Edit tour

Windows Analysis Report
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Overview

General Information

Sample name:	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Analysis ID:	1592541
MD5:	433d5cc92f9e4a787e197f04c977ca36
SHA1:	b5e3ed631ababd71b3de12b44ce4a0669279f505
SHA256:	eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
Tags:	exeMassLoggeruser-lowmal3
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe (PID: 4924 cmdline: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe" MD5: 433D5CC92F9E4A787E197F04C977CA36)

powershell.exe (PID: 2532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6052 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4784 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe (PID: 2620 cmdline: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe" MD5: 433D5CC92F9E4A787E197F04C977CA36)

NoCGdFUXaoNd.exe (PID: 5140 cmdline: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe MD5: 433D5CC92F9E4A787E197F04C977CA36)

schtasks.exe (PID: 5016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NoCGdFUXaoNd.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" MD5: 433D5CC92F9E4A787E197F04C977CA36)

NoCGdFUXaoNd.exe (PID: 6764 cmdline: "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" MD5: 433D5CC92F9E4A787E197F04C977CA36)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3396422686.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1fa7:$a1: get_encryptedPassword 0x22cf:$a2: get_encryptedUsername 0x1d42:$a3: get_timePasswordChanged 0x1e63:$a4: get_passwordField 0x1fbd:$a5: set_encryptedPassword 0x3919:$a7: get_logins 0x35ca:$a8: GetOutlookPasswords 0x33bc:$a9: StartKeylogger 0x3869:$a10: KeyLoggerEventArgs 0x3419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfec7:$a1: get_encryptedPassword 0x101ef:$a2: get_encryptedUsername 0xfc62:$a3: get_timePasswordChanged 0xfd83:$a4: get_passwordField 0xfedd:$a5: set_encryptedPassword 0x11839:$a7: get_logins 0x114ea:$a8: GetOutlookPasswords 0x112dc:$a9: StartKeylogger 0x11789:$a10: KeyLoggerEventArgs 0x11339:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13717:$a1: get_encryptedPassword 0x2a337:$a1: get_encryptedPassword 0x13a3f:$a2: get_encryptedUsername 0x2a65f:$a2: get_encryptedUsername 0x134b2:$a3: get_timePasswordChanged 0x2a0d2:$a3: get_timePasswordChanged 0x135d3:$a4: get_passwordField 0x2a1f3:$a4: get_passwordField 0x1372d:$a5: set_encryptedPassword 0x2a34d:$a5: set_encryptedPassword 0x15089:$a7: get_logins 0x2bca9:$a7: get_logins 0x14d3a:$a8: GetOutlookPasswords 0x2b95a:$a8: GetOutlookPasswords 0x14b2c:$a9: StartKeylogger 0x2b74c:$a9: StartKeylogger 0x14fd9:$a10: KeyLoggerEventArgs 0x2bbf9:$a10: KeyLoggerEventArgs 0x14b89:$a11: KeyLoggerEventArgsEventHandler 0x2b7a9:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2ef:$a1: get_encryptedPassword 0x91407:$a1: get_encryptedPassword 0xf617:$a2: get_encryptedUsername 0x9172f:$a2: get_encryptedUsername 0xf08a:$a3: get_timePasswordChanged 0x911a2:$a3: get_timePasswordChanged 0xf1ab:$a4: get_passwordField 0x912c3:$a4: get_passwordField 0xf305:$a5: set_encryptedPassword 0x9141d:$a5: set_encryptedPassword 0x10c61:$a7: get_logins 0x92d79:$a7: get_logins 0x10912:$a8: GetOutlookPasswords 0x92a2a:$a8: GetOutlookPasswords 0x10704:$a9: StartKeylogger 0x9281c:$a9: StartKeylogger 0x10bb1:$a10: KeyLoggerEventArgs 0x92cc9:$a10: KeyLoggerEventArgs 0x10761:$a11: KeyLoggerEventArgsEventHandler 0x92879:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.3395787831.00000000031E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa20f:$a1: get_encryptedPassword 0xa783e:$a1: get_encryptedPassword 0xa528:$a2: get_encryptedUsername 0xa7b57:$a2: get_encryptedUsername 0x9fbe:$a3: get_timePasswordChanged 0xa75ed:$a3: get_timePasswordChanged 0xa0df:$a4: get_passwordField 0xa770e:$a4: get_passwordField 0xa225:$a5: set_encryptedPassword 0xa7854:$a5: set_encryptedPassword 0xbb28:$a7: get_logins 0xa9157:$a7: get_logins 0xb7d9:$a8: GetOutlookPasswords 0xa8e08:$a8: GetOutlookPasswords 0xb5cb:$a9: StartKeylogger 0xa8bfa:$a9: StartKeylogger 0xba78:$a10: KeyLoggerEventArgs 0xa90a7:$a10: KeyLoggerEventArgs 0xb628:$a11: KeyLoggerEventArgsEventHandler 0xa8c57:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2259d:$a1: get_encryptedPassword 0x228b6:$a2: get_encryptedUsername 0x2234c:$a3: get_timePasswordChanged 0x2246d:$a4: get_passwordField 0x225b3:$a5: set_encryptedPassword 0x23eb6:$a7: get_logins 0x23b67:$a8: GetOutlookPasswords 0x23959:$a9: StartKeylogger 0x23e06:$a10: KeyLoggerEventArgs 0x239b6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: NoCGdFUXaoNd.exe PID: 5140	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: NoCGdFUXaoNd.exe PID: 5140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NoCGdFUXaoNd.exe PID: 5140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NoCGdFUXaoNd.exe PID: 5140	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: NoCGdFUXaoNd.exe PID: 5140	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26fc9:$a1: get_encryptedPassword 0x5e134:$a1: get_encryptedPassword 0x272e2:$a2: get_encryptedUsername 0x5e44d:$a2: get_encryptedUsername 0x26d78:$a3: get_timePasswordChanged 0x5dee3:$a3: get_timePasswordChanged 0x26e99:$a4: get_passwordField 0x5e004:$a4: get_passwordField 0x26fdf:$a5: set_encryptedPassword 0x5e14a:$a5: set_encryptedPassword 0x288e2:$a7: get_logins 0x5fa4d:$a7: get_logins 0x28593:$a8: GetOutlookPasswords 0x5f6fe:$a8: GetOutlookPasswords 0x28385:$a9: StartKeylogger 0x5f4f0:$a9: StartKeylogger 0x28832:$a10: KeyLoggerEventArgs 0x5f99d:$a10: KeyLoggerEventArgs 0x283e2:$a11: KeyLoggerEventArgsEventHandler 0x5f54d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: NoCGdFUXaoNd.exe PID: 6764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
8.2.NoCGdFUXaoNd.exe.4245570.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
8.2.NoCGdFUXaoNd.exe.4245570.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x912bf:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x915e7:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x9105a:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x9117b:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x912d5:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x92c31:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x928e2:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x926d4:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x92b81:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x92731:$a11: KeyLoggerEventArgsEventHandler
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe", ParentImage: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ParentProcessId: 4924, ParentProcessName: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", ProcessId: 2532, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe, ParentImage: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe, ParentProcessId: 5140, ParentProcessName: NoCGdFUXaoNd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp", ProcessId: 5016, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe", ParentImage: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ParentProcessId: 4924, ParentProcessName: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", ProcessId: 4784, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe", ParentImage: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ParentProcessId: 4924, ParentProcessName: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe", ProcessId: 2532, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe", ParentImage: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ParentProcessId: 4924, ParentProcessName: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp", ProcessId: 4784, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:15:09.344208+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49713	132.226.8.169	80	TCP
2025-01-16T09:15:19.829127+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49717	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Virustotal: Detection: 33%			Perma Link
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49740 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49813 version: TLS 1.0

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 0A395B87h	0_2_0A39530E
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 01509731h	7_2_01509480
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 01509E5Ah	7_2_01509A40
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 01509E5Ah	7_2_01509A30
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 01509E5Ah	7_2_01509D87
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE8830h	7_2_05CE8588
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE47C9h	7_2_05CE4520
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE76D0h	7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEF700h	7_2_05CEF458
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE76D0h	7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEE9F8h	7_2_05CEE750
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE5929h	7_2_05CE5680
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE83D8h	7_2_05CE8130
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEF2A8h	7_2_05CEF000
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEE5A0h	7_2_05CEE2F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE54D1h	7_2_05CE5228
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE5079h	7_2_05CE4DD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE7F80h	7_2_05CE7CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE7278h	7_2_05CE6FD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE4C21h	7_2_05CE4978
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE7B28h	7_2_05CE7880
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEFB58h	7_2_05CEF8B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CEEE50h	7_2_05CEEBA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 4x nop then jmp 05CE5E15h	7_2_05CE5AD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 03194E8Fh	8_2_03194616
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 03099731h	13_2_03099480
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 03099E5Ah	13_2_03099A30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 03099E5Ah	13_2_03099D87
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C68830h	13_2_05C68588
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C647C9h	13_2_05C64520
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6F700h	13_2_05C6F458
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C676D0h	13_2_05C67428
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6E9F8h	13_2_05C6E750
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C65929h	13_2_05C65680
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6E5A0h	13_2_05C6E180
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C683D8h	13_2_05C68130
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6F2A8h	13_2_05C6F000
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C654D1h	13_2_05C65228
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C65079h	13_2_05C64DD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C67F80h	13_2_05C67CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C67278h	13_2_05C66FD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C64C21h	13_2_05C64978
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C67B28h	13_2_05C67880
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6FB58h	13_2_05C6F8B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C6EE50h	13_2_05C6EBA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 4x nop then jmp 05C65E15h	13_2_05C65AD8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49740 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49813 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2171623456.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2205049755.0000000003249000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_015825B0	0_2_015825B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01580870	0_2_01580870
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01581408	0_2_01581408
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_015834F0	0_2_015834F0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01589860	0_2_01589860
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01581C30	0_2_01581C30
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584210	0_2_01584210
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584200	0_2_01584200
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584410	0_2_01584410
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584400	0_2_01584400
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584F50	0_2_01584F50
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01584F60	0_2_01584F60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01581361	0_2_01581361
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585250	0_2_01585250
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_015835D8	0_2_015835D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_015835EF	0_2_015835EF
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01583442	0_2_01583442
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01583402	0_2_01583402
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01583715	0_2_01583715
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_015857F8	0_2_015857F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0158379C	0_2_0158379C
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585659	0_2_01585659
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585668	0_2_01585668
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585808	0_2_01585808
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585A18	0_2_01585A18
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_01585A09	0_2_01585A09
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF29A9	0_2_09EF29A9
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF7990	0_2_09EF7990
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF0AD0	0_2_09EF0AD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5A78	0_2_09EF5A78
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF1C90	0_2_09EF1C90
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF70E0	0_2_09EF70E0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF0040	0_2_09EF0040
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF6018	0_2_09EF6018
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF12D8	0_2_09EF12D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5638	0_2_09EF5638
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF7980	0_2_09EF7980
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF3968	0_2_09EF3968
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF3959	0_2_09EF3959
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF6910	0_2_09EF6910
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4BA8	0_2_09EF4BA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4B98	0_2_09EF4B98
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5A69	0_2_09EF5A69
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4DC8	0_2_09EF4DC8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4DB8	0_2_09EF4DB8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5CC0	0_2_09EF5CC0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5CB1	0_2_09EF5CB1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF1C81	0_2_09EF1C81
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF7F60	0_2_09EF7F60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF7F70	0_2_09EF7F70
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EFF1B8	0_2_09EFF1B8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF70D0	0_2_09EF70D0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5040	0_2_09EF5040
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF0021	0_2_09EF0021
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5030	0_2_09EF5030
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF6008	0_2_09EF6008
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF12C9	0_2_09EF12C9
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4508	0_2_09EF4508
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF4518	0_2_09EF4518
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF6460	0_2_09EF6460
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF6451	0_2_09EF6451
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF1720	0_2_09EF1720
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF1711	0_2_09EF1711
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF5629	0_2_09EF5629
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A3902A0	0_2_0A3902A0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A390B10	0_2_0A390B10
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A390B00	0_2_0A390B00
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A3906D8	0_2_0A3906D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A3D6BDC	0_2_0A3D6BDC
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_0A3D90E8	0_2_0A3D90E8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_0150C530	7_2_0150C530
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_01502DD1	7_2_01502DD1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_01509480	7_2_01509480
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_015019B8	7_2_015019B8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_0150C521	7_2_0150C521
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_0150946F	7_2_0150946F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE6138	7_2_05CE6138
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEBC60	7_2_05CEBC60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEAF00	7_2_05CEAF00
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE89E0	7_2_05CE89E0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE8588	7_2_05CE8588
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE8579	7_2_05CE8579
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE450F	7_2_05CE450F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE4520	7_2_05CE4520
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7428	7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEF458	7_2_05CEF458
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEF455	7_2_05CEF455
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE741B	7_2_05CE741B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7428	7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEE740	7_2_05CEE740
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEE750	7_2_05CEE750
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE5680	7_2_05CE5680
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE566F	7_2_05CE566F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE612B	7_2_05CE612B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE8120	7_2_05CE8120
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE8130	7_2_05CE8130
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEF000	7_2_05CEF000
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE13A8	7_2_05CE13A8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE0320	7_2_05CE0320
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE0330	7_2_05CE0330
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEE2F8	7_2_05CEE2F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEE2F5	7_2_05CEE2F5
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE521B	7_2_05CE521B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE5228	7_2_05CE5228
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE4DC0	7_2_05CE4DC0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE4DD0	7_2_05CE4DD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7CC8	7_2_05CE7CC8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE0CD8	7_2_05CE0CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7CD8	7_2_05CE7CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE6FC3	7_2_05CE6FC3
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE6FD0	7_2_05CE6FD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEEFFD	7_2_05CEEFFD
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE4969	7_2_05CE4969
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE4978	7_2_05CE4978
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7880	7_2_05CE7880
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEF8A1	7_2_05CEF8A1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEF8B0	7_2_05CEF8B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE7871	7_2_05CE7871
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEEB98	7_2_05CEEB98
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CEEBA8	7_2_05CEEBA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE5ACA	7_2_05CE5ACA
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE5AD8	7_2_05CE5AD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 7_2_05CE0AB8	7_2_05CE0AB8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030325B0	8_2_030325B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03030870	8_2_03030870
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03031408	8_2_03031408
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030334F0	8_2_030334F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03039860	8_2_03039860
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03031C30	8_2_03031C30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034200	8_2_03034200
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034210	8_2_03034210
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034400	8_2_03034400
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034410	8_2_03034410
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034F50	8_2_03034F50
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03034F60	8_2_03034F60
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03031361	8_2_03031361
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03033393	8_2_03033393
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030333B6	8_2_030333B6
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030333F0	8_2_030333F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035250	8_2_03035250
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03033715	8_2_03033715
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0303379C	8_2_0303379C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030357F8	8_2_030357F8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035659	8_2_03035659
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035668	8_2_03035668
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030335D8	8_2_030335D8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_030335EF	8_2_030335EF
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035A09	8_2_03035A09
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035A18	8_2_03035A18
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03035808	8_2_03035808
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03196500	8_2_03196500
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_031908F8	8_2_031908F8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_031908E8	8_2_031908E8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_03190D30	8_2_03190D30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_031904C0	8_2_031904C0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_08896BDC	8_2_08896BDC
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_088990F3	8_2_088990F3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B487B10	8_2_0B487B10
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485BF8	8_2_0B485BF8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B480AD0	8_2_0B480AD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B481C90	8_2_0B481C90
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B487260	8_2_0B487260
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4812D8	8_2_0B4812D8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B486198	8_2_0B486198
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B480040	8_2_0B480040
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4857B8	8_2_0B4857B8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B487B00	8_2_0B487B00
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485BE9	8_2_0B485BE9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484B98	8_2_0B484B98
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484BA8	8_2_0B484BA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B486A91	8_2_0B486A91
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B483959	8_2_0B483959
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B483968	8_2_0B483968
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485E40	8_2_0B485E40
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485E31	8_2_0B485E31
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B48EEF3	8_2_0B48EEF3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B48BE90	8_2_0B48BE90
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484DC8	8_2_0B484DC8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484DB8	8_2_0B484DB8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B481C81	8_2_0B481C81
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B48F338	8_2_0B48F338
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B487250	8_2_0B487250
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4812C9	8_2_0B4812C9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B486188	8_2_0B486188
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485040	8_2_0B485040
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B480006	8_2_0B480006
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B485030	8_2_0B485030
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4880E2	8_2_0B4880E2
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4880F0	8_2_0B4880F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B481719	8_2_0B481719
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B481720	8_2_0B481720
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4857A8	8_2_0B4857A8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484508	8_2_0B484508
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B484518	8_2_0B484518
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4865D0	8_2_0B4865D0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B4865E0	8_2_0B4865E0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_030927B9	13_2_030927B9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_0309C530	13_2_0309C530
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_03092DD1	13_2_03092DD1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_03099480	13_2_03099480
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_0309C521	13_2_0309C521
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_0309946F	13_2_0309946F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C66138	13_2_05C66138
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6BC60	13_2_05C6BC60
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6AF00	13_2_05C6AF00
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C689E0	13_2_05C689E0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C68588	13_2_05C68588
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C68579	13_2_05C68579
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6450F	13_2_05C6450F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C64520	13_2_05C64520
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6F448	13_2_05C6F448
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6F458	13_2_05C6F458
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67418	13_2_05C67418
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67428	13_2_05C67428
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6E740	13_2_05C6E740
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6E750	13_2_05C6E750
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C65680	13_2_05C65680
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6566F	13_2_05C6566F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6E180	13_2_05C6E180
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C68120	13_2_05C68120
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C68130	13_2_05C68130
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6F000	13_2_05C6F000
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6602A	13_2_05C6602A
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6032B	13_2_05C6032B
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C60330	13_2_05C60330
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6521A	13_2_05C6521A
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C65228	13_2_05C65228
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C64DC0	13_2_05C64DC0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C64DD0	13_2_05C64DD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67CC8	13_2_05C67CC8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C60CD8	13_2_05C60CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67CD8	13_2_05C67CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C66FC3	13_2_05C66FC3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C66FD0	13_2_05C66FD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6EFF0	13_2_05C6EFF0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C689D0	13_2_05C689D0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C64969	13_2_05C64969
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C64978	13_2_05C64978
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67880	13_2_05C67880
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6F8A1	13_2_05C6F8A1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6F8B0	13_2_05C6F8B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C67871	13_2_05C67871
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6EB98	13_2_05C6EB98
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C6EBA8	13_2_05C6EBA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C65ACA	13_2_05C65ACA
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C65AD8	13_2_05C65AD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_05C60AB8	13_2_05C60AB8

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: invalid certificate

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2178629864.0000000008720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2179699202.000000000EA10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000000.2126156560.0000000000D52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDzXb.exe" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2171623456.00000000031D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2169401089.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393764269.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Binary or memory string: OriginalFilenameDzXb.exe" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NoCGdFUXaoNd.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/2

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Mutant created: \Sessions\1\BaseNamedObjects\QzAmJJy
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp70BF.tmp

Jump to behavior

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000319F000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3397468149.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000336E000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000338C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Virustotal: Detection: 33%
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File read: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Code function: 0_2_09EF036B push ecx; ret	0_2_09EF036C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_08898C88 pushfd ; retf 0007h	8_2_08898C89
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_08890488 push 5007CA97h; ret	8_2_0889048D
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 8_2_0B48036B push ecx; ret	8_2_0B48036C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_0309B3A8 push eax; iretd	13_2_0309B445
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Code function: 13_2_0309BB22 push 00000005h; iretd	13_2_0309BB44

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Static PE information: section name: .text entropy: 7.4325084092117395
Source: NoCGdFUXaoNd.exe.0.dr	Static PE information: section name: .text entropy: 7.4325084092117395

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

File created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 5160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 5740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 6740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 6870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 7870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: B810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 9F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: C810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: D810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: EA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: FA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 10A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 6830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 6960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: B490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: C490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: C920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 6960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: B490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: C920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7410			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2146			Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe TID: 4196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3394727391.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: NoCGdFUXaoNd.exe, 0000000D.00000002.3393823248.00000000011F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Memory written: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Memory written: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3396422686.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3395787831.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	33%	Virustotal		Browse
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	32%	ReversingLabs	Win32.Trojan.Sonbokli
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe	32%	ReversingLabs	Win32.Trojan.Sonbokli

Source	Detection	Scanner	Label
http://checkip.dyndns.comd	0%	Avira URL Cloud	safe
http://reallyfreegeoip.orgd	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189d	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2171623456.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2205049755.0000000003249000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.0000000003291000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592541
Start date and time:	2025-01-16 09:14:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/11@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 410 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, PID 2620 because it is empty
Execution Graph export aborted for target NoCGdFUXaoNd.exe, PID 6764 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:14:58	API Interceptor	1x Sleep call for process: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe modified
03:15:00	API Interceptor	12x Sleep call for process: powershell.exe modified
03:15:01	API Interceptor	1x Sleep call for process: NoCGdFUXaoNd.exe modified
09:15:00	Task Scheduler	Run new task: NoCGdFUXaoNd path: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
104.21.64.1	NVIDIAShare.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
	gem2.exe	Get hash	malicious	Unknown	Browse	securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
checkip.dyndns.com	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	193.122.6.168
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	MV Nicos Tomasos Vessel Parts.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	132.226.247.73
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	132.224.47.164
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	http://links.888brands.net/ctt?m=34615482&r=LTg3OTY1NDQ3MDYS1&b=0&j=Mjc2MDE1OTMzMwS2&mt=1&kt=12&kx=1&k=email-router-cross_secureutils&kd=//american-faucet-and-coatings-corporation.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	55ryoipjfdr.exe	Get hash	malicious	Trickbot	Browse	104.26.12.205
	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	QT202515010642.JPG.PDF.vbs	Get hash	malicious	Unknown	Browse	104.17.151.117
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	104.18.94.41
	arm7.elf	Get hash	malicious	Unknown	Browse	1.12.192.222
	https://solve.xfzz.org/awjsx.captcha?u=20d5b468-46a4-4894-abf8-dabd03b71a69	Get hash	malicious	Unknown	Browse	172.67.215.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.64.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	rDEKONT-1_16_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JHGFDFG.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	New PO.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	order6566546663.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NoCGdFUXaoNd.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//MM0Uyus:lGLHxvCsIfA2KRHmOugA1s
MD5:	F2AC51E0515B24DBB9500606FFBD4AA8
SHA1:	D0CD1F1A2DA0F9F182FBB6A92D97CD7671AC3466
SHA-256:	D8F3559B90EF30312BBE0F8B35482D84155A197B4B38F117F1408D5B4194C09B
SHA-512:	597985FE6249D0C591823858DB028872BECA8FD002C7079FF6A271601241671759FBF5BC88D22BEB7FCC961361A172B3E7A0D7A5CBCE8939AA89530775391093
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01oklfum.3x4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04jochd3.krr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0dpwzdr.vnd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztd4lsxz.hgd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp70BF.tmp

Download File

Process:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.099308621025138
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLgVxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT8rv
MD5:	97E12F24F7FA926E12191982114FAFAD
SHA1:	BDD442D4C3B57E76744C65109AD71388B5B49A90
SHA-256:	887291B6722AB002EC2491EFF690BBF30A4CDB5BB258030E04EA64EAC3F8D392
SHA-512:	875DB9FDCFABCBF1CBC9D6EEA85599627CCB67292B774C9EFCAD4B16C2104A7F437910D0447F0BB077CDEFA14B5063C9FC2CB5FBE0DAF33F5801F03A38AC18DD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp7C49.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.099308621025138
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLgVxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT8rv
MD5:	97E12F24F7FA926E12191982114FAFAD
SHA1:	BDD442D4C3B57E76744C65109AD71388B5B49A90
SHA-256:	887291B6722AB002EC2491EFF690BBF30A4CDB5BB258030E04EA64EAC3F8D392
SHA-512:	875DB9FDCFABCBF1CBC9D6EEA85599627CCB67292B774C9EFCAD4B16C2104A7F437910D0447F0BB077CDEFA14B5063C9FC2CB5FBE0DAF33F5801F03A38AC18DD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Download File

Process:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	754184
Entropy (8bit):	7.449798439925127
Encrypted:	false
SSDEEP:	12288:4rvpM8gwUCGTyWXV7Ox8xvv5Pfv7EMNWvFh/Imr1jLLzWWqOv8bUfuBGT3kR:4bpPgwmxOxMCbFxImZjrNqOvvW
MD5:	433D5CC92F9E4A787E197F04C977CA36
SHA1:	B5E3ED631ABABD71B3DE12B44CE4A0669279F505
SHA-256:	EDA2BF8423A8046D884B20532A74BED0CE7219A2EE5F9FE829A72624D081E3DF
SHA-512:	CAE5A275A91EA9443CDB926FABEB324E5FF56323C680326D9C9227617BC4644F223D6F4BB4BB914E4C7A0F4611F2678A148B05D66134F28B5AD26F02DD603E49
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.g..............0......8.......1... ...@....... ....................................@.................................P1..K....@...5...........L...6........................................................... ............... ..H............text........ ...................... ..`.rsrc....5...@...6..................@..@.reloc...............J..............@..B.................1......H...........P.......O....... ............................................+x.a.y..kv...u..+.S...B.w.>..Y+.....r.......f..<n.C.J.Q=.Zs..}v$%x.%.......Q..z...(Aj~>..j.dqB....a."2.J>.....".P.o....t.q.rzD.....\...5.]......-...uy=\|..8.3..Q.....P...G2.E...D.0.g._.\.....^\'=...P..hUHx.U.".x..Z.,..I;....ys.8...r.8.#.(5....<...".f>r......-...N.M=dA..Tg......-..T....(..A.w=V.E.......1_%@.nH.s..t>.$.......4~.S.....s.1......v...T.Fh...R.7...............K.m%.(.Z.P.

