F758 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8dbf8e7f84366e46155be2843a502586d2b4a05dcbaed14d91d2706563b85e
Instruction ID: f77a3edebb66f3e069cf9200728f1d8df03f938fe4b2dbfc661a6ddefd1b9b3a
Opcode Fuzzy Hash: ce8dbf8e7f84366e46155be2843a502586d2b4a05dcbaed14d91d2706563b85e
Instruction Fuzzy Hash: BDE0E574E49208EFCB84EFA8D5446ACBBF4EB88314F10C4A9980893350D735AA42DF81

Function 05EAAA2C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95898776bdc08f5c8eba35d103fa93e8c074be1c5199a2f524ab98c3dee608d
Instruction ID: 7558e317ac7b899669dc6d69e66acfaa3e9b17ab43d6c33f9b5d058849524d00
Opcode Fuzzy Hash: c95898776bdc08f5c8eba35d103fa93e8c074be1c5199a2f524ab98c3dee608d
Instruction Fuzzy Hash: 55E07D13A083404FC342A3399C511853F50DF861307086F95E0D7C35D3D934940A9221

Function 060C00F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd3d1bb7a12897fef036a716017eaf8577579818ec465788fb8456af98f9c20
Instruction ID: ba6a2e71da71457caa04d28a4bd651d6e6fa016e50a8bc0aa15b7672d37da547
Opcode Fuzzy Hash: dfd3d1bb7a12897fef036a716017eaf8577579818ec465788fb8456af98f9c20
Instruction Fuzzy Hash: 05E0D830849208DBC740DFA8ED4579DBFB4AB41328F14829CDC44133C1CB324D51C780

Function 027CD3E2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2e05f0e471dfa6da1d456f113e34a9fe74dbc28586199c9df6be65e3081ca6
Instruction ID: 0ad43c414f8b8c8319f1b4058f30a2760053e507e6b713302f78f1daedae035b
Opcode Fuzzy Hash: 8e2e05f0e471dfa6da1d456f113e34a9fe74dbc28586199c9df6be65e3081ca6
Instruction Fuzzy Hash: DDE04F349091489BC708DFF4E5516BCBFB4EB45318F2495ADD94853341C6316A47DB94

Function 05D321A0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545227856c3d406b139e41ede556d012318e7fb26ae4899f114ad6c52b1b1855
Instruction ID: 6c0d3fa62c0432f3e6eb1d06aa1588a20cfde5ba10e00b802d8e888b51f06858
Opcode Fuzzy Hash: 545227856c3d406b139e41ede556d012318e7fb26ae4899f114ad6c52b1b1855
Instruction Fuzzy Hash: 68E01A74D06208EFCB84DFA8D60569DBBF5EB48310F10C4AAD904A3354D7359A50EF84

Function 05D3DB80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545227856c3d406b139e41ede556d012318e7fb26ae4899f114ad6c52b1b1855
Instruction ID: dc3c543f5a60e880635c577e05b6410ef92d691fbfcfd2232206abb17e39adb6
Opcode Fuzzy Hash: 545227856c3d406b139e41ede556d012318e7fb26ae4899f114ad6c52b1b1855
Instruction Fuzzy Hash: B4E01A74D05208EFCB94EFA8D505A9DBBF6EB48311F10C4AAD814A3350D7359A50EF84

Function 05D3FA98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108f03db84ec9da9ce7be6b273bcd68663aff378868cbab7cc33d604b457bfaf
Instruction ID: b01189ea507e480ee16be57562d34541840e5528a33d575aa8a348d8e2a18d3a
Opcode Fuzzy Hash: 108f03db84ec9da9ce7be6b273bcd68663aff378868cbab7cc33d604b457bfaf
Instruction Fuzzy Hash: 83E0E574E05208EFCB84DFA8D5456ACBBF5EB48314F10C4AA980893340D6759E46DF80

Function 0614E978 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598de534fc52a7abfeeaab30dcc4052c04b38075ee36c0dc022a296b88521fe4
Instruction ID: 635d41cc1b3af0299d015d30e4f4be33651db09c9629f1bfcd722300c9816aaf
Opcode Fuzzy Hash: 598de534fc52a7abfeeaab30dcc4052c04b38075ee36c0dc022a296b88521fe4
Instruction Fuzzy Hash: 39E08674D09108EFC784DF94D5409ADBFB8AB45310F14D499D94457381C7329A51DB94

Function 027CCF88 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002df23c808a0388cb59e63804961583458574698fbd53fef050dc54675a2b72
Instruction ID: 5c27becacb2ed0f16451abab720804822670028cb44819793828dffb46b78f69
Opcode Fuzzy Hash: 002df23c808a0388cb59e63804961583458574698fbd53fef050dc54675a2b72
Instruction Fuzzy Hash: 66E086355091489BC746CBA4E611BE4FBB8A746318F24648DD80C47341DA725902D794

Function 05D350C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52563c058b1b6d4cc7818a3e4ad9957702645688a73ac3fb0ff803daf3a9fa00
Instruction ID: fb1f70ac16e9a6b755a17c1e923fd81ce29b28fa37463504745b8b548646fca3
Opcode Fuzzy Hash: 52563c058b1b6d4cc7818a3e4ad9957702645688a73ac3fb0ff803daf3a9fa00
Instruction Fuzzy Hash: 84E01A74D09208EFCB44DF98D5419ACFBF5EB48310F24C0EAEC5463341D6329A92EB84

Function 061479C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fc39297c72513015c804879afe36c5f6f752d9e7c37d42aad03773ef4dc5ab
Instruction ID: 803ce6a4cce627fd9c34ddce4140aeef3b453eb9d34d3f213a81850dcc8d76e3
Opcode Fuzzy Hash: c9fc39297c72513015c804879afe36c5f6f752d9e7c37d42aad03773ef4dc5ab
Instruction Fuzzy Hash: 47E04F34D45108EFC784DFA9D5416ACFBF4EB49324F14C4E9D84853381C7329A41DB80

Function 05EA4028 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8716e36a7fd4025b59211fbcc6dbbf12815f3c755434fdd361b95bae1d0e7d
Instruction ID: c2f9dc0a1f49285d0db349a57c508cdabdf1fbdaf5e16d3050919b145d969b3d
Opcode Fuzzy Hash: dd8716e36a7fd4025b59211fbcc6dbbf12815f3c755434fdd361b95bae1d0e7d
Instruction Fuzzy Hash: 32D05B3338431497DF34AA709841BE17399AB45715F1464A5E7865F2C0DAE2F841D752

Function 060C06E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a7a8b618e25fa9904c3a06d410ec35d379cd757cbcf51ec22cf22dfe66f2a1
Instruction ID: 575c3f580874ef93ae3c4879755f59b1403d6b9369f950cc705665083e770770
Opcode Fuzzy Hash: 34a7a8b618e25fa9904c3a06d410ec35d379cd757cbcf51ec22cf22dfe66f2a1
Instruction Fuzzy Hash: 7AE0267088E284DFC3C4CB60D954A2D7FA89B02329F1841CDCC084B292CA338C44DB41

Function 05D365B3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc70069d306b468837b97ab4d1025d73fd2c0fbfb9edd392e38c9e8fc1727a9e
Instruction ID: 83324e8ee0272e1f27d080afe985228a20853b33a3610fe537321d62b0353aad
Opcode Fuzzy Hash: dc70069d306b468837b97ab4d1025d73fd2c0fbfb9edd392e38c9e8fc1727a9e
Instruction Fuzzy Hash: 71E08CB0C86258EFCB80DFB8D94A69CBFF4AB04205F1044A9A909E3340EE308A50CB90

Function 05D3F400 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48609d81598a7c6ccfbf4b8e3dbb14dd725a75f0a102597b39579fe047bb66b9
Instruction ID: e6f0597cd545b7b0c10eae37343b3441796acc52d08a36b4b4bcb8d21c579ff8
Opcode Fuzzy Hash: 48609d81598a7c6ccfbf4b8e3dbb14dd725a75f0a102597b39579fe047bb66b9
Instruction Fuzzy Hash: B3E08C30D0520CEFCB80EFA8D9466ACBBF4EB08314F2084BAD909D3341E6329E42CB40

Function 05D32FC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15130abb5703a3554ab90ccdcc2d44f5400945b33eee25f5ee20bb6c150ec3bb
Instruction ID: 0ca43fa2fa5c68824476d8b96e9b05f8dcf60645dc360a5c4158946450e4370c
Opcode Fuzzy Hash: 15130abb5703a3554ab90ccdcc2d44f5400945b33eee25f5ee20bb6c150ec3bb
Instruction Fuzzy Hash: 02E04678D66208DFC780EFA8C549A9CBBF8AB08314F1040EAE808D3320E6309E80CB41

Function 05D35FFF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61eb2f3ea3b19dde4f866ffc0ebb09225c123d549dc209784a8b764779d7af22
Instruction ID: ce7783eac32826359a4316945956d9111494fe7bb2a2416eee1bcdce2e9a3228
Opcode Fuzzy Hash: 61eb2f3ea3b19dde4f866ffc0ebb09225c123d549dc209784a8b764779d7af22
Instruction Fuzzy Hash: 8BF07F74909308DFDB94DF68E985B98BBF2FB09304F108096E549A7361DB759985CF00

Function 05D34E93 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c657ff444c094889259c246c14c37b97d3354fe486054a99ef7b66ded7ef0780
Instruction ID: 922ed0ca0ed3cb7b3f2c42a4bc122f747a915a0343d9339537f1999b0689c8be
Opcode Fuzzy Hash: c657ff444c094889259c246c14c37b97d3354fe486054a99ef7b66ded7ef0780
Instruction Fuzzy Hash: 41E0263444C15487CB50CBE8CA0F7ACBFE0AB01335F1902DE8885973D2C7B90542C741

Function 05D34E58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d07016a4c76272ffc99fe96db702f604126e6e6f71c94f7947ef98b5831ddbf
Instruction ID: 39a0effe74d8cf707519c1a88b70409f8839cdb8d12cdc27b87e129ce9a2a0ee
Opcode Fuzzy Hash: 7d07016a4c76272ffc99fe96db702f604126e6e6f71c94f7947ef98b5831ddbf
Instruction Fuzzy Hash: 2DE04674945208DFCB80DFA8C949AACBFF4AB08224F1080AAD848E3320E730EE44DB41

Function 0614CAA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59995753d363077481c4b73111d8d87bcc865e9527fa33abfeddf2901a4f4cea
Instruction ID: 607ccc23ce5f749a79c30679f0d908c6e1f09be8729bad8a656d2a6d677d0919
Opcode Fuzzy Hash: 59995753d363077481c4b73111d8d87bcc865e9527fa33abfeddf2901a4f4cea
Instruction Fuzzy Hash: 59E0C234D0A108DBC744EF94D5409ACBBB8EF45314F24C5ACD80813350DB329E42DBC0

Function 060C0108 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c086a78619b4f53af13876562380668dc3a7d2039f6c30edd448c2ee30809e0
Instruction ID: ac5160dbbca44ba1c43e8c42889e16b64b10a1e343406cd73514fdc22390e8a0
Opcode Fuzzy Hash: 0c086a78619b4f53af13876562380668dc3a7d2039f6c30edd448c2ee30809e0
Instruction Fuzzy Hash: 25E0C234D49108EBCB84DF98E9409ACFFB8EB45328F10C09CCC0913341CA329E52DB80

Function 027CF048 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ed31c127c27294e39ea47f2933d135a0d7a38fc2d75abb9b049224928c9d79
Instruction ID: 9d3a40d1eb68d49134dde354afa6c4af1f5a915f44c8562cf66b80ef7f67f94c
Opcode Fuzzy Hash: d2ed31c127c27294e39ea47f2933d135a0d7a38fc2d75abb9b049224928c9d79
Instruction Fuzzy Hash: F2E0C234E09108DBCB04DFA4D5409BCBBB9EB45324F20C09DCC0827340CB329E82DB81

Function 027C8A40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162ebcd8d0783cfd5352d3f19eb3d296ff213f9a2c336f4d1725ca932a139ce0
Instruction ID: 08020022b891534e159a788076182394e37cf700918ba99e78e4cd9dde58cf0d
Opcode Fuzzy Hash: 162ebcd8d0783cfd5352d3f19eb3d296ff213f9a2c336f4d1725ca932a139ce0
Instruction Fuzzy Hash: A9E01271941208DFCB45EFF4D50869E7BF8EB09315F1049A99509D3110EE324A54ABAA

Function 027C8890 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b64952d8dcbf21980cc164275f0e4edc581d65f6ad4c2d8d2416a877d17a90
Instruction ID: 400cc2a2a78968233390ab359fe3d6045579f4db1d7f2687c57f17424a9d9903
Opcode Fuzzy Hash: a2b64952d8dcbf21980cc164275f0e4edc581d65f6ad4c2d8d2416a877d17a90
Instruction Fuzzy Hash: 08D02B2045E7814BE3A72778A419BFC7FA18F47319F054C9ECA8893946C924485ECB37

Function 027C1C33 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e2b1f061b12128de5f44645d262e6a0fd7450c70abd85ccffcde969b2aeead
Instruction ID: 320e15bbbde4913e879983900151288f2ffe9ff4d06365aac0fcb731fabdf56f
Opcode Fuzzy Hash: 32e2b1f061b12128de5f44645d262e6a0fd7450c70abd85ccffcde969b2aeead
Instruction Fuzzy Hash: FEE08670909189EFCB41DFB8ED504AD7FB6EF85204B1405EAD404DB252D5301F25E725

Function 05D365B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c847e91e4aaeba89fd9d69ed60574c8011db9faf88dac09fd393af9da2c182
Instruction ID: f81a3241589d918fb2f30bb33bec740d5804d81208119001afd33c8486c4fb27
Opcode Fuzzy Hash: b3c847e91e4aaeba89fd9d69ed60574c8011db9faf88dac09fd393af9da2c182
Instruction Fuzzy Hash: 30E0EC70D56258EFCB80DFB8D54A69CBFF4AB04215F1044A99909A3240EE309A54DB51

Function 05D3D8D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e04baf1a691047c40a1bb91a95d45e5ad950495cd6df20253a2e6d2f1164633
Instruction ID: 1f894fb9c0dade4dd3f568d882d94b5417e6f3a09ff6bc034457c8d304301e77
Opcode Fuzzy Hash: 4e04baf1a691047c40a1bb91a95d45e5ad950495cd6df20253a2e6d2f1164633
Instruction Fuzzy Hash: 88E0EC70D56208DFC784EFA8D94A69CBFF9AB04215F1444A9980993240E6305A94DF81

Function 027CFE50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852ef99a4ca5fd240f9aadbcedee0f634c4d3bcc853d603fe3e80fc319eee5e1
Instruction ID: ce655c3e2f0c9c3d01277dd922ec65363f2a8072bc109a7e2cf6436a9349c239
Opcode Fuzzy Hash: 852ef99a4ca5fd240f9aadbcedee0f634c4d3bcc853d603fe3e80fc319eee5e1
Instruction Fuzzy Hash: 26E01274A10208EFCB04DFB9E94166DB7B5EB49305F508999E844AB240DD319F019BA5

Function 05D34EA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b9c70eeaa927736b30b9d91a810845899d08a9eb7c580ee23c1b373ab3ff28
Instruction ID: 48867b46cbc3a64c44b036cfff43013ff5fc44745052f0a231a45b57298e11f3
Opcode Fuzzy Hash: 22b9c70eeaa927736b30b9d91a810845899d08a9eb7c580ee23c1b373ab3ff28
Instruction Fuzzy Hash: E7E01274D59218DFCB80EFE8D54A69CBFF4AB04315F1044AAD809E3350EB715A94DB81

Function 06138C68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b78164bb92c2cb109a0a5290fd92662d1c7432903ce8adbcc15a4486f39e67
Instruction ID: 073d5ae263537a19b33528c71799727dfb2259f2a578aed8c6619b6cee815b6a
Opcode Fuzzy Hash: 70b78164bb92c2cb109a0a5290fd92662d1c7432903ce8adbcc15a4486f39e67
Instruction Fuzzy Hash: FEE06534A09228CFDB68DF64C888ADABBB1FB4E306F0041D4E409A3704CB349E81CF56

Function 0614FDA0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b28041406ba40f12809e488fdcc413117c4ed33f1129892016a0af981f46ea1
Instruction ID: d836250f4e244b4aaf1c14b3804ce90af515edd3a128477bfb42a9e9185ca8bc
Opcode Fuzzy Hash: 9b28041406ba40f12809e488fdcc413117c4ed33f1129892016a0af981f46ea1
Instruction Fuzzy Hash: 67E01270A05209EFCF04DFA8E94169DB7F5EB44304F104999E508E7341DD715F0097A1

Function 05EAA9BB Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12abac07cd6da27ec1590fbc3dcd380e0db25f14076478b7903ee934897f515c
Instruction ID: 6056792a8441ebd3189634189bd932f3ece764bcf51c4dd4c3103fbf67f99c36
Opcode Fuzzy Hash: 12abac07cd6da27ec1590fbc3dcd380e0db25f14076478b7903ee934897f515c
Instruction Fuzzy Hash: 89D012327444284B9B4995FC74801FA77DADFC916571494B6D98DC7244EE22CC5293D0

Function 060C06F0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb3b115f3be2322665e73f92ba93d2829ad418d3f5160b207f5e7f57d140c2e
Instruction ID: 1f22da7dbd7db28033d8aee60f459a2b9de95c4f83dbd4272cc29347a94078d7
Opcode Fuzzy Hash: 9bb3b115f3be2322665e73f92ba93d2829ad418d3f5160b207f5e7f57d140c2e
Instruction Fuzzy Hash: 3ED05E34989108DBC7C8CB94D500A6DBBECDB46228F14969CD80953341DA339D41EB80

Function 027C8858 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dbdf40f682b8c44edd6a06a9bb01f8b87a6429f9996d20ab36858bea34441f
Instruction ID: dba7671bf7f603413488405f1d8e95586ab6413ab65f900ec36f3b1265b3e445
Opcode Fuzzy Hash: 43dbdf40f682b8c44edd6a06a9bb01f8b87a6429f9996d20ab36858bea34441f
Instruction Fuzzy Hash: 9AD0A7200C52444DD3522BF06F0D3683FE5A70231AFC40404E2CC43911CA1960B8EB7B

Function 027CCF98 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3af7461189039db29afbf01f39477bb7e5fa9111258b90064fe1b3a3dd5a60e
Instruction ID: 96900aea86680c39b573e935b974dce1e7e250df32d97e0d82869ba7a33f3b3e
Opcode Fuzzy Hash: c3af7461189039db29afbf01f39477bb7e5fa9111258b90064fe1b3a3dd5a60e
Instruction Fuzzy Hash: 21D0A770549108DBC744CFA4D500A69F7BCDB46318F2494DE9C0C53341CB339D02D794

Function 027C1C40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80054cecd2227dce625baf063b3f97ca4c3ae54eb6c0cfbe65b271581202ed79
Instruction ID: f98696f348b4b5f44877a8db55c109d38e6fc72465236a3015f3f8bec0b9054c
Opcode Fuzzy Hash: 80054cecd2227dce625baf063b3f97ca4c3ae54eb6c0cfbe65b271581202ed79
Instruction Fuzzy Hash: D7D05E71A0020DEFCB44EFA9EA4159EB7F9EB44304F1049A8E509E7201EA316F10ABA5

Function 05D3A684 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd901de7758db9e5df59bae8b8332567f1354e961e6d55abc1fc19f07e82edb9
Instruction ID: 98036ed6749f13e88aaef63babdbb0f301638fe36070fe518c65161a91dd4fe0
Opcode Fuzzy Hash: fd901de7758db9e5df59bae8b8332567f1354e961e6d55abc1fc19f07e82edb9
Instruction Fuzzy Hash: 80E0B6B4A05618CFEB20CF24DC88BD977B1FB05305F01169A818962280C7705A84CF4A

Function 05EACEE1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c39760340d879fd0aeb5dfae812d47b2eff8cb0908aad1507ac54de8fe68e5f
Instruction ID: c9e590bd32f403b60c202d3c832ae5f34e215bee89209bc1b2785c2679a980a6
Opcode Fuzzy Hash: 3c39760340d879fd0aeb5dfae812d47b2eff8cb0908aad1507ac54de8fe68e5f
Instruction Fuzzy Hash: 43D012760142089FCB409B54D84AF817778EB15761F154051F50887331D671E814D685

Function 0614CEC8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af36e4c9cf8b9c07702dc96e955837a65e8ff36ded841e67befbc575946775f
Instruction ID: 69d65918281e7d516ede823e0de9844693ed2a512da13a8653c9e59d7e69969b
Opcode Fuzzy Hash: 1af36e4c9cf8b9c07702dc96e955837a65e8ff36ded841e67befbc575946775f
Instruction Fuzzy Hash: 43C08C204DB2058AC2C4268AA94E3703E9C9706219F041C00A20D230108B605854C1D4

Function 05EAEDF8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38bfe4fedb4ec80db0d4741aef1cf69300da7a1ef9360ee6e995057e628e265
Instruction ID: a7ca871f5379468ef7ae569639daff1f9ed4d3fc65919f8b42cc523742043f2f
Opcode Fuzzy Hash: e38bfe4fedb4ec80db0d4741aef1cf69300da7a1ef9360ee6e995057e628e265
Instruction Fuzzy Hash: 4BD0C93208830CAFC700DB14E981B59BBB5EF55315F4545A4FD8486632D63AE510D696

Function 05EA1F6C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a70892af24abaac0852936f9d78f71b9c7a9691e32272487800ae96889a13c
Instruction ID: cc9ae62e880a3ec4c78e8539571e2e5a8eaf3a3720b73ad212772aa3ea363d99
Opcode Fuzzy Hash: 88a70892af24abaac0852936f9d78f71b9c7a9691e32272487800ae96889a13c
Instruction Fuzzy Hash: 72C080B24085040BCF11D704FCC19C17751DF9034434AAD4C90D44F933D570D843CA84

Function 05EA1F70 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54727e7bd47b5d7eaba42499346322631808411dc4acfaef31368b5d9cc586b
Instruction ID: 083520e0c3aff9ade4d97ce3fca67660f065657f1026364abd12d5b594949d0c
Opcode Fuzzy Hash: e54727e7bd47b5d7eaba42499346322631808411dc4acfaef31368b5d9cc586b
Instruction Fuzzy Hash: 89C012701086108FCB28EB28F584C82B7A2EF4830530189AEE08A8B620CB70EC81CB80

Function 027C8868 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22345dc0ddf615ae3d800ba85da90ef32d54811d16af76fff959f38cfbf046a1
Instruction ID: afc4c1b42d4f21fce795a0dad13702221dc38bb3053d414b690ef5f62f7af485
Opcode Fuzzy Hash: 22345dc0ddf615ae3d800ba85da90ef32d54811d16af76fff959f38cfbf046a1
Instruction Fuzzy Hash: 1FC08C200C12048AC2853BF4AA0D72872E85B01329FD40808E24C528009B65A0B8D53B

Function 05D35E43 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ffb4d5736f44c19d94b99639adc7d7be7e87c033979b28c6e20c0557a32779
Instruction ID: 640d8637e27f02ab986a660495d27b5927cc3ae3981a8b3d0060ed95216213a6
Opcode Fuzzy Hash: 24ffb4d5736f44c19d94b99639adc7d7be7e87c033979b28c6e20c0557a32779
Instruction Fuzzy Hash: D6C01235204604CF8300EB1AE481C4233A8FB496193120190E5188B329C721FC01CB44

Function 05D3A42D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36005f956b392f211fdd427c98977b69cac03c2c09ea52105b1f5f2b1441ac69
Instruction ID: 8ec52312ca3c0ba6b6e53f90ee0d8cb25f385810f8fd1c8cf58a9d1f1c28a74c
Opcode Fuzzy Hash: 36005f956b392f211fdd427c98977b69cac03c2c09ea52105b1f5f2b1441ac69
Instruction Fuzzy Hash: B8D0C9B4A04618CFDB60DF24DC84B997B71FF05305F011AD99189A7241CB302EC48F4A

Function 05D36BF2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1486e3abd0c1063d5ef6f0bdfcaad5ac3c41e1f91e37602522f4c89f1716abc
Instruction ID: 746016191c738103762bd6cc8407111de534c2903a50945bc0a0a47886d40326
Opcode Fuzzy Hash: f1486e3abd0c1063d5ef6f0bdfcaad5ac3c41e1f91e37602522f4c89f1716abc
Instruction Fuzzy Hash: A8C00276E5001A9A8B00DAD9E8508DCB774EB94322B004026D215A6104D63015268B50

Function 05D35E48 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8d6be8a31c68cacbc275b7e08c82a5315dc19082607fb217e88a009fe25244
Instruction ID: 787b59e80aa86d03a3b48dccb3e3336eee21f7c755a7d2ab8e919d6934549cdd
Opcode Fuzzy Hash: 5a8d6be8a31c68cacbc275b7e08c82a5315dc19082607fb217e88a009fe25244
Instruction Fuzzy Hash: F7C00235254604CF8704EB5AE485C5173A9FB496153120194E5198B329C721FC51CA50

Function 05EACEF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 027C1E10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940e5b8db08da87e81d2cf79e9d7ab8ab872c4fd05d72bc83d55eb18b635aed8
Instruction ID: 1a15f3be0cecbabb1a22fcb1164053873bc66b81305cd621091065927263b3c0
Opcode Fuzzy Hash: 940e5b8db08da87e81d2cf79e9d7ab8ab872c4fd05d72bc83d55eb18b635aed8
Instruction Fuzzy Hash: 34B012302442080E26806BF1280472232CC5600515380047CD50CC1001F640D0101544

Function 05D363F6 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30a0df4e870542bf1f18f59e9f9810937f78fde3cdb2cce10b6b904b57a6881
Instruction ID: bd988d0fea626d3f2121fec6ac8d4102c33dc5fedcba98d3b8093cb531c55d5a
Opcode Fuzzy Hash: f30a0df4e870542bf1f18f59e9f9810937f78fde3cdb2cce10b6b904b57a6881
Instruction Fuzzy Hash: 3DD0E974D05118CBDF54DF64DD55B99BBB1BB15305F0051D5E50DA3391DA745D848F00

Function 05EA0CD0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0b93231847a3d2fffbd62256e45f38e812d71f1b3900041475032323432fec
Instruction ID: 45b64055f77802c9444557e63d2e50064b9920f70a652847b162fea86da4e5bd
Opcode Fuzzy Hash: 5f0b93231847a3d2fffbd62256e45f38e812d71f1b3900041475032323432fec
Instruction Fuzzy Hash: 70B092E28151415BCF025AB4DE5E2012D01A72238AF8B2289A080C10C4D4408801C912

Function 027C0982 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c17b021cc65ffe0f32e4ba772029f5065cc7c5e2154f0398e8f79225c9a594b
Instruction ID: 03102a43cea1a250c405b3de8ebd4114965d61cc71db1b78c86a80129df574cd
Opcode Fuzzy Hash: 3c17b021cc65ffe0f32e4ba772029f5065cc7c5e2154f0398e8f79225c9a594b
Instruction Fuzzy Hash: 53B01237A40404C64A145B96B0081DCF734D180373F400066D70DE10009320023C86C0

Function 027C0848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165fcc544766138fd80c1b9983959616596f2955c11c4dac9ffe0a9026ff3d72
Instruction ID: cb8335f5c6da939b93f963f28c22d72aab3ce1549153676e62a094c237f4be52
Opcode Fuzzy Hash: 165fcc544766138fd80c1b9983959616596f2955c11c4dac9ffe0a9026ff3d72
Instruction Fuzzy Hash: 63A0123048021C8F81802F50B40C0087B1CA5401117D00C10A21DC00057A2014245548

Function 05EA3BE4 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f328b0f2f4ee3f94614ad9950934ad106c3b776b5aed7d5eddc0e562e5181a6a
Instruction ID: 3c5f5462f054b9f632fb7b090f21727c21aa5c0385003191071c0d7e526d618f
Opcode Fuzzy Hash: f328b0f2f4ee3f94614ad9950934ad106c3b776b5aed7d5eddc0e562e5181a6a
Instruction Fuzzy Hash:

Non-executed Functions

Function 027C8A80 Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

xbiq, xrefs: 027C8BBD
Tefq, xrefs: 027C91B3
TJkq, xrefs: 027C8C32

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: TJkq$Tefq$xbiq
API String ID: 0-2501753584
Opcode ID: b119464f32b5120f6edf6fa6558174b84d7d6c23851f0b9716495a21b7c8f32c
Instruction ID: 1a5236f23c76b72bc40fbd6ee44e3baf107e756cb16104d9639252d25cb9a4ce
Opcode Fuzzy Hash: b119464f32b5120f6edf6fa6558174b84d7d6c23851f0b9716495a21b7c8f32c
Instruction Fuzzy Hash: FFC18475E016188FDB58DF6AD944ADDBBF2AF89300F14C0AAD909AB365DB305E81CF50

Function 05EA3748 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

,jq, xrefs: 05EA383E
(jq, xrefs: 05EA3AEC

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq$,jq
API String ID: 0-324742079
Opcode ID: 137a0b7633fe1a81f3a80aa1c0450df545f893d461105ee195ea1db8994fa43f
Instruction ID: 481a0a36fb463adef3820c6c0e0c434208b66a6339781bc826a1ba3be8762bed
Opcode Fuzzy Hash: 137a0b7633fe1a81f3a80aa1c0450df545f893d461105ee195ea1db8994fa43f
Instruction Fuzzy Hash: A8D12836A00614CFDB14DF69C584AAABBF2FF88304F259899E445AF365DB31EC81CB50

Function 027C43F8 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

4'fq, xrefs: 027C44BF
4'fq, xrefs: 027C44EA

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 54201676c000bf37022409bf54faf62510baadd0f394227f8f7d5a1832de70c5
Instruction ID: 538847a8e3493a74e0e9d6fdb3cd4dbdd96225d3e11ff0e504ef6b84ad02e57f
Opcode Fuzzy Hash: 54201676c000bf37022409bf54faf62510baadd0f394227f8f7d5a1832de70c5
Instruction Fuzzy Hash: 837118B0E057488FD748EF7AE98069ABBF2FB89300F14C829D144AB269DE341909DB55

Function 027C4408 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'fq, xrefs: 027C44BF
4'fq, xrefs: 027C44EA

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 07cf770e67b3916d192300c0d375e9e65264feeb299d7122aa2e101c6369db7f
Instruction ID: 97a284293da1bbec35c7c3c1ee7c09e3989314614d6ac238c70f32f89dd5ef76
Opcode Fuzzy Hash: 07cf770e67b3916d192300c0d375e9e65264feeb299d7122aa2e101c6369db7f
Instruction Fuzzy Hash: 7E7109B0E057088FD748EF6AE94069ABBF2FFC9304F14C829D204AB269DF351949DB55

Function 05D30040 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

b, xrefs: 05D31973
~, xrefs: 05D31947

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: b$~
API String ID: 0-4064771009
Opcode ID: 2b565972505f20b86697d19234b167c944585192c5abe2b0d0f0b4714b9ab679
Instruction ID: da1614a3d4662df43bb04a0acde32ac2ff97fba86b85afffe2096516f957e876
Opcode Fuzzy Hash: 2b565972505f20b86697d19234b167c944585192c5abe2b0d0f0b4714b9ab679
Instruction Fuzzy Hash: 0041A771E066198BEB58DF6BCC4969AFBF7AFC9300F14C1EA845CA6214DB744A85CF10

Function 027C4FED Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

{q, xrefs: 027C4FF4

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: {q
API String ID: 0-2254525776
Opcode ID: 7a6954371dc89d4ba6b54e51e13d557f0a3afb384046ad9eb27654797c8e309b
Instruction ID: 4cedc692aa19a7d2709089f802ae4e9febe50696e23b65911b7274d9af23e96a
Opcode Fuzzy Hash: 7a6954371dc89d4ba6b54e51e13d557f0a3afb384046ad9eb27654797c8e309b
Instruction Fuzzy Hash: BD31F8B0E056588BEB68CF6AC85878EFBF6AFC5304F14C0A9C448AB255DB751985CF41

Function 0614F878 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

Tefq, xrefs: 0614FBD4

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 2fa5d2025a278e6da6446d1c0b52a834009e739e9851836cf41af66773e5a520
Instruction ID: b9a07a65f035f42377ded34f2571242edeae503a7f5c946eb19950f00a4dc812
Opcode Fuzzy Hash: 2fa5d2025a278e6da6446d1c0b52a834009e739e9851836cf41af66773e5a520
Instruction Fuzzy Hash: 4AB1C474D04218CFEB58EF69D844B9DBBF2BF89304F2194A9D409AB355DB705986CF00

Function 05EF55D1 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

djq, xrefs: 05EF586B

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: djq
API String ID: 0-3097775593
Opcode ID: 8e866ff37b806cb2da2d97d5e68e1abd26ad7573249f7c7729af81f64f222d00
Instruction ID: 29d09c1324e04a919abc23122a52a9198e36c1b16f0796a7685789f349e41e43
Opcode Fuzzy Hash: 8e866ff37b806cb2da2d97d5e68e1abd26ad7573249f7c7729af81f64f222d00
Instruction Fuzzy Hash: AF812570D05218CFDB14EFA8D944BEDBBB2FF59318F2090AAD559AB254DB345A86CF00

Function 05EF55E0 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

djq, xrefs: 05EF586B

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: djq
API String ID: 0-3097775593
Opcode ID: 862ac958412c98a7a261577596d25b4a3982ca3fdcad68dedb3afecb156665e4
Instruction ID: 6d8d03be450d0595fff370eefb51d8b1f359fc42e765f6576e9f0cb03acc483e
Opcode Fuzzy Hash: 862ac958412c98a7a261577596d25b4a3982ca3fdcad68dedb3afecb156665e4
Instruction Fuzzy Hash: EE811470E05218CFDB14EFA8D944BEDBBB2FF59318F10906AD559AB254DB345A85CF00

Function 027C2218 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

, xrefs: 027C232E

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b4080e1d0962e6c78ae0ac31659ffb9313c9a714bd7660c372cee82c3de3a8f1
Instruction ID: cd82080d801cb56eaa1560ddba7f98ca1623b6a3fc7a53ff093e7c41feb72a52
Opcode Fuzzy Hash: b4080e1d0962e6c78ae0ac31659ffb9313c9a714bd7660c372cee82c3de3a8f1
Instruction Fuzzy Hash: 3351CD71B001158FCB54CB79D8849AEBBF2FBC8311B25857AD615D734ADB30EC558B90

Function 05D90040 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

', xrefs: 05D9AC12

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 5b909e7ea5b0ba733a8e070edc3b7c80e4fdb1d200489636a9f68f247b1ae5b4
Instruction ID: 668347da88c60333e5261a18a4de1e0e97810df180f73eee6b0cfae5b7cd7d71
Opcode Fuzzy Hash: 5b909e7ea5b0ba733a8e070edc3b7c80e4fdb1d200489636a9f68f247b1ae5b4
Instruction Fuzzy Hash: 00513C71D056688BEB2CCF2B9D446DAFAF7AFC8340F04C1FA994CA6254DB700AC58E10

Function 05D3724F Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

W, xrefs: 05D3936C

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 9eaecb61d1435332228abd640ea39b04b66dccdf7b068626ef7b27328946a4cf
Instruction ID: 04f408ad88a768097194a574c3b3e5a815a8028b49671d59ec5a1f5b00698633
Opcode Fuzzy Hash: 9eaecb61d1435332228abd640ea39b04b66dccdf7b068626ef7b27328946a4cf
Instruction Fuzzy Hash: 59417DB1E05A188BEB18CF67CD4169EFAF3AFC9301F18C1AAC85CAA255DB7055468F11

Function 06130040 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

c, xrefs: 061300F9

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: af5d37831a5b808013be5b321eefbf11e83e6b873651bdd9b27789e16e747228
Instruction ID: c8ba9f3bb0849405dbbb20ddbd9b9aecd716547250a6b845be3cad2be201d3dc
Opcode Fuzzy Hash: af5d37831a5b808013be5b321eefbf11e83e6b873651bdd9b27789e16e747228
Instruction Fuzzy Hash: 85412B70E056298BEB68CF6AC848799BBF2BF88304F00C5EAD50DA7254DB704A859F40

Function 06130006 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

c, xrefs: 061300F9

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 917f30054877dc6f737719178a3a7343d876760f1b3b8d4e5f89ea2e2ac67879
Instruction ID: 9558f5a9ed961af70c8f24e25d60f53976243cd465c02119d6ee93f07d73c934
Opcode Fuzzy Hash: 917f30054877dc6f737719178a3a7343d876760f1b3b8d4e5f89ea2e2ac67879
Instruction Fuzzy Hash: AB313A71D0A2548FEB19CF6ACC14799BBF3AF89300F08C5EAC448AB265DB744A858F10

Function 05D357A0 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ab9cc6c36117fe00f567413854a491a64ac42eaede93f0bcb71addab794d1f
Instruction ID: a05b4aaed750db311057c8ec78eb9a2d4209ad31d0aa75c2c278f979ba5f82c8
Opcode Fuzzy Hash: 44ab9cc6c36117fe00f567413854a491a64ac42eaede93f0bcb71addab794d1f
Instruction Fuzzy Hash: 8212B671E056188BDB14CFAAC98169DFBF2FF88304F24C16AD459EB219D734A946CF50

Function 027C50C5 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238161f2e7af65e44288dbac37368879221228fafdb969e3ecf54a944683e850
Instruction ID: da50337632b2e18b8bf4e5d376360a009610106248d0af0631c4d3a3d47bdff8
Opcode Fuzzy Hash: 238161f2e7af65e44288dbac37368879221228fafdb969e3ecf54a944683e850
Instruction Fuzzy Hash: 8A31CAB0D056588BEB59CF6AC85478EFBF2AFC5304F14C1AAC44CAB265DB751946CF01

Function 060C0148 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d5a5389f9abc050f1be855d658734475552d3606a093f36bce0343b22b3b27
Instruction ID: 802b87e8f34c35082b0b1fcd67097e8b66fcad1e926407e7b1fb99a40d5a4fd3
Opcode Fuzzy Hash: c0d5a5389f9abc050f1be855d658734475552d3606a093f36bce0343b22b3b27
Instruction Fuzzy Hash: 36B16770E45218CFEB94DFA9D884BAEBBF1FF89314F109069D44AAB290DB755984CF40

Function 060C0138 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692e7a0e9e0a9d2a33b1ecfff6824332dadd6ed9fd2b979f5b74f47989910792
Instruction ID: 70eaeb53bdeea53a07df550e9757fcdb6f0182f6d21a44f11f6804816cc3440b
Opcode Fuzzy Hash: 692e7a0e9e0a9d2a33b1ecfff6824332dadd6ed9fd2b979f5b74f47989910792
Instruction Fuzzy Hash: A6B17870E45208CFEB94DFA9D884BAEBBF1FF89314F108069D44AAB290DB755984CF40

Function 05EFC840 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686998e6517734d45f72a86bb5cb9b68a5e8326d14a38c843cf8eaa330839d81
Instruction ID: 7d2a4bff9c26fbd279b30c12ff16ea76a92388b9010a79607c7eee0bb9b65a54
Opcode Fuzzy Hash: 686998e6517734d45f72a86bb5cb9b68a5e8326d14a38c843cf8eaa330839d81
Instruction Fuzzy Hash: 44A1C174E042189FDB64DFA9D844B9DBBB2FF89300F2090A9D54DA7351DB30AD858F61

Function 060C0728 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bce43d470c782bb354da2dd51ce73b883e96411121b738f0f7e778cf70879c
Instruction ID: a959923465e5e802660b72ade1b31fe3a78af77db1585fa8611735db1e892dee
Opcode Fuzzy Hash: 60bce43d470c782bb354da2dd51ce73b883e96411121b738f0f7e778cf70879c
Instruction Fuzzy Hash: 10812974E44208CFEB48DFA9D484BADBBF5FF89314F109129E00AAB294DB755885CF54

Function 060C0719 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826177779.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc92128e9f8997c00af8b2305f3fcb51b48ad3fa1c415e20bf96b713a9e9140d
Instruction ID: 00843d0874762ad70116dbd2fd9fc6ae1f1074cb923886ec25112896080f63e7
Opcode Fuzzy Hash: fc92128e9f8997c00af8b2305f3fcb51b48ad3fa1c415e20bf96b713a9e9140d
Instruction Fuzzy Hash: 53812874E44208CFDB48DFA9D494BADBBF1FF89314F10912AE00AAB294DB755885CF54

Function 027CDC70 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2256bad4844cc7d641a21d39bfc2cce30a02cdeab9ebcf04b0c1bf8f65825d60
Instruction ID: ae791e2309a5b4fda2867a6c2f8db143f4eed89551aeb5e356a0d501cb6f6b75
Opcode Fuzzy Hash: 2256bad4844cc7d641a21d39bfc2cce30a02cdeab9ebcf04b0c1bf8f65825d60
Instruction Fuzzy Hash: FE81C2B0D06219CFDB24CFA9C6487EEBBF1EB89304F20A46ED519B7240D7B50A45CB54

Function 0614CAE8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826216056.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6130000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c2226ad4cc6ed02d0d5a7276756b1541d8429d6a2e399f352363842edd192a
Instruction ID: 24313f74028ef524d19964ba9b9c5ab521ed9995062add62c62d63055b6e4530
Opcode Fuzzy Hash: 60c2226ad4cc6ed02d0d5a7276756b1541d8429d6a2e399f352363842edd192a
Instruction Fuzzy Hash: AE810770D06218CFEBA8EF69C844BADBBB6BF89344F11C4A9D419B7250DB705985CF81

Function 027CDC60 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5e554a7a330eed2018a90c58ebed51f88ccc60d4c8b99b6500a8a243a32740
Instruction ID: 78b1b2b907bce40a200d91c38415fbd2c3c74d41dbe2b9df4f8d9d41df594c8c
Opcode Fuzzy Hash: 3a5e554a7a330eed2018a90c58ebed51f88ccc60d4c8b99b6500a8a243a32740
Instruction Fuzzy Hash: A071B2B0D06219CFDB24CFA9C6487EEBBF1EB89304F20A46ED515B7250D7B50945CB58

Function 05EF6148 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8476df6e118a86a27f035e8a60a430e413346d662e59d98fc1651895f5e8704
Instruction ID: 92ac29e97d599e6dd4faa3b8d86752ebbf7aeb54971f80d9297c44271db91dc6
Opcode Fuzzy Hash: d8476df6e118a86a27f035e8a60a430e413346d662e59d98fc1651895f5e8704
Instruction Fuzzy Hash: 84512470E09208CFEB14DFA9E948BEDBBF2FF89304F146029D149AB255EB745946CB00

Function 05D90007 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a8363b6fce5e32b54add046ee12a058ff29b33defe411acbf13649869e7f5f
Instruction ID: a0fcc0b8f832ca3c0f8fe82141c1905caef682206d29399947ab14a06deccc19
Opcode Fuzzy Hash: 23a8363b6fce5e32b54add046ee12a058ff29b33defe411acbf13649869e7f5f
Instruction Fuzzy Hash: F1516D71D056588BEB29CF2B9D556C9FBF3AFC9300F08C1FA944CA6255EB7409868F10

Function 05D3579B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1458b5c53d7897e08b1f19b5d9d530a54d98fb0fff592da3b424fb334d2bd3c
Instruction ID: 81ff1539748cfb745f6266bb85e18237c6989b3c3143cd78501d8b6c0da5d5c3
Opcode Fuzzy Hash: c1458b5c53d7897e08b1f19b5d9d530a54d98fb0fff592da3b424fb334d2bd3c
Instruction Fuzzy Hash: 3E4147B1E016198BDB08CFABD94069EFBF3BFC8310F14C07AD958AB214DB3059458B54

Function 05D9D3D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c5f7256135184c21749f73949720b84ee1e14b0365696377288fbe2ea1cf16
Instruction ID: 51d97144fcf8f89b815b48da37c298d8528e605bb26598f3feb1f32da8712e36
Opcode Fuzzy Hash: 56c5f7256135184c21749f73949720b84ee1e14b0365696377288fbe2ea1cf16
Instruction Fuzzy Hash: 2F41EFB0D003489FDF14DFA9D985AADFBF2BB0A314F20912AE819AB350D774A845CF45

Function 05EF6336 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b08ecbbd9bcb63209b495048abe171c8cd7a57995cdabf12c3de6ffbe16f0b
Instruction ID: 6462f05730555718f276007d085badf1d7c140ccbab3305e1c7f7168c2313fde
Opcode Fuzzy Hash: 92b08ecbbd9bcb63209b495048abe171c8cd7a57995cdabf12c3de6ffbe16f0b
Instruction Fuzzy Hash: C941F471E05208CFEB14DFA9E548AEDBBF2FF89304F146029D149AB255DB746992CF04

Function 027C52A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1807716949.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0e8d394dec89837bbcd018498c4522e153980ed5f22df552a1a58072b84339
Instruction ID: ce0d2a1b9520cf51f8f14e6eaf9ee39ec4ce3b269e632622a83e9f4c0a5fb932
Opcode Fuzzy Hash: 5b0e8d394dec89837bbcd018498c4522e153980ed5f22df552a1a58072b84339
Instruction Fuzzy Hash: 1741B974D056188FEB98DF6AC958799BBF6BF88304F14C1A9C40DA7264DB711A85CF01

Function 05EB1A70 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611499f64e597fad4da61c0c352929b79a83d05573aa86e4f38bc1e239f7215
Instruction ID: 3c853bc429c9eed97ba6aaf08818268665c65a66da607432a9ce7350383243e6
Opcode Fuzzy Hash: e611499f64e597fad4da61c0c352929b79a83d05573aa86e4f38bc1e239f7215
Instruction Fuzzy Hash: 754111B5D00258DFCB10CFA9D581AEEFBF1AB49320F24902AE454B7240D778AA45CFA4