C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.449798439925127
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
File size:	754'184 bytes
MD5:	433d5cc92f9e4a787e197f04c977ca36
SHA1:	b5e3ed631ababd71b3de12b44ce4a0669279f505
SHA256:	eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
SHA512:	cae5a275a91ea9443cdb926fabeb324e5ff56323c680326d9c9227617bc4644f223d6f4bb4bb914e4c7a0f4611f2678a148b05d66134f28b5ad26f02dd603e49
SSDEEP:	12288:4rvpM8gwUCGTyWXV7Ox8xvv5Pfv7EMNWvFh/Imr1jLLzWWqOv8bUfuBGT3kR:4bpPgwmxOxMCbFxImZjrNqOvvW
TLSH:	90F4AEC03B25B30ACD6DAD35C53AECB8A2106E64B105F6E379DE2B5B75CD2169A0CF50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.g..............0......8.......1... ...@....... ....................................@................................

File Icon


Icon Hash:	7fe6e7e7e3e3651f

Static PE Info

General

Entrypoint:	0x110b319e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67886CBB [Thu Jan 16 02:19:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3150	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x3580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb4c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb11a4	0xb1200	09ef0c0f0c36208e885e9097cda42433	False	0.8118397693189837	data	7.4325084092117395	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x3580	0x3600	3b79fd9500b9dd78428b467f84306c77	False	0.9107349537037037	data	7.684747035552338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	a5397f9088f68193d5dd88393386c155	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb4130	0x2f83	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9727041026062649
RT_GROUP_ICON	0xb70b4	0x14	data	1.05
RT_VERSION	0xb70c8	0x2cc	data	0.43575418994413406
RT_MANIFEST	0xb7394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T09:15:09.344208+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49713	132.226.8.169	80	TCP
2025-01-16T09:15:19.829127+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49717	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:15:01.577318907 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:01.582195044 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:01.582257032 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:01.582516909 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:01.587368011 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:04.325859070 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:04.331029892 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:04.331157923 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:04.331307888 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:04.336189032 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:08.020188093 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:08.024090052 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:08.029089928 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:09.298470020 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:09.308368921 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.308409929 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:09.308542967 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.317029953 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.317043066 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:09.344208002 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:09.805103064 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:09.805169106 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.808057070 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.808063984 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:09.808353901 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:09.859833956 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.911427975 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:09.959362984 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:10.026876926 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:10.027040005 CET	443	49740	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:10.027107954 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:10.035140991 CET	49740	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:18.138384104 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:18.145396948 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:18.150232077 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:19.774763107 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:15:19.776756048 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:19.776789904 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:19.777017117 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:19.781466961 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:19.781487942 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:19.829127073 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:15:20.236754894 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.236846924 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:20.239819050 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:20.239825964 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.240179062 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.281687975 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:20.320837975 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:20.363360882 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.430763006 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.430835962 CET	443	49813	104.21.64.1	192.168.2.6
Jan 16, 2025 09:15:20.430916071 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:15:20.433784962 CET	49813	443	192.168.2.6	104.21.64.1
Jan 16, 2025 09:16:14.304327011 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:16:14.304497004 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:16:24.774266005 CET	80	49717	132.226.8.169	192.168.2.6
Jan 16, 2025 09:16:24.774770975 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:16:49.313677073 CET	49713	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:16:49.318536043 CET	80	49713	132.226.8.169	192.168.2.6
Jan 16, 2025 09:16:59.782607079 CET	49717	80	192.168.2.6	132.226.8.169
Jan 16, 2025 09:16:59.787516117 CET	80	49717	132.226.8.169	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:15:01.563596964 CET	59110	53	192.168.2.6	1.1.1.1
Jan 16, 2025 09:15:01.570466042 CET	53	59110	1.1.1.1	192.168.2.6
Jan 16, 2025 09:15:09.300436020 CET	61973	53	192.168.2.6	1.1.1.1
Jan 16, 2025 09:15:09.307610035 CET	53	61973	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:15:01.563596964 CET	192.168.2.6	1.1.1.1	0xd8c8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.300436020 CET	192.168.2.6	1.1.1.1	0xc516	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:01.570466042 CET	1.1.1.1	192.168.2.6	0xd8c8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:15:09.307610035 CET	1.1.1.1	192.168.2.6	0xc516	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	132.226.8.169	80	2620	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:15:01.582516909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 09:15:08.020188093 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 09:15:08.024090052 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 09:15:09.298470020 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	132.226.8.169	80	6764	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:15:04.331307888 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 09:15:18.138384104 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 09:15:18.145396948 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 09:15:19.774763107 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49740	104.21.64.1	443	2620	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:15:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 08:15:10 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2330099 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QwzlpZMbKUWM2KjcaZhbYUXuxbxDg%2Be8Z9aMCvuo2L%2FxAyHAR538NRd%2FiXnvMHwNmYfCopaQE8rd8c9fTdQVQXHHVuBmpumpHqvwYWuNrF%2Fpy8IH9aqgAMFhBdxs5PrTVqVgEdJY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902ca7f74c6d8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1987&rtt_var=748&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1460730&cwnd=168&unsent_bytes=0&cid=57f44ebf4fb84761&ts=231&x=0"
2025-01-16 08:15:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49813	104.21.64.1	443	6764	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:15:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 08:15:20 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:15:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2330109 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W7gTDeNybKRzfdC6qqZcKKuMurkKnsSLawKArjQl6lluMn88FeAgZyJoLjY1R87ZpjOY5VQ1oCNMQB8WecToKhfJXhlhemOXpH21CuCPNVH9KXYHhKb%2FmW2VpUqayJ8ZSOX576FJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902ca8385cd5c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1496&min_rtt=1488&rtt_var=574&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1881443&cwnd=155&unsent_bytes=0&cid=fc9dd0bb01606e5d&ts=200&x=0"
2025-01-16 08:15:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:14:58
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Imagebase:	0xd50000
File size:	754'184 bytes
MD5 hash:	433D5CC92F9E4A787E197F04C977CA36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:14:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:14:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:14:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"
Imagebase:	0x980000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:14:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:15:00
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Imagebase:	0xe40000
File size:	754'184 bytes
MD5 hash:	433D5CC92F9E4A787E197F04C977CA36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3395787831.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:15:00
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Imagebase:	0xe80000
File size:	754'184 bytes
MD5 hash:	433D5CC92F9E4A787E197F04C977CA36
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:15:01
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:15:02
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp"
Imagebase:	0x980000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:15:02
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:15:02
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Imagebase:	0x160000
File size:	754'184 bytes
MD5 hash:	433D5CC92F9E4A787E197F04C977CA36
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:15:03
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Imagebase:	0xcc0000
File size:	754'184 bytes
MD5 hash:	433D5CC92F9E4A787E197F04C977CA36
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3396422686.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	299
Total number of Limit Nodes:	23

Executed Functions

Function 09EF6008 Relevance: 2.7, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 09EF606E
\~$, xrefs: 09EF6138

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: d5d9cdfe515e7c1023946b58ecc214ffd4de07c201f13b4be909e229a24c73a5
Instruction ID: f62a47a418794b9d64af33cdd14386ba1a1478e2a75ae1850a29634f32036a81
Opcode Fuzzy Hash: d5d9cdfe515e7c1023946b58ecc214ffd4de07c201f13b4be909e229a24c73a5
Instruction Fuzzy Hash: 546116B5E05209CFCB18CFAAD5516EEFBF2BF88750F20902AD516A7358E6349A418F50

Function 09EF6018 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 09EF606E
\~$, xrefs: 09EF6138

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: dc7a0288a586ee741ec43b5776e1a890a0ba3055153890a854384ce52886a552
Instruction ID: 73707a011970c44b611a90f7a3e7a3ffa8f22b1b5af2ee09971bff96c7e22883
Opcode Fuzzy Hash: dc7a0288a586ee741ec43b5776e1a890a0ba3055153890a854384ce52886a552
Instruction Fuzzy Hash: 876126B5E05209CFCB18CFA6D5915EEFBB2BF88740F20902AD516A7358E7349A418F50

Function 0A3D6BDC Relevance: 1.9, Strings: 1, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,G>, xrefs: 0A3D9131

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ,G>
API String ID: 0-526755516
Opcode ID: e04f97240cdd6ecb7b3bb79a1f3b8a18d68489e933537fc6ad5cf2253a78bce1
Instruction ID: 74fc36d3e93500493758da7eb5a3ebb5e18b6dd1d856cc5aee3f9991fd3242fe
Opcode Fuzzy Hash: e04f97240cdd6ecb7b3bb79a1f3b8a18d68489e933537fc6ad5cf2253a78bce1
Instruction Fuzzy Hash: D0326B71E00218CFDB55DFA9D8507AEBBF2AF88300F1485AAD409AB7A5DB349C41CF95

Function 0A3D90E8 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

,G>, xrefs: 0A3D9131

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ,G>
API String ID: 0-526755516
Opcode ID: a4e417ffebcf0f452ca39d3e080b8ca29436928438a7286f091cd11409f5e43d
Instruction ID: 08f8fdaa2a616633b3d15d352a1cc1d69e0f9e20786cc6b3e0ae8620d1be338a
Opcode Fuzzy Hash: a4e417ffebcf0f452ca39d3e080b8ca29436928438a7286f091cd11409f5e43d
Instruction Fuzzy Hash: EBC14872E00258DFCF55CFA5E88079ABBB2AF88310F14C5A9E419AB665DB309985CF50

Function 09EF7990 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 09EF7C5C

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 376a655d1ceb470e15daa78b80cc8fb659bc2cf28ff052bacd5c3b31168bf488
Instruction ID: 8b6f60ba31c9bd094b32a9ce6155618159f7a40b8732a10fd54f2a2dc357be39
Opcode Fuzzy Hash: 376a655d1ceb470e15daa78b80cc8fb659bc2cf28ff052bacd5c3b31168bf488
Instruction Fuzzy Hash: 6EB11570E05619DBDB18CFA6D8805DEFBB2FF89340F10A52AD516AB224DB359A02CF14

Function 09EF7980 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

?w=>, xrefs: 09EF7C5C

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 5499598df20f0b90c7e4da836bf1a0a2f4861dbf42445ee1c5ed47c8eaeae9be
Instruction ID: 56632ef97d2b50b70d72102e85edfbff85b2c3e4b50a634bd0d37cf70036b246
Opcode Fuzzy Hash: 5499598df20f0b90c7e4da836bf1a0a2f4861dbf42445ee1c5ed47c8eaeae9be
Instruction Fuzzy Hash: 3BB11470E05619DBDB18CFA6D8805DEFBB2FFC8340F10A52AD516AB264DB359A06CF14

Function 09EF5629 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

5{, xrefs: 09EF5822

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: d0030f9d6c02f7393bd24ddb1bc51ce70c0b252003b1e8bffee138794813519a
Instruction ID: 9aa347b59b344dd8bcdba0350cc379cf50067eb4831e9b32ff82ca15469126bf
Opcode Fuzzy Hash: d0030f9d6c02f7393bd24ddb1bc51ce70c0b252003b1e8bffee138794813519a
Instruction Fuzzy Hash: ECB14A74E0160ADFCB04DFA9D5945AEBBB2FF89310F20946AE416AB364DB349D02CF51

Function 09EF5638 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 09EF5822

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 647f5f6a88003cf6bfb6ab0ad477172c0baec611cbcc532c436aefdbcf9b066d
Instruction ID: bba807aec221132e6ebb545a8d0424d7c2d0b895cfd93981c809f0f5fd56dc99
Opcode Fuzzy Hash: 647f5f6a88003cf6bfb6ab0ad477172c0baec611cbcc532c436aefdbcf9b066d
Instruction Fuzzy Hash: F4A14B74E0160ADFCB04DFA9D5544AEBBB2FF89310F10946AE516AB354DB349D02CF91

Function 09EF70E0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 09EF72F6

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 2f65f134bcc07dfbf137112e1c63f13208e0f0fe0e28f48996e98be71c896d05
Instruction ID: fa166e1083597b98c82f995e2559c0d73cd866ef988c4d48a1ad3147695ed12e
Opcode Fuzzy Hash: 2f65f134bcc07dfbf137112e1c63f13208e0f0fe0e28f48996e98be71c896d05
Instruction Fuzzy Hash: EA811871D05209EFDB08CFA6D9808DEFBB2EF89350F10E42AE516AB224D7359946CF14

Function 09EF70D0 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 09EF72F6

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 7d6cdd00da6fe9ad7b2e32c9a39d4754642254675fe27ae8af34f0008cc5a074
Instruction ID: ebd42b31e8aa1135c4257529c779d7021d1f9171d70f63780be3a0fd9d33cde6
Opcode Fuzzy Hash: 7d6cdd00da6fe9ad7b2e32c9a39d4754642254675fe27ae8af34f0008cc5a074
Instruction Fuzzy Hash: 96811971D05209EFDB08CFA6D9909DEFBB2EF89350F10E42AE516AB264D7359946CF00

Function 015835EF Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

{&x., xrefs: 015835F6

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: {&x.
API String ID: 0-2592750818
Opcode ID: 8a6744c9da777a72701b7f628ad499723c4f6c6925a9234f76042c9f44e7e3ce
Instruction ID: 78bd550d2bf79102bed3221e07399fd9b343e05b520c3024f4273c3c65d04cf0
Opcode Fuzzy Hash: 8a6744c9da777a72701b7f628ad499723c4f6c6925a9234f76042c9f44e7e3ce
Instruction Fuzzy Hash: B451F6B0E0520ADFCB44DFA9C5818AEFBB2FF88600F549919D116AB314D735D982CFA4

Function 09EF29A9 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd01a9c39087f713602df2617a18df180981c43244dbe89371b093cbe3d0d6ac
Instruction ID: b454e2ebfe2bae56cc0702ae268e0abbabd6c9460f0f08400b07e6000d7412d7
Opcode Fuzzy Hash: dd01a9c39087f713602df2617a18df180981c43244dbe89371b093cbe3d0d6ac
Instruction Fuzzy Hash: EDF17D70E0420ADFDB14CFA6C4914DEBBB2FF89340B50A56AC626EB354D7349982CF94

Function 09EF0AD0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e264ec93d02fac0310c578827471741921853f20924bfdff146b8d51bd074b
Instruction ID: 0a68a14768792edb39643e0fd4cc93693a347a1f8e01478c1f6a9065f2950cdc
Opcode Fuzzy Hash: 43e264ec93d02fac0310c578827471741921853f20924bfdff146b8d51bd074b
Instruction Fuzzy Hash: D7B14574E05259DFDB48DFE5C895ADEBBF2FF89300F14802AD90AAB265DB315901CB50

Function 01581361 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656e8b0aad247d8a4002c9c4209c4bce98c0a85f401be035ed861380b1b9b4a5
Instruction ID: fe23bf5e33599ff9111e7476e3c826ffe15724822d454714a6b8ac27cf274b7b
Opcode Fuzzy Hash: 656e8b0aad247d8a4002c9c4209c4bce98c0a85f401be035ed861380b1b9b4a5
Instruction Fuzzy Hash: 42A11470E05349CFCB48CFA9C894A9DBBF2FF88310F28846AD419AB265D7759946CF50

Function 01583402 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91489d513cfeec8a7d8233788ec1995c6673dcd1dc57bd4ff2b698da049de570
Instruction ID: 807aa704db7f26752c9e514793b321ae584d057066384b125efe3b7ae1c5b676
Opcode Fuzzy Hash: 91489d513cfeec8a7d8233788ec1995c6673dcd1dc57bd4ff2b698da049de570
Instruction Fuzzy Hash: ABA15C7094434ACFC745DFA9C4948AEFBF2FF85220B19899AC005AF215D779D982CF94

Function 01583442 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d86083a40dd42f87f5e66dfd113aa4d15b1c816eff85d3cfd59fd78cc4ce13
Instruction ID: ed65be37cebfef9bc19b6796f5822a0c044f0bdcdf079163d5b5591b9888c1b9
Opcode Fuzzy Hash: 76d86083a40dd42f87f5e66dfd113aa4d15b1c816eff85d3cfd59fd78cc4ce13
Instruction Fuzzy Hash: CD915C7090434ACFCB45DFA9C4948AEFBF2FF85320B19856AC405AB225D775D982CF94

Function 01589860 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cde2b8ac3e460ae80577649bc50684fb0d67e5dc2f7afabe4c845c177815cb4
Instruction ID: f45fb2a4cbec5e48a67f1411b4da5442d43e01f29098c9fe10cba0f6d0faa480
Opcode Fuzzy Hash: 5cde2b8ac3e460ae80577649bc50684fb0d67e5dc2f7afabe4c845c177815cb4
Instruction Fuzzy Hash: 55919274E01259CFDB14DFA9D984A9EBBF2FF88300F10816AD919AB364DB34A941CF50

Function 01581408 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e0eb7c87508db63f941b43d23ece1ceb96042d899497b529e786e7c042ee20
Instruction ID: 18fdc0f39eecb419b741286f69bd00131db5402502837669d2b045b694865862
Opcode Fuzzy Hash: b5e0eb7c87508db63f941b43d23ece1ceb96042d899497b529e786e7c042ee20
Instruction Fuzzy Hash: 9E81A274E016198FDB08DFA9C884AAEBBF2FF88300F24842AD519BB364D7745946CF50

Function 015834F0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b26a3ae3ca9b97fe9ccf245e2e93475436f7a99ce4aa8e8bca2677d2c2343fe
Instruction ID: e09b555eb1900a913156a4fb9a426442896a3d1a0816f61c91133bf9d76c6a7a
Opcode Fuzzy Hash: 1b26a3ae3ca9b97fe9ccf245e2e93475436f7a99ce4aa8e8bca2677d2c2343fe
Instruction Fuzzy Hash: 977104B0E0520ADBCB48DFA9C5808AEFBB2BF88700F149519D516AB314D735E942CFA4

Function 09EF5A69 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03993fcd568f1db364b38cab4218531a56068c904b700a615299feb0b0a6152
Instruction ID: 8a1dd7ad18fb4e3ae78670848cde95fd2cc0908e43abedbed1097e7cf33a0174
Opcode Fuzzy Hash: d03993fcd568f1db364b38cab4218531a56068c904b700a615299feb0b0a6152
Instruction Fuzzy Hash: 395108B4E056099FCB08CFA5D9855AEFBB2FF89310F14942AE416E7354DB389A11CF50

Function 09EF5A78 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903ba5ef21be6b247d5d0819e0b362d50177e6c860e7663ca87377d495824f59
Instruction ID: dfa8ef24219ece57ab044d1bc628298b7c0605b81e13f1ac1ce4558db4f92689
Opcode Fuzzy Hash: 903ba5ef21be6b247d5d0819e0b362d50177e6c860e7663ca87377d495824f59
Instruction Fuzzy Hash: EE5118B4E05609DFCB08CFA5D9854AEFBB2FF89310F14A42AE416E7354DB389A118F50

Function 01583715 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7692ea820a18763e7acca2f20deca5e0be31bd8fb601b5026e516179d32358ef
Instruction ID: ab78e0cccb4aad258a914bde159df4220d0c010e33195b4a76684987e4ea0f7b
Opcode Fuzzy Hash: 7692ea820a18763e7acca2f20deca5e0be31bd8fb601b5026e516179d32358ef
Instruction Fuzzy Hash: C55137B0E0520ADFCB44DFA9C5818AEFBB2FF89610F249959C112AB314D735D942CFA4