Function 05EB1A78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16cebe094a8e5248dff6fc9fd3fc345c9c4723669e45b4fdc9f85b7d3d88cdf
Instruction ID: 9f1b04f5cafd9aca6abd63818470040ab4f563c87e7b0e05cd191dc0486e64c7
Opcode Fuzzy Hash: c16cebe094a8e5248dff6fc9fd3fc345c9c4723669e45b4fdc9f85b7d3d88cdf
Instruction Fuzzy Hash: A241FEB5D04258DFDB00CFA9D480AEEFBF5AB49320F24902AE455B7240D778AA45CF64

Function 05D3003B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824223343.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d30000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732d3716219099e06ed0d5bcfc403d167c0c0ba50776b93b171f53ad167c9262
Instruction ID: 316f7ebd367204bb2b57e3660f14aa83aef7eb989495ee974a0935321ed8b71d
Opcode Fuzzy Hash: 732d3716219099e06ed0d5bcfc403d167c0c0ba50776b93b171f53ad167c9262
Instruction Fuzzy Hash: 3B217171E056198BEB5CDF6BCC4969AFAF7AFC9300F18C1FA844CA6214DB3449858F40

Function 05EFD450 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c0e9979cab9dde92c9cc226b6759d95573f02b591b75d9ffbd2cdbd59d14bd
Instruction ID: 4d175a76904cd095a5f8215bcda52b14dfab1980bcad0fe468b7e2956308d6c8
Opcode Fuzzy Hash: 56c0e9979cab9dde92c9cc226b6759d95573f02b591b75d9ffbd2cdbd59d14bd
Instruction Fuzzy Hash: B3210FB5D00218DFCB10CFA9D981AEEBBF5BB48320F10901AD809B7310CB35A905CF64

Function 05EFD458 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c1bde2d5202266ffa49b7564937a7ba3fa97723f68ee2c5fbdb624a6f84094
Instruction ID: 51bfc8a5256688fed83a9bcef7252a8f100ce18287411bc7674e919c9b7d1922
Opcode Fuzzy Hash: 37c1bde2d5202266ffa49b7564937a7ba3fa97723f68ee2c5fbdb624a6f84094
Instruction Fuzzy Hash: 9521EDB5D002189FCB10CFA9D981AEEFBF5BB49320F10901AE919B7210CB35A905CFA4

Function 05EBD6D8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9a1061450f8310583c46b525b46b5d9df0cc50944384e9df057f6177ee7c9f
Instruction ID: baef2b6c641e7db4bac3fe3bd581ec66c8d9c35ab5c596b7932d0c6a70947007
Opcode Fuzzy Hash: 9a9a1061450f8310583c46b525b46b5d9df0cc50944384e9df057f6177ee7c9f
Instruction Fuzzy Hash: 3521A771D05A288BEB18CFABCD047DEBAF7AFC9301F04D06A9459AB259EB7005458E44

Function 05EFAF90 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d87ba387466c7913427af0146beb4a2a31d650e1108f3fbeba7ce5b6442d1d8
Instruction ID: 2221dfaf90287830e264bbab43c52feb5feebe0e07bbebe9096c638796da56b4
Opcode Fuzzy Hash: 8d87ba387466c7913427af0146beb4a2a31d650e1108f3fbeba7ce5b6442d1d8
Instruction Fuzzy Hash: CD21C2B1E056189BEB18CFABC94479EFBF7BFC8300F14C16AD508AA264DB7509468F54

Function 05EFAFA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825516670.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75320daa4762ab84d5825b9b98a75ba462a59875b8c7e9bd2e7b66ee23c9b6ae
Instruction ID: d04597f54ed7a925abf9db3821854c5ec3401381b1ad8d5c6491c5c931960fc1
Opcode Fuzzy Hash: 75320daa4762ab84d5825b9b98a75ba462a59875b8c7e9bd2e7b66ee23c9b6ae
Instruction Fuzzy Hash: 8421BEB1E05618CBEB18CF9AC8447DEBBFABB88300F04C16AD519AA254EB7508458F54

Function 05D9E8D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824610975.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d90000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2049433d0b28140e5ce38c944755d850836159a86179302928d81a6365b8dea4
Instruction ID: 6774fe64bab4f15301317bf4063e4140c0639c8ff35703174eda7145aab006db
Opcode Fuzzy Hash: 2049433d0b28140e5ce38c944755d850836159a86179302928d81a6365b8dea4
Instruction Fuzzy Hash: 9121C971D05618DBDB5CCF6B89006D9FBF7AFC9300F08C4AAC489A7214DB714A858E45

Function 05EBD6C7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825325119.0000000005EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5eb0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb89d32e0fcf42e612a768c2704de0396ad5f97b8613991d59f58d061f777ea
Instruction ID: b4d1d558f81686963e86a005fd18828154e3ae34e48af9210ec7fd75950f7df7
Opcode Fuzzy Hash: ccb89d32e0fcf42e612a768c2704de0396ad5f97b8613991d59f58d061f777ea
Instruction Fuzzy Hash: D321A971D006188BEB18CFABCD442DEBBF7AFC9301F04C06AD458AB254EB7445458F40

Function 05EA95B0 Relevance: 7.9, Strings: 6, Instructions: 402COMMON

Download Yara Rule

Strings

4'fq, xrefs: 05EA9682
4'fq, xrefs: 05EA9664
pjq, xrefs: 05EA9707
(jq, xrefs: 05EA977A
4'fq, xrefs: 05EA96FA
4'fq, xrefs: 05EA9634

Memory Dump Source

Source File: 00000000.00000002.1825268040.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ea0000_PO# EB202329720241007_Hardy_Process^^^^.jbxd

Similarity

API ID:
String ID: (jq$4'fq$4'fq$4'fq$4'fq$pjq
API String ID: 0-799542208
Opcode ID: 5adbf2bf47792444fe211c7dbb3f6207af38ce7350b8b836afc7491ad35bc1b6
Instruction ID: 810fd41f9f3ece75cba71d0c945c3f1b0305e8f88e0745d8287c456fbe63ef2c
Opcode Fuzzy Hash: 5adbf2bf47792444fe211c7dbb3f6207af38ce7350b8b836afc7491ad35bc1b6
Instruction Fuzzy Hash: B5D16E76A00114DFCB09DFA8C944E9A7BB2FF88314F058498E649AF272DB31ED55DB90

Analysis Process: InstallUtil.exePID: 7136, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00BE8EB4 Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BEB0D2: LoadLibraryA.KERNELBASE(00000000,?,?), ref: 00BEB164

VirtualProtect.KERNELBASE(00000000,0000000C,00000040,?), ref: 00BE8F0F
VirtualProtect.KERNELBASE(00000000,0000000C,?,?), ref: 00BE8F42
VirtualProtect.KERNELBASE(00000000,0040145E,00000040,?), ref: 00BE8F75
VirtualProtect.KERNELBASE(00000000,0040145E,?,?), ref: 00BE8F9F

Memory Dump Source

Source File: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b60000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 93985e93d1afab8f719b8aa13ce6a91e230957808ceab0eaee363415b4ddc148
Instruction ID: d3c431b05d77f6a56327d26fe04f2bd69217cbc8eb8ceedd5cc6e5272927803e
Opcode Fuzzy Hash: 93985e93d1afab8f719b8aa13ce6a91e230957808ceab0eaee363415b4ddc148
Instruction Fuzzy Hash: C82106726047897FE310AA629C45FB776DCDB85311F0008BEFA4AD2052FB69AD0583B1

Function 00BEB0D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,?,?), ref: 00BEB164

Strings

.dll, xrefs: 00BEB140, 00BEB143
., xrefs: 00BEB0FD

Memory Dump Source

Source File: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b60000_InstallUtil.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$.dll
API String ID: 1029625771-979041800
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: e925cbc42197e6ec2d92b084c190a09a8edc4715e3161d964c0dec726c9df6b4
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: DD21B4356142C59FDB21CFAEC894F6B7BE4EF05360F1841ADD816ABA42D730EC458781

Function 00BE9D24 Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BE9D9E
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 00BEA0E2
RtlExitUserProcess.NTDLL(00000000), ref: 00BEA0EB

Memory Dump Source

Source File: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b60000_InstallUtil.jbxd

Yara matches

Similarity

API ID: Virtual$AllocExitFreeProcessUser
String ID:
API String ID: 1828502597-0
Opcode ID: 1a5418cea19d400be9e889379b85ba4036e89269bda122047750eba29fcf4b87
Instruction ID: 401b6a8d05a6649ce82ce1c69e23d992f75384bf8a8b9d19519fbb7e1fbd44be
Opcode Fuzzy Hash: 1a5418cea19d400be9e889379b85ba4036e89269bda122047750eba29fcf4b87
Instruction Fuzzy Hash: 63B1F531500B85EBCB31AE62CC80FABB7E8FF45301F1405A9F64982152E731F958DB92

Function 00BE9B15 Relevance: 4.7, APIs: 3, Instructions: 183
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00BE9C42
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00BE9CA6
SafeArrayDestroy.OLEAUT32(00000000), ref: 00BE9D0F

Memory Dump Source

Source File: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b60000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ArraySafe$AllocCreateDestroyString
String ID:
API String ID: 2997030761-0
Opcode ID: e9dae07e6597974dd7a2e07dc59b16717cc00198222b0edab0e98d7cec828a5a
Instruction ID: 83959176779a8c3d1a93b617da3202efe26d69c27f9dd44d07e567093282d65b
Opcode Fuzzy Hash: e9dae07e6597974dd7a2e07dc59b16717cc00198222b0edab0e98d7cec828a5a
Instruction Fuzzy Hash: D3614B71204246AFDB14DF61C884FA7B7E8FF49705F1486A9E959CB105DB30E909CFA1

Function 00BE8FAF Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BEB0D2: LoadLibraryA.KERNELBASE(00000000,?,?), ref: 00BEB164

VirtualProtect.KERNELBASE(00000000,00000004,00000040,?), ref: 00BE8FE7
VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 00BE900A

Memory Dump Source

Source File: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b60000_InstallUtil.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 4b81b02862df4f1b90606a87d7a95fef9c5f7f2dde159036914d36a532f09deb
Instruction ID: 58c0be49eef6933f5e613cf4835b1ac5fdf2f2b7673e0a2e9326acf0dfa7b649
Opcode Fuzzy Hash: 4b81b02862df4f1b90606a87d7a95fef9c5f7f2dde159036914d36a532f09deb
Instruction Fuzzy Hash: 38F0AFB61006087EE620AA66CC42FFB73ECDF89B50F400468FB06D6081EB61EA0597B5

Function 010AD4C4 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1815805331.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ac5525f5f826bd73fd8174169ae0cd69e9c78ae65cead5310b88113c8e4a0a
Instruction ID: 39da6e0cbdf8cbd1a13ccb0462c7762cc67b09a9da96d9d957928a0ce9af01d6
Opcode Fuzzy Hash: 76ac5525f5f826bd73fd8174169ae0cd69e9c78ae65cead5310b88113c8e4a0a
Instruction Fuzzy Hash: 9C2167B1504200DFCB05DFA8D9C0F2ABFA5FB88318F64C5ADE9890B616C336D446CBA1

Function 010AD4BF Relevance: .1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1815805331.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d241bac5f9e434cbf566c7ece8cd0614e0595df08b723599ec006d9c96ac54
Instruction ID: 5dcd0da9ad601c18d2c9c5cfdb08d746f9366646cbf43c2130ecd151dc11511a
Opcode Fuzzy Hash: 78d241bac5f9e434cbf566c7ece8cd0614e0595df08b723599ec006d9c96ac54
Instruction Fuzzy Hash: 5C11D376504280CFDB16CF54D5C4B16BFB1FB84318F24C6A9D9894B616C33AD45ACBA1

Function 010AD006 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1815805331.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8200b6e0dfc021c56788a08b7a6ec12e2cbbcf7c4a5f2d33c872cfa02cffb1
Instruction ID: 8bbcb3302075b94605aaa10f1a564ada1dba5452cc763fd6683da20c82f0a689
Opcode Fuzzy Hash: 4c8200b6e0dfc021c56788a08b7a6ec12e2cbbcf7c4a5f2d33c872cfa02cffb1
Instruction Fuzzy Hash: 7A018C7144E3C05FE7134B698C94B52BFA8DF53624F1980DBE9888F5A3C2699C45C772

Function 010AD01D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1815805331.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3b791fd883057105f59cf22051764ba95d8e9cb44b1344de6ac389db68b1fb
Instruction ID: 138cb89c1c55eeec23a3f13b7843448f1ae850a5a1a2502c7d9d61944f56ca21
Opcode Fuzzy Hash: ab3b791fd883057105f59cf22051764ba95d8e9cb44b1344de6ac389db68b1fb
Instruction Fuzzy Hash: A601F2B14493409AE7208AE9C8C4F6ABFD8DF417A4F58C45AFE884B682C678D841C7B1

Analysis Process: wpappx.exePID: 7016, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	92.7%
Signature Coverage:	0%
Total number of Nodes:	247
Total number of Limit Nodes:	28

Executed Functions

Function 0654212F Relevance: 16.2, Strings: 12, Instructions: 1151COMMON

Download Yara Rule

Strings

$fq, xrefs: 06542A21
$fq, xrefs: 065423C3
4, xrefs: 06542B15
$fq, xrefs: 06542587
,jq, xrefs: 06542BFA
$fq, xrefs: 06542647
$fq, xrefs: 06542637
$fq, xrefs: 06542A11
$fq, xrefs: 065423D3
$fq, xrefs: 06542A7A
$fq, xrefs: 06542597
$fq, xrefs: 06542A6A

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: ,jq$4$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-2524271925
Opcode ID: 969069255c7b0f92e13dc0563ab6ff1422fafbcc1052abf209c4692646896489
Instruction ID: 2c2c62cc360d032ad7b737783a9e2f4e3ad9e914ecd75879cdae9311ae7c95e9
Opcode Fuzzy Hash: 969069255c7b0f92e13dc0563ab6ff1422fafbcc1052abf209c4692646896489
Instruction Fuzzy Hash: 90B22734A00229DFDB54EFA5C884BADB7B6BF88704F148599E505AB3A5CB70ED81CF50

Function 06542467 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 06542B15
,jq, xrefs: 06542BFA
$fq, xrefs: 06542587
$fq, xrefs: 06542637
$fq, xrefs: 06542A11
$fq, xrefs: 06542A6A

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: ,jq$4$$fq$$fq$$fq$$fq
API String ID: 0-2005009869
Opcode ID: bff02640c98fb0fffcc7738f9369804dd0c2070dab59bff732a57210c6d1cce5
Instruction ID: ed895354cd373ae81ad5fe9dae50b363233e68ba29488eb6a2798c6452924bb9
Opcode Fuzzy Hash: bff02640c98fb0fffcc7738f9369804dd0c2070dab59bff732a57210c6d1cce5
Instruction Fuzzy Hash: 2C222C34A00229DFDB64EF65C994BADB7B6BF48304F1081D9E509AB3A5DB709D81CF50

Function 014A8A90 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbiq, xrefs: 014A8BBD
Tefq, xrefs: 014A91B3
TJkq, xrefs: 014A8C32
pjq, xrefs: 014A964A

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: TJkq$Tefq$pjq$xbiq
API String ID: 0-513662044
Opcode ID: 6ce99add2ee18d765ba150eb7c1b3a3a4a18e6ef1f14a82ce9839a08f443e601
Instruction ID: 29bf8f77f4161dbbf99398e7557c8f72fc8334c109d6a291646c04e64c10d84c
Opcode Fuzzy Hash: 6ce99add2ee18d765ba150eb7c1b3a3a4a18e6ef1f14a82ce9839a08f443e601
Instruction Fuzzy Hash: 23A2A475A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Function 014A0C98 Relevance: 3.1, Strings: 2, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 014A0D70
\sfq, xrefs: 014A0F45

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: e0ab1275c77749208b74e287189e23fee5103d5cf5faa16efb6d1c286d0da995
Instruction ID: 682c0d9d2b4cd0990c3d236d1a6c041291fd26dfa7c78d58d150491ee2919290
Opcode Fuzzy Hash: e0ab1275c77749208b74e287189e23fee5103d5cf5faa16efb6d1c286d0da995
Instruction Fuzzy Hash: FA323074E002298FDB24CF69D894AAEBBF2BF88300F55C65AE446EB355DB309945CF50

Function 014A0C89 Relevance: 2.9, Strings: 2, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 014A0D70
\sfq, xrefs: 014A0F45

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: 02938636fcaab2aaff59f8a3e0633ee5ea3370d9ef5f15a63aa30e60f69e692e
Instruction ID: 1e9c0686c6e126d0c1ed6ddec36bd5b8e76bf02b13b316f3a37b22820e39faca
Opcode Fuzzy Hash: 02938636fcaab2aaff59f8a3e0633ee5ea3370d9ef5f15a63aa30e60f69e692e
Instruction Fuzzy Hash: 6AE17075E0022A8FDB24DF69D850AAEB7F6BF88300F51C65AE405EB358DB309945CF90

Function 014A0CD2 Relevance: 2.9, Strings: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 014A0D70
\sfq, xrefs: 014A0F45

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: d2a116deb35ece2494ac4c7d30af4803e8bde033354dca9d798dc520094e1b3d
Instruction ID: 3fd968ab236e53feb7dfac7cb5813f90db8c82c192ba8e3aed68e04183bc26d7
Opcode Fuzzy Hash: d2a116deb35ece2494ac4c7d30af4803e8bde033354dca9d798dc520094e1b3d
Instruction Fuzzy Hash: 5ED16E75E0022A8FDB24DF69D850AAEB7F6BF88300F55C659E405EB358DB30A945CF90

Function 014A0D49 Relevance: 2.8, Strings: 2, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 014A0D70
\sfq, xrefs: 014A0F45

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq$\sfq
API String ID: 0-373085665
Opcode ID: 72a6c22293223114f1ab9c8d1c9f05f99529b277aa288779c00da2d34171eb75
Instruction ID: 09170426031d34a50a0b5a2f71b84d6ec4e4d60f29802d9dc0e3de7562fda888
Opcode Fuzzy Hash: 72a6c22293223114f1ab9c8d1c9f05f99529b277aa288779c00da2d34171eb75
Instruction Fuzzy Hash: 50D15D75E0022A8FDB24DF69D850AAEB7F6BF88300F55C659E405EB358DB30A945CF90

Function 014AAD67 Relevance: 2.3, Strings: 1, Instructions: 1085COMMON

Download Yara Rule

Strings

2, xrefs: 014AB8B8

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 7f2d5ad3f68a8f17bd85302004852a6bc996c5094b6f5366cc97ea51ac64cdcf
Instruction ID: a3d9eddea8760704ce858ebacb82f2d71498c04bad8f2aa530e66705351842dd
Opcode Fuzzy Hash: 7f2d5ad3f68a8f17bd85302004852a6bc996c5094b6f5366cc97ea51ac64cdcf
Instruction Fuzzy Hash: CDC2C2B4A002298FDB65DF69C984B9DBBB5FB98300F1081EAD50DAB355DB309E85CF40

Function 06550A50 Relevance: 1.7, APIs: 1, Instructions: 155nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 06550B52

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: df6beb33443903b3c88c2fae50d7ad62acaea2b6c4c32a59075ef59ba2b9feb3
Instruction ID: 9e5a4624ddfe1f126c1076921470753eeec7c28c12601f039a6b174dd6d699da
Opcode Fuzzy Hash: df6beb33443903b3c88c2fae50d7ad62acaea2b6c4c32a59075ef59ba2b9feb3
Instruction Fuzzy Hash: 42518AB9D052489FCF10CFA9D9809DEFBF5BB59310F20A02AE814B7210D735A955DF58

Function 06550A58 Relevance: 1.6, APIs: 1, Instructions: 148nativethreadCOMMON

Download Yara Rule

APIs

NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 06550B52

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 03abf8e73a648942c8e6fe5553a7def46dee1c0b4cc939adf7c174852614fe9d
Instruction ID: e2e3036f7c366a05aa06076003f12751c056f6010cfffa9ac602af051418b0d3
Opcode Fuzzy Hash: 03abf8e73a648942c8e6fe5553a7def46dee1c0b4cc939adf7c174852614fe9d
Instruction Fuzzy Hash: 694189B9D042489FCF10CFA9D980ADEFBF1BB19310F20A02AE814B7210D335A955DF58

Function 014A159C Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

LRfq, xrefs: 014A1930

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: ea2fe34384f2b9a2e5952d8ef59866d40579eb86f0ecb67a3ecd4f4cc43be512
Instruction ID: a283d156c4748d8aa48dfc587e69b29b3adcbe66bfcce6566677b8d174655973
Opcode Fuzzy Hash: ea2fe34384f2b9a2e5952d8ef59866d40579eb86f0ecb67a3ecd4f4cc43be512
Instruction Fuzzy Hash: E4F18131E002698FDB14CF69C990BADBBF2BF94300F5AC5AAD059AB256D7349D81CF50

Function 067EE9C0 Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

Tefq, xrefs: 067EEC74

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 17b9742d4c69b3eda402f65fbf7ba6d5c7876d34249bbf82baadbdfbb522aa21
Instruction ID: 9b17262cf5317763f7ecac3938aca6ad7bff77128e91305f41218568c294cee1
Opcode Fuzzy Hash: 17b9742d4c69b3eda402f65fbf7ba6d5c7876d34249bbf82baadbdfbb522aa21
Instruction Fuzzy Hash: C602E374E05628CFEBA4DF6AD844BA9B7F2BF89300F1085A9D409AB355D7705A89CF40

Function 06550C21 Relevance: 1.6, APIs: 1, Instructions: 121nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 06550CFB

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a1cd3fc6a5b95476cbe43e68103bb1636570b75481920a69841d95d580cf2f6b
Instruction ID: 2776d98f6f4cfacc22148ce4facf623c6a7a8e1a6c223de13c26d3082f568178
Opcode Fuzzy Hash: a1cd3fc6a5b95476cbe43e68103bb1636570b75481920a69841d95d580cf2f6b
Instruction Fuzzy Hash: DF4198B4D012589FCB10CFA9D984ADEFBF5FB49310F20902AE818BB250D775A941CFA4

Function 065508D8 Relevance: 1.6, APIs: 1, Instructions: 115memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0655099D

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a100795a2af63c9085b6b34f040e8b561d3ec3a64c85fe19cb0f9b0ebd096e9a
Instruction ID: 39f22e23499e16be21d67c9589934ca8793a46bbe1f07c10640b1731f44c19b1
Opcode Fuzzy Hash: a100795a2af63c9085b6b34f040e8b561d3ec3a64c85fe19cb0f9b0ebd096e9a
Instruction Fuzzy Hash: 6041A9B4D052589FCF10CFA9D984ADEFBB5BF09310F20A02AE818B7250D735A901CF94

Function 06550C28 Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 06550CFB

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: e9c23766eecc9ba54e6962f28e5c9a32ec4777fcdfffe18cdf2fcf227518bb2d
Instruction ID: fda550d1a1a1dc963962db3cc7ec4458ea734d5a1de9d9a5639d768ccb890e5a
Opcode Fuzzy Hash: e9c23766eecc9ba54e6962f28e5c9a32ec4777fcdfffe18cdf2fcf227518bb2d
Instruction Fuzzy Hash: A24186B5D012599FCF10CFA9D984ADEFBF1BB49310F20902AE818BB250D775AA05CF64

Function 065508E0 Relevance: 1.6, APIs: 1, Instructions: 111memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0655099D

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e4cfe48aafc828c5f90190b6436dc11a86666b9c93f50f8606d13f8e95f5e3c7
Instruction ID: 77a7074b9941cac734937cf72b9e6c2c949a9990f06fd92a52ec2480ba5f9f09
Opcode Fuzzy Hash: e4cfe48aafc828c5f90190b6436dc11a86666b9c93f50f8606d13f8e95f5e3c7
Instruction Fuzzy Hash: 884198B5D042599FCF10CFA9D984A9EFBF1BF49310F20A42AE818B7214D735A901CF94

Function 0659ECE8 Relevance: 1.6, APIs: 1, Instructions: 109nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0659EDA5

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f52c5f4899f8170afde63e505a4b7b4cf0b8354213c8bf447e579e0da8ec3bf2
Instruction ID: 213582cc14d162d7d684b0ed8a0d269ae5bd466a5736e9472012722ddb208874
Opcode Fuzzy Hash: f52c5f4899f8170afde63e505a4b7b4cf0b8354213c8bf447e579e0da8ec3bf2
Instruction Fuzzy Hash: 114187B4D002589BCF10CFAAD981ADEFBB5BB49320F10942AE819B7210D735A905CF64

Function 0659ECF0 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0659EDA5

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 93372b9da63f3c20c913069eeb130dce1a12559ef520ff578f36453ca0a95d73
Instruction ID: 7dd462cbcb1247d42c6db8b2ec7e0671267d197319e511145b932842a7249e08
Opcode Fuzzy Hash: 93372b9da63f3c20c913069eeb130dce1a12559ef520ff578f36453ca0a95d73
Instruction Fuzzy Hash: A04177B4D002599FCF10CFAAD981A9EFBB5BF49310F14942AE818B7310D735A905CF64

Function 063D6CC0 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

Tefq, xrefs: 063D6E8A

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 7c9e4d598e1691310802b8bdd3d8cca5df1ed2c139df6a8abaef5f526b7ac0bc
Instruction ID: 6be79b42eca8c3e06dab505c1f3cb0138dc06c896da579e9ee7fbd861d69db44
Opcode Fuzzy Hash: 7c9e4d598e1691310802b8bdd3d8cca5df1ed2c139df6a8abaef5f526b7ac0bc
Instruction Fuzzy Hash: DAA15A71E05218CFEB54DFA9E84579DBBF6BF8A300F20906AE419AB255DB305985CF80

Function 063D6CB1 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

Tefq, xrefs: 063D6E8A

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: e1b57e9182b1de05a59fab26216e9ae2bf6dfe1d528bc5a33a919c87244fb611
Instruction ID: aa70781593d1a74f8b57555ec656e45a37beacb22c6191459dc803775f38abbb
Opcode Fuzzy Hash: e1b57e9182b1de05a59fab26216e9ae2bf6dfe1d528bc5a33a919c87244fb611
Instruction Fuzzy Hash: 40A12871E01218CFEB64DFA9E84579DBBF6BF8A300F20906AE419A7355DB705985CF80

Function 014A169A Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

LRfq, xrefs: 014A1930

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: 451bbf56232d7a3d90f129d0a5b6d2719303763e3b23dbadf33e7244d45174d7
Instruction ID: 76ea94f532e9757da331e068d585dd2023eefc82bbdd599a271f09f75dba853e
Opcode Fuzzy Hash: 451bbf56232d7a3d90f129d0a5b6d2719303763e3b23dbadf33e7244d45174d7
Instruction Fuzzy Hash: 1991A475E001298FDB15CF69C990BADFBB2BF94300F6AC69AD045AB295D734AD81CF40

Function 014A09B8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\sfq, xrefs: 014A0B2D

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: 0c42cecf102d06e8855feec9b3f7a60f17b81fe1bc86aa77c66cc8431154075d
Instruction ID: bfb01aaa3d0321880a9e2a2c06e16e5b56626205dd97db6a24b60e7e22356be3
Opcode Fuzzy Hash: 0c42cecf102d06e8855feec9b3f7a60f17b81fe1bc86aa77c66cc8431154075d
Instruction Fuzzy Hash: 0181E6B8E4010E9FDF14DFAAD584ABEBBF1BB48304F10A655D412EB2A4DB31A941CB50

Function 014AC164 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5442078ff1095b07cc7cacc55479857f4fa0ab60b54aedb62201893db9572177
Instruction ID: b4dd9256fcb87d2e6bfcd89af414c07261113f512d813e52a02162d51599c893
Opcode Fuzzy Hash: 5442078ff1095b07cc7cacc55479857f4fa0ab60b54aedb62201893db9572177
Instruction Fuzzy Hash: 6132B4B4A10229CFCB65DF28C984AA9BBB6FB48310F5191D9D54DA7351DB30AE85CF40

Function 014A1EE0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0f3f37af93bbd3d8a9a89b8cc15e70ad066942b4ad65f95dbc4b379364d498
Instruction ID: 46cb1c88554a87712bd41f6bc01c65e1b99340e477177ff5d81f733ae4dac8e0
Opcode Fuzzy Hash: bd0f3f37af93bbd3d8a9a89b8cc15e70ad066942b4ad65f95dbc4b379364d498
Instruction Fuzzy Hash: 2581B076F106259FD714DB69CC90A9EB7E7AFD8710F1A8165E409DB3A9DE30EC018B80

Function 014A1F91 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fbaab072730248f3f87eb2b39858dafd19f386568fe1f403bab8ae5c20fa8e
Instruction ID: 7ef5846cdb3c570137d903fc0009e6a734edc92fd3f9ad85cbfdf3992229cb8a
Opcode Fuzzy Hash: 51fbaab072730248f3f87eb2b39858dafd19f386568fe1f403bab8ae5c20fa8e
Instruction Fuzzy Hash: 21615C36F105258FD714DB69CC90A6EB7E3AFD8710F1A8165E4099B3AADE70EC019B80

Function 063D69F0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3597bb362790b1aa3b947730f2ee7c92cdef5266e6c54328d47a6a863638543
Instruction ID: 2c7a10cacb133d776665d47fa820e32c1c0887d355935d75e8bb12a3d2f811e5
Opcode Fuzzy Hash: a3597bb362790b1aa3b947730f2ee7c92cdef5266e6c54328d47a6a863638543
Instruction Fuzzy Hash: C141E670D01208DFDB58DFBAD59469DBBB2BF89300F20812AE41AAB265DB319945CF90

Function 065495B0 Relevance: 7.9, Strings: 6, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 065496FA
4'fq, xrefs: 06549634
pjq, xrefs: 06549707
4'fq, xrefs: 06549664
(jq, xrefs: 0654977A
4'fq, xrefs: 06549682

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq$4'fq$4'fq$4'fq$4'fq$pjq
API String ID: 0-799542208
Opcode ID: 8ff4781b0a7c0dea618dae9c27a5148ae806bd01ddec4d89f8b15cc413501645
Instruction ID: 1f7a009e4e95f48ec884040859e004084cdf9c25e8af99968b65d6cc51862e5f
Opcode Fuzzy Hash: 8ff4781b0a7c0dea618dae9c27a5148ae806bd01ddec4d89f8b15cc413501645
Instruction Fuzzy Hash: 0BD14C76A00114DFCB45DFA8C844EAA7BB2FF88314F0544D8E609AB272DB32ED55DB90

Function 065482F0 Relevance: 4.2, Strings: 3, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hjq, xrefs: 06548844
Hjq, xrefs: 065487C5
Hjq, xrefs: 065487F4

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: Hjq$Hjq$Hjq
API String ID: 0-2296473396
Opcode ID: b30a3d8c14c5959a95c1eef48276f97c5485df4a4dc8cc2577e787624289ce31
Instruction ID: a46fb3689b8d0d9007a357ac8604df8625db0576d21f4d9011ee2ba754eea8a9
Opcode Fuzzy Hash: b30a3d8c14c5959a95c1eef48276f97c5485df4a4dc8cc2577e787624289ce31
Instruction Fuzzy Hash: 0F125E71A002159FCBA4EFA5C8946AEB7F6FF88304F14856DD50A9B391DB31EC49CB90

Function 0654E572 Relevance: 4.1, Strings: 3, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(jq, xrefs: 0654E6A9
(jq, xrefs: 0654E6D5
Hjq, xrefs: 0654E701

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq$(jq$Hjq
API String ID: 0-2836811127
Opcode ID: 506c4370f9d3cf167b3a72e02cb1470877699a2f07142175d63518a59e740df0
Instruction ID: 8b1ed35bcbd2d6b9af460dc11ad9bae82ce8ea7f8e08a6d953c129955485bdd4
Opcode Fuzzy Hash: 506c4370f9d3cf167b3a72e02cb1470877699a2f07142175d63518a59e740df0
Instruction Fuzzy Hash: 09F15134A01219DFCB54EF64D8949AEBBB2FF89314F108558E406AB365DF30EC46CB90

Function 06549FA8 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 0654A2A1
4'fq, xrefs: 0654A321
4'fq, xrefs: 0654A1C2

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq
API String ID: 0-3646979650
Opcode ID: b2c7d69f1ca638bd22175c98a19cc49bc467cc2d445c190dbfc535f433b805cd
Instruction ID: c224d27bc49a5ebd1ce7d105a283204c51d1cd126e24afe8ff8fb6102906a577
Opcode Fuzzy Hash: b2c7d69f1ca638bd22175c98a19cc49bc467cc2d445c190dbfc535f433b805cd
Instruction Fuzzy Hash: F2F1D934A00219CFCB48EFA4D998A9DB7B6FF89704F518158E506AB3A5DB31EC46CF50

Function 06320D98 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'fq, xrefs: 06321549
4'fq, xrefs: 06321559

Memory Dump Source

Source File: 00000004.00000002.2075327960.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6320000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 34f5f5a7cf1b6cc9e525b304c3a6abe54913afe081b0dbe37f7ac3e34b41556e
Instruction ID: e4a448ae7119e462c3422501b5888ead129084f5754c66c0287940265283ddf6
Opcode Fuzzy Hash: 34f5f5a7cf1b6cc9e525b304c3a6abe54913afe081b0dbe37f7ac3e34b41556e
Instruction Fuzzy Hash: BF42E774E1022ACFDB98DFA4C5846AEB7B6FF48304F108059EA1667754DB34688ACFD1

Function 06544801 Relevance: 3.0, Strings: 2, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$fq, xrefs: 06544B83
$fq, xrefs: 06544B73

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: $fq$$fq
API String ID: 0-2537786760
Opcode ID: 7521f8e73c970e0eeee274ea738c90205d4784becac9cc165a92608732ce7b4e
Instruction ID: 021b1fae21c7ac57e7b3969b149ba10320e7a522a8ff737ebbefbac28614361a
Opcode Fuzzy Hash: 7521f8e73c970e0eeee274ea738c90205d4784becac9cc165a92608732ce7b4e
Instruction Fuzzy Hash: 7B22AB31E002299FCB55EFA5C840BAEBBF6FF88744F148598E911AB394CB359945CF90

Function 063218C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 06321D56
4'fq, xrefs: 06321D66

Memory Dump Source

Source File: 00000004.00000002.2075327960.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6320000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq
API String ID: 0-751858264
Opcode ID: 1dba3caf2df72662ade0a7eab054f96159580230509d3202fdc427d2eced3b45
Instruction ID: 52e02d9a23339f4df0f9f14b851dc51178d963523b47fe95157220f910c85f1d
Opcode Fuzzy Hash: 1dba3caf2df72662ade0a7eab054f96159580230509d3202fdc427d2eced3b45
Instruction Fuzzy Hash: 2FF1E634D01229DFCBA4DFA4D5946ECBBB6FF49751F20812AE506AB350DB31598ACF80

Function 065405A0 Relevance: 2.7, Strings: 2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hjq, xrefs: 06540704
(jq, xrefs: 065406D8

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq$Hjq
API String ID: 0-2151573235
Opcode ID: f3a5a5bd50162025c50a98b0bbe0898a4449a6da15f7c930a25a2d30b5d99d5e
Instruction ID: 9253509e1b09560cbd2392ef8ec99abce3feed96c70efa758e260285dff9b221
Opcode Fuzzy Hash: f3a5a5bd50162025c50a98b0bbe0898a4449a6da15f7c930a25a2d30b5d99d5e
Instruction Fuzzy Hash: 2C81E2706047518FD7A4EF29C49065ABBE2FF84308F24CA9DE11A8B2D1DB35E885CF91

Function 014A1CB0 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

\sfq, xrefs: 014A1E8F
, xrefs: 014A1DC2

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: $\sfq
API String ID: 0-1105643209
Opcode ID: 6a3aa738744e501e965c4248180a64bca105339d727037910f61ba7e3ae2bbeb
Instruction ID: e0b967ec63335bf398398eba7748f90acb369d7b38ca594a17de4a7caca9a02e
Opcode Fuzzy Hash: 6a3aa738744e501e965c4248180a64bca105339d727037910f61ba7e3ae2bbeb
Instruction Fuzzy Hash: B051CE71B001158FDB10DFACD8809AFBBB6FB84621F56856BE619DB761C730EC428B80

Function 06543E28 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

Hjq, xrefs: 06543FBD
(jq, xrefs: 06543F2E

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq$Hjq
API String ID: 0-2151573235
Opcode ID: 945fdead5931fe245bfb21730a6ca228fe0a7a288fed4a4a93830b99cac91980
Instruction ID: 8f7537f6b924c9fc26e3e0f222b4a071f322c9d5879500430db8bc3db08ffa26
Opcode Fuzzy Hash: 945fdead5931fe245bfb21730a6ca228fe0a7a288fed4a4a93830b99cac91980
Instruction Fuzzy Hash: 3E5168347002119FCB99AF29D49452EBBB7FF8974572044ACE5068B3A5CF35EC4ACBA0

Function 067D3961 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

X, xrefs: 067D399E
s, xrefs: 067D396E

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID: X$s
API String ID: 0-2768922426
Opcode ID: de2cde29500a644dc37b93f62c9e08ab748dda9817ef48f56d4db76935938e6f
Instruction ID: d6e3d70cde37e8163c2333e621b2339a1bc240d08baef256a4d2cd57358dcf43
Opcode Fuzzy Hash: de2cde29500a644dc37b93f62c9e08ab748dda9817ef48f56d4db76935938e6f
Instruction Fuzzy Hash: 1131E5B8A10229CFDB64DF64C8847EDB7B5FB49315F1045EA9509A7390DB30AE85CF00

Function 0654AE80 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,jq, xrefs: 0654B1FB

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: 38c50193893935c9bb4d5f26136ed38837ee17af323808c2313fdc507582aa96
Instruction ID: 00a9dfe33fb1a862fcb8b6c45e8fb480a2ecb83c1aca7679193983c73849c8c1
Opcode Fuzzy Hash: 38c50193893935c9bb4d5f26136ed38837ee17af323808c2313fdc507582aa96
Instruction Fuzzy Hash: BE52F775A102288FDB64DF68C980BEDBBF6BB88700F1541D9E509A7391DA30DE85CF61

Function 065453E0 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

(_fq, xrefs: 0654566D

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (_fq
API String ID: 0-931642571
Opcode ID: 99ce60a4cabd5b0a7aa7aff803ecbd0d51c0c641771e819add76903bc5364b2c
Instruction ID: 0f5d247ecf1f8fca430aa7dab5c6811ccb376863bf4d0ab8be00f1e809e3864d
Opcode Fuzzy Hash: 99ce60a4cabd5b0a7aa7aff803ecbd0d51c0c641771e819add76903bc5364b2c
Instruction Fuzzy Hash: 03229B75A00215DFDB44EF69D494A6DB7F6FF88304F1480A9E905AB3A1EB31EC84CB90

Function 0659F594 Relevance: 1.8, APIs: 1, Instructions: 267processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0659F807

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7933235d3513b8239f23ed72410743a3d4b84cbdf3b16ec765dcac8d097c071e
Instruction ID: be8fe326f2eb865abe75cfc2e9c16930de0975241f741bb7542bc460f83b711c
Opcode Fuzzy Hash: 7933235d3513b8239f23ed72410743a3d4b84cbdf3b16ec765dcac8d097c071e
Instruction Fuzzy Hash: 37A10EB0D002199FDF64CFA9C881BEEBBB1BF09310F149569E858E7290DB748985CF95

Function 0659F5A0 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0659F807

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b3519e4ca01aaa90fb3f950c2a548a9e0049d11f4b932e22bae20704b06c4ad0
Instruction ID: 2cb778237c5dd22a77c9d3901d8cd96e1ac8636e5d16dcf96c8f21d7aa4fa251
Opcode Fuzzy Hash: b3519e4ca01aaa90fb3f950c2a548a9e0049d11f4b932e22bae20704b06c4ad0
Instruction Fuzzy Hash: 9DA100B1D002199FDF64CFA9C881BEEBBB1BF09310F149169E858E7290DB748985CF95

Function 06550350 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 065503FC

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e49186a88d4a1c8607b165dafd0e3c5f8b0857ed0924b15cc670598c8f70937c
Instruction ID: d7e6da7255a60f7f2f0004f70ce2e5c98cff1315656b07bc466894443070c080
Opcode Fuzzy Hash: e49186a88d4a1c8607b165dafd0e3c5f8b0857ed0924b15cc670598c8f70937c
Instruction Fuzzy Hash: 7B31EBB4D012589FCF10CFAAD884AEEFBB4BB49310F10902AE814B7210D734A945CF64

Function 06550358 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 065503FC

Memory Dump Source

Source File: 00000004.00000002.2076136879.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6550000_wpappx.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f78fa402a73e15f19d46bfc1447e6a7fa71595e8760128da3ad350b2c73db7de
Instruction ID: f3ec0c96151afc894dfd7f8e9347b1f38b24d5d1c73903e581e27a3e2172c834
Opcode Fuzzy Hash: f78fa402a73e15f19d46bfc1447e6a7fa71595e8760128da3ad350b2c73db7de
Instruction Fuzzy Hash: 7731B8B4D00258DFCB10CFAAD984AEEFBB1BB59320F24942AE814B7250D779A945CF54

Function 0659B85A Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 0659B8F2

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 997af850b4469cd2c09ec5130f0eae4fe0bf9ef3868a251e93664dc02c63046b
Instruction ID: 6b9bd546247cf68f0a3e32e3c16742163b1fd79032a6b8f0e228e20c8c951992
Opcode Fuzzy Hash: 997af850b4469cd2c09ec5130f0eae4fe0bf9ef3868a251e93664dc02c63046b
Instruction Fuzzy Hash: 2731C9B4D012199FCB10CFAAD980A9EBBF5BB49310F24942AE804B7200D734A945CBA4

Function 0659B860 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 0659B8F2

Memory Dump Source

Source File: 00000004.00000002.2076445263.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6590000_wpappx.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f84cf69f14c650f6c7126a1c5a7578eea56060ed15f09deb13ec85b00c002773
Instruction ID: 55c824db4ade24d4d00defb655ea0a4718ac7c8ac3a8e14b2bdccbfc38822e80
Opcode Fuzzy Hash: f84cf69f14c650f6c7126a1c5a7578eea56060ed15f09deb13ec85b00c002773
Instruction Fuzzy Hash: 9431CCB4D012199FDF10CFAAD980A9EFBF5BF59310F14942AE414B7240D735A945CFA4

Function 06545B50 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Plfq, xrefs: 06545D38

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: Plfq
API String ID: 0-3206639473
Opcode ID: c529a65091e342094202aecbcc1225294e8c30f786cad914b38014ac34edefde
Instruction ID: b3e9503d65aadbdc0ae0ed0167bafed17f6a5b31f56d90779e8349d2ca6f32a5
Opcode Fuzzy Hash: c529a65091e342094202aecbcc1225294e8c30f786cad914b38014ac34edefde
Instruction Fuzzy Hash: D9910274B001148FDB54EF28C884AAA7BF6FF89714B1440A9E506CB3B5EB70ED41CBA1

Function 06549F98 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

4'fq, xrefs: 0654A1C2

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 6f813a85b8f4d214946f6af4b8c2fd2362f7ec1efe2131d3d28758c8265aa89f
Instruction ID: e91a0c777ecad4d299a655a3362d1213a400a7637bfa769a14157722e9aeb2e3
Opcode Fuzzy Hash: 6f813a85b8f4d214946f6af4b8c2fd2362f7ec1efe2131d3d28758c8265aa89f
Instruction Fuzzy Hash: 17A11E34A10219DFCB44EFA4D89899EB7B6FF88304F558159E405AB365DF30AC46CF50

Function 014A09A8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

\sfq, xrefs: 014A0B2D

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: cab99969396b4cfe21d4262982bc5f3d1263d84fd567238b38812756c12caab8
Instruction ID: 2a691d0c6c5277363eddf26aa51bac7cd9273bac20753a8c28e7eee4d3814f48
Opcode Fuzzy Hash: cab99969396b4cfe21d4262982bc5f3d1263d84fd567238b38812756c12caab8
Instruction Fuzzy Hash: 2E51E8B8E4020A9FDF14DFA9D980AEEBBF1BF88314F10A665D401FB254DB359946CB50

Function 0654EC98 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

(jq, xrefs: 0654EDC4

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 61046b6448bdc05acd9eb49c46f68b17b0dfe179473c9c55fc378fc32049dfe2
Instruction ID: 073b8f7a1be678d810e2c4db07d5fa964e7d25506153ffe79e17345672c4bc66
Opcode Fuzzy Hash: 61046b6448bdc05acd9eb49c46f68b17b0dfe179473c9c55fc378fc32049dfe2
Instruction Fuzzy Hash: F6518E36704250AFCB469F68D814D597FB6FF89710B1980EAF605CF2B2CA32D815DB60

Function 0654DC39 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

4'fq, xrefs: 0654DC82

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 5bd32488508ccbc700551e3e66d5a06b05ac03119bc0acad79a2036f3667ed3d
Instruction ID: d77dbc0b6080236f6c8d7dd542c829b48cbf7d126657155fd1b47c02b5667b4f
Opcode Fuzzy Hash: 5bd32488508ccbc700551e3e66d5a06b05ac03119bc0acad79a2036f3667ed3d
Instruction Fuzzy Hash: 74415D34B106158FCB94FF68D894AAEB7BABFC9704F104559E406AB398CF749C06CB91

Function 06540B9C Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(jq, xrefs: 06540BC4