Function 01581C30 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52fc6e7e761b8c1d161fb4dd1d5498cd084b207481c6b065f454eb68acd1e1b
Instruction ID: 2d3ad0b0f54c2d2a9acc8a1582e7368f08a23256bd936b51e0d8bbfb4dd020be
Opcode Fuzzy Hash: d52fc6e7e761b8c1d161fb4dd1d5498cd084b207481c6b065f454eb68acd1e1b
Instruction Fuzzy Hash: 89513970E056198FDB08DFA9C4806AEFBF2BF89300F14D56AD419BB254D7748A42CBA5

Function 0158379C Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9745181652db14134287f9b5a89cc8a6655c50336fa1c0221d8eddaa54b68320
Instruction ID: 12df0ad728ae7608b2ca2f4016c145dd8182ff0058776a2c7defa208818fdb4b
Opcode Fuzzy Hash: 9745181652db14134287f9b5a89cc8a6655c50336fa1c0221d8eddaa54b68320
Instruction Fuzzy Hash: 3B5126B0E0420ADFCB44DFA9C4818AEFBB2FF89600B649919D106AB314D735D942CFA4

Function 015835D8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05720f51840660b3c4a3d78d57965379030f0b086342b54057533917d50bdbbe
Instruction ID: 8ff4ac2298ab8fe811106eb4a71751583cebe340841058349926dd27c7321c8d
Opcode Fuzzy Hash: 05720f51840660b3c4a3d78d57965379030f0b086342b54057533917d50bdbbe
Instruction Fuzzy Hash: 355116B0E0520ADFCB54DFA9C5818AEFBB2FF88600F549919D116AB314D735D942CFA4

Function 09EF12D8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d54417a35d25f7473c3b902d2f028d190e8fb1f2604568d892602fd8d7dbfd
Instruction ID: df5ae9742f9cc3aaa75f33b530066c836fe78a732ba36328648a7e37c2422b10
Opcode Fuzzy Hash: f7d54417a35d25f7473c3b902d2f028d190e8fb1f2604568d892602fd8d7dbfd
Instruction Fuzzy Hash: 294115B4E09219CFDB08CFAAD8506AEFBF2BF88310F14D16AD519B7255D7348A418F64

Function 09EF12C9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c699878e662842f9ff9fc9dba0aa0a322a3fe968c6e8827343fe12717cafa0
Instruction ID: 2f55825e99d2e249d60261926404452aa3a7a229bfe09d317a9e3803632ea6da
Opcode Fuzzy Hash: d4c699878e662842f9ff9fc9dba0aa0a322a3fe968c6e8827343fe12717cafa0
Instruction Fuzzy Hash: 114104B4E05249CFDB08CFAAD850AAEFBF2AF88310F15D16AD509B7255D7344A42CF64

Function 01580870 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1b7e0aa3966b4aba29b095a856061c9a7dda45127919c08245df028c1cffa6
Instruction ID: 9eafb67d141b9746946be24674f73dfbfddf724642bfa3585c6af3babc3aadcd
Opcode Fuzzy Hash: 3f1b7e0aa3966b4aba29b095a856061c9a7dda45127919c08245df028c1cffa6
Instruction Fuzzy Hash: 1C31FB71E006189FEB58CFAAD84079EFBF3BFC9200F04C1AAD508BA264DB305A558F51

Function 015825B0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaa09a61ff3accae57aa8d7f1e6302aa76ccb7462304bb04c75734a6ccda05d
Instruction ID: 749b1d26f203d8a78aeb698c73dfd6ca1dc5d03d317280ea5ab0f0d9d789d224
Opcode Fuzzy Hash: deaa09a61ff3accae57aa8d7f1e6302aa76ccb7462304bb04c75734a6ccda05d
Instruction Fuzzy Hash: E531FCB1E006588BDB19CFAAD8447DEBBF3BFC9310F18C16AD409AA254DB75095ACF50

Function 09EF1C90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb1b6da18e675dbb3144c15ffdc7573c8d2742d2a01751ba03e780499eb5d4f
Instruction ID: 3876a6cb369be5b748305d3c88943ee30fb1e2193afdd69be62919edf8135f2b
Opcode Fuzzy Hash: eeb1b6da18e675dbb3144c15ffdc7573c8d2742d2a01751ba03e780499eb5d4f
Instruction Fuzzy Hash: 48310471E01618CBDB18CFAAD95469EBBB7AFC8311F14C1AAD509AB364DB315E81CF40

Function 09EF0040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a56642e45e759fd85a7017ff3268eea9b647feb993b10f3e756a65d4d8c06e3
Instruction ID: df7a47a6e46adcaa3e1b0e7e8a6872bc3f17238f328888d8e7637c3a778174f5
Opcode Fuzzy Hash: 9a56642e45e759fd85a7017ff3268eea9b647feb993b10f3e756a65d4d8c06e3
Instruction Fuzzy Hash: 1421B971E006189BEB58CFABD85079EFBF7EFC8201F04D5BAD508A6264EB341A458F51

Function 09EF1C81 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f912d71fa457df14216ed8284ec5554c993945b324c09e31605286b363429fea
Instruction ID: 12f56179f32fed39c4f8db4b32249c3d38dbeabe7edbc421211e6eac327f1c5c
Opcode Fuzzy Hash: f912d71fa457df14216ed8284ec5554c993945b324c09e31605286b363429fea
Instruction Fuzzy Hash: 36211AB0E016588BDB18CFABC8542DEBFF3AFC9310F14C16AD408AA258DB740A45CF41

Function 0A39530E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9ab06175cc627018c9bcc94ac657ada3017582b75560a2f1e7adac1626e6a8
Instruction ID: 8e455a6e9e0b981fdc349accc69a2a9742cd8213c77b80ddd26547afd775357b
Opcode Fuzzy Hash: 5e9ab06175cc627018c9bcc94ac657ada3017582b75560a2f1e7adac1626e6a8
Instruction Fuzzy Hash: FAC04826A8E008B7CD225C8864010F8EB2CC6AB026F013062C60EA2D024AA282AA4588

Function 09EFE672 Relevance: 7.7, Strings: 6, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p*, xrefs: 09EFEC6A
*, xrefs: 09EFE72A
*, xrefs: 09EFE926
*, xrefs: 09EFE810
h+, xrefs: 09EFEBF2
h+, xrefs: 09EFEBDF

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: h+$h+$p*$*$*$*
API String ID: 0-3032380786
Opcode ID: d5b14d625194c0f24dbe7c9ecf8a410ceee5239ef40df972a5a5dba63a140b0f
Instruction ID: 4a210ba58ac75f419ef6ddc0e372aef3cd866fded494abbff5ee8df73ceb72c5
Opcode Fuzzy Hash: d5b14d625194c0f24dbe7c9ecf8a410ceee5239ef40df972a5a5dba63a140b0f
Instruction Fuzzy Hash: 72618E34E06259CFDB14CFA4E954BADBBB6FB84300F00A1AAD61AAB351DB705D42CF51

Function 09EFE5B2 Relevance: 5.1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*, xrefs: 09EFE72A
*, xrefs: 09EFE926
h+, xrefs: 09EFEBF2
h+, xrefs: 09EFEBDF

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: h+$h+$*$*
API String ID: 0-841402585
Opcode ID: 78011122fc0cb24bf612cb57b8690250c3f9ed46584f631f5591c0bf12515e2d
Instruction ID: 90645874364df71457d09dcdb4b0ab0c6d636ce4efbda9aa4a0fb89f041913bf
Opcode Fuzzy Hash: 78011122fc0cb24bf612cb57b8690250c3f9ed46584f631f5591c0bf12515e2d
Instruction Fuzzy Hash: 70414934A06259CFDB10CFA4E594BADBBB5FB48300F00A1AAD51AEB391D770AD41CF50

Function 09EFE5CD Relevance: 2.6, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p*, xrefs: 09EFEC6A
*, xrefs: 09EFE810

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: p*$*
API String ID: 0-1058661272
Opcode ID: 401d17e763a1fdc09bfaf877173c5295c1f51de82cca4445b547e8bc99d47e3f
Instruction ID: 3bee2515f9fb5907a5b49f6a595e97458a8b2472417f468255b9eded1cc0903d
Opcode Fuzzy Hash: 401d17e763a1fdc09bfaf877173c5295c1f51de82cca4445b547e8bc99d47e3f
Instruction Fuzzy Hash: 6D214834A02268CFDB65DF24D945BA97BB6FB88300F0091D9DA1E97701DB301E82CF62

Function 09EFEBD0 Relevance: 2.5, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h+, xrefs: 09EFEBF2
h+, xrefs: 09EFEBDF

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: h+$h+
API String ID: 0-1587447244
Opcode ID: 5ad25f4939ebff3c5c762815abb70532ffe273ee9ac3df6a57f105ed73e91ada
Instruction ID: e601c7a22ec6bf4de9c70e41f18e73b0389caeb449e43c1020d7d79b1722ff9b
Opcode Fuzzy Hash: 5ad25f4939ebff3c5c762815abb70532ffe273ee9ac3df6a57f105ed73e91ada
Instruction Fuzzy Hash: D7F06D30E02598CFD705CFD8E9554ACBBB6FB84302B509019D6129B349CBB44C06CB41

Function 0A391BFD Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A391E3E

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3f39ed836bfeb0403063a00635c18c6a1b70882a98a7f70570f7cc82e5ff2e19
Instruction ID: 0bc4962bb2df62a066e0dd4610ce987c5247f417289f70a9c9aaccac92fdcabc
Opcode Fuzzy Hash: 3f39ed836bfeb0403063a00635c18c6a1b70882a98a7f70570f7cc82e5ff2e19
Instruction Fuzzy Hash: 95A13B71D1021ADFEF64CF68C8417EEBBB2BB48310F148669E849B7240DB749985CF91

Function 0A391C08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A391E3E

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0215005627a877ba41f002d3fe8827ab7c959bde98372c0abf186eea64b2ac75
Instruction ID: 12f30ecfeb3d72cdf41f1c711c4ea4997fc77860fedfe5f62ae1d717283744ae
Opcode Fuzzy Hash: 0215005627a877ba41f002d3fe8827ab7c959bde98372c0abf186eea64b2ac75
Instruction Fuzzy Hash: 43914A71D1021ADFEF64CF68C8417EEBBB2BB48310F148669E809B7280DB749985CF91

Function 0158AFD4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0158B091

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: daf61cbcb43aecab6f2fa4d53e6cbd7ab714809993d68110d00b2e902c5fdda0
Instruction ID: 9c56d8f4878b6ddcb76ad5dce554a3a9afa7d0e1d8dab8f478f91bad8eb48cd2
Opcode Fuzzy Hash: daf61cbcb43aecab6f2fa4d53e6cbd7ab714809993d68110d00b2e902c5fdda0
Instruction Fuzzy Hash: E3410FB0C0071DCFEB24DFA9C844B8EBBB5BF49304F20846AD418AB251DBB56946CF90

Function 01589AC8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0158B091

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a00dfe4da61dfe9f95eead447f4c7e66233d998f879a483bca85dc5997aec65e
Instruction ID: 086d0a44528f235c31dd9564bb54c54dee3dc5d9d10ec167d6e7f95f4f48448c
Opcode Fuzzy Hash: a00dfe4da61dfe9f95eead447f4c7e66233d998f879a483bca85dc5997aec65e
Instruction Fuzzy Hash: C5410FB0C0071DCBDB24DFA9C844B9EBBF5BF49304F20846AD508AB251DBB56946CF90

Function 0A3D9A20 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e049219be2cc4780f4691482732d105000f5e2b92ed7b830dff17b3e202799e4
Instruction ID: ee4344fdafa9e23655dd34d7c3ac6fe7d094784cb15bd5b776c0be2408af39b2
Opcode Fuzzy Hash: e049219be2cc4780f4691482732d105000f5e2b92ed7b830dff17b3e202799e4
Instruction Fuzzy Hash: 41319872904389DFCB11CFA9D844AEEBFF4EF09310F14806AE954AB221C3359950CFA1

Function 0A391979 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A391A10

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d6b4a64339ec18786ae74a4186dcc3b2b16c5ab3d13e694c327cd34cf0d9e4e0
Instruction ID: c53babd74b47719df26d6234ca56a1ff3466d11229efefb71e05b4a6c9770049
Opcode Fuzzy Hash: d6b4a64339ec18786ae74a4186dcc3b2b16c5ab3d13e694c327cd34cf0d9e4e0
Instruction Fuzzy Hash: 4E31277190034A9FDF50CFA9C885BEEBBF1FF48320F10852AE959A7251C7799950CBA0

Function 0A3D7EB8 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A3D7F57

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 71b5d6a4073047824996e327b27fc6f78d33b4918a6c183eea989c80ed5e074c
Instruction ID: 51a55e6319f81cb8f6434e59b13ae01f5d8a939333b8710094f1ce95e535641e
Opcode Fuzzy Hash: 71b5d6a4073047824996e327b27fc6f78d33b4918a6c183eea989c80ed5e074c
Instruction Fuzzy Hash: 9831C2B5D00249DFDB10CFAAD884ADEFBF5BF58314F14842AE919A7210D775A944CFA0

Function 0A391980 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A391A10

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba13cf3d02c4d41349a5be83d2a7b731bb81b82210c30f3a3930eef4b2709809
Instruction ID: b1eb2413eb17b563aa34a3b25caf0ed40ce73035e55c194843266ee8f44c285c
Opcode Fuzzy Hash: ba13cf3d02c4d41349a5be83d2a7b731bb81b82210c30f3a3930eef4b2709809
Instruction Fuzzy Hash: BE21157590034A9FDF10CFAAC885BDEBBF5FF48310F10842AE918A7240D7789950CBA4

Function 0A3D7EC0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A3D7F57

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 081826bfeac79931688f87d392bf6f3f67dcc609efb5adc1cabc7d725f12b683
Instruction ID: 8a96eea7a761242360d74f5a06a87352702e08c075f950c3bb474c13ee01fbb6
Opcode Fuzzy Hash: 081826bfeac79931688f87d392bf6f3f67dcc609efb5adc1cabc7d725f12b683
Instruction Fuzzy Hash: 5B21C3B5D00309DFDB10CF9AD884A9EFBF8FB48320F14842AE919A7210D775A944CFA4

Function 0A391A68 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A391AF0

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eb5adfad52938bdf09c6f90ce11d8fa37807d5a6be8033e2e2566f74aa647856
Instruction ID: c6654a417c782fb609e5daaa5a8913c1659d71c8e61b381d2140a1bf425d95f5
Opcode Fuzzy Hash: eb5adfad52938bdf09c6f90ce11d8fa37807d5a6be8033e2e2566f74aa647856
Instruction Fuzzy Hash: 3821247180134A9FDF10CFA9C885AEEBBF1BF88310F10842AE559A7251C7799950CBA5

Function 0A3917E0 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A391866

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fb35e3716f50ec91267784b87b9c906911bda06a456cc60c06e4983520e36ae4
Instruction ID: ee694816b8ce18f801613c7ef3fab9ce71a0ea12cdf5f8eaf84881ba331bb431
Opcode Fuzzy Hash: fb35e3716f50ec91267784b87b9c906911bda06a456cc60c06e4983520e36ae4
Instruction Fuzzy Hash: 83213471D0430A8FDB50CFAAC4857EEBBF0AF88310F14842AD559A7240CB789944CFA5

Function 0A3DC9D8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0A3DCA57

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: b4b39f4eb1d8c3ffc88abfc1a1a07654c2dbbb4b20342e8078d283f3c3f5933d
Instruction ID: b2bffea3e4ccd9a708ec098699d0365837d2e31c6539c4d2774b2eb536117c82
Opcode Fuzzy Hash: b4b39f4eb1d8c3ffc88abfc1a1a07654c2dbbb4b20342e8078d283f3c3f5933d
Instruction Fuzzy Hash: 1F214CB5900249DFCB11DFAAD404BAEFBF5FB88710F10841AE955AB390C7756944CFA1

Function 0A391A70 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A391AF0

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 152ea5364f85df02aad628b72a9b24b15f7576d271108eed5b84bbd595b37cab
Instruction ID: 6954903738e3050a757fe2f9154bbda0814af205faa6c829b17fe712d1a76633
Opcode Fuzzy Hash: 152ea5364f85df02aad628b72a9b24b15f7576d271108eed5b84bbd595b37cab
Instruction Fuzzy Hash: AF21167180034A9FDF10CFAAC881ADEBBF5FF48310F50842AE519A7240D7799910CBA5

Function 0A3917E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A391866

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 96303ca80e1ed852451a76ba5867dbe3dd951835ca5185087ba30c809091c8a3
Instruction ID: 9ce11ab9e8f417f4bff6915a2a2656c3deba9ee1db9fb777933db294308f68a4
Opcode Fuzzy Hash: 96303ca80e1ed852451a76ba5867dbe3dd951835ca5185087ba30c809091c8a3
Instruction Fuzzy Hash: 87211871D0430A8FDB50DFAAC4857AEFBF4EF88724F148429D519A7240DB78A944CFA5

Function 0A3DC9CB Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0A3DCA57

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: fe6f18926b459401a82fc96c42ebbef8e674a7281bff30e80de9aa7dcc912ce8
Instruction ID: 55ca8701cb2d416ea6e6296cad197713cc13f5ff79620f011f1b863533e5186d
Opcode Fuzzy Hash: fe6f18926b459401a82fc96c42ebbef8e674a7281bff30e80de9aa7dcc912ce8
Instruction Fuzzy Hash: 092189B5804389DFCB11DFA9D444BAEBFF4FB49720F10845AE954AB280C7786904CFA1

Function 0A3918B8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A39192E

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b394fbec33ccc096ed2dc21b0d54191fbeb3b376d9cc83d77d872be5b5185d9
Instruction ID: 77e1161c65f10d6cc88970b9e8bd8162d285326c0b27a4f0c273b71281535742
Opcode Fuzzy Hash: 2b394fbec33ccc096ed2dc21b0d54191fbeb3b376d9cc83d77d872be5b5185d9
Instruction Fuzzy Hash: AA21367190024ADFDF24CFA9C845BEEBFF5AF88320F14841AE655A7250C7759550CFA1

Function 0A3D6C24 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0A3D9A3A,?,?,?,?,?), ref: 0A3D9ADF

Memory Dump Source

Source File: 00000000.00000002.2179306430.000000000A3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9de1e10ab6aa57a04921609b2b0a374ded5c940eac732dcbf2aff084e16f7557
Instruction ID: 3e79e161637c5c2cdf0f5fb18950f440c73d2c5f31024a8cd0fce27b070745c3
Opcode Fuzzy Hash: 9de1e10ab6aa57a04921609b2b0a374ded5c940eac732dcbf2aff084e16f7557
Instruction Fuzzy Hash: 9B112CB6800259DFDB10CF99D844BDEBFF8EB48320F148419E515A7610C375A950CFA4

Function 0A3918C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A39192E

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c811f51d294341793e321c95e1a5afc392f0a733cb0407bb763401f69953a46
Instruction ID: 1083379b4972da24a4ca54d02aec03da20a2a2ac2eb5305afea609481ef06f25
Opcode Fuzzy Hash: 7c811f51d294341793e321c95e1a5afc392f0a733cb0407bb763401f69953a46
Instruction Fuzzy Hash: 3D11567280024ADFDF10CFAAC844BDEBBF5EF88320F148419E519A7250C775A510CFA4

Function 0A391731 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0A39179A

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a337d3dddf64c092c822a30604512918cca0a1edd1b9b43a09e3c05cc2ad285
Instruction ID: 27367810df23d33a8487b0723802ed9e92f2ea9aec1fff330f56728155376713
Opcode Fuzzy Hash: 1a337d3dddf64c092c822a30604512918cca0a1edd1b9b43a09e3c05cc2ad285
Instruction Fuzzy Hash: A011467590024ACFDB20DFAAC4457AEFBF5AF88320F248419D519A7240CB79A940CB94

Function 0A391738 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0A39179A

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3002c5aa130c3dc2d1a41d924a0817c2aba96e8d3087f8842aa01f6214fd4de4
Instruction ID: 8ae09cbe2825e1c0dcb93037e5fc03b79fbb45c8ae779ba6532e7658b37ffd18
Opcode Fuzzy Hash: 3002c5aa130c3dc2d1a41d924a0817c2aba96e8d3087f8842aa01f6214fd4de4
Instruction Fuzzy Hash: EF11287590034A8FDB20DFAAC44579EFBF4AF88724F248419D519A7240CB79A944CBA5

Function 0A3910EC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0A3961F5

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4ba88703249e3f682f0e5a615785119705d85ccfdbd24296b1321ca64a7199c9
Instruction ID: 43fc8c658e7cb72ede5e3545f888843d589fa832e454b1d9303d2980d3446e69
Opcode Fuzzy Hash: 4ba88703249e3f682f0e5a615785119705d85ccfdbd24296b1321ca64a7199c9
Instruction Fuzzy Hash: 7D11E3B5800349DFDB20CF99D445BDEBFF8EB48320F108419E518A7201C3B5A954CFA5

Function 0A396191 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0A3961F5

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5441a922615e2f865cd68b02d8db79d81e1a59d4877268eb0d6ac6a83c7dd39c
Instruction ID: 0d5fb21ef0be05d117c61335ee8a85b10225dbed899016943d38b3fb7fa29ea6
Opcode Fuzzy Hash: 5441a922615e2f865cd68b02d8db79d81e1a59d4877268eb0d6ac6a83c7dd39c
Instruction Fuzzy Hash: B111D2B5800249DFDB20CFA9D545BDEFBF8FB48310F20841AD554A7210C375A544CFA5

Function 09EF1470 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

OijW, xrefs: 09EF1529

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 352aa6e5bb39b32edcd2801362f4bdd23165ac638eba80865a46de9e93c03701
Instruction ID: e7d639632641ae61ffd4c4a0c05a2c905ea48e75f7ef3f743397e281da6221f4
Opcode Fuzzy Hash: 352aa6e5bb39b32edcd2801362f4bdd23165ac638eba80865a46de9e93c03701
Instruction Fuzzy Hash: 7D31D6B4E0421ADFCB44CFAAC491AAEFBF2AF89350F10956AC919A7354D3349A41CF51

Function 09EFC7C6 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

r, xrefs: 09EFC90A

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 3899815adf6f1ea5e7e7a2a00eb08048332f137b864c8c8ec0995f16bd2a8e74
Instruction ID: bbd4de5becb1831f7007cfbd449cdb66632ea33dbeca61bfcd5ab0c4314b3868
Opcode Fuzzy Hash: 3899815adf6f1ea5e7e7a2a00eb08048332f137b864c8c8ec0995f16bd2a8e74
Instruction Fuzzy Hash: 2C310470909109CBCB04CFA8D0A49EDF7B9FF4E341B30A556D65BAA252C730AC81CB60