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: ea60e55b7956b0cd6f0c3f7caeb5be04a12fa8108bfcca8ddafaf49a19ca6278
Instruction ID: 77fc662fd9bb5ceb74ffd7dbb7d0f58ff520bee5c2269eeafbe6050f0bb6d2a1
Opcode Fuzzy Hash: ea60e55b7956b0cd6f0c3f7caeb5be04a12fa8108bfcca8ddafaf49a19ca6278
Instruction Fuzzy Hash: A841D670A01616DFCB00DF68C484A6AFBB5FF89314F258599D6159B382C730ED55CBE0

Function 06548FC8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

4'fq, xrefs: 06549061

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: cac23ad34e9a761da842a4792f9c38cf4900a54cf4144c8e593ba0bcafe74fef
Instruction ID: 9d6ca2de9414736036bcfad7aea9e865141daa03adb9f3f1d27c3252063fb7bd
Opcode Fuzzy Hash: cac23ad34e9a761da842a4792f9c38cf4900a54cf4144c8e593ba0bcafe74fef
Instruction Fuzzy Hash: E241C3317002119FCB159FA5D888D9ABFB7FF89710B0581AAF60A9B365CA319C46DB90

Function 067EFDE8 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

pjq, xrefs: 067EFE30

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID: pjq
API String ID: 0-551751012
Opcode ID: ca29dfa5eafaf1d2b0fea01f069a89b95eea993ea2a52a034848e354499baf3b
Instruction ID: 7beb25f138d72ecd73cba3295d555ee9bea9373060b4d902c8e64cbdabde7f8f
Opcode Fuzzy Hash: ca29dfa5eafaf1d2b0fea01f069a89b95eea993ea2a52a034848e354499baf3b
Instruction Fuzzy Hash: 9F41C776600110AFCB469FA9D944D6A7FF6FF8C31471A8198E2099B372DB32DC61EB50

Function 014ACFC0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

TJkq, xrefs: 014AD05E

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: TJkq
API String ID: 0-3106782265
Opcode ID: ee23354d5a1c645cdfe814dc9ff27617efece9087e869c181d1594d9f603b15a
Instruction ID: b335c1aa1468ca5679d86ed90bfee96794ecc7559fd18d0c56f57f327104b40b
Opcode Fuzzy Hash: ee23354d5a1c645cdfe814dc9ff27617efece9087e869c181d1594d9f603b15a
Instruction Fuzzy Hash: 6251E3B4D01209DFDB24DFA9E5886AEBBBAFF88314F50802AE415A7368DB345945CF50

Function 0654D640 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

4'fq, xrefs: 0654D6F7

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 06c1f3d9b88141b2b4328b7935cc9a567a98adddb865132ba3f59ed63d6ec9ab
Instruction ID: 69480a0599fc7dca6d4af6b3b1f4a8983c1736e22e5e42fcec948113f78d66df
Opcode Fuzzy Hash: 06c1f3d9b88141b2b4328b7935cc9a567a98adddb865132ba3f59ed63d6ec9ab
Instruction Fuzzy Hash: B5415F717006109FD349EB69C995F2B7BEABFC9B04F104598E20A8B3A1DE71EC41C791

Function 06541A30 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

,jq, xrefs: 06541A93

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: 1155032dcd57ffffae8deace2d59dbc4ac731ff30f7e9cf0b3f4273ce191dba2
Instruction ID: 10c4c0e90d93218305337a3155f8fb22b2bc0ebdaca4fbeb649a2e4b421c99df
Opcode Fuzzy Hash: 1155032dcd57ffffae8deace2d59dbc4ac731ff30f7e9cf0b3f4273ce191dba2
Instruction Fuzzy Hash: F541BC357005058FCB14EF69C8909AEBBF2FF85350B1185A9E9059F361DB31ED45CB91

Function 014ACFD0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

TJkq, xrefs: 014AD05E

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: TJkq
API String ID: 0-3106782265
Opcode ID: 2db5829947f3287d7c4304e1352e76f1dc547ff2318da76423c2d2d06f749e39
Instruction ID: 8271c4a95437b0e9b45eed97f0f634f2e9ace426b5c93d58f5a2fdb511fa5430
Opcode Fuzzy Hash: 2db5829947f3287d7c4304e1352e76f1dc547ff2318da76423c2d2d06f749e39
Instruction Fuzzy Hash: BA41E5B4D01209DFDB24DFA9E5886ADBBBAFF88314F50802AE415A3368DB345945CF50

Function 0654D650 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'fq, xrefs: 0654D6F7

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 84d05db73caa2b3e0897fde2bb1a37905e2fcaebd175ffc3f14cee4cf646f70d
Instruction ID: 7096ac35a483f8a38e44e7c34db3fccbf7c31aeeee28989680c255600e4d01e5
Opcode Fuzzy Hash: 84d05db73caa2b3e0897fde2bb1a37905e2fcaebd175ffc3f14cee4cf646f70d
Instruction Fuzzy Hash: 23311F757006109FD348EB69C995B2B77EABFC8B04F104558E60A8B3A1DE71EC41CB91

Function 06540448 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

(jq, xrefs: 06540498

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: 6ddd1abffeaba5d9e713e93a4ed407c4370a7d4370ae1a45fd8275d428fa442b
Instruction ID: 01f53954a70fec401aaf318bd478fc498c9e66a9ddeecc5f7fa9dee112b262f8
Opcode Fuzzy Hash: 6ddd1abffeaba5d9e713e93a4ed407c4370a7d4370ae1a45fd8275d428fa442b
Instruction Fuzzy Hash: D43129357042555FDB056B29EC409AF7BA6EFD9364B20407EFA05CB390DE329C15C7A0

Function 06549019 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'fq, xrefs: 06549061

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 3dfd95314e2a6dd7ec375e98af41555527bd04f907f20474ab21b2beb4f39a8a
Instruction ID: e537d833de44cf8ea12f1522ad06b949cc3ad4b6c3993b3576865801b8170238
Opcode Fuzzy Hash: 3dfd95314e2a6dd7ec375e98af41555527bd04f907f20474ab21b2beb4f39a8a
Instruction Fuzzy Hash: 402191356001119FCF159FA4D898DAE7BB7FF88710B0540A9FA069B3A5CA72DC46DB90

Function 014A3E9D Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Tefq, xrefs: 014A3F18

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 277e01fb566ddf0aeaa11917aaaf8d67e25af1d2ba6a5b72c4b7ded520bf2549
Instruction ID: b0e89bda8afd792f663ccd994357cee08e6e500c01dbc33329a132660eb221c0
Opcode Fuzzy Hash: 277e01fb566ddf0aeaa11917aaaf8d67e25af1d2ba6a5b72c4b7ded520bf2549
Instruction Fuzzy Hash: 4021BF307002459FCB44DB79C498AAEBBF6BFA9300F51416EE405AB3B5CE349C05CB90

Function 06544730 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

p<fq, xrefs: 0654477A

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: p<fq
API String ID: 0-1940909823
Opcode ID: 0fa34503bee18065128a5196e6a8b7b0da337baa70c2cdc12827bb8af43a3952
Instruction ID: 5ecaafe6021195d76b1322fa856f3e116a3944ac8c7b6faf5f777b111b0256a0
Opcode Fuzzy Hash: 0fa34503bee18065128a5196e6a8b7b0da337baa70c2cdc12827bb8af43a3952
Instruction Fuzzy Hash: EA217C74308244AFCB159F2AC880EAB3BEAFF8A254B054095F944CB271CA31EC52CF60

Function 06541A20 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

,jq, xrefs: 06541A93

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: 912381675397fc46d8b7ab341c85d635f7f611976bc27f3f572b374d2738265a
Instruction ID: 36c8f2db4a8f583c12527c3ecb4b6a3c5b10e14836da4ef4680630260af5fc80
Opcode Fuzzy Hash: 912381675397fc46d8b7ab341c85d635f7f611976bc27f3f572b374d2738265a
Instruction Fuzzy Hash: 3D21D334A006059FCB10EF69D850AAABFF9EF85340F1581AAE9409F361DB31ED40CBA1

Function 06320D7D Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

4'fq, xrefs: 06321549

Memory Dump Source

Source File: 00000004.00000002.2075327960.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6320000_wpappx.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 11fa36265943e70ec37acd0775962b97fd4769cb36b877c65a060765f4ff66fa
Instruction ID: 9a97da18745639b12f83f3bdd85c8fab9a4e4c4f1dd5d8415a53047db5b0a14a
Opcode Fuzzy Hash: 11fa36265943e70ec37acd0775962b97fd4769cb36b877c65a060765f4ff66fa
Instruction Fuzzy Hash: E831DD30D0526ACFDB59CFA9C5146BEBBB1FF45300F1480AAC125A7291D7386989CFD1

Function 06544740 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<fq, xrefs: 0654477A

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID: p<fq
API String ID: 0-1940909823
Opcode ID: 9a5aa08f4e9764679455d3a761bf7a796d203129c95a1aa75a737245cdc175a3
Instruction ID: 79d17c5ac498eb4fc92b17cb1a1089297086fe9f0a457f5371d4d69859c23c30
Opcode Fuzzy Hash: 9a5aa08f4e9764679455d3a761bf7a796d203129c95a1aa75a737245cdc175a3
Instruction Fuzzy Hash: 6F215974344154AFCB55DF2AC880EAA7BEAFF8A244B044095FC14CB2A1DB31EC52DF60

Function 014A3EB8 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Tefq, xrefs: 014A3F18

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: dae7064e20bfff818549cfd77acc4ec7049ce1854464a10ef1d19d6a54ab8cff
Instruction ID: c5eaa13a9b65b3aa453bc99198fbe846fbfb88a54e095253d935cbe2c3401b2b
Opcode Fuzzy Hash: dae7064e20bfff818549cfd77acc4ec7049ce1854464a10ef1d19d6a54ab8cff
Instruction Fuzzy Hash: 6F21AE707002159FCB48EF7AC458A6EBAF6BFA8700F514429E506EB3A4DE719C05CB90

Function 014A1E2A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

\sfq, xrefs: 014A1E8F

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID: \sfq
API String ID: 0-3800904836
Opcode ID: b32c90b3a13e51b1d8ff4b6b59a3f0df42529f2fd80514a196c8618e3b30ad12
Instruction ID: 85d1557623a1f3f997398452ba9e5c7c0babf1a36acb08baf9a6d0f6d55210dc
Opcode Fuzzy Hash: b32c90b3a13e51b1d8ff4b6b59a3f0df42529f2fd80514a196c8618e3b30ad12
Instruction Fuzzy Hash: E70184707006118FD765DF39D854C3B37FAAF89A60B1285AED50ACB372DA30DC418B51

Function 063DC67C Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

I, xrefs: 063DC718

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 90e0e7c417fd6ef0edce50aabfc27bee16033c4ff3d2cad172130ff091c53c09
Instruction ID: 446c1a433862bae192b3dadb299aecb8fa5321597ef5b285c128a684b961402e
Opcode Fuzzy Hash: 90e0e7c417fd6ef0edce50aabfc27bee16033c4ff3d2cad172130ff091c53c09
Instruction Fuzzy Hash: E6214E74915628CFDBA4DF29DC88B9EBBB1BB49302F0441EB9809A7290DB305E85CF41

Function 063D056F Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

o, xrefs: 063D0DA7

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 3d3349d9c17e3ddc335428a3da18291061436262cdf6a7896fccf6d6dcb497f7
Instruction ID: c7db651ef3b57d3ab0da344b9d3e302002ec1e01b694236e6732ae97dc0d43f5
Opcode Fuzzy Hash: 3d3349d9c17e3ddc335428a3da18291061436262cdf6a7896fccf6d6dcb497f7
Instruction Fuzzy Hash: DD01EF79D15228CFDBA5DF64E888B9DBBB1BF0A318F5450EAD509A2242C7300988CF56

Function 063D0D70 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

o, xrefs: 063D0DA7

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 872ad26f15a2c2c3830309b26e593967eee8ffbc94ec09b7e63a26a5e44956ea
Instruction ID: 96504ae107d8b2483f177bbfe2e1be55107025ea96ff7b85b7924add8150dd08
Opcode Fuzzy Hash: 872ad26f15a2c2c3830309b26e593967eee8ffbc94ec09b7e63a26a5e44956ea
Instruction Fuzzy Hash: 15F0CF74D112198FDBA4DF28D889B8DBBB1BF0A328F5052DAD518A7692C7304D88CF11

Function 063D7ED4 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

., xrefs: 063DB284

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: e5db8872eb1d0e32acf49e5f2a8d6166690366f76294ad392521dfae65ac7719
Instruction ID: f2dd2040b0372e72c36ab5d5a6ce304fb4cbd14a5ccc96a27e48db7f6ff02fd2
Opcode Fuzzy Hash: e5db8872eb1d0e32acf49e5f2a8d6166690366f76294ad392521dfae65ac7719
Instruction Fuzzy Hash: 23D05EF16002388FDBA4EF39E884A5E77B9FB45300F104698D00AAB388DE301D858FD1

Function 0654DE88 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705700bc140bf4e40c802244820f12df899178635f353b422f8f01bb445a32c2
Instruction ID: fe97643e8e93b72936adb7a8b13190a01be78767025e4b0a793fd40a3885d544
Opcode Fuzzy Hash: 705700bc140bf4e40c802244820f12df899178635f353b422f8f01bb445a32c2
Instruction Fuzzy Hash: D8120934A002198FCB54EF64C995B9DB7B2BF89304F5185A8E54AAB365DF30ED89CF40

Function 065412C8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cae9bcb75fedabe3477215ac3c7a34fd304a58587c59e1030ec2b505dc87762
Instruction ID: 03dce0e07256659f552c8b8012471eec43986098bcd1c0549f8e8010cd6d6305
Opcode Fuzzy Hash: 4cae9bcb75fedabe3477215ac3c7a34fd304a58587c59e1030ec2b505dc87762
Instruction Fuzzy Hash: FE918835A016149FCB25EFA5D584AADBBF2FB88755F1080A9E9029B390CB31DD85CF90

Function 0654DE78 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25824a3ff2ebf544ea0612e58a0e898509f9240f19eb919449b8913798e869fb
Instruction ID: 3fe59839e5e797d7aed3c3ef542a0781a85839fd0db8282cc32bff172970b1e0
Opcode Fuzzy Hash: 25824a3ff2ebf544ea0612e58a0e898509f9240f19eb919449b8913798e869fb
Instruction Fuzzy Hash: 63A11834A002158FDB64EF24C889B9DBBB6BF89314F5085E8E549AB355DF30AD85CF50

Function 063D25D0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e343276dd5f6d6f35ca3c0666f7633715b831ec5a37ae8b4aab3749b5751cd3
Instruction ID: 019b23f697a5e5be5ebd58dbe71860519f7d69e1cf06f0b76aa67cb2498af95f
Opcode Fuzzy Hash: 3e343276dd5f6d6f35ca3c0666f7633715b831ec5a37ae8b4aab3749b5751cd3
Instruction Fuzzy Hash: 2BA13774E05218DFDB94DFA8E4446AEBBB6FF49310F104129E605BB384CB746A85CF90

Function 0654EE30 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3cc35d2c999ce1356f9161d05f3c23e66474b513b3bcfdcf1ed48c2095ff38
Instruction ID: 84c0face60e1c9b46cf75b3d09751e3f2e2375beadaf77705b59d959bbdc8c80
Opcode Fuzzy Hash: 6a3cc35d2c999ce1356f9161d05f3c23e66474b513b3bcfdcf1ed48c2095ff38
Instruction Fuzzy Hash: 39914D30B10215DFCB54EF68D898AADB7B6FF89714F1040A9E50A9B3A5CB35DC45CB90

Function 065468B0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ddd37ecd7f0e84a840da9d79fd057ece2fd8f5e064ca77b28a11221dde76d
Instruction ID: 635c769cbfc35649abbfa11dc6f4ae48df0028666fda7ba02fa9f6a562424ec8
Opcode Fuzzy Hash: 091ddd37ecd7f0e84a840da9d79fd057ece2fd8f5e064ca77b28a11221dde76d
Instruction Fuzzy Hash: F3813875A00618CFCB54EF68C484A9EBBF5FF89354B1580A9E8069B361DB31ED42CF90

Function 063D25C0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cddd28fbe63d13dccc4f38d88fed41457962e18e2bb005d4371a8eff2ba8d4
Instruction ID: 045eb5010cee230b8befee58bc710f55ffaa4b93bef1d29cad3687d093e70316
Opcode Fuzzy Hash: e2cddd28fbe63d13dccc4f38d88fed41457962e18e2bb005d4371a8eff2ba8d4
Instruction Fuzzy Hash: 27816975D04258DFDB94DFA8E4446EEBBF9FF49310F10802AE605AB644C7746A89CF90

Function 0654EE20 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8392ab16eccee985e6d9fcd5e5c16594b8cf3c51abdafe4ab99949707b58d0
Instruction ID: 4c5f49b6ae373511ad1b0a84c1455d622e34f3b255b19965a4ca58427c7f43bb
Opcode Fuzzy Hash: ee8392ab16eccee985e6d9fcd5e5c16594b8cf3c51abdafe4ab99949707b58d0
Instruction Fuzzy Hash: 80613B34B11215DFCB54EF68D898AAEB7B6FF89714F1081A9E5069B365CB30EC41CB90

Function 063D607D Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775567f3dea201ab5921cf75cd26b237342a35f55134d4f4cb5f0daf8f1509d4
Instruction ID: 4ec04b0928f838cf7c141be02f4971851bb5e6df1f08ab8c67c710a8d57b2a0d
Opcode Fuzzy Hash: 775567f3dea201ab5921cf75cd26b237342a35f55134d4f4cb5f0daf8f1509d4
Instruction Fuzzy Hash: EF713CB1D05218CFEB50DFA9E886BADBBF6BF46304F108069D029AB755D7749984CF80

Function 063D2D80 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524df125d971c4456742eb1250285dacab5621c3d977b32aa489011d89ff67d0
Instruction ID: f1f4e0170d5a14216ab3eccd21fd72e06dba2d3fd7753f85d6caac3f04ec0381
Opcode Fuzzy Hash: 524df125d971c4456742eb1250285dacab5621c3d977b32aa489011d89ff67d0
Instruction Fuzzy Hash: F0519075D04219DFDB44DFA8E4845AEBBFABF49300F10846AE626BB350DB706A45CF90

Function 06549B78 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519c0997b3fa602ae5c4d048ebd2b59a0f81051af400de354749bb11eed548a4
Instruction ID: f0d9debe1d760f4617f8d05c0b1c84c4969a63992efd66a57ff082da1c05e2a1
Opcode Fuzzy Hash: 519c0997b3fa602ae5c4d048ebd2b59a0f81051af400de354749bb11eed548a4
Instruction Fuzzy Hash: C5516E34B006199FCB04EF64E858AAEB7B6FFC8705F008119F5429B364DF74994ADB91

Function 063D2D70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465e83dd18be1c454a59a8f3993e24147b999ecef945623f38417a23e74c4b58
Instruction ID: f22a7910409c0bfa7e791ba59070a998636993f6ceef1579e857da1c6335dc87
Opcode Fuzzy Hash: 465e83dd18be1c454a59a8f3993e24147b999ecef945623f38417a23e74c4b58
Instruction Fuzzy Hash: 5551A375D14219DFDB44DFA8E4849AEBBFAFF49300F108469E526AB350DB306A45CF90

Function 063D6A00 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a41b0b87ffb2ad723413910a24187ff9cf894f33588d97b1664f869de6a199b
Instruction ID: 780b98306cde3d9a7f07c22ebeb293550f5205f4b75f357a50842693ddf43601
Opcode Fuzzy Hash: 7a41b0b87ffb2ad723413910a24187ff9cf894f33588d97b1664f869de6a199b
Instruction Fuzzy Hash: 0D51D374E01208CFDB58DFBAD585A9DBBB2FF89300F209029E416AB364DB319945CF90

Function 0654F120 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4782bd9bdde332389739001e9bf5c55ced94b1fb899e2a07b868e3dd781e9f82
Instruction ID: aed613046b17e5b4addc54ab7c293d487aae4dd744d285d6365d308469c3b835
Opcode Fuzzy Hash: 4782bd9bdde332389739001e9bf5c55ced94b1fb899e2a07b868e3dd781e9f82
Instruction Fuzzy Hash: C6319039A01219AFCB14EFA5DC55AEEBBB9FF89310F104065E905B7290CB319D05CBB0

Function 0654C750 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0a30ff943bf4b4da645cf6d452fbec94d1b38c352951fea41bdf1c22cf6410
Instruction ID: d2e5b71e695fcb3d869c87ff405dd8fccd004e9f83d8d81984fb50a3c1e3449c
Opcode Fuzzy Hash: 2c0a30ff943bf4b4da645cf6d452fbec94d1b38c352951fea41bdf1c22cf6410
Instruction Fuzzy Hash: 0931F536A111149FCB45DF99D888E99BBB2FF88724B0680A8E5099B372CB31EC55DF40

Function 06541778 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0ce229e4de8cb7fba4b890700f1f4e6abd32de363d9f3c8b472ccb6f3a53c7
Instruction ID: 4293a249ca6383067b5147e85300ec0cf5e35003590837bce99ad7951b2a8a06
Opcode Fuzzy Hash: 7d0ce229e4de8cb7fba4b890700f1f4e6abd32de363d9f3c8b472ccb6f3a53c7
Instruction Fuzzy Hash: DB41BF71E0062A8FDB60EFA5C9446BEBBB1FF88344F0085A9D905E7265D730D985CF90

Function 014A0861 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b800b89ae4466a72d17379b0fdc59acc474304080c0e0199fdc2a4ec94133879
Instruction ID: eb2165519d67d79ad26840c950ccdb5257ea2d74bc2cae38d1146d19bef2baee
Opcode Fuzzy Hash: b800b89ae4466a72d17379b0fdc59acc474304080c0e0199fdc2a4ec94133879
Instruction Fuzzy Hash: 4F31F6317003148FD758AB78D4546AE3BF6EFC9310F11056AE406DB3A5DF384C068BA2

Function 063DDC58 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bc598ee0d71b18f436ad5605bccc2f3e510998d5f0c75028adf0e779edfcb2
Instruction ID: 4b46c4e35ef7695bb6aebab0675589ff0b554a4d784e965d951a640b673a02da
Opcode Fuzzy Hash: d9bc598ee0d71b18f436ad5605bccc2f3e510998d5f0c75028adf0e779edfcb2
Instruction Fuzzy Hash: BB41F2B1E41218DFDB44DF9AE944BEEBBF6BF88310F109029E409A7250D7B05A84CB90

Function 0654641C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aac07d099ee45966bebdc2ec8b00a53d70a71dd77897729478ddf7a06ea997
Instruction ID: dc125b8a141290d954f11c7411edc8d4b38f1a560038cb06fb5e43fb5ca66e9d
Opcode Fuzzy Hash: 01aac07d099ee45966bebdc2ec8b00a53d70a71dd77897729478ddf7a06ea997
Instruction Fuzzy Hash: 573181317042518FDB559F24D894AAA3BB2AF85345F1440AAE841CF2E2CA35DC45DBA1