Function 09EFC821 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

r, xrefs: 09EFC90A

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 924c3d94bc641d16bbafbcf1cee870b541c58ed0005c4420025a6a5660642630
Instruction ID: 2a580e1771845bde2c3cd3c96f731f317083dcff800abf511927e46032a5ec42
Opcode Fuzzy Hash: 924c3d94bc641d16bbafbcf1cee870b541c58ed0005c4420025a6a5660642630
Instruction Fuzzy Hash: 4821F474904209CBCB04CFA8D0649EDF7B9FF4A341B34A556D64AAB251C731AC82CB60

Function 09EF3181 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

?H,a, xrefs: 09EF31C7

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: cc75e0952175a38ff95d7af30deb1be6769fca349ece0b780a7460e882355aa4
Instruction ID: e70a0669ddbee82263e0b64f84286ebeb3d39507a5e65d9febc91164f5760a7b
Opcode Fuzzy Hash: cc75e0952175a38ff95d7af30deb1be6769fca349ece0b780a7460e882355aa4
Instruction Fuzzy Hash: 61218974E04248EFDB44CFA9C954A9DFBF2BF88340F14D5AAC519DB265E6309E01CB01

Function 09EFE778 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

*, xrefs: 09EFE72A

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-2892194033
Opcode ID: 77e900b77a3348aff411706c5e29deba8afe6b1302f31fa3235e70e9798966cc
Instruction ID: e5c36a87ac5591966a9c89312cd4f6e3d8e1ab219311bd37eb0587e265cebb7b
Opcode Fuzzy Hash: 77e900b77a3348aff411706c5e29deba8afe6b1302f31fa3235e70e9798966cc
Instruction Fuzzy Hash: B8215C70905259CFD754DB68E9A4BAD7BB9FB44300F04A2AED60E9B3A1D730AD42CF50

Function 09EF7E99 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

u|P, xrefs: 09EF7EDF

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 6292d8c6442eff44384245f21afef5468aaa52c5245728f439269ed92fefe761
Instruction ID: 23cfbaeec20598a87bfc892dca180467ca567f82bab00fa62e97206ee3126329
Opcode Fuzzy Hash: 6292d8c6442eff44384245f21afef5468aaa52c5245728f439269ed92fefe761
Instruction Fuzzy Hash: 5F1137B4E05249DFCB08CFA9D9402AEBBF2AF89310F2491AAC509E7354E6358E41CB45

Function 09EF7EA8 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 09EF7EDF

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: f73ac0f0dbcf63979a65b3a8d1fd7e3e5e89a418df2fcd1375f807e9c9a21bec
Instruction ID: f799cbaffdd037ab874409e8583b684ee91ef554242734ce6360522bc8c39b80
Opcode Fuzzy Hash: f73ac0f0dbcf63979a65b3a8d1fd7e3e5e89a418df2fcd1375f807e9c9a21bec
Instruction Fuzzy Hash: 7A11F8B4E05209DFCB44CFA9D9516AEBBF2BB88300F20E4AA9509A7354E6359F41CB45

Function 09EF5E70 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

G'/., xrefs: 09EF5EF6

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 7965dce043f35e4510f9a54ff40a324356f4dd64f4574451c6728c3b76c46b81
Instruction ID: 5ec8079e473692bef7139203435a6a56063190d13dd2cf3afd221ef3d7da4dc8
Opcode Fuzzy Hash: 7965dce043f35e4510f9a54ff40a324356f4dd64f4574451c6728c3b76c46b81
Instruction Fuzzy Hash: 2801C070E09388DFDB09CFB4D8546A9BFF2EBD6311F2494A6D105E72A4E6308E40CB02

Function 09EFE719 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

*, xrefs: 09EFE72A

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-2892194033
Opcode ID: 0bc9675e4207520ae6c9857ce6ded61309364788bfa8d0d3da5df4cef8c8dbda
Instruction ID: 2e3543bab81eb0824740f9ed675a02e736bd2fb886b7fc47ba347b83fe447fb9
Opcode Fuzzy Hash: 0bc9675e4207520ae6c9857ce6ded61309364788bfa8d0d3da5df4cef8c8dbda
Instruction Fuzzy Hash: 34111734A05259CFDB50DB94EA94B9DBBF9FB48300F04A2AAD51DAB3A1D7306D81CF50

Function 09EF5E80 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 09EF5EF6

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 21028b608735406bda228589bb94ee47652d11bf84aaa605abca46613861db70
Instruction ID: 0d2cca8a452f9c6be7bd0e74f80526550116383af40a3c9b86f4713f928f4efa
Opcode Fuzzy Hash: 21028b608735406bda228589bb94ee47652d11bf84aaa605abca46613861db70
Instruction Fuzzy Hash: 73017C70E05308DBCB08DFA5D9556ADFAB6ABD5300F24E4A6D506E3254EB309E40DB05

Function 09EFE571 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

p*, xrefs: 09EFECB4

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: p*
API String ID: 0-1496849365
Opcode ID: 1a927dcf58ea4ff06f05c870e34ef22c54bef46eb0635f04b52c3c4d18ec44df
Instruction ID: 711d706ecbad60eba9196660b7e97901b1f8943359f856658d352271e4792448
Opcode Fuzzy Hash: 1a927dcf58ea4ff06f05c870e34ef22c54bef46eb0635f04b52c3c4d18ec44df
Instruction Fuzzy Hash: B2F02430908284CFE721EBA5D8247987FB9DF86300F04A0BEC24A6B271DA742C46C712

Function 09EFE795 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

*, xrefs: 09EFE7B0

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-2892194033
Opcode ID: 61c69a3fb2366330f170b9f6e104851abfe93d14246881c29a07f0e7f491a145
Instruction ID: 9052c7dc66980fb9995305eb915af5a474fb01310fc9bbd0331ddd4501e8aa8c
Opcode Fuzzy Hash: 61c69a3fb2366330f170b9f6e104851abfe93d14246881c29a07f0e7f491a145
Instruction Fuzzy Hash: 88F01D74A07118CFDB20CB16E854B99BB76FB88300F00A2E9D61AA3354D7701E428F21

Function 09EFE580 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

p*, xrefs: 09EFECB4

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: p*
API String ID: 0-1496849365
Opcode ID: 6859d392f08475a4731cb4bf3edc4ade59ffe1a050a40db3d8547a79b160f5cf
Instruction ID: 956b3fc41aec736ad4fb814ff46283d4f706b80147bb4a308b152ef619d7954d
Opcode Fuzzy Hash: 6859d392f08475a4731cb4bf3edc4ade59ffe1a050a40db3d8547a79b160f5cf
Instruction Fuzzy Hash: 10F0E530908148CBEB25EBA5D8157A97BBDDF88300F10B07EC20A66260EE706D46CB22

Function 09EFFC50 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c0b515c25cc56ffe27134ee478bbbacbf330ce4169bcf226b0c7938c70a287
Instruction ID: 147fc14a868bb49051467e3dbe81444cb3e855740c7c6fe7546fe90b14ad1d5c
Opcode Fuzzy Hash: a7c0b515c25cc56ffe27134ee478bbbacbf330ce4169bcf226b0c7938c70a287
Instruction Fuzzy Hash: CA61E571F002198BCF25DFB8C4643AEBBB2AFC4355B101D6AD606A7391EB359D02C7A1

Function 09EFB698 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c75508fcdeba7614a9ed221f2df11b470d5ef96471b6f9a38d0408fb1f49780
Instruction ID: 62efbaea5cebab88097cf97f13ce82d22d8a6bafb9ca9161ce1fe6aebcf56bf3
Opcode Fuzzy Hash: 7c75508fcdeba7614a9ed221f2df11b470d5ef96471b6f9a38d0408fb1f49780
Instruction Fuzzy Hash: 41313A74D08208CBDB08CF9AC5606FEFBFAAB8D340F18E16AD51EA6291D7748D41CB50

Function 09EF52C4 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45137551cc7ecb514f34b7acf7db609d15fe1de6a9d3989db86f34a4c9053571
Instruction ID: aade5c6fcca1d901b70007f4cb4b1533ef0b05ed29b9c7612fa7fbf967f24a99
Opcode Fuzzy Hash: 45137551cc7ecb514f34b7acf7db609d15fe1de6a9d3989db86f34a4c9053571
Instruction Fuzzy Hash: 2F3159B19002499FDF14CFA9D844ADEBFF5EF88314F14846AE509E7210D775A950CFA0

Function 09EFB688 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f759948e8eb6c83975b9a453ce79ec632dd95224bc02fbc19c15926e9aadebc
Instruction ID: 6aa0183c5c095d5c4969c4fc1ac297b33a8701057fe9189ad3cf64929bb9cd15
Opcode Fuzzy Hash: 8f759948e8eb6c83975b9a453ce79ec632dd95224bc02fbc19c15926e9aadebc
Instruction Fuzzy Hash: 58315A74D08248CBDB08CFAAC4606EEBBF6AB8D301F19E1AAD50EA7291D7744D41CB50

Function 09EFC762 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72493e722514b8e1be5d0210a322ea00c8f383a29408bf8ab5cc143a8ddce8e9
Instruction ID: a52e426b40355c5b21d3e18c8de5bf01fed48dad58617fb198b0c95b8d6fd6f0
Opcode Fuzzy Hash: 72493e722514b8e1be5d0210a322ea00c8f383a29408bf8ab5cc143a8ddce8e9
Instruction Fuzzy Hash: F2313E70D08258DFC704CF66C8505EDBBFAAF8A340B24E0A6D59AE7262D7349D05CF50

Function 09EF8700 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b35bdcddb4290f8fbb5f714f8e7d8799c1c2a25fa299f48bf074c6eb6d9762
Instruction ID: af0e4116d442b000a005671e2473c1be427930396207a20cf21c9431889e6880
Opcode Fuzzy Hash: c9b35bdcddb4290f8fbb5f714f8e7d8799c1c2a25fa299f48bf074c6eb6d9762
Instruction Fuzzy Hash: 05311674E04209DFDB48CFA9D5946AEBBF2FB88310F20A56AC516E7390D7349E41CB51

Function 09EF67D8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32fbe0abfc0506e1208a7fe0a571b9e6ee1e97d21ef3d47c1154f5cde55295
Instruction ID: 65c6d7079e61ccf99d99f77be91b040834e5db5192d999b691b991714a691d2f
Opcode Fuzzy Hash: 9d32fbe0abfc0506e1208a7fe0a571b9e6ee1e97d21ef3d47c1154f5cde55295
Instruction Fuzzy Hash: 7D31F0B4E00219EFDB08CFA9D4546EEBBB2FF88314F10946AEA16A7354DB349941CF50

Function 09EF67C8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74e49f96027fba08231e3bd28ea81a92c08cfafce3f5b75ed154e5b90b44052
Instruction ID: c85d5cf0e916b96727e3bc7ab418ce9169b8ba5ac0562492bad4af0e3caeb269
Opcode Fuzzy Hash: c74e49f96027fba08231e3bd28ea81a92c08cfafce3f5b75ed154e5b90b44052
Instruction Fuzzy Hash: EB3122B4E00259AFCB08CFA9D8546EEBBF2FF88314F10946AE912A7354DB345A41CF50

Function 09EF86F0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b453074c57b490f75c5858bf316c23d9887f217cfdb2dd95155bf844ff0a406
Instruction ID: 0ee7409113f1ff6b9503c0fd14afaccf21f0585ee80b8f07000ac2320443d007
Opcode Fuzzy Hash: 0b453074c57b490f75c5858bf316c23d9887f217cfdb2dd95155bf844ff0a406
Instruction Fuzzy Hash: C0315B74E04209DFDB44CFA9D5946AEBBF2AB88310F10A5ABC506E7290D7349A41CF51

Function 09EF8553 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b79d025985db4014c60473b1e9312e6c520d88f79143931d0a6a7ffd157c440
Instruction ID: 504aafdf75f173f325839fdad68f6b5774374e4d56828d35361015a90b55c3b1
Opcode Fuzzy Hash: 3b79d025985db4014c60473b1e9312e6c520d88f79143931d0a6a7ffd157c440
Instruction Fuzzy Hash: A13113B4E05209DFDB48CFA9D5901AEBBF2FF89300F2495AAC50AE7354E6309E41CB11

Function 014ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170233471.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed6cf4a437ffd8d30aaf393a3e86c5b75c9ee02f2739ac2018b10ae61326f20
Instruction ID: ffd08b31975693651775b3094017b20a89c6f5c9c1835fd1a12717dbca75192d
Opcode Fuzzy Hash: 9ed6cf4a437ffd8d30aaf393a3e86c5b75c9ee02f2739ac2018b10ae61326f20
Instruction Fuzzy Hash: 2D213676900204DFDB05DF44D9C4B66BFA5FB94325F20C57EE9090B266C336E456CAA1

Function 09EFAF42 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed0ef250694ae03aab50fb57918d2a0ab9f392b0ff9046114c81cb3c4524432
Instruction ID: 5fc5626cde87d94586f17cb55467cd0565d31890f3b3bd1c4362b813742ae65d
Opcode Fuzzy Hash: 7ed0ef250694ae03aab50fb57918d2a0ab9f392b0ff9046114c81cb3c4524432
Instruction Fuzzy Hash: BA31C075E04209CFCB08CFA9C4909EDBBB2FF48310F24916AEA1AAB361D7315946CB50

Function 014FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170275037.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb4ea91ed2e6d1fc002ff3643aa536bb3bb8d297a76d1a16eec2f767d1183bb
Instruction ID: 63ac0b4784f87582d878f4af7d8dab1b6fb85df6cb6a434557ba3b7b3ee86102
Opcode Fuzzy Hash: fdb4ea91ed2e6d1fc002ff3643aa536bb3bb8d297a76d1a16eec2f767d1183bb
Instruction Fuzzy Hash: 2A2125B5904200EFDB15DF54D9C0B26BB61FB84318F20C56EDA0A4B366C776D407CA61

Function 014FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170275037.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf85fd28be718cc30c2833b24042a9fc1af792bebe2ef0a7d9c5b925fabd60dc
Instruction ID: c252586b125bc6a941cb1db895fbecf211848e652d00b3f4ac43602b86469962
Opcode Fuzzy Hash: cf85fd28be718cc30c2833b24042a9fc1af792bebe2ef0a7d9c5b925fabd60dc
Instruction Fuzzy Hash: 38212679904304EFDB05DF94D9C0B26BBA5FB84324F20C56EEA094B362C776D446CAA1

Function 09EF15A9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b828fbf6555d9873784455452c6d181265c372326e63567e29af7d2168600f
Instruction ID: 95ccdc42be31ee9a3a8c3ed7caa52c3f028b8d1cc3fbd53dbc8a11e82f9ff118
Opcode Fuzzy Hash: a1b828fbf6555d9873784455452c6d181265c372326e63567e29af7d2168600f
Instruction Fuzzy Hash: 0431F270E04249DFCB08CFAAC585AAEBBF2BF89300F24D5AAC519A7214D630DA418F51

Function 09EF15B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55260bc7e9397c2d3003b68eb2c4ae0d8c33011523e132d1e268b889fb687ce2
Instruction ID: 90e189119613c59a4a77c953420ed7bd4fa01cd3387091a856d9852c9d78d4ad
Opcode Fuzzy Hash: 55260bc7e9397c2d3003b68eb2c4ae0d8c33011523e132d1e268b889fb687ce2
Instruction Fuzzy Hash: 8F21F5B0E04609DFCB08CFAAC5859AEBBF2FF89300F55D5AAC519A7214E630DA418F51

Function 09EF8490 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4649d21a5452926d70270dc10c64b89486f72843294f28061bd190131873267b
Instruction ID: 10c22353206cb3058aeb0234bcad7b38d231c6036e69d04d7476104779454753
Opcode Fuzzy Hash: 4649d21a5452926d70270dc10c64b89486f72843294f28061bd190131873267b
Instruction Fuzzy Hash: 9821F3B4E04259DFDB44CFA9C4546AEBBF2FF89310F1495AAC51AA7360E7709A40CF50

Function 09EF3088 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a9738f49c579d0c1e84bd8f5f5b4a98dd58d106099c2f4528160149a636ea6
Instruction ID: e7860dfda9f8e8af528d644afe3e24b9cc210cd7fd2da27a9d37ce8926605211
Opcode Fuzzy Hash: a7a9738f49c579d0c1e84bd8f5f5b4a98dd58d106099c2f4528160149a636ea6
Instruction Fuzzy Hash: 3B2157B0E0424ADFDB04CFA9C5816AEFFF1BF89340F14A1ABC505A7265E7749A41CB52

Function 09EFB7C0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd88b496ecf8ca827a766299ac5abca7031651f1e0b7da80b36f439d27e7810
Instruction ID: a6d3c61cc70bd8c1dfc0b1ab27af004abbf902f620dd1085700d6945f8dc65be
Opcode Fuzzy Hash: 9dd88b496ecf8ca827a766299ac5abca7031651f1e0b7da80b36f439d27e7810
Instruction Fuzzy Hash: 93210CB4D08248DFCB40CFA9C191AEEBFF5AB89340F146196D949A7352C3709E40CF91

Function 09EF3098 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447f77b5e65a98562b58e99cc8e057892fd56c139b0768c0a6b1003179529736
Instruction ID: b50505aa58e926711abf660db0d017d4f442145ba04473c09246020b1a106e3c
Opcode Fuzzy Hash: 447f77b5e65a98562b58e99cc8e057892fd56c139b0768c0a6b1003179529736
Instruction Fuzzy Hash: A82139B0E0420ADFDB48DFAAC5516AEFBF1BF88340F10E56A8505A7254E7709B00CF91

Function 014FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170275037.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1706ab1a232e6e2f219c4c7422bda8c5dadcaec25fbef869e1755bef5ab3dbe6
Instruction ID: ae05889e1c7c687de779ac1570203f868a8c4472843ebbbc6bd9bef6e2f3f395
Opcode Fuzzy Hash: 1706ab1a232e6e2f219c4c7422bda8c5dadcaec25fbef869e1755bef5ab3dbe6
Instruction Fuzzy Hash: 9C217F755093808FCB06CF24D590716BF71EB46218F28C5EAD9498B7A7C33A980ACB62

Function 09EFBD10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc94c966ff82fd91f8f0e2b2583c47e7049455b89ecea8ee52adca8fee935ea3
Instruction ID: 79fa019d77e6e06519e042123311fe4eed8be2cb062b90ade90b52763ce92ad9
Opcode Fuzzy Hash: cc94c966ff82fd91f8f0e2b2583c47e7049455b89ecea8ee52adca8fee935ea3
Instruction Fuzzy Hash: 95211A71D046988BEB19CF66C8543DEBFF7AFCA300F18D0AAC54DAA265DB740945CB50

Function 09EF8610 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23517c8ba3b2774e6e55ea33cbd01d247ae03125009f875cd31fafdda7af4a2
Instruction ID: 66c70ec8be306eddf665648bcb153113d8ee5ea7da03e853213cd87c6d022eae
Opcode Fuzzy Hash: b23517c8ba3b2774e6e55ea33cbd01d247ae03125009f875cd31fafdda7af4a2
Instruction Fuzzy Hash: C71164B0E05249EFCF44CFA8E49029DBFF1AF89300F2095AAC906E7354E6349E40DB42

Function 09EF52D4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdaf7f6f9f9e44a7db63176e7255f57765d6f6f019c593a09773a27eb220175
Instruction ID: f6cfe95733ea9f8562131a4df2f88d6b02e8ad03052128d682c417e56b088b19
Opcode Fuzzy Hash: acdaf7f6f9f9e44a7db63176e7255f57765d6f6f019c593a09773a27eb220175
Instruction Fuzzy Hash: CF21D3B5900349DFCB10CF9AD884ADEBBF4FB48320F10841AEA19A7210D375A954CFA5

Function 014ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170233471.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: f3a0fcc397aad21f79da5f0e09e51fe897559299939966760bb72544a556549a
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 6F11D276804280CFCB02CF44D5C4B56BFB1FB94314F24C2AAD8090B267C33AD456CB91

Function 09EFB878 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d1c03e22950f21bcb3db8933da2015b1eeef5df0d8b55e1bd1898feda85c67
Instruction ID: eaaf88572aaf996ffc80c4f6b5d997cf194e4013a0a32d101d15b04c1de7b740
Opcode Fuzzy Hash: d1d1c03e22950f21bcb3db8933da2015b1eeef5df0d8b55e1bd1898feda85c67
Instruction Fuzzy Hash: AC114974E09288EFCB04DFA9C0506ADBBF5AB89340F18A5DAC449A7212D3709A018B81

Function 014FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170275037.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 0dcd7801f3ae6c3346e4d897c16b5db25a9c80fa1d6348866a60aa2c86dcb33f
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 7A11BE79904280DFCB02CF54C5C0B16BB61FB84224F24C6AED9494B366C33AD40ACB92

Function 09EF6718 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4ac8d0dfd7d07c63ca638ba786757f6f53eb1185a1b385826160a386083ad2
Instruction ID: 5b2448ecf4ebf594450665aecf64b7e84622c065ecd45de8f77dc2c33467f4dc
Opcode Fuzzy Hash: 7a4ac8d0dfd7d07c63ca638ba786757f6f53eb1185a1b385826160a386083ad2
Instruction Fuzzy Hash: E0114CB4E05249CFDB45CFE9DA9029EBFF2EB8A310F2481AAC405E7394E7704A41DB51

Function 09EFB888 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1487b9b60c877630951318de484bf7ba4c4c375108f5f0e98c63696c447f0e6
Instruction ID: 977b90120c3b017ac83c1e4446d67878cf0119e42d874c60b1b392aa5920b34b
Opcode Fuzzy Hash: a1487b9b60c877630951318de484bf7ba4c4c375108f5f0e98c63696c447f0e6
Instruction Fuzzy Hash: 5811E574E08248EFCB04DFAAC5519ADBBF9FB88350F14A596D519A7316D3709E418F80

Function 09EFBD20 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de588df307886d42b12f47f76f5e2ecd5adbecc2a0660babadf2072f2518abd1
Instruction ID: 4da571b9c1ec2f12ea16a9722d23ecb5ead7cd75a3da1d276363f53eef164ca9
Opcode Fuzzy Hash: de588df307886d42b12f47f76f5e2ecd5adbecc2a0660babadf2072f2518abd1
Instruction Fuzzy Hash: 5911E8B1D006588BEB18CFABC9447DEFAF7AFC8300F18D57A950DA6264DB7419468F90

Function 09EF8560 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3806c18d5646c4ce63ae5269d0112134bd2c0ba9186cf21c78356d7cd2e55e7f
Instruction ID: aef7d2be32c7ceaf44620c5721b2c57e7b5920ec4d4643c0fc68d75a16473657
Opcode Fuzzy Hash: 3806c18d5646c4ce63ae5269d0112134bd2c0ba9186cf21c78356d7cd2e55e7f
Instruction Fuzzy Hash: A91133B0E05609DFDB48CFA9D5502AEBBF2BB88300F20D5AA8506A3354E770DA41CB51

Function 09EF84A0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7379c2b6a42cc6ec6289ae21a4a80421bc700407f2c7b4090696ccb92922f8
Instruction ID: 8424537a67b48deeab8836458ca34d8098e7df31252b1699e22a67a0cc2aa218
Opcode Fuzzy Hash: ef7379c2b6a42cc6ec6289ae21a4a80421bc700407f2c7b4090696ccb92922f8
Instruction Fuzzy Hash: 381115B0E05209DBDB44CFA9D5502AEBBF6FF88340F20D4AAC51AE7214E7309E418F50

Function 09EFCBB8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75c3ac3cd2fafb2e251ad50eee9ab68683a46225e56d9ec0724be7a9b306ab7
Instruction ID: 3ceeeb0252ba24b3f13ed2f5c3e2dc7e5dc04f81ebc36f3074e11d48e256704f
Opcode Fuzzy Hash: e75c3ac3cd2fafb2e251ad50eee9ab68683a46225e56d9ec0724be7a9b306ab7
Instruction Fuzzy Hash: BD114074A08188DFCB01DFA9D5A4AECBFF5AF4A300F29A0D5D589DB266C6319E41DF00

Function 09EF5F60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3f20035e3e1115aabdebe22d8e174dc31b44af3f86588178b46eddb2f02010
Instruction ID: 68d79d0415d04927e28cbe6035c5a7135dffff2f9eeaece57fccac0a95ff57c9
Opcode Fuzzy Hash: 2a3f20035e3e1115aabdebe22d8e174dc31b44af3f86588178b46eddb2f02010
Instruction Fuzzy Hash: CC1145B4E04349DFCB45CFA9C5505AEBBF2BB99300F2484AAD408A3350EB308A018B11

Function 09EF6728 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3666f95ac72d6f7f5accd1c78f45b75a47825b26db9f81d86a797ac0461c16b3
Instruction ID: f8818718b764238346b4aafc792036f0795354cc337ae29af5d9b67d69999c27
Opcode Fuzzy Hash: 3666f95ac72d6f7f5accd1c78f45b75a47825b26db9f81d86a797ac0461c16b3
Instruction Fuzzy Hash: 6D1109B4E0520DDFCB48CFA9D6516AEFBF2EB88700F20D16AD509E3354E7309A419B91

Function 014ED731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170233471.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef0199a249b8bcd1f83f56f1737ab0bc2a4f046112ea81636677ea503851546
Instruction ID: af0c32c680134e42a5b2ddb3d7c3953427a905086b6f165e8e86553e18a0b901
Opcode Fuzzy Hash: 4ef0199a249b8bcd1f83f56f1737ab0bc2a4f046112ea81636677ea503851546
Instruction Fuzzy Hash: E201A775844384DAF7105BA9CD88767FFD8DF41726F18C42BEE094A2A2C6B89840C6B1

Function 09EFCB42 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6ea892c85a173299c8058bcaa92b7ba481a016fd3b0bd8dd465a48495a65b7
Instruction ID: 38d436d201d797058d5b9007d94fd5ea05c3933f16c2657248ee42180d11bc23
Opcode Fuzzy Hash: eb6ea892c85a173299c8058bcaa92b7ba481a016fd3b0bd8dd465a48495a65b7
Instruction Fuzzy Hash: EA01713490D28CCBCB05CF65C5619E8BFB9AF8B340F34E9E6D58A9B122C6704E44DB40

Function 09EF5F70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd482024155bf3b063c0f5005d56de8ef01bd2cc81e7a900fce0622aaef313
Instruction ID: 41b58a2233577a2519551b64ac35de13b1cc1ddb89a9f2a6fa71821dd598a402
Opcode Fuzzy Hash: d4cd482024155bf3b063c0f5005d56de8ef01bd2cc81e7a900fce0622aaef313
Instruction Fuzzy Hash: 5A0129B4E04309DFCB44CFA9D5506AEBBF6FB98300F10D4AAE519A3354EB709E018B51

Function 09EF8658 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce648c05c2aefb385b1c710fcdc0bd8a2d7a16835715b2355a891bf09b3dcd3
Instruction ID: e2254be9904f125348d55c0266c90f17f7daa97e326bcfc987f4fc220defa476
Opcode Fuzzy Hash: 4ce648c05c2aefb385b1c710fcdc0bd8a2d7a16835715b2355a891bf09b3dcd3
Instruction Fuzzy Hash: B7018B70E05209DFCB44CFA9D55528DBBF2AB8A300F29D4ABC005E3364D7309A05CB42

Function 09EFCB50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052b6502c583550eb6618cbdc9d5412f6a5912b766ed3b7a92358a3c74b71aa5
Instruction ID: 9eff814eef03f02f6cbf73ff25f93cf41e24deb367e2b0e12a2efcdb0923ddcc
Opcode Fuzzy Hash: 052b6502c583550eb6618cbdc9d5412f6a5912b766ed3b7a92358a3c74b71aa5
Instruction Fuzzy Hash: 88F0813490810CDBC704CF65C5109F8BBB9AF8A341F30F9A6954A5B212D7708E40DF44

Function 09EF8668 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4153f2644ad60e4d077f0df9fd5449add3b3b21d74c176b32170378be1634f
Instruction ID: 1fe59baca4cd19a644f1ea7721edba19166cc49e2eb1c3fc7b01c4bca1149da9
Opcode Fuzzy Hash: 8a4153f2644ad60e4d077f0df9fd5449add3b3b21d74c176b32170378be1634f
Instruction Fuzzy Hash: 13018C70E05608DFCB44CFA5D55529DBBF6AB89300F25E0AAC50AA3354EB309F408B05

Function 09EFAF0E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce30e170f132f8bffbdd9f688f38cfd23cea26af322eaf0e532fa726a099720
Instruction ID: 775b795ad127a3dfe45bef02af53dedf0822c3bfa221ce5b5fa0f979bb41b66d
Opcode Fuzzy Hash: dce30e170f132f8bffbdd9f688f38cfd23cea26af322eaf0e532fa726a099720
Instruction Fuzzy Hash: 4501C074E05318CBCB04CFA5D994AEDBBB6FF49301F10A02AE51AAB294E7709C41CF40

Function 014ED730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170233471.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc36bf72dd8170da9a6c9b44ba3e797139fbbe328e9fd627924d8c5c54571da
Instruction ID: e46749bc05b9f85f6f09f191877bc72842af7d49b23857345d9d6321c58cba67
Opcode Fuzzy Hash: 4cc36bf72dd8170da9a6c9b44ba3e797139fbbe328e9fd627924d8c5c54571da
Instruction Fuzzy Hash: B3F0C2728043849BE7108B19D988B67FFD8EB80735F18C45AEE080E292C2B89840CBB1

Function 09EF7060 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75b309f8371b565b1635e431ed6d5d697801febf17dae4d5644616d972db990
Instruction ID: 1b98b0cea96ca32cb0a2c53348270708c14c297972d45f43ca748a16ddae9373
Opcode Fuzzy Hash: f75b309f8371b565b1635e431ed6d5d697801febf17dae4d5644616d972db990
Instruction Fuzzy Hash: C40124B4D082498FDB15CFB8C9103AEBFF1AF49320F0085AAD418A7391E7750A00CF52

Function 09EFC8F3 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6b36a0e65a72c62f2e235a75ab5355f9208ad256c36f0b1fc70f2e14126526
Instruction ID: f8a2fbee4bdf24ece1a65f404765f91299399edffc76330f1181b1507fb9756f
Opcode Fuzzy Hash: 9f6b36a0e65a72c62f2e235a75ab5355f9208ad256c36f0b1fc70f2e14126526
Instruction Fuzzy Hash: 16F0AF31509284CFCB02CB68D464AE8BBB89F4B316F28A0DAC5869F183C3359C40CB11

Function 09EF74F9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a56148413190df08c8eb478f57f66a38de2bfd6b0bae3cf57ed1b20626fd8c2
Instruction ID: 3ce11b8616af024d90880495a1ed7e234997ad7aaf2b21b347c062efbf4beb80
Opcode Fuzzy Hash: 1a56148413190df08c8eb478f57f66a38de2bfd6b0bae3cf57ed1b20626fd8c2
Instruction Fuzzy Hash: 46F0BE32604204AFDF08DF98DC519AA7FFAEB49224F24C2ABE404DB2A1E671DD00CB44

Function 09EF7070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e1372f9333e9c20f1108f666af8d3808ebd587d6e92c7f8da1281e94309131
Instruction ID: 6b96fa65b834ce595f7453fa053e48b5d6dd7fad69df6a6d3701646da268a7ab
Opcode Fuzzy Hash: c4e1372f9333e9c20f1108f666af8d3808ebd587d6e92c7f8da1281e94309131
Instruction Fuzzy Hash: 33F0F4B4D04209DFDB44DFA9C5056AEFBF5FF48310F00946A9819A3340EB755A00CF51

Function 09EFE896 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdb9ad6b76a803116ef4cebee7bf7953e0dd255798acb941c9f4b876cbe04ce
Instruction ID: 0aebdf33a0b7f82b21b1ff0acea41594bcbcfaf5acbfd3a2b0610b94d8fff623
Opcode Fuzzy Hash: fbdb9ad6b76a803116ef4cebee7bf7953e0dd255798acb941c9f4b876cbe04ce
Instruction Fuzzy Hash: D0F09A30E0425A9FC705DB68E894A99BBB5EF44300B00A16AC1199B261D330AD03CF92

Function 09EFA3E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cca7421c724f28315c95673ba6bc7d946ed832f0e23df1cb2077a4a588ec1bb
Instruction ID: 44e04fff0f79f5e25cfeb621f50131d0f4c3d46d8a63cbd6a816d7d1d20d6ac1
Opcode Fuzzy Hash: 3cca7421c724f28315c95673ba6bc7d946ed832f0e23df1cb2077a4a588ec1bb
Instruction Fuzzy Hash: 04F03A70C093889FDB06DFB8C84039DBFF1AF06310F0085EAD854AB251D7B54941DB41

Function 09EF8841 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634008ffb0549a8d1b5b715b13c31c7ccead75bcf2861d9a08b8ecad67fa672
Instruction ID: 774b17b3c9fafef7a2def6df77f8ec9dedffeb54583e373eb1258a0c8731a5a3
Opcode Fuzzy Hash: 1634008ffb0549a8d1b5b715b13c31c7ccead75bcf2861d9a08b8ecad67fa672
Instruction Fuzzy Hash: ABF0F230D182889FCB51CFB8C484688BFF0AF0A224B1482EAD818DB3A1D2749A04CF41

Function 09EF2958 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60c85aa95c88d22e862065f5c7fbffbbce4c1e8c3cf804d2bfa1f6dd3297532
Instruction ID: eff90befa26f8870cf7cf0b000b4e5774ef07e1e811d25e59906d670bf4fcd41
Opcode Fuzzy Hash: e60c85aa95c88d22e862065f5c7fbffbbce4c1e8c3cf804d2bfa1f6dd3297532
Instruction Fuzzy Hash: 81E06D36901214DFC720DF64E444984B334FF48322F1002E5E9268B2A2CB329E81CF50

Function 09EFAEF3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35430ab2ff754ae4f44f8ed05cf721a05b030f02bc5abe0c2013e9bf25c1919f
Instruction ID: 5aedb733ec308f3a7261f2bec0f702086a76834a5c6827f2e4dc10da64f3f7bd
Opcode Fuzzy Hash: 35430ab2ff754ae4f44f8ed05cf721a05b030f02bc5abe0c2013e9bf25c1919f
Instruction Fuzzy Hash: CFE09A3090A204CFCB24CFA0CC90AE9BB39FF0A301F18204AE50B6F296E7719D01CB00

Function 09EFA3F0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf49b49e1743247e06ac9744d4efe9e117ba8c5eef46e5ea20ecaa1801f0da43
Instruction ID: 642e20347d1275a043c445da78eb07120388f91994440e1f1f957b6b7f2796bb
Opcode Fuzzy Hash: cf49b49e1743247e06ac9744d4efe9e117ba8c5eef46e5ea20ecaa1801f0da43
Instruction Fuzzy Hash: 0FE0C970D00309DFCB44DFA8C4056ADBBB5BB44310F1085BAD814A3340D7719A91DF80

Function 09EF5F21 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53741911733baa1f2a2bff6a67be4274766ac034def2f1787a91aedfd9e28b26
Instruction ID: 75f91ecf224aa87edd4aea7e8ef3fb2f59a46150a4408d0add0852ae076ac1d2
Opcode Fuzzy Hash: 53741911733baa1f2a2bff6a67be4274766ac034def2f1787a91aedfd9e28b26
Instruction Fuzzy Hash: 69E08C719193C9CFDB01DBB8A8553AC7FF1AB46211F2402EAC548926A2E7B00E40DB42

Function 09EF8850 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7641543810ce40aa40b6d8bd182478dd66c0ee1dd5716a32fc592135350ce44
Instruction ID: bb3d3b6197d30dc127189c13aa626bd63475bbdf3e1ff18ac99b17d6970399f3
Opcode Fuzzy Hash: b7641543810ce40aa40b6d8bd182478dd66c0ee1dd5716a32fc592135350ce44
Instruction Fuzzy Hash: 68E09274E10248EFCB84DFA9D449A9CBBF4EF48614F0081EAD818D7360E674AA40CF41

Function 09EF2940 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa4edc215191b309f677ecc4b13a360f9bbc4385d4eb1e28a02c909594e9601
Instruction ID: 8f7152cd650bf489104c4787e9be2c6a99686fdc22f2124ad6f00f34feeda06e
Opcode Fuzzy Hash: 4aa4edc215191b309f677ecc4b13a360f9bbc4385d4eb1e28a02c909594e9601
Instruction Fuzzy Hash: 93E0EC36A01204DFC755DF64E554884B775FF89316B9001A6E6158B261C7329D50CB50

Function 09EF8620 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dbbae7b0054df4c3d3ed965c25fbb30e3d94fe2ece5496f0dfc8419c3adb04
Instruction ID: 5e657afe68c236cfe2a8c944cc7d42695a404329988ef957369d88e2492d4d94
Opcode Fuzzy Hash: b5dbbae7b0054df4c3d3ed965c25fbb30e3d94fe2ece5496f0dfc8419c3adb04
Instruction Fuzzy Hash: 24E0E270E00208EFCB84EFA9D44539CBBF4AB44200F0081AA8818A3350E6745A44CF81

Function 09EF5F30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7d63e7b328808ed67092adc785cb4d74c6f78f915bd19d24360dd07c29d0d
Instruction ID: 8ad1fa3204dce559571204d601c968b28562c987662d4d9122b2389a18ffb801
Opcode Fuzzy Hash: b9a7d63e7b328808ed67092adc785cb4d74c6f78f915bd19d24360dd07c29d0d
Instruction Fuzzy Hash: 25D0A93180134CDBCB04EFB8D80636DBBF4AB00200F1051EAD908932A0EB705F40DB81

Function 09EFA433 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa4d918b5227bc9722506a8aa2a39de53b36c4a33c603b78e0f0dc1d4b893f4
Instruction ID: aa9ce956e99667c4eb78cdc8d59be22211a8beb099d34c4289e0964cc303afd3
Opcode Fuzzy Hash: ffa4d918b5227bc9722506a8aa2a39de53b36c4a33c603b78e0f0dc1d4b893f4
Instruction Fuzzy Hash: B9D017304093C05FCB22EB68E85D798BF605F06215F0915D5E4888A0A2C6E19841DB12

Function 09EFA9CA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9a74d35aaf17c58a53c036b060892b8e039c82b187282c3f6b8f6510479188
Instruction ID: bce700adb6b3ec1c7d9d844f405578be0a4a6decb84b772ca3c3dd7d533bb2cf
Opcode Fuzzy Hash: ff9a74d35aaf17c58a53c036b060892b8e039c82b187282c3f6b8f6510479188
Instruction Fuzzy Hash: C9D09235946119CFDB20CB58EC80BD8BB79FB88319F0022EAD10DA7550D7712E95CF40

Function 09EFC2D2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2a68430ecf6858858f8c9ea4ec60cd6ec45dab126ff487bca5c4ac09e272c8
Instruction ID: 0e29baec13db1025cb2aa197e3763c4b734dbc420f2f10e4a9ceb1a9aa9764cf
Opcode Fuzzy Hash: de2a68430ecf6858858f8c9ea4ec60cd6ec45dab126ff487bca5c4ac09e272c8
Instruction Fuzzy Hash: 6ED0A77480820CCACB108F81C4611FA7764FB19360734334383BBC91D6C5214C428F61

Function 09EFA440 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7b9c0cb463c2cba047f7c5af965830c2cc27dbab3aea43df6e091701f9a940
Instruction ID: f852d66a95e470d35a02b35e70829a8be14314b92e6717ed21549d37719b0033
Opcode Fuzzy Hash: ae7b9c0cb463c2cba047f7c5af965830c2cc27dbab3aea43df6e091701f9a940
Instruction Fuzzy Hash: B4C08C300027448BC720BB95F80D724B26C5B04316F001060A60C841919AF0AC81CF52

Function 09EFAF65 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c8df4cf0949ee379577b0bb05bf0420bb26afe85361ba6e0e6737e97684f5
Instruction ID: c0b28ed9d39ef45379d67eab490265ed1095b55d55edf4521c631fdc107841b8
Opcode Fuzzy Hash: b05c8df4cf0949ee379577b0bb05bf0420bb26afe85361ba6e0e6737e97684f5
Instruction Fuzzy Hash: 9BC012B8D041488FCB04DFE5E0145ECFBF4FB98300B00902AD426AF2A8DA3018028F01

Function 09EF52B4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56db2782c8bf5270b6748a2e76bfba2da5bb18733471da8253bc47d376a4b86a
Instruction ID: 760839b478ff7fb0ad17a93102c15483561ad2778a78efb1c23a1495fa1a1c53
Opcode Fuzzy Hash: 56db2782c8bf5270b6748a2e76bfba2da5bb18733471da8253bc47d376a4b86a
Instruction Fuzzy Hash: 96B012F6154600F2B4042F6848A5A3F6C10EBB9B94B90FC8B3705040D1CC714D24D51F

Function 09EF74D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf77b1e78040e63d5c6419f1e1a2ae19e97727257510db7cef92be3d085b611
Instruction ID: 98e710ebe0395d67989a339d03efd7cc4235a368601d741d1a5e6b8d944e90d0
Opcode Fuzzy Hash: bdf77b1e78040e63d5c6419f1e1a2ae19e97727257510db7cef92be3d085b611
Instruction Fuzzy Hash: 04C02BD341CBC08FE3013230081A0013B100F332183B040D365004D0F7D4904829C763

Function 09EFC268 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c99b747a43cbb1d985b0a674cf3223ae00327f04521a875b1d5cb8d6952484
Instruction ID: 565a1b1f540b06929833dab6044359afce6504a50464dca81e088d44a4dadc6a
Opcode Fuzzy Hash: 79c99b747a43cbb1d985b0a674cf3223ae00327f04521a875b1d5cb8d6952484
Instruction Fuzzy Hash: 16B09231604220CFC325CB20C654EE87BBABB4A302F0414DAD20FDA262C731DC40CF00

Non-executed Functions

Function 09EF6910 Relevance: 6.5, Strings: 5, Instructions: 285COMMON

Download Yara Rule

Strings

nay, xrefs: 09EF6BF6
H4ux, xrefs: 09EF69E1
H4ux, xrefs: 09EF69DA
nay, xrefs: 09EF6BEC
H4ux, xrefs: 09EF69F8

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux$nay$nay
API String ID: 0-1200253175
Opcode ID: ae034bb77bb7400ef5f1591cbee6c8f80c37fb1024c1a9cd47f1917e15c857d9
Instruction ID: e3101ac541f3f4182eec0b820f63e1130a6bc2c92cca42eea3c42ace8187bc19
Opcode Fuzzy Hash: ae034bb77bb7400ef5f1591cbee6c8f80c37fb1024c1a9cd47f1917e15c857d9
Instruction Fuzzy Hash: 2FD12A70E15219CFDB14CFA9D990A9EFBB2FF88304F24A1AAD509AB255D7309D41CF50

Function 09EF3968 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

%O@8, xrefs: 09EF3AD2
%O@8, xrefs: 09EF3AC4
tQ=), xrefs: 09EF39FE
tQ=), xrefs: 09EF3A05

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: da5a6c3fc3c502c8cbc6e2f39fae74b8b877e242c28e2cb873fd7f457915d09f
Instruction ID: 7cf519f2cdb929d5814800b9f5c4bfddeb0626619a7c561bcc52c248e973ee8c
Opcode Fuzzy Hash: da5a6c3fc3c502c8cbc6e2f39fae74b8b877e242c28e2cb873fd7f457915d09f
Instruction Fuzzy Hash: 1271D074E0520A9FCB44CF99D58499EFBF1FF88390F14A56AE519AB324D730AA41CF50

Function 09EF4518 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

18', xrefs: 09EF4654
18', xrefs: 09EF4662
aY, xrefs: 09EF4709
aY, xrefs: 09EF4702

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: ecef35814d99bf18743e0725ef7f3bcce2026eeb5de1c26c9df16cf1c4b9512c
Instruction ID: d8d2c6190152eeffb4e009c02e8c37dfcdbb9d39f5beee412ded7163ed137fc0
Opcode Fuzzy Hash: ecef35814d99bf18743e0725ef7f3bcce2026eeb5de1c26c9df16cf1c4b9512c
Instruction Fuzzy Hash: 157113B4D0020ACFCB04DF99C5949AEFBB2FF88350F14951AD515AB3A4E330A982CF95

Function 09EF3959 Relevance: 3.9, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

%O@8, xrefs: 09EF3AD2
tQ=), xrefs: 09EF39FE
tQ=), xrefs: 09EF3A05

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: ce19c1a4395391c16b491f7c030812d53ff186119f74d60a472418249bcfec71
Instruction ID: 9365ac177b792fb18ffabe3197862523f429a1b0aeb895ee3770df85c03941b8
Opcode Fuzzy Hash: ce19c1a4395391c16b491f7c030812d53ff186119f74d60a472418249bcfec71
Instruction Fuzzy Hash: EC710274E0520A9FCB48CFA9D58499EFBF1FF89390F14A556E419AB324D730AA41CF50