Function 06543E1A Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ff8838acc032e2df94ee4c9eac89497ae394af802b99f456800a84132b207c
Instruction ID: ff2b0dbe791e770fb65a291d7a1d403a0e97691fa74b7c7dac326c093cbac12a
Opcode Fuzzy Hash: a1ff8838acc032e2df94ee4c9eac89497ae394af802b99f456800a84132b207c
Instruction Fuzzy Hash: FA318D30601711EFC729EF25D88496AB7B6FF85745710486CE9468B3A5CF35EC4ACBA0

Function 063D6270 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3187c7f28e7fda7cd74329b24e1b179a192d1e7aff19cd8ceb1f9e58098fd0d
Instruction ID: 9be149c157b3914aa9ea15a9768fcc91ed072a1cc05d4c24f64578ba7a1db5c2
Opcode Fuzzy Hash: e3187c7f28e7fda7cd74329b24e1b179a192d1e7aff19cd8ceb1f9e58098fd0d
Instruction Fuzzy Hash: B4414EB1D01218CFEB60DF69D84AB9DBBF6BF46304F104169D419B7651DBB49984CF80

Function 0654EA51 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3d8f70bf152507c482b68e2de71b163326b98f0fedbee418850707bf4c2cbf
Instruction ID: a752c6a8071cd6f6b3a8c57b836406eab5fcdffad88b61c92d11e2074599cdd4
Opcode Fuzzy Hash: be3d8f70bf152507c482b68e2de71b163326b98f0fedbee418850707bf4c2cbf
Instruction Fuzzy Hash: 3B31CF34A013089FCB54EF78D8859AEBBB2FFC9314F1445A9E5129B365CB30E845CB91

Function 063DF518 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9bda28ec519ad837ddd86b2f32d775d793281defaa61ae29c66e4792de45ef
Instruction ID: 04e17da85963b2511f30538acb02cf60a9c264e3e3052e0ca653e90314f0c38f
Opcode Fuzzy Hash: 4f9bda28ec519ad837ddd86b2f32d775d793281defaa61ae29c66e4792de45ef
Instruction Fuzzy Hash: B03112B4E00219DFDB44DFAAE4846AEBBF6FB89314F10C06AD41AA7354D7349945CF90

Function 0654A918 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dded11c09a5a587a22eb2745148a56ebd4e915a31eb26b3c3044d18cd35852c4
Instruction ID: 0bdc184f973322f51cad5a30f3bd773b83f8dd449e611c4addd3ef9dc4e068e1
Opcode Fuzzy Hash: dded11c09a5a587a22eb2745148a56ebd4e915a31eb26b3c3044d18cd35852c4
Instruction Fuzzy Hash: 3421D6323452105FD3A49B69E880967BBE9EBC1324B1684BAE44DC7245DB23EC45C7A0

Function 014A88D2 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8facf6db2f2d00266ebdde15ebbee1aab67a5bd68b5f5ff4f48e19032ce68a
Instruction ID: eb4413681a47ff2d227d53113f36ae08b107244fb4016f3fbd27e50c9e25c833
Opcode Fuzzy Hash: 4b8facf6db2f2d00266ebdde15ebbee1aab67a5bd68b5f5ff4f48e19032ce68a
Instruction Fuzzy Hash: 573146B4E0020ACBEB50DFA9C9043EEBBF9FB88305F00852AD518A7394D7784945CF92

Function 0654C741 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70332ecd02640f5d726bf98fe70677b7f54c3e18b280958e827bc6d6100db7d4
Instruction ID: c90ac29956c04399f6237afdd108eb1fc80a48e0129c153725e94d8429c99e1d
Opcode Fuzzy Hash: 70332ecd02640f5d726bf98fe70677b7f54c3e18b280958e827bc6d6100db7d4
Instruction Fuzzy Hash: 73214C36A11114AFCB05DFA9E848D9ABFB6FF89320B0640A9F1099B372C731DC15DB50

Function 0654FF00 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852bfaddd5f3a34c386b5a9cb83cbcaabc6d6309e97703a040a5ed9cdbb1c997
Instruction ID: 12c89a7b9650839b5b694a73cb6ded158493b07dc1e1377b09d9ff91d8ba49f0
Opcode Fuzzy Hash: 852bfaddd5f3a34c386b5a9cb83cbcaabc6d6309e97703a040a5ed9cdbb1c997
Instruction Fuzzy Hash: 32219434B0061ACFCB40FF68C5548AEB7B5FFC9704B10426AD50697324EF30AA06CB91

Function 0126D4F4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2044489950.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c61e243e51d6f445442910b8ad56aea56b8d85fd69d2df3414425828187682b
Instruction ID: f03a37c99d03b2df9eb888271ee6835f3bae629c1c7305a42f2ccf82de23b128
Opcode Fuzzy Hash: 8c61e243e51d6f445442910b8ad56aea56b8d85fd69d2df3414425828187682b
Instruction Fuzzy Hash: EF2166B161420CDFCB15CF58E8C0F26BF69FB88318F20C569E9490A686C336D486CAA1

Function 014A88E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb90773babd8c507a836d4e0a53c8848a803170f34589323999c589ea79dbe0
Instruction ID: 94d8d3f32d560bdc2cd1eefa82a0edf2a8e1987441f06cfbe03bf11a6e0dd92f
Opcode Fuzzy Hash: 1bb90773babd8c507a836d4e0a53c8848a803170f34589323999c589ea79dbe0
Instruction Fuzzy Hash: 582144B4E0420ACBEB50DFA9C5043EEBBF9FB89305F00852AC519A7394DB7449418F92

Function 06543C00 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624462b48fa4b670b9e07d2ef70e515c4cb1d4cc5611fc53b4fe3ee79b07dc25
Instruction ID: 48f1e50701e7d1732b6eecea97325467eba99f226ec9711388991c16012ef442
Opcode Fuzzy Hash: 624462b48fa4b670b9e07d2ef70e515c4cb1d4cc5611fc53b4fe3ee79b07dc25
Instruction Fuzzy Hash: 58215C71E00229DFDB90EBB9D5047AEBBF5BF44244F1084A6D915DB2A0E734CA44CB91

Function 0137D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047700652.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_137d000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea8ad07fd342c9d9dae7d4181ddace47429393f9304c7debc88732cbd0a6413
Instruction ID: 42c867949b5fa93a182113c734e75831157ebfd29c3554a4867a1e898131157c
Opcode Fuzzy Hash: 7ea8ad07fd342c9d9dae7d4181ddace47429393f9304c7debc88732cbd0a6413
Instruction Fuzzy Hash: BA2125B1504204DFCB26DF58E9C0B26BF65FF84318F24C569E9091B246C33AD806CBA2

Function 0654FEF1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f24cca7010f099ccfabdf8c2e6101ed35f6fab77b5300e24b5cc4aa88cce71c
Instruction ID: 9ac680f54654fcc8b0b29330063349af005d55a2f9be9704c8c62d0a74d682cb
Opcode Fuzzy Hash: 5f24cca7010f099ccfabdf8c2e6101ed35f6fab77b5300e24b5cc4aa88cce71c
Instruction Fuzzy Hash: F5219834A0061A9FCB40FF68D8558EFBBB5FF8A704B10416AE505D7364DB309A45CBE1

Function 0654F279 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195f5d219821a1e240879d83618cd62a042aa140194e0132091b09618eb9ecba
Instruction ID: 858cb34c8f81d60482d4ac0baa9a027d23b678b1ef2c837af311c7699fb057fb
Opcode Fuzzy Hash: 195f5d219821a1e240879d83618cd62a042aa140194e0132091b09618eb9ecba
Instruction Fuzzy Hash: 4D219F39A042549FC765AA78EC44AAF7BA6FFC9328F1445A9E5158B290CF349C41CBA0

Function 014AF078 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70f9961bb8cdc1d27217ef5dc1f270075c17df7ebfbeaf2259d45f50c85b874
Instruction ID: e5a7809ab15b8838d936b34676710082f1ec58fc7e71b6156cc24a82996b109b
Opcode Fuzzy Hash: b70f9961bb8cdc1d27217ef5dc1f270075c17df7ebfbeaf2259d45f50c85b874
Instruction Fuzzy Hash: 7F2189B4E45219CFDB04DFA9D4043EEBBF5FB98314F40802AD105B3354DB745A898B91

Function 06549DF0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a14aa4c633ddd2bc3ea65518e702bd9d271fc10d4b7ca0f0536fccec5f63cf1
Instruction ID: 6d7b19ee72f55a7423f712eb1e4b42541f5a0fc2376e7674c5e479ce8319a715
Opcode Fuzzy Hash: 6a14aa4c633ddd2bc3ea65518e702bd9d271fc10d4b7ca0f0536fccec5f63cf1
Instruction Fuzzy Hash: 950109369001199FCF05DF94C804CD9BB76FF49310B0684A0EA056F235D272E929EB80

Function 0137D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047700652.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_137d000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b8b17ddc97a902276d5d9da2cd06628c88da7ef7ae400d9191280e559dcfcd
Instruction ID: ef92dec2ee03d27cc0e4b8ccee4c4abc381063276f7c5791a2bf64e2eb54cfa3
Opcode Fuzzy Hash: 83b8b17ddc97a902276d5d9da2cd06628c88da7ef7ae400d9191280e559dcfcd
Instruction Fuzzy Hash: BA216D755093C08FDB13CF64D990715BF71AF46214F2981EBD8458F6A7C33A981ACB62

Function 06547DB8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26352bc0128b00a924e5f3d201031f1f6f8cf82d6f9e0c07e84ec17bb92ee184
Instruction ID: 90103451fe81e9d5c147f65a352c2bca06f433ffe96195094f5400afe886a835
Opcode Fuzzy Hash: 26352bc0128b00a924e5f3d201031f1f6f8cf82d6f9e0c07e84ec17bb92ee184
Instruction Fuzzy Hash: 5121F771A002198FDB54EFA4C580ADDB7F2FB8C305F2045A8E505BB361CB719D45CBA0

Function 014AF088 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384f67cc8f03aa67beed9aa6b075e813f495e1bf6c0dedd836ee81e19edcb0a5
Instruction ID: 7bc6102368cae7f09d5c1730053a38bd8bfe3eb746ee9e9ae26542838779c28f
Opcode Fuzzy Hash: 384f67cc8f03aa67beed9aa6b075e813f495e1bf6c0dedd836ee81e19edcb0a5
Instruction Fuzzy Hash: 5A2179B4D09219CFDB04CFA9D5046EEBBF6FB99310F41802AD105B3354D7745A49CBA1

Function 063D7178 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb83c93db04cf25fee594e6717c372544cc8ddbbb26008e610aeed2e846f3ae0
Instruction ID: 3e76b215572ef437210d796e67e0cb444390ccfb92bc9e32cdff0738aa8d3d88
Opcode Fuzzy Hash: fb83c93db04cf25fee594e6717c372544cc8ddbbb26008e610aeed2e846f3ae0
Instruction Fuzzy Hash: 6D214875E0421ACFCB54DFE9E0446AEBBB6FB48304F14C2AAD815A7244D7349A82CFD0

Function 067D7231 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a3036979b905173fe5f16c8e4beefd466b9d36443225c38619d27ca24a3f40
Instruction ID: 01da75a826c23967dc0153b7f7b08ddf7efc7f81ff6b2c9476bace535a6d9d11
Opcode Fuzzy Hash: 23a3036979b905173fe5f16c8e4beefd466b9d36443225c38619d27ca24a3f40
Instruction Fuzzy Hash: 3E31A278A14228CFEB65CF68C884E99B7B1FB48315F1082E6D90CA7351DB31AE85CF00

Function 063DFD18 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fec7ada7f4fe919f142ba2025775152e434c4071647c347f125786a17c8f632
Instruction ID: b705cca51a56f9b38c506ebaccb9448ca5cf223729c06f82fc6ee4a1e40ff4d6
Opcode Fuzzy Hash: 7fec7ada7f4fe919f142ba2025775152e434c4071647c347f125786a17c8f632
Instruction Fuzzy Hash: FA218032A00218DFCB04DF68C8449DEBBB7FF8C720F149129E516A7394DB319845DB90

Function 014A42E7 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c332588c4b516f76c7060a256977038940360dd133ef288a7bfb76dd5f43771
Instruction ID: 3afa671e608a2dff830832444428d2759d09d31d091ff1c4dae9f016b6e69a3c
Opcode Fuzzy Hash: 7c332588c4b516f76c7060a256977038940360dd133ef288a7bfb76dd5f43771
Instruction Fuzzy Hash: 442157B0A00209DFEB14EFA8C0487ADBFF5FB99315F59C6AAD115A7264D7B45A84CB00

Function 014A42F8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ea3231268c1ddab114de19cdd5c27e92e417d428d2996374a30db3dfd4fa13
Instruction ID: 6debb293360f6161f5ffe2456eb8c5cccff49a0fd6d5c3df9c8ad31e40538e1f
Opcode Fuzzy Hash: 19ea3231268c1ddab114de19cdd5c27e92e417d428d2996374a30db3dfd4fa13
Instruction Fuzzy Hash: 38217970E00208DFDB10EFA8C0487ADBBF5FB99314F99C6AAC119A3254D7B44A84CB00

Function 014AFEC0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc636b88591b59bf0d088d8504eaf681b4fc2aabeee42c263022532f75d24f45
Instruction ID: 814c540177b5a3dddc0f4af42e8185406d1676dc3102f0d5b7df7960e9e118f8
Opcode Fuzzy Hash: fc636b88591b59bf0d088d8504eaf681b4fc2aabeee42c263022532f75d24f45
Instruction Fuzzy Hash: 9421D5706002259FC754EB69E84476E7BEAFF84740F108938E10ADB680DF75AD4A97D0

Function 014A9C90 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4ef6e4e868862a0e9ce93e8d5c254982295af908d4157d3bcc506e1d08e15d
Instruction ID: 33a4f5b57b2214fc4d0ea6a2b28c6e352ce2702924c4a9593da63e87706f6b49
Opcode Fuzzy Hash: ea4ef6e4e868862a0e9ce93e8d5c254982295af908d4157d3bcc506e1d08e15d
Instruction Fuzzy Hash: FD213370D0460A8FCB14CFA9D8446EEBFF5FB88318F04802AD515A3264D7340985CBA0

Function 06540938 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b0121ede7a606ac6cf51bd02f0f084c6b899f393cd73ecb4a2e1dd550daf6f
Instruction ID: 9c181330f03b103a2cdefe4509306f87e9a6aa915462996c957adcccd8a618a7
Opcode Fuzzy Hash: e0b0121ede7a606ac6cf51bd02f0f084c6b899f393cd73ecb4a2e1dd550daf6f
Instruction Fuzzy Hash: 5D11C836314650AFD7009F59EC80FAB7BB9EB89665F144096F604CB391C671CD05CB60

Function 014A9CA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf525dcd9ac73071c0081c3832f47ec1c390c0a9c96f87d8b99e5064d197fac
Instruction ID: 3f56fd8558649e4da694a7bb466de52544f23e132f8873152dfc5ff6d43fc58e
Opcode Fuzzy Hash: 9cf525dcd9ac73071c0081c3832f47ec1c390c0a9c96f87d8b99e5064d197fac
Instruction Fuzzy Hash: 4E112370D0460ACFCB14CF99D8446EEBBFAFB88314F14802AD505A3264D7301986CBA0

Function 06540CF2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b715d4c098286bf4f4c45bc23616214c93a6e5f96b330f1308c590a1e647e4
Instruction ID: 85f4379579dab58e4b69638d95bcd04032b919fe27574007aa8f867f0b830f34
Opcode Fuzzy Hash: 84b715d4c098286bf4f4c45bc23616214c93a6e5f96b330f1308c590a1e647e4
Instruction Fuzzy Hash: AD11C135A00215AFCB64AF78CC00BBABBF6BB89641F148069E615DB3C0DB71C905DBA0

Function 0654A4C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef30fac0b08806d14d571f300dcffa5c4e75e46caaaa090a1ea0e9be0f40491
Instruction ID: 7ad30a7ee199e7bc1d1181c71b2e0763fdafd9ba0b9f1efe03b12bd97ba09208
Opcode Fuzzy Hash: 4ef30fac0b08806d14d571f300dcffa5c4e75e46caaaa090a1ea0e9be0f40491
Instruction Fuzzy Hash: 170192327401108B8B54AE29E8C8DAEB7DBFFD8665318807AE606CB365DE31DC05DB90

Function 0126D4EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2044489950.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_126d000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 061167101f7d412ef2d960cda5f55d32761465cee20b992375062ed21171a844
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 26110372504288CFCB12CF44D5C0B16BF72FB84318F24C5A9D9490BA97C33AD49ACBA1

Function 06540D00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1aa2938bc7d94ae7c7667c765492006812df18b86906995e6b6435e8f67254
Instruction ID: f92d776b1e606b0eb5abd0ada231bc2207ecd9c392a3941ce39a467967db0c32
Opcode Fuzzy Hash: 7c1aa2938bc7d94ae7c7667c765492006812df18b86906995e6b6435e8f67254
Instruction Fuzzy Hash: EA110631B002159FCB54AF78C8107AA7BF2BB88701F104069E605DB380DB71C905DBA0

Function 06540A69 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c5bbaf7cc6201fa927a50a84abfb355bd55c7d940004bbb56429f5c4c5a17b
Instruction ID: 04503792d2fa15cdc018060b6aaa272388ec476d9a5f919e9407759620e42772
Opcode Fuzzy Hash: 67c5bbaf7cc6201fa927a50a84abfb355bd55c7d940004bbb56429f5c4c5a17b
Instruction Fuzzy Hash: E8216F79A42619AFDB04DFA8D594EADB7F2FF49704F204098E911AB361CB34AD41CF50

Function 0654CF08 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df68c575f8ad2ff2950a792cb3017750ce972ae2e102bbc7c24061b7324e4d1
Instruction ID: 89a2d544ad2b49a1aa4103ba1cb9d718804954edd0cbb859dd43e1491a6ba25b
Opcode Fuzzy Hash: 9df68c575f8ad2ff2950a792cb3017750ce972ae2e102bbc7c24061b7324e4d1
Instruction Fuzzy Hash: 8401D435301214AFC7159B25EC48CAB7FBDEFC9661B0040EAF9858B361CA31EC46CBA0

Function 06540948 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f504031d16e7de598735df9dcd3179efd457ae2f02626f344962f02992438dc
Instruction ID: 2ee28531157f1d7c9e4839c1696a76dc0d0635cb89fb8b798cebfb5767c9cca5
Opcode Fuzzy Hash: 0f504031d16e7de598735df9dcd3179efd457ae2f02626f344962f02992438dc
Instruction Fuzzy Hash: 5301A736350215AFDB149F59DC84F9F77A9FB88B61F108066FB14CB390C6B2D9108B60

Function 067D56C5 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082e5287119e78f74656b19c60ead61b96f1f0f356541e8b6a5ebd092e52c42c
Instruction ID: 453e198fb0f3167d1f02a428e1fc1626901938139f9e6ba1ba5a98843d5c8ca2
Opcode Fuzzy Hash: 082e5287119e78f74656b19c60ead61b96f1f0f356541e8b6a5ebd092e52c42c
Instruction Fuzzy Hash: 33219778A10228CFEB64DF28C888AE9B7B5FB49314F1085D5E509A7744DB349F85CF50

Function 06549B6E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd3b2192bcb8358bc7d6f05a1b45f68827a7e1d19ad2a54ad4d7979594f7c7d
Instruction ID: 183b98dd196dc88e8bef4ced1eba44e08da301977b98689277b4c0bb34ddc5fc
Opcode Fuzzy Hash: 9cd3b2192bcb8358bc7d6f05a1b45f68827a7e1d19ad2a54ad4d7979594f7c7d
Instruction Fuzzy Hash: DAF0C836711108AFDB149629EC55DBBFBAEEFC4268B04806AFD1997321DA319C16C7F0

Function 067EDBF8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc88ea54b0904f060c0894444597c3e162bbab0ea8d15612fa633f5d2050ebc
Instruction ID: 1c5c89ab3ded188081bc9186cfdcd6c2a531bc792c0f636875d2008aed705095
Opcode Fuzzy Hash: adc88ea54b0904f060c0894444597c3e162bbab0ea8d15612fa633f5d2050ebc
Instruction Fuzzy Hash: EB11C9B0E0020A9FCB44DFF9C9456BFBBF5FF88300F10856A9518A7354DB315A419B91

Function 063D7168 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2ec25263204b56d409896066845527962dcc379fde015f894047e9f00d2fcc
Instruction ID: 7efb636096559f0ca12cea44cadf75106e7b2271b3760d4dd0f05b744e0492bc
Opcode Fuzzy Hash: 6e2ec25263204b56d409896066845527962dcc379fde015f894047e9f00d2fcc
Instruction Fuzzy Hash: 710129B1D1420ADFDB94CFB9D4412AEBBF6FB49310F14C66AD418E2214E7314682CB80

Function 0654F288 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb87681ed6678af01cc4e75cf04f0e8a78a25c8f7bfd9e23f5d528f6bdfa7a7a
Instruction ID: 75d1986034fc5139aad2156943289a8af752b50154770ad3bae9cffeb0c2f999
Opcode Fuzzy Hash: fb87681ed6678af01cc4e75cf04f0e8a78a25c8f7bfd9e23f5d528f6bdfa7a7a
Instruction Fuzzy Hash: 07019A357042409FC368AB28C844A2A37A3FBC9328F2086ACE5564B794CF71EC02DB90

Function 06541B78 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e0586259266867e1d09ab21cf925de1276aed376c98eb312ad959b3a8db9e
Instruction ID: e327cc72597a4cea918f9c87fce3d88289acca7819030e8b8a558f5ecf0761c3
Opcode Fuzzy Hash: 171e0586259266867e1d09ab21cf925de1276aed376c98eb312ad959b3a8db9e
Instruction Fuzzy Hash: 0AF062317105109FD7149A1DD994E66F7DAFBCC654B2480B9EA09CB366DE35DC0287D0

Function 063D6C40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aca2fd5368deddfc2f71f55c462c477cc69e914749ec08dd3b933fba1c3cad6
Instruction ID: 25719da4abf28d89dbfdbba7bb40d70f5f18c2b39dc1fbb04bd208984f540e20
Opcode Fuzzy Hash: 0aca2fd5368deddfc2f71f55c462c477cc69e914749ec08dd3b933fba1c3cad6
Instruction Fuzzy Hash: 2F01FFB1D0520DDFCB50DFB8D9456AEBBF9EB09305F1084BAD819E3240DB319A45DB91

Function 06544F98 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c672509e5485587a72d86ed4c8a04fc9b9ce02a7ebd307b38d47ec8f388e80c3
Instruction ID: 33e40932fa29e9231b0fb7c5005476f02a936a3cd8c98483c3c26ef0e9bb92c1
Opcode Fuzzy Hash: c672509e5485587a72d86ed4c8a04fc9b9ce02a7ebd307b38d47ec8f388e80c3
Instruction Fuzzy Hash: 3D013C76A40208AFD768DE98D444B9ABBF9FF45324F2580AAE944D7394D731E980CF90