Function 09EF5030 Relevance: 3.9, Strings: 3, Instructions: 115COMMON

Download Yara Rule

Strings

,uRR, xrefs: 09EF5118
6yu[, xrefs: 09EF5196
6yu[, xrefs: 09EF518F

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: 2b79c74e84661e71b9ecb775f81366d5239f3725804f5ca22c12829557c61e98
Instruction ID: 665ce3dca38e00240e6451744472fc3c860657423d80a03d76a78802db66413d
Opcode Fuzzy Hash: 2b79c74e84661e71b9ecb775f81366d5239f3725804f5ca22c12829557c61e98
Instruction Fuzzy Hash: 2E4127B1E0560ADFCB04CFAAC5815EEFBF2EF89340F24E06AD505B7255D7309A418B95

Function 09EF5040 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

,uRR, xrefs: 09EF5118
6yu[, xrefs: 09EF5196
6yu[, xrefs: 09EF518F

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: f9cb99065ce2f4adb958eef89d07dd5ea7ccdf3c8b1c9eed9ae6d7673df4670d
Instruction ID: feb19aa3f31f2bdba38645a8399207d136313998a3f0de16ed2333c7ac025187
Opcode Fuzzy Hash: f9cb99065ce2f4adb958eef89d07dd5ea7ccdf3c8b1c9eed9ae6d7673df4670d
Instruction Fuzzy Hash: F44115B1E0560ADFCB04CFAAC5805EEFBF2BF89340F20E06AD505B7254D7309A428B95

Function 09EF7F70 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

9u"K, xrefs: 09EF801B
Zjsq, xrefs: 09EF801E

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 03a97663018537124a8f475bcd83cc44190a4404e540e9c73b99c72c2e78b46b
Instruction ID: d5b7867930fbd4100d5aeeedad9ade0156248106605764c726a92750bea8129c
Opcode Fuzzy Hash: 03a97663018537124a8f475bcd83cc44190a4404e540e9c73b99c72c2e78b46b
Instruction Fuzzy Hash: B8C1F371E05619DFDB08CFAAD59059EFBF2BF88310F14E52AD41AAB228D7349942CF10

Function 09EF7F60 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

9u"K, xrefs: 09EF801B
Zjsq, xrefs: 09EF801E

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: a41378af9939a47a3b314565c59630b48f6d912ad68d6093b6eecb07ca5c368a
Instruction ID: eaa1ef86d1ea930d78fe93fe31ef9236bda9492e86c430077923b950adb4ff0f
Opcode Fuzzy Hash: a41378af9939a47a3b314565c59630b48f6d912ad68d6093b6eecb07ca5c368a
Instruction Fuzzy Hash: DAC10471E05619CFDB08CFAAD59059EFBF2BF88310F14E52AD41AAB268D7309942CF10

Function 09EF4508 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

18', xrefs: 09EF4662
aY, xrefs: 09EF4709

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 18'$aY
API String ID: 0-535677718
Opcode ID: ac9a8334ea2eef0d5ffaea35e28f67892b463cfa8cede1da3e2bac6029cf1eac
Instruction ID: f5236bf0940e460531157226886f8183a15dacdefc74b217b29f10ea189410ba
Opcode Fuzzy Hash: ac9a8334ea2eef0d5ffaea35e28f67892b463cfa8cede1da3e2bac6029cf1eac
Instruction Fuzzy Hash: C86117B4E0020ACFCB04DFA9C4949AEFBF1BF89350F149556D515AB3A4E334A982CF91

Function 01585250 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

LgT, xrefs: 015853A0
LgT, xrefs: 01585399

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: LgT$LgT
API String ID: 0-3880111843
Opcode ID: d2bbb50cc442d88af1598d48f5b6ee756ca0c4705ba92ed3ebdeea39cbd74769
Instruction ID: 2460c72ebac62dd9956491a3d67c495171d44e7a631acf1d46f59bfccd2f5a51
Opcode Fuzzy Hash: d2bbb50cc442d88af1598d48f5b6ee756ca0c4705ba92ed3ebdeea39cbd74769
Instruction Fuzzy Hash: 976105B0E1421ADFDB05DFA9C4816AEFBF1FF89300F14856AD455BB214E7349A428F91

Function 015857F8 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

Z@u, xrefs: 01585969
;I6k, xrefs: 01585952

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: ;I6k$Z@u
API String ID: 0-768051001
Opcode ID: 4aa7c56f5427cef9237a30e4d3bfecc781041853aa41d11cfd57444a14025a7d
Instruction ID: f8cba410143eac78f236beeb1c5cfca70f495d920d350daf931f8db24eb52de9
Opcode Fuzzy Hash: 4aa7c56f5427cef9237a30e4d3bfecc781041853aa41d11cfd57444a14025a7d
Instruction Fuzzy Hash: BD51E374E152098FCB08CFAAC5819DEBBF2FF89210F64946AD415BB324E7349A41CF64

Function 01585808 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

Z@u, xrefs: 01585969
Z@u, xrefs: 01585962

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: Z@u$Z@u
API String ID: 0-1701268636
Opcode ID: adb3416828893298176b347fb54a087321f18526f98d2c940f702b87d223d37a
Instruction ID: e9a2ec3a2d85ac6587959c294fff33dfe4650cc574c5fd6bec837c5bc548ed3d
Opcode Fuzzy Hash: adb3416828893298176b347fb54a087321f18526f98d2c940f702b87d223d37a
Instruction Fuzzy Hash: C251D374E216198FCB04DFAAC5809DEBBF2FF88210F64942AD415BB324E7309A41CF65

Function 01585A09 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

@Z&7, xrefs: 01585AD3
@Z&7, xrefs: 01585ACC

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: @Z&7$@Z&7
API String ID: 0-4235370400
Opcode ID: 5121bc897653ceeb123f3b942cb2ad535128cb4180b673f24a7cae3a3c953991
Instruction ID: 99a2c3c6f9ae682f8be25d6610c6930cc049e4ccb6d09df784ee112965a061a4
Opcode Fuzzy Hash: 5121bc897653ceeb123f3b942cb2ad535128cb4180b673f24a7cae3a3c953991
Instruction Fuzzy Hash: 6D41F6B1E1560ADFCB04DFA9C5915AEFBF2FF88300F24C46AC405BB214E7749A458B95

Function 01585A18 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

@Z&7, xrefs: 01585AD3
@Z&7, xrefs: 01585ACC

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: @Z&7$@Z&7
API String ID: 0-4235370400
Opcode ID: 5d22512d57ec51a1e148768908756838cfb3dfc969ad34ca8c820965f203eabd
Instruction ID: 7a16273285a5a319a260fc6541242947bc8d26a7fd42e95181616ff26d1ed5df
Opcode Fuzzy Hash: 5d22512d57ec51a1e148768908756838cfb3dfc969ad34ca8c820965f203eabd
Instruction Fuzzy Hash: 9441F7B1E1520ADFCB04DFAAC5815AEFBF2FF88300F24C46AC505BB214E7749A418B95

Function 01585659 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

7rx, xrefs: 01585713
?>N, xrefs: 01585727

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 7rx$?>N
API String ID: 0-3151033331
Opcode ID: 0a12090a3aed76838d669c349d1d611dbda65a36bdefaa4f231d1d2a0495b741
Instruction ID: 0e91cf00e3656df65046db518243e46d958cf2c49bca14a000a8d37ff8fd9ffc
Opcode Fuzzy Hash: 0a12090a3aed76838d669c349d1d611dbda65a36bdefaa4f231d1d2a0495b741
Instruction Fuzzy Hash: BF41E6B0E1520A8FDB44DFAAC5805AEFBF2FF88344F14D96AC415BB254E3349A418F95

Function 01585668 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

7rx, xrefs: 01585713
?>N, xrefs: 01585727

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 7rx$?>N
API String ID: 0-3151033331
Opcode ID: 9f0369bf4a41523592762e98361fb75423cc1400cb4371008592225a42212ea7
Instruction ID: 5600accdab7f9e90ed16fd812c84a0ace4520e65dfcde61d278f3765986248dc
Opcode Fuzzy Hash: 9f0369bf4a41523592762e98361fb75423cc1400cb4371008592225a42212ea7
Instruction Fuzzy Hash: 1B4118B0D1160ACBDB44DFAAC5805AEFBF2BF88344F24D86AC415BB214E7349A418F95

Function 09EFF1B8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

$!:, xrefs: 09EFF386

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: $!:
API String ID: 0-4075289797
Opcode ID: d3149606f4990c0889b52b6fee02cfad224e3b50c1c883be21ce1afb9a21660d
Instruction ID: c5a4f0a6fb783291399abcd4e6c2db1322994f440bef0c3d4cb869998fff05f2
Opcode Fuzzy Hash: d3149606f4990c0889b52b6fee02cfad224e3b50c1c883be21ce1afb9a21660d
Instruction Fuzzy Hash: BAE10A74E042598FDB14CFA9C590AAEBBF2FF89304F24866AD514A7355D730AD82CF60

Function 0A3902A0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

L/:, xrefs: 0A39046B

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: L/:
API String ID: 0-116067875
Opcode ID: 077de24c9bb0e683b1887d4a0a197703dee06506f1dbbf3759259414618687b8
Instruction ID: e5e990e568df5fb95f090eb05efe008c8b7ed7a0445ed6f2d9fa2f7f76fe672a
Opcode Fuzzy Hash: 077de24c9bb0e683b1887d4a0a197703dee06506f1dbbf3759259414618687b8
Instruction Fuzzy Hash: A3E1F874E142598FDB14DFA9C580AAEBBF2FF89304F248269D454AB355D730AD82CF60

Function 01584F60 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

BT/,, xrefs: 01584FB2

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: BT/,
API String ID: 0-1529388360
Opcode ID: 81c104a808c919b345fe9a8a38b625532149be2938edd926b8a64c21f24de236
Instruction ID: 1cfb5a160106b8c9225383af79dd1eb7dfda0eddfd06c0bdc12326ddd50be389
Opcode Fuzzy Hash: 81c104a808c919b345fe9a8a38b625532149be2938edd926b8a64c21f24de236
Instruction Fuzzy Hash: 0571C4B4E1120ADFCB04DF99D584AAEFBB2BF88310F14855AD815BB314D334A942CFA4

Function 01584F50 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

BT/,, xrefs: 01584FB2

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: BT/,
API String ID: 0-1529388360
Opcode ID: eb3d0ca7c2c262e5eef8232236fe3fa4973749a6d245ad4909c36fdcf4bf4eb9
Instruction ID: 6b7526c81bae88797952b76fb4ce91c7941458003e3c7d79cf3fd1a8530d49a2
Opcode Fuzzy Hash: eb3d0ca7c2c262e5eef8232236fe3fa4973749a6d245ad4909c36fdcf4bf4eb9
Instruction Fuzzy Hash: 1C61E674E1420ADFCB04DF99C484AAEFBB2BF88250F14855AD815BB315D7349982CFA4

Function 0A390B00 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

3:, xrefs: 0A390B00

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 3:
API String ID: 0-470857148
Opcode ID: 64b40394a943cc29a3344e2c83030135b576a392ee7ab5f6b7c5447fc16903f6
Instruction ID: f86228c3ba5901f82075783fbededd6f479cdc853d95abb7ef33415359468c21
Opcode Fuzzy Hash: 64b40394a943cc29a3344e2c83030135b576a392ee7ab5f6b7c5447fc16903f6
Instruction Fuzzy Hash: 83510870E102598FDB18CFA9C5805AEBBF2FF89304F2481A9D458AB256D7319D82CF61

Function 01584200 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

:!), xrefs: 0158435D

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: :!)
API String ID: 0-1099663795
Opcode ID: 0528d676930e367e647d047a0c073ab24df830293f60f6430fd4f15582bb52a7
Instruction ID: e963463908e0a221ab0bb8b8255338c7e5af221cd94c4034393c0ee1165f2dc5
Opcode Fuzzy Hash: 0528d676930e367e647d047a0c073ab24df830293f60f6430fd4f15582bb52a7
Instruction Fuzzy Hash: B5411D70E0911A9FDB04DFA9C54069EFBB2FF85240F24D5A9C816BB219D7349A81CF91

Function 01584210 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

:!), xrefs: 0158435D

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: :!)
API String ID: 0-1099663795
Opcode ID: dc9c7516b43fab03f859c69322007fede734b90450b4e398dc44644995b9c242
Instruction ID: e3302e8828e406871c28f8218a3143a45556ef57ac7f1380b2af0ed24880959e
Opcode Fuzzy Hash: dc9c7516b43fab03f859c69322007fede734b90450b4e398dc44644995b9c242
Instruction Fuzzy Hash: 08411D70D0911ADFDB04EFA9C54069EFBB2FF85200F24D569C916BB218D7349A81CF95

Function 09EF5CB1 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

i#)6, xrefs: 09EF5D51

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: b59bfb4ce6ea05285a9fc0877960361c290ed9891e32712c6de70c58a7184677
Instruction ID: c0bfe0ba02194882ed2024ba77921794071581c1fa638b3e621f99395f291eb6
Opcode Fuzzy Hash: b59bfb4ce6ea05285a9fc0877960361c290ed9891e32712c6de70c58a7184677
Instruction Fuzzy Hash: E3415CB0E1620ADFCB08CFA6C5457AFFBF1AF95340F20A86AD105B7254D7349B408B95

Function 09EF5CC0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 09EF5D51

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: a932f9578c72b25170cf6c7bbfd1ca4e8355901156eb3fd538df16af6368e7bc
Instruction ID: 12cdb6ba99229bd48f406d6ca8a959dd395bb26e9907ff2c3addf4d86de1147a
Opcode Fuzzy Hash: a932f9578c72b25170cf6c7bbfd1ca4e8355901156eb3fd538df16af6368e7bc
Instruction Fuzzy Hash: B7411AB0E1620ADBCB08CFA6C5456AFFBF1AF95340F20E42AD106B7254D7349A458B95

Function 0A390B10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed94322e7a16aff6370bb1b311d5addb7f18a5f04a18ba1571a170a5833ee0df
Instruction ID: b0310e5757971c062d5e87e812f2272ba73364a83bca6e651299e9d5290b6c25
Opcode Fuzzy Hash: ed94322e7a16aff6370bb1b311d5addb7f18a5f04a18ba1571a170a5833ee0df
Instruction Fuzzy Hash: A6E1E974E102598FDB14CFA9C590AAEBBF2FF49304F248169D459AB355D730AD82CF60

Function 0A3906D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179240459.000000000A390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a390000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc92e80420cde6e0094c9bfed4de09a5b1087133edd7b428079f9649bcbda217
Instruction ID: 43ec33ebe11773e473a19cecefcf132e703c46ea360ee21138b934004488d7c0
Opcode Fuzzy Hash: dc92e80420cde6e0094c9bfed4de09a5b1087133edd7b428079f9649bcbda217
Instruction Fuzzy Hash: C8E1F974E142598FDB14CFA9C580AAEBBF2FF89304F248169D414A7355D770AD82CFA1

Function 09EF1711 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff5d48301f886f63dbefee6088733d2a8f34a7e92d9dfe1a256f996ae568ede
Instruction ID: 8fb7a8a98c01fa6986ecf69edc8d2e78be30e5c24c43bd89786b50d89ad89d62
Opcode Fuzzy Hash: 7ff5d48301f886f63dbefee6088733d2a8f34a7e92d9dfe1a256f996ae568ede
Instruction Fuzzy Hash: 38713475E0524ADFCB08CF99C5A0AEEFBB2FB89350F14952AD506A7354C334AA41CF90

Function 01584400 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86e1f7ac6e821e236eab7a06e7f708d528ac18313b4fddf4db54d4c704dfd58
Instruction ID: 754c33e3e544ffb823cc37aaa3f9cecf566e0aebcae5be0d4174f6964c34f501
Opcode Fuzzy Hash: e86e1f7ac6e821e236eab7a06e7f708d528ac18313b4fddf4db54d4c704dfd58
Instruction Fuzzy Hash: A371D074E1121A9FCB44CFA9D48499EFBF1FF89310F14856AE815AB325D734AA41CF50

Function 09EF1720 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc2e66bb69f545a4617dc188ad082daef29e3021053da53787226833fff1bc7
Instruction ID: 3190d5a20b4f0c585148153c41ac5ae876cad9f4312008117f5640516acba32f
Opcode Fuzzy Hash: 8bc2e66bb69f545a4617dc188ad082daef29e3021053da53787226833fff1bc7
Instruction Fuzzy Hash: 62710374E0520EDFCB08CF99C590AEEFBB2FB89350F14952AE519A7354D334AA418F94

Function 01584410 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170596551.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77e83044283f9f2106164a9581492ecf874d6231c5d7371d70203ce4e898285
Instruction ID: 675fca3cf74965b78a1df8a0eae96cca27ec3af4051b1ceaf622e68642c38338
Opcode Fuzzy Hash: a77e83044283f9f2106164a9581492ecf874d6231c5d7371d70203ce4e898285
Instruction Fuzzy Hash: 8971C074E1121A9FCB48CF99D484A9EFBF1FF89310F14856AE819AB224D734AA41CF50

Function 09EF4DC8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb170f2787b963ec87b452b0506b25500077f20764175a368693e21577774db
Instruction ID: ded731ff998db499d5e61c6f65409114f74c3ab875341fda6e4bd58c14f7f1e7
Opcode Fuzzy Hash: abb170f2787b963ec87b452b0506b25500077f20764175a368693e21577774db
Instruction Fuzzy Hash: 84711275E052098FCB14CFA9C5849DEFBF2FF88310F24A42AD605BB364E7349A418B64

Function 09EF4DB8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36947a3b7e255d5a90e0e083b4bbc7a165cfba14e280ce3efd32e11a2827d55c
Instruction ID: ee0b08675ae371ae84f31a345b3f7db2f0fc69e7b7448c3179bfe6dd5c549fca
Opcode Fuzzy Hash: 36947a3b7e255d5a90e0e083b4bbc7a165cfba14e280ce3efd32e11a2827d55c
Instruction Fuzzy Hash: A6612374E052098FCB14CFA9C5849DEFBF2FF89310F24A46AD505BB2A4E3349A418B64

Function 09EF6460 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1a4375bc386b5d4faca5394caa1ecdfba81ebb0004f94a3dc6275a01656609
Instruction ID: 16d12477455d7dbd77f57fbe2371baa6d745ea950d10edd84cd697b00ac38c7c
Opcode Fuzzy Hash: 5c1a4375bc386b5d4faca5394caa1ecdfba81ebb0004f94a3dc6275a01656609
Instruction Fuzzy Hash: 30510574D0561DCFCF04CFA6C4502EEFAF2FB89741F10A42AC616B6254D7389A018F69

Function 09EF6451 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6beaa34d1f445046581c24d06df97f58a9d59410eaa543c21ae6bd864ce4fb2
Instruction ID: d352c673dea70aabb2aa7dfbadfd269acc4d22e5f88c966fd3db480444c76b8e
Opcode Fuzzy Hash: d6beaa34d1f445046581c24d06df97f58a9d59410eaa543c21ae6bd864ce4fb2
Instruction Fuzzy Hash: 6F512970D09219CFCF04CFA6C4502EEFBF2BF89741F14A46AC116B6254D3788A028F65

Function 09EF4B98 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0d3c5178e92b2724e7cdc0146efac2b1f92b31eeca076cca0d451495fe641a
Instruction ID: ab75129fc2958fb106d8d5c7d95731ef86eb8f39d8a328d44ee17d0df1fa33c2
Opcode Fuzzy Hash: be0d3c5178e92b2724e7cdc0146efac2b1f92b31eeca076cca0d451495fe641a
Instruction Fuzzy Hash: 52414A70D0424A8FDB04CFAAC4906EEFBF2BF89310F14D0AAC515A7265E7345A41CF51

Function 09EF4BA8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75885e53b190f0b223c392f3588467161e9154da30fac900332366febb7ac370
Instruction ID: c5ab5f70716429f353c7c13da77a958baa77e7e25a68c4a60f821d6c0011cfdf
Opcode Fuzzy Hash: 75885e53b190f0b223c392f3588467161e9154da30fac900332366febb7ac370
Instruction Fuzzy Hash: A64108B0D0520A9BDB04CFAAC5956EEFBF2BF88340F20D06AC516B7254E7349A418F94

Function 09EF0021 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179103681.0000000009EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ef0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff76ccdfba7edcdffb1743f6ed99ccbdec503100afc53e02822893675fb7ce0
Instruction ID: 393425228cea2ac5f43063fed2f98d813cdaaac63d321293db1ae950727e028b
Opcode Fuzzy Hash: fff76ccdfba7edcdffb1743f6ed99ccbdec503100afc53e02822893675fb7ce0
Instruction Fuzzy Hash: 1021EC71E057588FEB19CFAB985079EFBF3AFC9200F09C1BAC858A6265DB7409458F11

Analysis Process: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exePID: 2620, Parent PID: 4924COMMON

Executed Functions

Function 0150C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0150F910

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 07143ebb0b8c0a405ce87d47679ada8c8349cc35649c80721fc459435dcaa102
Instruction ID: ad65c2da67bb795312e6648ac1b4781662738e5ac0b31508bb95b514e12702ce
Opcode Fuzzy Hash: 07143ebb0b8c0a405ce87d47679ada8c8349cc35649c80721fc459435dcaa102
Instruction Fuzzy Hash: 7E73F531C1075A8EDB11EFA8C844A9DF7B1FF99300F15D69AE4486B261EB70AAC5CF41

Function 05CEBC60 Relevance: .9, Instructions: 904COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2222a8bb775901399ac930c22491d6048e459873aae92a1e8ea22524daf089
Instruction ID: 6d1fcf9cb8b71f7364b3cdd37e49300c0d969c7f1b661dfc151822018c91104a
Opcode Fuzzy Hash: ef2222a8bb775901399ac930c22491d6048e459873aae92a1e8ea22524daf089
Instruction Fuzzy Hash: 4A824935A04209DFCB15CF68C984EAEBBF2FF89314F158959E506AB2A1D734ED41CB90

Function 05CEAF00 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb5303d7cbb4e09b15c0702158cd2605e6da1a9fe13c4a419e859236809f6cf
Instruction ID: 8384fa05a0e5c35b32983e82473c3be31f9950cb5aa99c6b95f080033570f318
Opcode Fuzzy Hash: 9fb5303d7cbb4e09b15c0702158cd2605e6da1a9fe13c4a419e859236809f6cf
Instruction Fuzzy Hash: EF725D70A002199FDB14DFA9D884ABEBBF6FF88304F148569E405AB3A5DB34DD41CB90

Function 015019B8 Relevance: .8, Instructions: 845COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aac1bc9625f67ad88399a597f6e529a3b318b297a8b8476a45308ffb4b9efe8
Instruction ID: d1a6306dbac3c5e6484e73194bc7c48ffbf423202b991d546d8df311d18bae84
Opcode Fuzzy Hash: 2aac1bc9625f67ad88399a597f6e529a3b318b297a8b8476a45308ffb4b9efe8
Instruction Fuzzy Hash: 98623AB14983939FC7A28FA18848D97BFEDEBD1330719859DE0C48A152D7BD48C6CB61

Function 05CE89E0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d431761b54d1a2614c19ce217ce385280c79f94db187b9dfbeb8b997cc564620
Instruction ID: 3f0f89b4f4e733115ee19386a6536c6d8669f76d41d42acc5c8cffcfc33217ac
Opcode Fuzzy Hash: d431761b54d1a2614c19ce217ce385280c79f94db187b9dfbeb8b997cc564620
Instruction Fuzzy Hash: DA826974E01268DFDB64DF69D898BDDBBB2BB89300F1081EA940DA7265DB745E81CF40

Function 01502DD1 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f9b329631f4cfe0dd81bb31d827cfa9a0775cf8268ab22e6790b4f4f84a022
Instruction ID: 9b9fbfb59e443ce1a324323392c5ee02820327f12de86da968525055190f83fe
Opcode Fuzzy Hash: 71f9b329631f4cfe0dd81bb31d827cfa9a0775cf8268ab22e6790b4f4f84a022
Instruction Fuzzy Hash: 1791C530B012599FDB59DBB5945827FBBF3BFC8710B05886EE406EB288DE358C028791

Function 01509480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479343f5074b9985f98fb295b47a58b0e7440d5616b3dbe25354b6026bedc7d3
Instruction ID: f34565105c20d576f107661351ce5216fae029f8df96cfaaa1361f5d37908461
Opcode Fuzzy Hash: 479343f5074b9985f98fb295b47a58b0e7440d5616b3dbe25354b6026bedc7d3
Instruction Fuzzy Hash: 65C19F74E01218CFDB15DFA5D994B9DBBB2BF88300F2081A9D809AB355DB395E85CF50

Function 0150C521 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81ef32393b861a61f4368b45302d4477b780294176523a2d82eac8feb91abe8
Instruction ID: 539e9213d7dab13fbffb21417ffe72c4e0a47822e3372376a5ec9b722d57b311
Opcode Fuzzy Hash: a81ef32393b861a61f4368b45302d4477b780294176523a2d82eac8feb91abe8
Instruction Fuzzy Hash: E7A11471D0065A8FDB15DFA9C844B9DFBB1FF8A300F14C6AAD4486B261EB709A85CF41

Function 01509A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42142f8cd19b9cccd935c528a7a55ba5574743578974ab488aa0a3ed6704c6b0
Instruction ID: 4d456ae182ede8657673e3c368b23366815a612c4fd9b3731c1ba7e50fd5243a
Opcode Fuzzy Hash: 42142f8cd19b9cccd935c528a7a55ba5574743578974ab488aa0a3ed6704c6b0
Instruction Fuzzy Hash: 83A11670D00219CFEB14DFA9C9487DDBBB1FF88314F208269E408AB2A6DB749985CF54

Function 01509A30 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c77f0ab7e58fca8270b3e43b948d4ac4827d843889d24388846e66a04783356
Instruction ID: b6ac108624d0a4082ce2d08ac971ff91b5050a16b98cacc8dd992bedbb401aeb
Opcode Fuzzy Hash: 5c77f0ab7e58fca8270b3e43b948d4ac4827d843889d24388846e66a04783356
Instruction Fuzzy Hash: 76A11870D00219CFEB14DFA9C9887DDBBB1FF89314F208269E408AB2A5DB749985CF54

Function 01509D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0d109925f03fe0827981139aa3e89453bbc232b37f16e4937984c3f5cb0ef5
Instruction ID: b2c9f2f48990080b4802bd042ce0a8ecaa57ee53e07b3810dcc732bbfa24c5d8
Opcode Fuzzy Hash: fb0d109925f03fe0827981139aa3e89453bbc232b37f16e4937984c3f5cb0ef5
Instruction Fuzzy Hash: 5391F470D00618CFEB11DFA8C588BDDBBB1FF49314F248269E409AB2A6DB759985CF14

Function 05CE6138 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074ec6ce9d28152a074d7c21131ec339dce7cb578ff0241e337acbbaaac5fee0
Instruction ID: a8a0c33764730e44deca1e49a94ff472b411be1723f79fe316414d085a9ddd8a
Opcode Fuzzy Hash: 074ec6ce9d28152a074d7c21131ec339dce7cb578ff0241e337acbbaaac5fee0
Instruction Fuzzy Hash: B981E174E00218CFDB58DFAAD894BADBBF2BF89304F20846AD419AB354DB345985CF50

Function 0150946F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb24588a6bba398259b10a86a3d606528664b2182ba31914448c650ea1b1a12
Instruction ID: b32bb4ce2fc4b59bdc72d49f433dfa1000425eb3d04c7ab135f82ca2e7566c2f
Opcode Fuzzy Hash: edb24588a6bba398259b10a86a3d606528664b2182ba31914448c650ea1b1a12
Instruction Fuzzy Hash: FB41C374D01248CBEB18CFEAD84469DFBB2BF89300F24C12AD419AB399EB394945CF50

Function 0150AD3D Relevance: 1.8, Strings: 1, Instructions: 516COMMON

Download Yara Rule

Strings

, xrefs: 0150B015

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7b47dafb31fa324d533159365e45c01ff996589930e9a554136218131173ef2b
Instruction ID: b6ba2ef02e550eea3c943f8867b179c56507e3e75595e19ce44ed9f79d8b83ae
Opcode Fuzzy Hash: 7b47dafb31fa324d533159365e45c01ff996589930e9a554136218131173ef2b
Instruction Fuzzy Hash: 1B81D3347106008FDB16AFB8D8A966E7FB6BFC9620B14856AE516DB3D1CF349C01CB61

Function 0150AF78 Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

, xrefs: 0150B065

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f696fc3917713a0a9e235ea4f56d08be650924e14f6900e69451ac85c37cd39
Instruction ID: fe1978cdb4c319a2ccf85846297a2dad8de520f72b9014e25f0ab51522a314f9
Opcode Fuzzy Hash: 8f696fc3917713a0a9e235ea4f56d08be650924e14f6900e69451ac85c37cd39
Instruction Fuzzy Hash: E7B1E4347006049FDB26AFB8E89466E7FA6FFC5660F14852AE5269B3D1CF358C01C761

Function 05CE67A0 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

6T5:, xrefs: 05CE6E92

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 6T5:
API String ID: 0-4220314889
Opcode ID: 29881051e02f122606884032e91afc7c65992732e4f94b92929c6d5d41940806
Instruction ID: 723802994af634a1ce9e19e77b6f6f3c6409195e51296b2a0dbc7310305fc602
Opcode Fuzzy Hash: 29881051e02f122606884032e91afc7c65992732e4f94b92929c6d5d41940806
Instruction Fuzzy Hash: 3D1156B280020ADFCB10CF99D845BEEBFF4EF58320F148419E614A7250C379A990CFA0

Function 05CE6E70 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

6T5:, xrefs: 05CE6E92

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID: 6T5:
API String ID: 0-4220314889
Opcode ID: 185ee035c3591bb59ad0776d6dc2c35a189268478efa2909c5783ba8e969ba12
Instruction ID: f302471f30cd8c3f958ae0db7231e33be9c66aacb9ea69db6a22b6c0cedbfce3
Opcode Fuzzy Hash: 185ee035c3591bb59ad0776d6dc2c35a189268478efa2909c5783ba8e969ba12
Instruction Fuzzy Hash: 411123B680024AEFDB10CF99D945BDEBFF4EF58320F14841AE618A7250C779A590DFA1

Function 05CECD28 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7f3c6b7de68a0a96061887d7536866fb64c75f244bf5ab02bf566cec4495ac
Instruction ID: 0006b001304d79821afb0ce18490ea8dd8973f5882acc9eda64440a4cb856402
Opcode Fuzzy Hash: ae7f3c6b7de68a0a96061887d7536866fb64c75f244bf5ab02bf566cec4495ac
Instruction Fuzzy Hash: 10721F74A00219CFEB15DBA9C850B9EBFB6FF95300F1080ADD20A6B3A5DE359D85CB51

Function 05CEDA68 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dc2a8dd004a3cb0b8bea8267455d0dc78756752aaf44ba779c4cd6f887b04f
Instruction ID: f183bb70b705b3659217e4f342cc996cdbc04d2b31c61a8dfe540408dc995efa
Opcode Fuzzy Hash: c3dc2a8dd004a3cb0b8bea8267455d0dc78756752aaf44ba779c4cd6f887b04f
Instruction Fuzzy Hash: 78F12D75A00215CFCB14CF69C8889ADBBF2FF89311B1A84A9E516AB361DB74ED41CB50

Function 0150B500 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ee9fcec8b299adf405e69f09dc26d5842ab3e12e7942027578e522994e29c7
Instruction ID: 9e3901b4069ff02cf38e7a740fc84e930c4cd4ef3ebdd3fd72a0c93a0ca132b3
Opcode Fuzzy Hash: b7ee9fcec8b299adf405e69f09dc26d5842ab3e12e7942027578e522994e29c7
Instruction Fuzzy Hash: D5D1B175B042048FDB16DBA8D890AAE7BB2BF89320F184569D505EF3E1DA31DC41CBA1

Function 05CEA620 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c6b9cb0bae758d9692d6e5c69a6edf36e2e3fd4fb711818541381e0f55045d
Instruction ID: c19bdf96211d0b24b43ce52de647a774aef6edbd68c68a9244d6a048245bb78d
Opcode Fuzzy Hash: f4c6b9cb0bae758d9692d6e5c69a6edf36e2e3fd4fb711818541381e0f55045d
Instruction Fuzzy Hash: 0CC1AD347042158FDB25AF69D898A7E7BF3BFC9600F158969E9068B395DB34CD02CB90

Function 05CEAAE0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de3348ddd87caea1b6061f17adbc5b00cd2c69d8493c8127538ef397b3e1999
Instruction ID: 763307e2303f02f5becba8e5ccb734ec6504c271d082c881e775a888900fb85d
Opcode Fuzzy Hash: 4de3348ddd87caea1b6061f17adbc5b00cd2c69d8493c8127538ef397b3e1999
Instruction Fuzzy Hash: 7681B135B04109CFCB14DF69CC8896ABBB2FF89304B1989A9D406EB365DB35ED41CB90

Function 0150BF80 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4de853fd542760fe724d379ccc0a64094acc642899e40196131ee2cb555d8e4
Instruction ID: 92c93e897deb69303946f5a7f23e1d7f89244479c2ecee416fabe836ff8bb539
Opcode Fuzzy Hash: f4de853fd542760fe724d379ccc0a64094acc642899e40196131ee2cb555d8e4
Instruction Fuzzy Hash: C1610476B002059FC715CEBDD894A6FBBF9FBCA320B14866AE559DB380D631D801C7A0

Function 05CE69E8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cfdf743b443cb7acff66fc894135d1e93c3b44465c4bebc3bb7cc49fcfea23
Instruction ID: 4986b48599cd1b0229f69524fb05dcfe27cb0228ca155044bbc7af1276ca10c9
Opcode Fuzzy Hash: 56cfdf743b443cb7acff66fc894135d1e93c3b44465c4bebc3bb7cc49fcfea23
Instruction Fuzzy Hash: 6771B331F102598BDB15EFB5D8506AEBBB2BFD5700F14452AE406A7380DF309D42CB91

Function 01500B29 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bee6be691a42268e6b9f524111ad5cb083094c27d6ebaf851be626eb8bba8c
Instruction ID: b3c2463188572b76d338cdbeb3cfa2e30ed2aedc544f3293daf86031a64398bb
Opcode Fuzzy Hash: 87bee6be691a42268e6b9f524111ad5cb083094c27d6ebaf851be626eb8bba8c
Instruction Fuzzy Hash: 63A19674E1120ACFCB04EFA8E984A9DBBB1FB88301B109569E505BB365DB7C6D05CF81

Function 01500B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e9c4ad4211eee2f6aa4ec77ccada692437caa508d4cd0f33ff2a908c3883f2
Instruction ID: 85ebc5891319cd8e921969118909fbc74c52c6cd95c39d7cd041d31ee64cfe72
Opcode Fuzzy Hash: 77e9c4ad4211eee2f6aa4ec77ccada692437caa508d4cd0f33ff2a908c3883f2
Instruction Fuzzy Hash: 0AA19674A1120ACFCB04EFA8E984A9DBBB1FB88301B109569E505BB365DB7C6D05CF81

Function 05CEC9D9 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209961a6b7c518bb54419aa9eb0a0bd5edf033f245b9c446b4d44033e112046e
Instruction ID: 27cc06ae7d27d49697ad25e89f42d14f5061cc286ff6a02091e0b26b84c83439
Opcode Fuzzy Hash: 209961a6b7c518bb54419aa9eb0a0bd5edf033f245b9c446b4d44033e112046e
Instruction Fuzzy Hash: 26518C317181559FCB14DF3ED885A6ABBEABF4964030548BAE516DB361EB70EC01CB60

Function 05CE89DD Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fce6754e631499b96096290ab6067903f0d40995c5262df24c7a036b7cf956
Instruction ID: ddde6e8d25d49985ab41305c0179120a5108d0b45d9f02a53604461a05de42a5
Opcode Fuzzy Hash: 84fce6754e631499b96096290ab6067903f0d40995c5262df24c7a036b7cf956
Instruction Fuzzy Hash: 0D819F74E01269DFDB65DF29D890BEDBBB2BB89300F1080EAD909A7254DB755E81CF40

Function 01503F78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ef2d8a0654e4bce88ad9dd5d3915c7713813ede7d4e13f9bcd89bd4960e3a7
Instruction ID: 8560d78e8954027a46d07ab05a7109f0523cb2ebfedf722dec41846b8213887a
Opcode Fuzzy Hash: 93ef2d8a0654e4bce88ad9dd5d3915c7713813ede7d4e13f9bcd89bd4960e3a7
Instruction Fuzzy Hash: 9451AE74E00208DFDB48DFAAD494A9DBBF2BF89310F148469E915BB364DB749942CF50

Function 01502C78 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af12e272e58ac99656d5a5a7bc1d5aaaaeda6e8986c93e2adb1818c7638ae5c6
Instruction ID: 744ed9975e25f459e457a14b041be825bb3e6309d108c0dfead23226b0a7f9c9
Opcode Fuzzy Hash: af12e272e58ac99656d5a5a7bc1d5aaaaeda6e8986c93e2adb1818c7638ae5c6
Instruction Fuzzy Hash: CC31C532B042159BDF1B4AF9989C27E6EE6BBD5200F18443ED906CB3D5DEB48C468761

Function 05CE69D8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64259e68a2dae6ad7a2a966befc7e4c6d68f94eaf8b5f4aa1c533778112b8725
Instruction ID: 5f6dfcecc479f8f03488423c4adf31618b2568cfdf5d5dc25d5bf7450274bbf1
Opcode Fuzzy Hash: 64259e68a2dae6ad7a2a966befc7e4c6d68f94eaf8b5f4aa1c533778112b8725
Instruction Fuzzy Hash: 07418331E1020A9BDB14DFA5D890AEEBBF5BF98700F248529E402B7340DB70AD85DB90

Function 01503158 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d799ebe2099b3d57ba5a1b3666c2ca8e9807dfaa6b3df5ab6555bccbf9940e6f
Instruction ID: 6adc3f40213ecae744afbec3b1dc707a8773696a2f1e51bcc069f08d7e5313c6
Opcode Fuzzy Hash: d799ebe2099b3d57ba5a1b3666c2ca8e9807dfaa6b3df5ab6555bccbf9940e6f
Instruction Fuzzy Hash: 11419175E01609DFCB49DFEAD88499DBBB2BF89300F249529E405BB364DB349842CF15

Function 05CEC7E8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26cbdc779ec3b958bfc7c52dd390acf474cf0d115999d2637118f8c4fd94ebb
Instruction ID: 8fa0fc17d2795503edc368c0624586066812fbd72e68f7f2d9f3d61d675589da
Opcode Fuzzy Hash: a26cbdc779ec3b958bfc7c52dd390acf474cf0d115999d2637118f8c4fd94ebb
Instruction Fuzzy Hash: 05413775604215DFCB24DF29C988AAA7BB6FB48710F110869FA06DB3A1CB71DE41CB91

Function 01503168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e1e942b3c671eb623c66ce4fd2e1093c2ca7886a2168c1f59a2f956d97130b
Instruction ID: 0f65ea025e7e7100d66bb69a3653f0b14e4ac7a39494865ced17e7b467941b4d
Opcode Fuzzy Hash: 06e1e942b3c671eb623c66ce4fd2e1093c2ca7886a2168c1f59a2f956d97130b
Instruction Fuzzy Hash: CD419D74E01209DFCB48DFEAD88499DBBB2BF89300F249529E805BB364DB359845CF55

Function 01509249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993f66973ceb53f99c0ab92ef661af8d7e3d179c2ddb4c48aec842e1dc6362b7
Instruction ID: 32eba6993b2833783dc27050fd3beba5bf421b26224fe59d80b6f1f550b1b058
Opcode Fuzzy Hash: 993f66973ceb53f99c0ab92ef661af8d7e3d179c2ddb4c48aec842e1dc6362b7
Instruction Fuzzy Hash: D631B87507728ACFD2002B61A5AE27ABFB0FB4F73374AAC09F14E905558F341484AEB4

Function 0150B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e93c85773e5f996c8b463eef69ba40d85f696c98c5b0d241fffc27d11fd7311
Instruction ID: 24445bd8e0844cab7171b662eb6c0b3d78a1334a1e1c356560feb67f4639ec8c
Opcode Fuzzy Hash: 4e93c85773e5f996c8b463eef69ba40d85f696c98c5b0d241fffc27d11fd7311
Instruction Fuzzy Hash: C931F535B002098FDB45DFA8C480E9DBBB2FF88220F195559E501AF3A5DB71ED81CBA0

Function 05CE9D48 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d8468879922b76b919071af0c72e360ace6d77edd535e426dc19b1b8799048
Instruction ID: bbe620f24b819f813fa242539d0debe589b49b966b1ca85a3616185de1b1e81a
Opcode Fuzzy Hash: 78d8468879922b76b919071af0c72e360ace6d77edd535e426dc19b1b8799048
Instruction Fuzzy Hash: 2731933130421A9FCF15AF69D854ABF3BB3FB59200F108429FA1697294CB39DE61CB90

Function 0150B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea4dc81b813adf5af18efb7004066d7273ba6d5974c923b2e9e5a45afccf565
Instruction ID: 9da41073014288fab4754468424c7564038270b203d949076b69423e84d0fb53
Opcode Fuzzy Hash: 7ea4dc81b813adf5af18efb7004066d7273ba6d5974c923b2e9e5a45afccf565
Instruction Fuzzy Hash: CB31F535B002098FDB45DBA8C480E9DBBB2FF88320F155558E601AF3A5DB71EC81CBA0

Function 05CECC09 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f770f98a9a1c92f78e4c5ca14bedbcbe9a0dfdca41c4db5880ba68ceab9abe
Instruction ID: ca12979437fc90592b5c4c30902ffbc4657aa04119573f9f4f527fb5544283e7
Opcode Fuzzy Hash: 05f770f98a9a1c92f78e4c5ca14bedbcbe9a0dfdca41c4db5880ba68ceab9abe
Instruction Fuzzy Hash: 8D2108313002124FDB25AB3AD455A3E3A97BFC96147148839E506DB399EF3ACD41A781

Function 05CECC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85683443905c16d9eb3465161bc74d0f6954ca12b8c9125032855880c40c7c01
Instruction ID: f67c2789d74cd8ec5cf8b592e8dd4573d93f29b7f03f7f0dec91537dcca1dd42
Opcode Fuzzy Hash: 85683443905c16d9eb3465161bc74d0f6954ca12b8c9125032855880c40c7c01
Instruction Fuzzy Hash: 8821D8303046154BDB246B3AD455B7E3A97BFC9714F248839D506DB398DE7ACD42D780

Function 0150BDE8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4745596073db1f5207c6970123dd791a8e582605eb6da9cbc71570752bc935f9
Instruction ID: d8e9b55d11770ff7f3167cd61175c06cd435907a9a2203f86ebd29fc8ca0fbd9
Opcode Fuzzy Hash: 4745596073db1f5207c6970123dd791a8e582605eb6da9cbc71570752bc935f9
Instruction Fuzzy Hash: 2D31A5347056099FCB05EFA9D890A6E7BB6FFC5210F148069D6058B3A5CF319D41CB90

Function 05CECB20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feebf7d99a9dc574bb2d6a9239b72c96ac4007c12318061bf07f91b789796381
Instruction ID: 1484b877d046edb9b0a812d75a4ac968045673b4dc84a428bd1db207fbd35ea8
Opcode Fuzzy Hash: feebf7d99a9dc574bb2d6a9239b72c96ac4007c12318061bf07f91b789796381
Instruction Fuzzy Hash: 712153317082999BD714CE7A9C80ABBBBEBFB89250B048836E912C7351DBF5DD41C760

Function 05CEDA58 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f06b5d26949c4d11f1b115160412fb84be526b2dfb4813d014af3a88f619e28
Instruction ID: d11750d9721e0a821729db4e8cbf64992c9916005860e053b6e4c5c6bad50345
Opcode Fuzzy Hash: 4f06b5d26949c4d11f1b115160412fb84be526b2dfb4813d014af3a88f619e28
Instruction Fuzzy Hash: 97318170B041098FCB04CF68C884AAEBBF3FF85310B158599E526A73A5D7709C42CB94

Function 015018C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2c4725c160d0c9ec3acdfb0a1bb57245c8870e360525465731c79cde438eef
Instruction ID: 0e098ba980d768b82024725c8560a7b230ffe266d63cae3bc8fc2046961f9b6c
Opcode Fuzzy Hash: 2b2c4725c160d0c9ec3acdfb0a1bb57245c8870e360525465731c79cde438eef
Instruction Fuzzy Hash: 4C21C131A0054A9FCB15DF68D4809AE77A5FFC9360B50C45DE80AAB380DB35EE46CBD2