Function 06545140 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aeaa8bf7a7d7ecc999e50f6ee261eb1176af90d4c9319ae8690b1dc0170e70
Instruction ID: 3682c3d88c5b8150b460a0877d752ac4966f9b6d31b65871d427a0e17ce47bdd
Opcode Fuzzy Hash: b2aeaa8bf7a7d7ecc999e50f6ee261eb1176af90d4c9319ae8690b1dc0170e70
Instruction Fuzzy Hash: 6C013C75A00209EFDB58DF98D844B9ABBF5FB48324F1584AAE584D7260E731A980CF54

Function 063DE7F8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d8826fffc72086ce7a9d3b076c2710e56e490b087e5263fe4593cb833d26b0
Instruction ID: 7ae5f6f347b3ebc02a28f3a7b88ce814ee2d0f499c46f11684d5a48daf1dd132
Opcode Fuzzy Hash: 53d8826fffc72086ce7a9d3b076c2710e56e490b087e5263fe4593cb833d26b0
Instruction Fuzzy Hash: C1016D71D04618CFEB54DF6AE844BEDBFBAFB89711F008025D5096A244DB345449CBA1

Function 067D176F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713c0f7dd336a56e5031c2704e4553b4ed45b06845f9e0669b5c48df7f230e3a
Instruction ID: d11040269329a9ff53b676742d4be322d347c161d86531e8f5364ca747a28e75
Opcode Fuzzy Hash: 713c0f7dd336a56e5031c2704e4553b4ed45b06845f9e0669b5c48df7f230e3a
Instruction Fuzzy Hash: 2F11A578A15128CFCB68DF18D9849A9B7F6FF49310F5045D8D50EA7390CA30AE85CF41

Function 067EFF68 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8776bb1f38bd6181ba1f7e0861f8049f1d16d3b59fcdfd7fe99aa82cea7db1c
Instruction ID: caac02a4a8e30c957cb63701ffc13927ab0a09bc5b20319afe835be2f44522c0
Opcode Fuzzy Hash: b8776bb1f38bd6181ba1f7e0861f8049f1d16d3b59fcdfd7fe99aa82cea7db1c
Instruction Fuzzy Hash: F1F0E972F056215FE3144619981472FF7A9EBCD720F148069F505AF340CB75AC45C7C4

Function 014A1BF2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aac3aececeac6d472133166c6df9a8f490cfc79b45700f1d69806093c3d8645
Instruction ID: 1f63faad7740ddd964b919ddfd03895b0633776fcc023edc88eae2e6d0a824aa
Opcode Fuzzy Hash: 5aac3aececeac6d472133166c6df9a8f490cfc79b45700f1d69806093c3d8645
Instruction Fuzzy Hash: 68F0AF30910715CFCB65DBA8E484AAE77F4EF40720F0189AED4099B261EB749D848B41

Function 06542030 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c291a55cba4b6b023d776b9291614f11b5789d744ae29370a21ed51683dde46b
Instruction ID: 51ee5ea09939ad68b63b663566f85babe4db6c6c3e9415423a97abb043ae8d27
Opcode Fuzzy Hash: c291a55cba4b6b023d776b9291614f11b5789d744ae29370a21ed51683dde46b
Instruction Fuzzy Hash: 39F0F630A042A47FEB06CB64C858BEE7FB6DB81650F04C0A9F009D7292D7745E45CBA0

Function 06548978 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8626ff785f05b4cdee03aeaa1c7fa2097dad609f0c68a4cc5952ed5935211361
Instruction ID: 5aa43247408ab926de6497dd657ddcccf40c565322e8f81636325d06acb977a1
Opcode Fuzzy Hash: 8626ff785f05b4cdee03aeaa1c7fa2097dad609f0c68a4cc5952ed5935211361
Instruction Fuzzy Hash: FEF027303066112FD705962CBC10CA77BEDEBC6354301C1AAB058C7265DA21CD498BF1

Function 06548F78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b1a42a6b35c762827c891279ce6143a7a653822b355ae5ff43b5edbd8f0340
Instruction ID: 74fe05a91f0de232ed9c35356229584222ff1be37a2b4c0a553c58ae2b293600
Opcode Fuzzy Hash: f9b1a42a6b35c762827c891279ce6143a7a653822b355ae5ff43b5edbd8f0340
Instruction Fuzzy Hash: 82E02BB170E5625FE752195D2C506AB97D9BBC9E14B4401FEF505C7381D4508C0947A0

Function 0654CF18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b569266e2287866b9a6e16ebd5e5c682fe80aab43096aa54ddeea5f8bbc58b
Instruction ID: 79ab93f4f1328497116419e5ae7e0404f6ac7109ddf9783fdc6e8f56181d2f5a
Opcode Fuzzy Hash: 25b569266e2287866b9a6e16ebd5e5c682fe80aab43096aa54ddeea5f8bbc58b
Instruction Fuzzy Hash: 29F03A393002109FC3049B19D858D2A77AAEFC8B21B1040A9EA868B360CA71EC42DB90

Function 063D2560 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33eb354f415ba8f9e2d482b2b1540a9cbd56f893e5a595ef9352be31ec0aea2c
Instruction ID: cb14e680685d385a82049d6d35e59c19710a0dc7b30d0ac8e6bcfb740219e158
Opcode Fuzzy Hash: 33eb354f415ba8f9e2d482b2b1540a9cbd56f893e5a595ef9352be31ec0aea2c
Instruction Fuzzy Hash: BBF01D75D04248AFCB94DFA9D850AAEFFF9AB49300F04C09AE858D3241D6359B11DB51

Function 014A0918 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc4074fae28656d999ab85fc2d067bd1184a72b0c2c79a832295f73124af661
Instruction ID: 1e224d46766024827714f7082373fa950d114100704a38aedd5a5e8ba164fb71
Opcode Fuzzy Hash: 7fc4074fae28656d999ab85fc2d067bd1184a72b0c2c79a832295f73124af661
Instruction Fuzzy Hash: 2EF0E2316002299BDF14EB69C8147AEBEBABB98300F910429E001B7354CF780D058BE2

Function 063D4F20 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c180f085c26adf67e029b6dbe7b3fe7aef90dde23c179d7f413da756abe8f6
Instruction ID: 4226345a8d47cf4f2fe2e279a8b0c872c90c959c59f0cc19e33efc085bced6d0
Opcode Fuzzy Hash: 39c180f085c26adf67e029b6dbe7b3fe7aef90dde23c179d7f413da756abe8f6
Instruction Fuzzy Hash: 2AF08274D05208AFD790EFB5E5097ADBBF9EB04300F0080D9EC48A3351DA359A44CF91

Function 063D2D18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5576a8c33b26348afee2404fa9d783494ebef5a5b8f098537b54a18ee78dda25
Instruction ID: f9b335e6974a39cf790dd463aa93153cb1afb79b6cc26dce9323e9e8d34c1e72
Opcode Fuzzy Hash: 5576a8c33b26348afee2404fa9d783494ebef5a5b8f098537b54a18ee78dda25
Instruction Fuzzy Hash: 06F05EB5D05208AFC790DFA8D801AAEBFF8AF49300F14C0AA9818D7351D6359A42CF91

Function 014A9A58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd28ea4d26df0bfb4374041b75f0c5d8197510ebff2f79ecffb474c749d52566
Instruction ID: 2d3d05cbcf4875c0810e8c2de5ddfc434744df02d1dcdeaf8d9b055b8ca1df86
Opcode Fuzzy Hash: fd28ea4d26df0bfb4374041b75f0c5d8197510ebff2f79ecffb474c749d52566
Instruction Fuzzy Hash: 60F05E75D04208AFCB80EFA8C45069CBFF4FB58304F04C09A9808A7321D6329A05DF40

Function 063D6052 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01577629cf2295a228f1eed03086364f5a40f4a426703294118d64416b012715
Instruction ID: e71176e5736d15e563fd221ff3f6507d7d4b6dd746f29eea8b4a8c11ec1570a5
Opcode Fuzzy Hash: 01577629cf2295a228f1eed03086364f5a40f4a426703294118d64416b012715
Instruction Fuzzy Hash: DD01F674D01228CFDB85DF69E488B9CB7FAFB09314F108055E409AB390CB745985CF80

Function 014A8A30 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9569b8cf85e33fd69991aba3596aed3ad44241c8f4383da55b185222d427ee8
Instruction ID: 4728398d1a4ed312091f376df567b555136f4a9af4ebddda7d8f94966ef44de5
Opcode Fuzzy Hash: d9569b8cf85e33fd69991aba3596aed3ad44241c8f4383da55b185222d427ee8
Instruction Fuzzy Hash: 1CE0DF3150010CAFCB60EBA8DA1478E7BB9EB0931AF1145A5900493200DE328A84A751

Function 014A0C48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89b6be117c3b61b1e3e51b5e0a1bfdefd2d1a319aed6d312b62a3285f71bcee
Instruction ID: 22a3ab899781aaaae2f116a1b2aeb4bc7f8b36ae9d31e434251fc651331a9c8e
Opcode Fuzzy Hash: e89b6be117c3b61b1e3e51b5e0a1bfdefd2d1a319aed6d312b62a3285f71bcee
Instruction Fuzzy Hash: 57E08632704228AFD718EAA9E4005DE7BEDEB49271F14007BE50DC3754EA32D940C790

Function 063D7118 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68156134fe81d35fea7a9803314d47411e7effb76ace77dba55573192fec3de8
Instruction ID: 947775e7863d62140a44699956a1e1982fc6d6560fd401beff582fe4f72fe981
Opcode Fuzzy Hash: 68156134fe81d35fea7a9803314d47411e7effb76ace77dba55573192fec3de8
Instruction Fuzzy Hash: DAF01C74D0A208EFC750DFA9E958A9CBFF8EF49304F1181EAE80497351D6349A44CF92

Function 063D2570 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1d9cbabbbd6b72848eac96a968f4d8462e42cda407206f15979c1040e4cd14
Instruction ID: 23426f43bb3ca3a2afb877688224e5c751b476c20ad6c8f084eecc39250fdd93
Opcode Fuzzy Hash: 1a1d9cbabbbd6b72848eac96a968f4d8462e42cda407206f15979c1040e4cd14
Instruction Fuzzy Hash: 5DF05874D04208AFCB80CFA8D800AADFBF8AB4C300F04C09AA858D3240C2359B11DF90

Function 067D4A8A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1975a50e191a009694fa9a0af5182eaa5d811a267792c0eb8b6138013c5ef467
Instruction ID: ccd5790ec0e59e0db57ea3bc7ec95f2b9cf88f609db0d165fd6550b3ca1c7941
Opcode Fuzzy Hash: 1975a50e191a009694fa9a0af5182eaa5d811a267792c0eb8b6138013c5ef467
Instruction Fuzzy Hash: 88F03C78B04229CFC764DF54C844BAEB7B9FB4A324F1041E59509A3784CB309E85CF51

Function 014AF038 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120d5628ddb43bdaada8fc3d30bc6ee126b6f220b5047581e4c05ec03a62868c
Instruction ID: fa30d7734c8cb9904889554aee4bd3acbcc6530dacd2d7aa7967fa04c7e8cf77
Opcode Fuzzy Hash: 120d5628ddb43bdaada8fc3d30bc6ee126b6f220b5047581e4c05ec03a62868c
Instruction Fuzzy Hash: F7E0D874A48108ABDB44EB98D9057ADFBB8EB81308F54809AC80467350CA329D82C741

Function 014A92CE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction ID: 08daa8f24fc751bb85ed8ceb6394fad74ba98ae5ecf0f49ea63c4c78edbb53e9
Opcode Fuzzy Hash: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction Fuzzy Hash: 1AF0F8B6A08219CFCB10CF95C440ADDBBB5FB98315F9285AAD509A7321C7309A418F10

Function 063D4EDA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3234774b08fc3e57f1a1098498168d95b27a97e92619e7a831dc5e17a288c99a
Instruction ID: 2bd9dff744dc728d969c6e4b3288c1ef1d6b8b6e5534b396ddbeb5170b2a9c56
Opcode Fuzzy Hash: 3234774b08fc3e57f1a1098498168d95b27a97e92619e7a831dc5e17a288c99a
Instruction Fuzzy Hash: 48E06D75D55208AFCB90DFA8D544B987BF8EF08305F1044E8E80493361D2309954DB91

Function 0654AA38 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2b97412eb4f50347237d0042d9dfe7f12161fe1e8f5d4d0828751707614e5d
Instruction ID: dd5c0f3be8cf0403012a9544d740204f1659a55c7a3e371674d3ccc4f206ffcd
Opcode Fuzzy Hash: 2f2b97412eb4f50347237d0042d9dfe7f12161fe1e8f5d4d0828751707614e5d
Instruction Fuzzy Hash: F0E08C7031A6512FD7169229AE608A33BEADBCAA08308859AB045D7306DD108E098BB1

Function 06542040 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb74f6c84362ba9eaaac985b6a4d059784493d81069121deeb7e41ff8269685
Instruction ID: 40b6a31d4bee30092e07d1d4958e8f618cc79679ea5199672f305531dcaaba58
Opcode Fuzzy Hash: 4bb74f6c84362ba9eaaac985b6a4d059784493d81069121deeb7e41ff8269685
Instruction Fuzzy Hash: 06F03931E04628AFDB09DBA9D0886DDBFF7AB84665F1480A9E00993251DB705A85CB94

Function 063D4F30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4a4a71085e8a39ccdd328da7593c837ab26e9e2106008aa860196e6c19dd68
Instruction ID: 6b0aa338af89d9ddfd182b04924b51c22ef4f8d2780012a6ed1638c7fa2185dc
Opcode Fuzzy Hash: 1d4a4a71085e8a39ccdd328da7593c837ab26e9e2106008aa860196e6c19dd68
Instruction Fuzzy Hash: E2F03074D05208EFC790EFA5E0056ACBBF9EB04300F0080D9E848A3351DA319A44CF81

Function 06548FD8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b112108306f8a72b4300f2a960432014ac9fc97d3e55d73225670ff625d2bf3
Instruction ID: bc8e036079d33ef598a1008f6b83299fce4d1e75e7d47fe636d3bdfcdaf4fd93
Opcode Fuzzy Hash: 4b112108306f8a72b4300f2a960432014ac9fc97d3e55d73225670ff625d2bf3
Instruction Fuzzy Hash: B6E09A313002055BC7149A1AEC8484BFB9AEFC0360300DA3AB14A87221CE70AC4A96E0

Function 014AD3E2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21338e8ce49f8b6a27912916bfa52d16d657ba8ea38690902bef60d7899ac812
Instruction ID: c1791f5f4fcd71e222907f1b99d351053912f6ad518942f2b82c9acaf7da2652
Opcode Fuzzy Hash: 21338e8ce49f8b6a27912916bfa52d16d657ba8ea38690902bef60d7899ac812
Instruction Fuzzy Hash: 3BE0DF34A08208EBD704DAE8E9457ECBBB8EB80304F1480A98844A7751C632AE46CB80

Function 014A0992 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a95f1f9c77445cbd88d9bcb57e0976961e1d985e50138a8db68e22b60cfe88
Instruction ID: 74582246e82ade647993bb839166fb7fefc9c4efdec0c3a5747cc756f0e33502
Opcode Fuzzy Hash: 98a95f1f9c77445cbd88d9bcb57e0976961e1d985e50138a8db68e22b60cfe88
Instruction Fuzzy Hash: 33E065B1A00225CBEF28EB75D4543AD7EA6BBA8340F91051AE006EB255CF780D058B92

Function 063D6241 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae507bfc072316e3ebe0b7de60197ac70b8dc16d7bd3f00fcf379e4793a7d3e
Instruction ID: 1383c3d1ca582d25b93f32e929121e677f930088875a96492886dd4d2690a89f
Opcode Fuzzy Hash: aae507bfc072316e3ebe0b7de60197ac70b8dc16d7bd3f00fcf379e4793a7d3e
Instruction Fuzzy Hash: EAF05874D11228CFEB90DF65E488B9CB7F5BB09324F409099E418AB390CB7858C9CF80

Function 063D4E92 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad6e3b10edef5c46d9ce1191a24b55068aa9d6927b4440a2134d946437e6ef0
Instruction ID: 282ab035db9f2c2b70ae831a5574daa6ad41e53dc318f658e4ac38f2e8cad90f
Opcode Fuzzy Hash: 0ad6e3b10edef5c46d9ce1191a24b55068aa9d6927b4440a2134d946437e6ef0
Instruction Fuzzy Hash: 8EE09A76C16218BFCB90DFA8E94839DBBF8EB08300F0050A8D804A3241E6306A44DBC1

Function 063D2FB1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df0829cb6c5c3669a6e9d4ee4106cf1ba867e0b2277bbf4488bd6e67ecddcb1
Instruction ID: 70f89b58bdf2b564a8818d4a1877bb4f5a73b203091befc89089918c551dc7cf
Opcode Fuzzy Hash: 4df0829cb6c5c3669a6e9d4ee4106cf1ba867e0b2277bbf4488bd6e67ecddcb1
Instruction Fuzzy Hash: B5E06DB4915208AFC790DFA8E544ADABFF8EF08300F1044E9E904A3361E6309A80CB91

Function 063D65AB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f371a3ba7bff070bd88a3cdabfa9c8f8149e7ca5a2697952360a689f19f054
Instruction ID: 60af3987f4b67c4fff61067ed478dadcbe673127873619438cdf6b0d4a97d76e
Opcode Fuzzy Hash: f8f371a3ba7bff070bd88a3cdabfa9c8f8149e7ca5a2697952360a689f19f054
Instruction Fuzzy Hash: E1E09270C0B348AFC781DFB8D50559DBFF89B06200F0500E6D404E3242DA300A44CB91

Function 067E4E70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2699bb3f88dc4b374a0e96d1b9a354b090202cfa7d86dce54fe32d5045d476f4
Instruction ID: 5eddfda3d3eee7563c3065eb1d6367b833f9048c461d9136f82dc2c5142c5b00
Opcode Fuzzy Hash: 2699bb3f88dc4b374a0e96d1b9a354b090202cfa7d86dce54fe32d5045d476f4
Instruction Fuzzy Hash: 12E0C274E05208EFCB94DFA8D944AADBBF8EB4C310F14C0AA9818A3344D6329A55DF80

Function 067E9028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2699bb3f88dc4b374a0e96d1b9a354b090202cfa7d86dce54fe32d5045d476f4
Instruction ID: d627108a4b568a826462220760af3a5954f2d2e57b962602d6735287a05ff050
Opcode Fuzzy Hash: 2699bb3f88dc4b374a0e96d1b9a354b090202cfa7d86dce54fe32d5045d476f4
Instruction Fuzzy Hash: C8E0E574E05208EFCB94DFA8D545AACFBF8EB48310F14C0AA9808A3340D6369A55DF80

Function 014ACF88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb6080d22d0f3d45f9d7c1e42f284330952e3bd77cba7464e24caaecc224b40
Instruction ID: c8ea199aca7fcc8925f026ccf3a265a4ac36125f7bd5fba3dfa0b8e886b27019
Opcode Fuzzy Hash: 9fb6080d22d0f3d45f9d7c1e42f284330952e3bd77cba7464e24caaecc224b40
Instruction Fuzzy Hash: C2E0CD70605104ABD744C748D591BD9F7ACEB91318F659499E8084B391C6369D43C680

Function 063D4E4A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fdeadfe3d7ad5152bb95dfee8cf7a6e1c96b092e74cf9c6e5d9f86961f1f6a
Instruction ID: 9f13ee541a88f2de46fbee7065592ac29fa4e5260eed18131d169ecedcb09bdf
Opcode Fuzzy Hash: d2fdeadfe3d7ad5152bb95dfee8cf7a6e1c96b092e74cf9c6e5d9f86961f1f6a
Instruction Fuzzy Hash: F6E06D71915248EFC791DFB8D544A58BFF8AF09311F1540E9D84497362D2309940CB81

Function 063D50B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a360778d2fe327eb5ee83bcfa3a2794ff0788bee4262a124a16b4e2ec3cd1fa6
Instruction ID: 98b84b4d9de091cd15bd497abcf395ba3b5a4a92947dd2728e87ef90ddb1bbc1
Opcode Fuzzy Hash: a360778d2fe327eb5ee83bcfa3a2794ff0788bee4262a124a16b4e2ec3cd1fa6
Instruction Fuzzy Hash: A7F06D75D09208EFD755CFA4DA00AADBFB1EB49314F14C0EAD805A3750C2368A56DF81

Function 06544028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13d4fa49ca8e506b2bb91517772c030dd32432e7e64a1f5c8a280b58dc81520
Instruction ID: 68ca67d0b532dba0b19d195f62abd1d0ecad200980382216b4b9bf33b26776a2
Opcode Fuzzy Hash: f13d4fa49ca8e506b2bb91517772c030dd32432e7e64a1f5c8a280b58dc81520
Instruction Fuzzy Hash: DAE0CD307C03149BDBE0F6B55C1176177D5FBC6A18F1048E9D71A9F280DD72E8418795

Function 067EF758 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce06fded459e8ebd365572a08d06fa74a4df2a906bce3d11dd8ec7b57424f81b
Instruction ID: 6b54b0c16bb116e25bd40a5fc0e06c71ece722eab645f83757fac1c0b8a86516
Opcode Fuzzy Hash: ce06fded459e8ebd365572a08d06fa74a4df2a906bce3d11dd8ec7b57424f81b
Instruction Fuzzy Hash: 25E0E574E05208EFCB94DFA8D5446ACBBF4EB48304F14C0A9D80893390D6359A46CF80

Function 067ED718 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d94672ea398d436957a0a8e8fc2bad31f3f0cfd59cf96b9e9cdc34624fbb3a1
Instruction ID: f4479b783bf3d543d8590d1b5fa5744b40f116d92998a81b6b047caa331933b9
Opcode Fuzzy Hash: 0d94672ea398d436957a0a8e8fc2bad31f3f0cfd59cf96b9e9cdc34624fbb3a1
Instruction Fuzzy Hash: A0E04F74D4920CDFDBA1EFB8D5497ADBBF8EB49315F1081A9D80893340DA305A44CB51

Function 067EBF18 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce06fded459e8ebd365572a08d06fa74a4df2a906bce3d11dd8ec7b57424f81b
Instruction ID: 8aeecbca7854d7e901747fb350c8d5da39a72d14e41fa1ba1b85e1c550e888c5
Opcode Fuzzy Hash: ce06fded459e8ebd365572a08d06fa74a4df2a906bce3d11dd8ec7b57424f81b
Instruction Fuzzy Hash: FBE07574E05208EFCB94DFA9D645AACBBF4EB48314F14C1A9981893341D6359A46DF81

Function 014AF1E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc29966ece43e9718498497fbf5564eaf812bd7e13dc54ef40ea1881782a8c7d
Instruction ID: ec2f2df0640cb8454633ddf68e1a77f8343cc1d44253a05781c55d124ecf6a94
Opcode Fuzzy Hash: fc29966ece43e9718498497fbf5564eaf812bd7e13dc54ef40ea1881782a8c7d
Instruction Fuzzy Hash: E7E02238049244AFC716CBA8E2008AA7F70AB12318F0980EACC44072A7C3335C0BC744