Function 0150BC28 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d460547b3dbbed1058f6b63e889581012de21c7767b7a1e7f19fdce802f15ae
Instruction ID: af85e2bf644a5cdae00435bae8cf597c9f4bc85270c7960c72189f76ea6857dd
Opcode Fuzzy Hash: 4d460547b3dbbed1058f6b63e889581012de21c7767b7a1e7f19fdce802f15ae
Instruction Fuzzy Hash: 7E21DE397153864FCB1BA7B8982976D3FA6EFC6251B0944FAD609CF2D2DD358802C360

Function 014AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394288528.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14ad000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccdc84c47e19cafdd6e02d269a66d9e5886739075ea3c5d4afe1ee4cba6f400
Instruction ID: e75d448162b51903548d3407238bbaaedae3a9f26e796eeabccc2b8f0d71bc89
Opcode Fuzzy Hash: 5ccdc84c47e19cafdd6e02d269a66d9e5886739075ea3c5d4afe1ee4cba6f400
Instruction Fuzzy Hash: DE2167B1948200DFDB14DF54D9C0B26BB61FB94318F60C56ED90A0B762C376D447CA61

Function 014AD006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394288528.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14ad000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8055c7a27f5361a624c3805a635a51db1e0caf032d3d9a966f7405360b73014
Instruction ID: 79d5a595df7d843270837a73f430051b4c1a7c4df9cd7d98f72b20091c054859
Opcode Fuzzy Hash: a8055c7a27f5361a624c3805a635a51db1e0caf032d3d9a966f7405360b73014
Instruction Fuzzy Hash: 9D218B7544D3C09FCB03CF64D990711BF71AB46214F29C5DBD8898F6A3C23A980ACB62

Function 0150BD01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65cae4cbf60156d5b953cff6951f86d5ddafd0a83ebd8f5fef0717c5219ddc1
Instruction ID: 54fc2fe874471d6ea74380ea42d0d5d09827ab3916adb4c0e67b22f3e53d7890
Opcode Fuzzy Hash: e65cae4cbf60156d5b953cff6951f86d5ddafd0a83ebd8f5fef0717c5219ddc1
Instruction Fuzzy Hash: D0216D75A001099FCB44EFB9D855AAEBBF6FF88200F108469E115DB295DB309E01CBA0

Function 01500EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e909438e7f3c437b9674611aea26022dea63fbfd0c72ebd668e088448c45aa58
Instruction ID: d754cca0d4c3743b997760376591a0931f4eda89c5ccbe40d1cc13af8fa1633c
Opcode Fuzzy Hash: e909438e7f3c437b9674611aea26022dea63fbfd0c72ebd668e088448c45aa58
Instruction Fuzzy Hash: FD213D70A00209DBDB09EFB9C4407AEBBB6FB99308F54C46E95146B3D4DBB89945CF81

Function 05CE6BC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9faeb13d63c536a386c03ac9f7cbadc0d36591d3a303cb627a7abadac804789
Instruction ID: 67cb578a3d0ccb8ea070e20b3966ec318e0af1a28ebb2889df3e4615f7f56975
Opcode Fuzzy Hash: a9faeb13d63c536a386c03ac9f7cbadc0d36591d3a303cb627a7abadac804789
Instruction Fuzzy Hash: A01104363083915FDB4AAF7858142AE7FB3AFDA210B04446AD606DB391CF344C06D7A6

Function 05CEB518 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75325122251061ff34cbfa25bea7f0407a34a5b4f65575248dfc76c056184698
Instruction ID: a48f8f753a7ab5478ea56f375cb5e82a06aeb0a451523a205938ba429ce1c856
Opcode Fuzzy Hash: 75325122251061ff34cbfa25bea7f0407a34a5b4f65575248dfc76c056184698
Instruction Fuzzy Hash: 6E21AC719002089FCB24DF54C848FBABBF6FB44318F00886AE55A9B201E376DE45CF90

Function 015017B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4ccef2e130cdfa8c7f83fcdf83239f667e1e17cf600b48a1dc3e83f76faf28
Instruction ID: 6ecc68c9d841dba74db3e4b801366d7e9c7125aa3395e2e60ad1261b23aa3869
Opcode Fuzzy Hash: ec4ccef2e130cdfa8c7f83fcdf83239f667e1e17cf600b48a1dc3e83f76faf28
Instruction Fuzzy Hash: 71212370D056498FCB01EFA8D9445EEBFF0BF0A300F0441AAD405BB261EB349A85CBA2

Function 0150BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d13f8cb5110fda8a6fbf46c790e9df640738beea65e9a4327fa9a37cc0de76b
Instruction ID: d8cd7b47a304ac56f50f4530e2170b9f4fbb1a195baebcec564fabcad4797b43
Opcode Fuzzy Hash: 5d13f8cb5110fda8a6fbf46c790e9df640738beea65e9a4327fa9a37cc0de76b
Instruction Fuzzy Hash: 3B118C75300604CFD725DFA9D984E1ABBF6FF98721B20806AE2498F3A5CA71EC00CB50

Function 01504850 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79faf22ce5129d2af562ad254a2c5d3c5fdec0c11e8562909d6e184895e08462
Instruction ID: db14367a1f7039262f1b651e281d53fe5cb9aef2ce17d75495bd4503de774513
Opcode Fuzzy Hash: 79faf22ce5129d2af562ad254a2c5d3c5fdec0c11e8562909d6e184895e08462
Instruction Fuzzy Hash: 7E016832B016410FDB15ABF99C0812F7BEBAFC51607004839CA05CB395FE70C801C780

Function 0150BB22 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1298417255f95215af48a2f3d858416418b1824c30385ac1f9375d51a91ca24a
Instruction ID: cda0188bb90af6bbd5279cfd13ffdb647a51cc016ac41a792600e00da3e9925f
Opcode Fuzzy Hash: 1298417255f95215af48a2f3d858416418b1824c30385ac1f9375d51a91ca24a
Instruction Fuzzy Hash: A511B8756006008FD726CF69C988B9A7BE5FF99310F0A80AEE1498F2A6CA70D805CB11

Function 05CE6399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca29e6d304b43c11d99cc7bf26afe8cb8ec3fbbdc4e9e2836925be74cd1dcd8e
Instruction ID: 1d271f0bb5e6743722fb177413c7044362fd3e0409ed4414a7754ae63ef09bc4
Opcode Fuzzy Hash: ca29e6d304b43c11d99cc7bf26afe8cb8ec3fbbdc4e9e2836925be74cd1dcd8e
Instruction Fuzzy Hash: 00113034F40258CFDB00DFF8E850BAEBBB2EB54311F019465E809E7358DA719D828B50

Function 01504860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49e9978996a5f5ce3c925135971a2f13e994d417e1aa1cbb4c85774858b5362
Instruction ID: 99e1bf137f95485351eaed7bfa15589ac8dfbd914cd6f37053e30807d454f2c6
Opcode Fuzzy Hash: d49e9978996a5f5ce3c925135971a2f13e994d417e1aa1cbb4c85774858b5362
Instruction Fuzzy Hash: 7E018132B026554FD715ABBA984852F76EBAFC4560714493DDA05CB399FEB0CC018B91

Function 0150A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f015fccb4bbd8fad0e6fa8a28a7c55a7be63d5eacb7696a050168e1460d264a0
Instruction ID: d6022d821e81e778f74949781e6db6806d6ee0fa06afab2ed1981167c76a53ad
Opcode Fuzzy Hash: f015fccb4bbd8fad0e6fa8a28a7c55a7be63d5eacb7696a050168e1460d264a0
Instruction Fuzzy Hash: 75019E75E112099FCF15DFA8D8489AE7FB9FB88220F008439F91A97280DF309D10DBA1

Function 05CEA580 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27959849d400b9f95c5a09bca6be219b7c3eb4916505cef3a13c65fd7e09295
Instruction ID: fea56daf8a1ab3dac88e911ed24bc3f46a65eda5decfe3ff6615c566c2719c86
Opcode Fuzzy Hash: b27959849d400b9f95c5a09bca6be219b7c3eb4916505cef3a13c65fd7e09295
Instruction Fuzzy Hash: F701D6726081596FCB029F55DC00AEF3F67EB89750F15806AFA05C7240D631CD169791

Function 05CEA590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf2046ea73037b6212e833b28ce81d17aa50585d2fb11adf1bcc5a614b2f0c8
Instruction ID: df415039b0696d24c2c2dd9ca6eb33be7f5329aacc9dd4acfe42b6df5890c2b8
Opcode Fuzzy Hash: ddf2046ea73037b6212e833b28ce81d17aa50585d2fb11adf1bcc5a614b2f0c8
Instruction Fuzzy Hash: FF01D632B041196F8F15AF599C04AAF3BABEBC9A50F14802AF606D7340DA71DD129790

Function 0150A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68a8f489f730a6d9de549ee9195fa1e802f64b2aa926aa109f5c032c9a5e937
Instruction ID: 4df2fb326fd5271f2fd80ff419399636209487ac4989ded8243c0df75c2a384d
Opcode Fuzzy Hash: d68a8f489f730a6d9de549ee9195fa1e802f64b2aa926aa109f5c032c9a5e937
Instruction Fuzzy Hash: FF01BC719002199FCF11DFA8DC44AAE7FB5FB88220F41802AFA5993240DB309910DFA1

Function 0150BEF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e780b0ae0eecf66bdf9eab0665614dee62ec1b872b75e1b153ca765cc69c03b7
Instruction ID: 6d479818f57869c814e71703d31943eccf8577d65194caf1a10acbd71113355b
Opcode Fuzzy Hash: e780b0ae0eecf66bdf9eab0665614dee62ec1b872b75e1b153ca765cc69c03b7
Instruction Fuzzy Hash: E9F0FC3A7102148BC71617B8E80926D3FEAEBC9621B144466E606CB381DE35CC02D764

Function 0150BD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3748030b9dd5b3c35dc3b25d8d52aa872c7655bbb63490cd27b94053026908f
Instruction ID: d9338c64e0bdd5fc558915c6ac33ee2de0582ec5487563e968c61fe53cedcd8b
Opcode Fuzzy Hash: c3748030b9dd5b3c35dc3b25d8d52aa872c7655bbb63490cd27b94053026908f
Instruction Fuzzy Hash: 94F06272A00109AFCB40EFA9DC44DBFBBF9FF8C210B004069F519D7251DA3099118BA0

Function 0150C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24462274af8919191c8d53413138ee555cec6a6fed47958e0529a4ead911a2b
Instruction ID: b21faee8654521f117337f00a6c5b4323f6aaf14e345d365866388a5ad1d5d38
Opcode Fuzzy Hash: f24462274af8919191c8d53413138ee555cec6a6fed47958e0529a4ead911a2b
Instruction Fuzzy Hash: 30F0A7327045125BC71656ADE45595EB7AAEFC563171440BAE509DB390CF31DC028790

Function 0150B9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcfbd9b9933b08a068c531ab12915ecdb754b597000c941b39dbb6fc59d4ab1
Instruction ID: 9411b1c3669af65424e6567ee1fe2fb2d4f4777abed833301dc4dc479a705a23
Opcode Fuzzy Hash: efcfbd9b9933b08a068c531ab12915ecdb754b597000c941b39dbb6fc59d4ab1
Instruction Fuzzy Hash: 87F0F6359042099F8B51DFA998809EFBFF5FF88250B400526D604D3241D6305502C7E1

Function 05CE6C38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea77dcb3e851a63dd8edf59f6ae2a75c5678066c4d5a0249f5fdbdd28ec08b9
Instruction ID: 3d065227a896b616e5587856006f8e1232f82039f267530c762e3f52533d5432
Opcode Fuzzy Hash: 6ea77dcb3e851a63dd8edf59f6ae2a75c5678066c4d5a0249f5fdbdd28ec08b9
Instruction Fuzzy Hash: 0AF0893230025A6B8F456E9D9C449AF7FABEBD9250B004429F705D3250DA318C1157A5

Function 015046C9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bcd3dbe006a234aaf08d97f5e643b9064d5e4db63dc114b7af0dd46ca47f96
Instruction ID: eadddb3c648c065b88a23be43397091eb2ccd5eb0f859feea605e618c04677d1
Opcode Fuzzy Hash: e4bcd3dbe006a234aaf08d97f5e643b9064d5e4db63dc114b7af0dd46ca47f96
Instruction Fuzzy Hash: 2AF0FE31015796CFD3216B70A56C6297FB0EF0B30378B5C55D54ECA07ADB704404CB11

Function 0150B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20790ff2600f1d7088f7e8c59fdfad2283542ef34f62c7261bb250c30ad0988
Instruction ID: 1385c3409c3d44e2b12e7b16defda1e913296d2506505a73c4d6e133ccbbee60
Opcode Fuzzy Hash: c20790ff2600f1d7088f7e8c59fdfad2283542ef34f62c7261bb250c30ad0988
Instruction Fuzzy Hash: 08F08271A002089F8B60DFAD988099FBFF6FB98250B40452AD609D3200EA709911CBE1

Function 015046D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa89bd051a6b74162f969f91935ffcc0fac0aa92688dd25a7a5813132457c849
Instruction ID: 00a22b944210b488b8cec61e9c6b4a753c65e62eb458b9c14614feb100f36c77
Opcode Fuzzy Hash: aa89bd051a6b74162f969f91935ffcc0fac0aa92688dd25a7a5813132457c849
Instruction Fuzzy Hash: 1FE00975022746CBE3242F65B6AC63E7EB5FB0B313BC66D00A14EC907D9FB444548B54

Function 01501877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d1fabad39ea399a08b7bfd9357b991ef70d7f6227555724c2ca4d5d6f19c3f
Instruction ID: 0f7971f41a5d6c2311e03de895c2bc699015bd787f0acb8ced67dab81d41cc86
Opcode Fuzzy Hash: 76d1fabad39ea399a08b7bfd9357b991ef70d7f6227555724c2ca4d5d6f19c3f
Instruction Fuzzy Hash: B6E08636D6166E5BCB00EAA5ED026DEBB79FF91251F448222EA1436240FB30365D86A0

Function 01501888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9674aa129b0af2804e01e4f5ceacbe864f820585b1f085e96cda4447177ac6
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 6e9674aa129b0af2804e01e4f5ceacbe864f820585b1f085e96cda4447177ac6
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 05CEAD81 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d69812c4401c969c68b38d9d6b5103dcc08176f31e8191664c083797d50593
Instruction ID: 1fbef2d2bea5d82eb1dfd2ec0efab6a4bb0db1634548c855e27c70d66006f381
Opcode Fuzzy Hash: 42d69812c4401c969c68b38d9d6b5103dcc08176f31e8191664c083797d50593
Instruction Fuzzy Hash: ECE0C235409382CECB1AEB74D9440853F32EAA2200B0A48AFC1814A6A7CEBD0C4A8321

Function 05CED95D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e173958749f7620ae717f551b0be93311b4db302d470c869d13c4edfcc2a355
Instruction ID: f08c270e75378223be6f9cc12d64b118315e8532c9d5eaebefe09a25e25f9bbc
Opcode Fuzzy Hash: 2e173958749f7620ae717f551b0be93311b4db302d470c869d13c4edfcc2a355
Instruction Fuzzy Hash: 38D0673AB40108AFCB149F98EC509EDF7B6FB98621B048126EA15A3260C6319D25DB50

Function 05CEAD90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3399189897.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5ce0000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdec563d0fa178a9886d4b436293dd6e5a1d01ac3a4a0d88dfadc898e38ae90
Instruction ID: f779c2fd7ad777d7c1d82a951ed60ab83d5b54684fa650283c9060f871eb8faf
Opcode Fuzzy Hash: 7bdec563d0fa178a9886d4b436293dd6e5a1d01ac3a4a0d88dfadc898e38ae90
Instruction Fuzzy Hash: FEC0123000030ACAD619FB76E9455153B7AEAD0200F509929920515269DFFD1C454690

Function 01504831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3394649787.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1500000_54403 ADVANCED DEMURRAGE PROFORMA 15.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d325e76a929c033f93b096d9e37266bebd3670cfa304ddfaeb77b9cb5cb9737
Instruction ID: 0f14c43a3c68f94cb9893d6c155d885360ce101d476d2f5f7a9c511501108168
Opcode Fuzzy Hash: 8d325e76a929c033f93b096d9e37266bebd3670cfa304ddfaeb77b9cb5cb9737
Instruction Fuzzy Hash: 0DB01277921B881FEF255770F51B35D3BD0DB52204F9804DD8943C118AEF5CC000C240

Analysis Process: NoCGdFUXaoNd.exePID: 5140, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	304
Total number of Limit Nodes:	21

Executed Functions

Function 0B486188 Relevance: 2.7, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 0B4861EE
\~$, xrefs: 0B4862B8

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 0c15956081c1eb98929cac2cdf2eb02a73575057ee370ddec1ad474fa0b2973e
Instruction ID: 10a3fbcaee5225754a11da3fe0f341f38403451b75efa794811afdc44d745b26
Opcode Fuzzy Hash: 0c15956081c1eb98929cac2cdf2eb02a73575057ee370ddec1ad474fa0b2973e
Instruction Fuzzy Hash: F26127B5E052098FCB48CFAAD5815AEFBF2EF89300F14942AD415E7365DB389A42CF50

Function 0B486198 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

or, xrefs: 0B4861EE
\~$, xrefs: 0B4862B8

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 68b17a1309a91cf367957425027855870e3bcff13a8e74a87082647b7def2df4
Instruction ID: 5e923d5457335116f0c8e577ae943a54322f686470ae6a9e689e426ab7599a98
Opcode Fuzzy Hash: 68b17a1309a91cf367957425027855870e3bcff13a8e74a87082647b7def2df4
Instruction Fuzzy Hash: C56115B5E05209DBCB48CFA6D5815AEFBF2FF88300F10942AD425E7254EB389A42CF50

Function 0B487B00 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B487DDC

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 3b299270089b78caefb0f2bc1fb8736b2fe622891e44c22d5d60dc48170632d4
Instruction ID: 3e729af99abf396a70febc8aaec4b73fe18da6e8a126e86d568fa0d21ae571d8
Opcode Fuzzy Hash: 3b299270089b78caefb0f2bc1fb8736b2fe622891e44c22d5d60dc48170632d4
Instruction Fuzzy Hash: 8BB11BB0E05219DFDB18DFA6D84059EFBB2FF89350F20956AD415AB264DB389A02CF50

Function 0B487B10 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B487DDC

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 40ebc064dcd48b1cc5d6719f07b78434249a18d8cfd43d2120ef1307c97545fc
Instruction ID: 74b284387ea13e7263715e998a4ee3debbf4525135b9467ec014ce655f0bf3d1
Opcode Fuzzy Hash: 40ebc064dcd48b1cc5d6719f07b78434249a18d8cfd43d2120ef1307c97545fc
Instruction Fuzzy Hash: B2B12BB0D05219DFDB18DFA6D88059EFBB2FF88350F20956AD415AB264DB389E02CF54

Function 0B4857A8 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

5{, xrefs: 0B4859A2

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 928a32072ecf9bb2910073c6c1cbeec9ec36bec5eadb03773d4bcb6849809359
Instruction ID: 2c925893d32c8d0dc4401b8754e82c73f4de0530af747239ea894c5209868c22
Opcode Fuzzy Hash: 928a32072ecf9bb2910073c6c1cbeec9ec36bec5eadb03773d4bcb6849809359
Instruction Fuzzy Hash: 3AB15D74E02209DFCB04DFA9D5444AEBBF2FF89310F14846AD459AB364DB349A46CF61

Function 0B4857B8 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 0B4859A2

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 71365247772dfd95d5addf07f15fa74a9632f6612ce4a5d24cb8027467c0458c
Instruction ID: b510a593221363b77869d73b97e746cb9658fcf5c6beb398f754388552e020a7
Opcode Fuzzy Hash: 71365247772dfd95d5addf07f15fa74a9632f6612ce4a5d24cb8027467c0458c
Instruction Fuzzy Hash: 2EA13B74E02209DFCB04DFA9D5444AEBBF2FF89300F14846AD459AB364DB359A46CF61

Function 0B487260 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B487476

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 22e11246bce090b80c81edac5da68a3d62260de367761f5e4e48649b4a9efc5d
Instruction ID: bb9d91e40dfe02d09eaec319fb4becc6c4a12272b2424d3291ac672019b89b8c
Opcode Fuzzy Hash: 22e11246bce090b80c81edac5da68a3d62260de367761f5e4e48649b4a9efc5d
Instruction Fuzzy Hash: 50810975D05209EFCB08CFEAD59099EFBB2FF99310F20942AE415AB264D7349A42CF45

Function 0B487250 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B487476

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: bfad0effcdf793a6407ffec34efbbb25f3d620309b2410002d4a9b451e0270a0
Instruction ID: 2f60b0b235514ff91f9ba0e7b66feb66d238cd86b99773fba66918760686448c
Opcode Fuzzy Hash: bfad0effcdf793a6407ffec34efbbb25f3d620309b2410002d4a9b451e0270a0
Instruction Fuzzy Hash: BB810875D05209EFDB08CFEAD59099EFBB2FF99310F20942AE415AB264D7349A46CF01

Function 0B480AD0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029652dd1e6a723c4024eb29dc7582c4491fa4e4fdebdf41e82eb587e5853ad3
Instruction ID: 86af5c4008d0cbacf7e4e32c283c6253b333cf3ccc310e2dadc823f7eabedda6
Opcode Fuzzy Hash: 029652dd1e6a723c4024eb29dc7582c4491fa4e4fdebdf41e82eb587e5853ad3
Instruction Fuzzy Hash: BBB12674D056589FDB48DFE9C894ADEBBF2FF89300F14806AD809AB365D734A905CB60

Function 0B485BE9 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a501753d2981600517bf255425008e2af1e00cb2cd5e44737b357f1d603d2e0
Instruction ID: 0f239eb76b789397ccc9169dede7c3579d72e7e8069aa50f1e8db8558c681891
Opcode Fuzzy Hash: 9a501753d2981600517bf255425008e2af1e00cb2cd5e44737b357f1d603d2e0
Instruction Fuzzy Hash: 3B511A74E0620A9FCB48DFAAD9458AEFBF2FF89200F14946AD415F7264D7389A01CF54

Function 0B485BF8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2b107d41385ba898b29f50bd6b969ad2610854eaf2ed9fff5acb61cf163e8f
Instruction ID: d30aec0556e3c1f69d8045904b7cafb5a7f9008f6c21e84774019322767c89e7
Opcode Fuzzy Hash: 2b2b107d41385ba898b29f50bd6b969ad2610854