Function 063DFA98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564800a84d823894447c0ab346f50ad0b5c8e75aabbc3ac23a9df3a06184e9db
Instruction ID: 8ca57ac6400b0f8e432d64ec728b29e0aeac33b3fd257a43f521007e35c0bede
Opcode Fuzzy Hash: 564800a84d823894447c0ab346f50ad0b5c8e75aabbc3ac23a9df3a06184e9db
Instruction Fuzzy Hash: 7BE0E575E05208EFCB94DFA8E5846ACBBF8EB48304F14C0A9980993340D6319A46CF80

Function 063DDB80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73633adfad2d1b3b8fef4754c8e0f7d7a16c3987dc9513e342ee3b49408a9651
Instruction ID: e3c433250f9855745c866788c23a9ab488785af47a74105b0d7711f2b80111b3
Opcode Fuzzy Hash: 73633adfad2d1b3b8fef4754c8e0f7d7a16c3987dc9513e342ee3b49408a9651
Instruction Fuzzy Hash: 1AE0E5B4D05208EFCB94DFA8E504A9DBFF9EF48314F10C0A9D814A3354D6359A54DF80

Function 067EE978 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828001d86ce2bcfcf1ffcb11aa624dcb430439fec1530810f08b9b92e04dcf3d
Instruction ID: 84e3d899786afdfb3bee0e0bcc438c1220a3a48ad80c6c8f2b1003e6501a60c3
Opcode Fuzzy Hash: 828001d86ce2bcfcf1ffcb11aa624dcb430439fec1530810f08b9b92e04dcf3d
Instruction Fuzzy Hash: ACE08674909208EFC794DF98E5409BDBFFCAB49310F14D499D84457341C6329A45DB91

Function 063D50C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b838f138b9fa925436d4fb1935ddbe3a8a1ac8bfcc29ae476271db8309fb5
Instruction ID: 225a9a428eadee8a41bfaae529bd60cc67016586824f4f32455109429705a7ed
Opcode Fuzzy Hash: 672b838f138b9fa925436d4fb1935ddbe3a8a1ac8bfcc29ae476271db8309fb5
Instruction Fuzzy Hash: 8CE01A75D05208EFCB54DF98E9409ACFFB8EB48314F24C0AADC4463741D6329A52DBC0

Function 067E79C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f17f2a351994a4a967f2a68a7cd15bf5850daed095d205a85070d542c8642f
Instruction ID: 9d239d1e5dfe244d9e595bfb6240a3745360e56e1869f69444b2324833904fc2
Opcode Fuzzy Hash: 08f17f2a351994a4a967f2a68a7cd15bf5850daed095d205a85070d542c8642f
Instruction Fuzzy Hash: 6EE04F34D09208EFC754DFA9D5416ACFBF8EF49304F14C0E9D84893341C6329A45DB80

Function 014A1C32 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe0ffb6c83777e583775be399d90d919a53ace42fa906070939401641235b52
Instruction ID: 383ba6c14b883989f0ad042531afeb53e67aabdf6374c1bbb89faef1228a7bf3
Opcode Fuzzy Hash: 0fe0ffb6c83777e583775be399d90d919a53ace42fa906070939401641235b52
Instruction Fuzzy Hash: A8E08670915249EFCB11EFB4EA644AC7BF5EB85304B1046EAE408EB251D6341E58EB11

Function 063D4E58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3facfaf9096ad9a7d358653fd96ca41bca2a2f5a5994c4aa010160012df9ca1f
Instruction ID: 03454f3de68f1c3f32cf3d831fe9cddfc1d8a45b129f492cd0c4ccb32f7372d8
Opcode Fuzzy Hash: 3facfaf9096ad9a7d358653fd96ca41bca2a2f5a5994c4aa010160012df9ca1f
Instruction Fuzzy Hash: CCE04674945208EFCB80DFA8E648AACBFF8AB08314F1041E9D80893321E730AE40CB81

Function 063D5FFF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72590bb8d79d693e4446ca0e55d598bd1fa049b365c18e3ba210afc3a9576cb6
Instruction ID: adba94e5853a9076cd11c35297c6f92d9cb4cb4c5b77e461c7924b3d398ad750
Opcode Fuzzy Hash: 72590bb8d79d693e4446ca0e55d598bd1fa049b365c18e3ba210afc3a9576cb6
Instruction Fuzzy Hash: BBF0F274901228CFDB80EF69E484B8CB7F6FB19324F108094E408AB364CB75AD85CF40

Function 063D2FC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5570b86429c84d61e4e721cd586953304a39269f5de946a7cf5d6769182082
Instruction ID: 1466d9d509a1b86e665d59d77ebfeb0d4ace556c4ac71117535677304804c190
Opcode Fuzzy Hash: fa5570b86429c84d61e4e721cd586953304a39269f5de946a7cf5d6769182082
Instruction Fuzzy Hash: 10E04674925208EFC780EFA8E548A9CBBF8AB08304F1040E9E90893320E6309E80CB91

Function 063DF400 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7156a052bab85ed2997216ea41e6f3a51417213623ae41ea42b64b3c4db31555
Instruction ID: 2359507eeba6cf1fe7be257279eb48b6f0e605470a99efa3c4142e031796d2e6
Opcode Fuzzy Hash: 7156a052bab85ed2997216ea41e6f3a51417213623ae41ea42b64b3c4db31555
Instruction Fuzzy Hash: 15E0BF74915208EFC794EFA8E68569CBBF8AB48314F1480AD9909D3341D6319A45CB81

Function 063D1539 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0f14309a007f40aaba511cdac0e560f338e9652bc9ff471ca86b6fed7965e1
Instruction ID: caef5a7bb0f3f5b9e1b902f2eee3e30e0133869f0a47d0868b3c6deb724e8462
Opcode Fuzzy Hash: 2a0f14309a007f40aaba511cdac0e560f338e9652bc9ff471ca86b6fed7965e1
Instruction Fuzzy Hash: C4F07478941268CFDBA4EF14D888AADB7B1FB49310F2042D6D91967364CB319D81DF54

Function 067EC830 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce8d7199a89534815d0f7529b6edbddbd577d67aeca5de279c8932a324b922b
Instruction ID: ef4968e50a98b7935565675b8ae1ded9d1b8fd037ae52d5b145a6463c3ad8741
Opcode Fuzzy Hash: 3ce8d7199a89534815d0f7529b6edbddbd577d67aeca5de279c8932a324b922b
Instruction Fuzzy Hash: B0E05E7194220CEFC791FFF9DA05A9EBBFCEB4A300F1045EA950597110EE325A44EB92

Function 067ECAA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269c24436d3b88f90e4d5ac04dc9768ff607eef4f91cdb41f68b8ec37beae99f
Instruction ID: d9d211aef672f880a0979c6b6669d1ec8c4b80d811c82b0c3f8101a2b3567846
Opcode Fuzzy Hash: 269c24436d3b88f90e4d5ac04dc9768ff607eef4f91cdb41f68b8ec37beae99f
Instruction Fuzzy Hash: BAE01238949208EBC754EF94E5459ACBBB9EB89314F18C1EDD80817341DA329E46DB81

Function 014AF048 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c9859c8761bced1e07b3df4719b1ac450669afd1f7544c6baddc5747c99f52
Instruction ID: 35cd8c7d024d2995db43777eba95381383fbdd2cbd31b82da3b4e576b78fb488
Opcode Fuzzy Hash: f8c9859c8761bced1e07b3df4719b1ac450669afd1f7544c6baddc5747c99f52
Instruction Fuzzy Hash: 80E0C274949208EBCB44DF98E5409BDFFB8EB45304F14C0DDC80827350CA729E46CB80

Function 014A8858 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf84bc455283d7a944e6c628ac299742f6864ab7facf4e1fa52dcefe71b3f5e0
Instruction ID: 19f01d635c09c3272f695e22eb57b37ec019c745bc2bcfcdce245e1aa34333d8
Opcode Fuzzy Hash: bf84bc455283d7a944e6c628ac299742f6864ab7facf4e1fa52dcefe71b3f5e0
Instruction Fuzzy Hash: 84D0A7210419080EE3B1729AAF0535C3A98AB11309FCD0015914C46A50CE2980908752

Function 014A8890 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188da3d9a2659bf1187586c500efc6a627ee5546616a5dbbc6f266376bfad8e9
Instruction ID: 6126a40b64261c2f6ab6dd11976ac4914b363a689172d3c231b1a61ccbfe5535
Opcode Fuzzy Hash: 188da3d9a2659bf1187586c500efc6a627ee5546616a5dbbc6f266376bfad8e9
Instruction Fuzzy Hash: C5D02B6049E7468BF371A778B008AB97F68DB6332EF06496FC80D43595C93844498302

Function 014A8A40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7007d9368502d8994945ed3c62c7d207089b2610e90e5aea8b3953952e2dc59e
Instruction ID: e8eb119a600dfa31cf2ba54758a15551c622f6c652c430d99b786fd1c8aacc7c
Opcode Fuzzy Hash: 7007d9368502d8994945ed3c62c7d207089b2610e90e5aea8b3953952e2dc59e
Instruction Fuzzy Hash: A6E0127140120CEFCB60EFF8DA0469E7BF8EB09315F1145A6950593110EE324A44AB92

Function 063DD8D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b899b29fa5bde35da4025ca31f958f4ff88c504ea38efdf3ce51fcb3e4bb34
Instruction ID: 15686a240b88a1e8c5a09b52d8fa7175cbf5ce1bc0a99cfc9d1da4904da11a2e
Opcode Fuzzy Hash: 66b899b29fa5bde35da4025ca31f958f4ff88c504ea38efdf3ce51fcb3e4bb34
Instruction Fuzzy Hash: 83E01275D5620CEFC790EFF8E94969CBFFCAB04311F1050A9D908A3340E6315A84DB81

Function 063D65B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a952f5345ee77613be30c71aadace9a941990d7ac38447304ba2bdc248788ed
Instruction ID: 08d0e4e2f32e991d193a0431b5af361b72717723ccf7c8d0a994cea8a3e9942b
Opcode Fuzzy Hash: 1a952f5345ee77613be30c71aadace9a941990d7ac38447304ba2bdc248788ed
Instruction Fuzzy Hash: A8E01274D5621CEFCB90DFB8E54969CBFF9AB05301F1040A99909A3345EF305A84CB81

Function 014AFE50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735c68b89679121a855476ddb6c9c4f20d453e1ae7687905e1763c3042492e6e
Instruction ID: 4e9ae6149b42d2133a8e629dde7c8d9bde06ac1976a9d05a7ca40a535cf7314f
Opcode Fuzzy Hash: 735c68b89679121a855476ddb6c9c4f20d453e1ae7687905e1763c3042492e6e
Instruction Fuzzy Hash: 21E01270A10248EFCB04DFB5E94066DB7BAEB45640F1085A9E909AB240DD315E05AB85

Function 063D4EA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fe7b24c125b0a422bd892b082fb7be6716e8d7c8089187a3c8163249c0ef99
Instruction ID: d1d265db4334378409359ed73b0e14749af54c38467ff1b4b14544b76b2fc0b0
Opcode Fuzzy Hash: 27fe7b24c125b0a422bd892b082fb7be6716e8d7c8089187a3c8163249c0ef99
Instruction Fuzzy Hash: 86E0EC74D16218EFC790EFA8E54969CBBF8AB04301F1051A9980893351E6705A84DB81

Function 067EFDA0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6ead9e660b05d5b55f6ba0dbf3e7f011215663f3a142641597fe1db5b1068f
Instruction ID: 035869380a35d4ec759e8889afb249a236cad94acb14d6e398afaf798a73c9a4
Opcode Fuzzy Hash: 5a6ead9e660b05d5b55f6ba0dbf3e7f011215663f3a142641597fe1db5b1068f
Instruction Fuzzy Hash: 3CE01270A01209EFCB44DFA5E94065DB7FAEB45200F108598E509E7340D9715F44A791

Function 014ACF98 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47ed9422fe7d54d60196bea584245a4f0090a85198f8001f1e50dbe791ddc16
Instruction ID: 37c3335491a1763288d315d75e09878dd74d67bbd15b1e80ccc849f689b8e400
Opcode Fuzzy Hash: c47ed9422fe7d54d60196bea584245a4f0090a85198f8001f1e50dbe791ddc16
Instruction Fuzzy Hash: B9D0A77050A108EFC794CB98D550A69FBBCDB55318F54C0DEA80847391CB339D02C780

Function 014A1C40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7390b4c12524bce4e5c9428b25522ec37b5aa939ae38e04e12e2d49d6d55714
Instruction ID: 1f71812e594cace63c70b5434e087e644f1bcfd8b8d868f28e3ccdeeb253c502
Opcode Fuzzy Hash: b7390b4c12524bce4e5c9428b25522ec37b5aa939ae38e04e12e2d49d6d55714
Instruction Fuzzy Hash: 72D05EB0A1020DEFCB14EFA9E95599DB7FDFB44304F1045A9E409E7241EB312F489B81

Function 06543BD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b9c0b151867b68ea79dc249021ac82beea0b77ed8d34b9d3bbf9346d9bfce0
Instruction ID: c11734cfc36cc508453f2b88a1a9ce62bfb100f03b98b95f4ade39e86cddb4f9
Opcode Fuzzy Hash: 09b9c0b151867b68ea79dc249021ac82beea0b77ed8d34b9d3bbf9346d9bfce0
Instruction Fuzzy Hash: 86D080F011B6503FD7030710CD15CF73F7DD5D1740B01859AF140C602286244E34D6B1

Function 063DA684 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae93c56eae8c16a55359d7a156d57540a876cf19430e78d960970e44d79aae5c
Instruction ID: 04759f0aa6abf8ef279fd1da5e17f553f5e831c974b19ee98687e8b0c1c407f1
Opcode Fuzzy Hash: ae93c56eae8c16a55359d7a156d57540a876cf19430e78d960970e44d79aae5c
Instruction Fuzzy Hash: C7E0B6B1A05228CFEBB4CB14ED48BDD77B5FB01306F001299904962680CB701A84CF86

Function 0654CEE1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4f972bf2a1d26370227a0a42c4070f65c64d88ae9f5ae84e8da6afb2e03934
Instruction ID: cb01b30f328e6f4836a6396aa42b4ccb111ecc60ba7e3378e238a19a74b4937d
Opcode Fuzzy Hash: ed4f972bf2a1d26370227a0a42c4070f65c64d88ae9f5ae84e8da6afb2e03934
Instruction Fuzzy Hash: 2CD0A93120B380DFC702CF20E884C827FB0AF4A71030581C3F08A8B173C230A924CB65

Function 0654EDF9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b81668079e2d4d291424f4ef65df599fe09c86559e4e96bfe9ef2a754b35464
Instruction ID: d9e275dbbc419826b2b260484b2c1d5c0b262b9e8fe98f2fbdfd7cd914c748d8
Opcode Fuzzy Hash: 7b81668079e2d4d291424f4ef65df599fe09c86559e4e96bfe9ef2a754b35464
Instruction Fuzzy Hash: 21D0523028B3C6AFC3038B20E840C823F64AF8A61030904CAF8868B233C2219A28C760

Function 067ECEC8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2077281462.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a69bf44fbb7cdcf6472ed58c6ef78876ae73473fafe8fc8ea0b4027ee2dbfc1
Instruction ID: 65bfbcc8d153ac6110a1393a4b6ea57bd1760dc35affa28ff8043181a6eaa845
Opcode Fuzzy Hash: 4a69bf44fbb7cdcf6472ed58c6ef78876ae73473fafe8fc8ea0b4027ee2dbfc1
Instruction Fuzzy Hash: 7FC09B340DBB08CED3E516A4B90E7757FDC9B0F315F4C6C50951D12465CF616458C695

Function 063D5E3A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f23da8661e9afc355affe5d42066176ee44bd0c2ede19cc3c004fb8b14de8e8
Instruction ID: 93930064ddac5d4a7e641ac76c86551fe21cb67cbb2431ee461a1095f06cf77a
Opcode Fuzzy Hash: 1f23da8661e9afc355affe5d42066176ee44bd0c2ede19cc3c004fb8b14de8e8
Instruction Fuzzy Hash: C0D052B2910200CFC704DB29E44881537B0BB59319B0206AAE00A8B2A6D222E802CA01

Function 0654AA20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848b67c39d83c310b5c71c5d1f771d11650c524bf247cbdc7dbca1ceb012a778
Instruction ID: 82aff2f5040db48488b1a3583e06bcbcc3f49b19486f6b44d9e40173459e2f74
Opcode Fuzzy Hash: 848b67c39d83c310b5c71c5d1f771d11650c524bf247cbdc7dbca1ceb012a778
Instruction Fuzzy Hash: 83C0926400E3823EEF427B200CD08FB6B3CECD274078980EBF490A9053DA189A0683B1

Function 014A8868 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ad6c993b6213e41ca2f98394325747df2d7b20f21a9c8ec80fd77bb6520ccc
Instruction ID: 833d1abe71446a7db7930bbca5132a467438f7203dcfcbae8af1030b3a7a44c0
Opcode Fuzzy Hash: a4ad6c993b6213e41ca2f98394325747df2d7b20f21a9c8ec80fd77bb6520ccc
Instruction Fuzzy Hash: 62C08C200812084ED2B037EABB0876C3AAC5B22306FC9001AE20C025208E749040CB26

Function 06541F70 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8384e27b1cd1e5ed4961b11c82f937066479ff982c5f8d9930d97efcb090860c
Instruction ID: f2b45251243010848599bd5b3161ef4a0f979da8d3224479c19a6e8f0f635e15
Opcode Fuzzy Hash: 8384e27b1cd1e5ed4961b11c82f937066479ff982c5f8d9930d97efcb090860c
Instruction Fuzzy Hash: C7C08C70208620CFCB29EB28F584C82B3E2EF4070130189ADE00A8B220CB70EC81CF80

Function 014A1C82 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db53f153096563c8306e45298168e43eae51071c7c86d8f85ac56be85524acb
Instruction ID: e2053e1a4e7abecfafe9048b3826ff041128af8873b83bc184fa1d35b1c1b089
Opcode Fuzzy Hash: 9db53f153096563c8306e45298168e43eae51071c7c86d8f85ac56be85524acb
Instruction Fuzzy Hash: 96C08C3008C7939FCB529B208865640BF30BB02322F0543CBD0049A09AC32D4846C7B2

Function 063D5E48 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c46eacaef1f4ce285e7165dcddda00ba5c9a209c1e20024c02ff8e5d7811ba0
Instruction ID: 0e7ba73ce8b16ff68d0bb5daa4430bcf56e0bf57dab2596f0dd5e4b853815f9f
Opcode Fuzzy Hash: 0c46eacaef1f4ce285e7165dcddda00ba5c9a209c1e20024c02ff8e5d7811ba0
Instruction Fuzzy Hash: A3C00235250214CF8704EB5AE485C1173B9BB4D6197110294E5094B365C721FC41CA50

Function 063D6BF2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecf654a74945da8ef83f078d04d7f987c2065f36f02371ac3cee4ccff24f60c
Instruction ID: 746016191c738103762bd6cc8407111de534c2903a50945bc0a0a47886d40326
Opcode Fuzzy Hash: 7ecf654a74945da8ef83f078d04d7f987c2065f36f02371ac3cee4ccff24f60c
Instruction Fuzzy Hash: A8C00276E5001A9A8B00DAD9E8508DCB774EB94322B004026D215A6104D63015268B50

Function 063DA42D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec2d8ae92c4c9f73262e9175111646484e95707a646bcf35f251de23cfe9021
Instruction ID: 6b444cc31aa042c9c9744cc40a7021306f9d7b864fc89c6bc5b636298cf576de
Opcode Fuzzy Hash: 5ec2d8ae92c4c9f73262e9175111646484e95707a646bcf35f251de23cfe9021
Instruction Fuzzy Hash: 9DD092B4A00628CFDB64DB24DC84B9D7775FB01306F0016989049A3645CB302A848F85

Function 014A1E10 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff0627ca48a0d9d9e33ae6eb910681fcc4a811e95e71cc39119011aa47938fe
Instruction ID: 3e3c40aa865806e2e30dcb02bd277e81d4bb5a718980b7da2120a7bcc10d5f2d
Opcode Fuzzy Hash: 9ff0627ca48a0d9d9e33ae6eb910681fcc4a811e95e71cc39119011aa47938fe
Instruction Fuzzy Hash: 02B012702046080A7A6067F52815A2336CC5600914B800025D51CC1101F510D0000640

Function 063D63F6 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2075643461.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63d0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73cc5aae12d76f8b963db823ba115225907296add6c067d5a85ec00d00f901
Instruction ID: ca27415ca1e59d8c2fde9003a72c9dccfc9fc777b7a8cee5ed9dff36781a8066
Opcode Fuzzy Hash: aa73cc5aae12d76f8b963db823ba115225907296add6c067d5a85ec00d00f901
Instruction Fuzzy Hash: 10D0EA78D06228CFEB64DF24ED95B99BBF6BB19301F0061D9D60EA3791DB741A848F40

Function 0654CEF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2076026425.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6540000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 014A0982 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b468f27f8d9e51cc56da08b58d6385914bb84d64f14fc3bedb784eb4b46932e
Instruction ID: 49e083581a0bde5758acc8a60b0b102ac427dfe4e59233e622709b7161aa85cb
Opcode Fuzzy Hash: 9b468f27f8d9e51cc56da08b58d6385914bb84d64f14fc3bedb784eb4b46932e
Instruction Fuzzy Hash: 57B01237A00004C68A244A85B0090DCF738D280373F410063E60D92010833002294780

Function 014A0848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2047982492.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14a0000_wpappx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee546458a072a184b16f117961c484ab90e6dbefaaaa36b108b576eb0b922dc
Instruction ID: b5b312fda3349ded4c5b74a4badb306185dc564355a5674ee9781a7294d48afc
Opcode Fuzzy Hash: 1ee546458a072a184b16f117961c484ab90e6dbefaaaa36b108b576eb0b922dc
Instruction Fuzzy Hash: ACA0113000030C8FCA383BA0B80C008BB2CAB80332FA02820A00EB000AAA2028008B80

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Roaming\wpappx.exe

C:\Users\user\AppData\Roaming\wpappx.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Function 027C8A90 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Function 05EA5B50 Relevance: 3.1, Strings: 2, Instructions: 637
COMMON

Function 027C0C98 Relevance: 3.1, Strings: 2, Instructions: 578
COMMON

Function 05EFBB88 Relevance: 3.0, Strings: 2, Instructions: 543
COMMON

Function 027C0C89 Relevance: 2.9, Strings: 2, Instructions: 365
COMMON

Function 027C0CD2 Relevance: 2.9, Strings: 2, Instructions: 353
COMMON

Function 027C0D49 Relevance: 2.8, Strings: 2, Instructions: 325
COMMON

Function 05EFBB78 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON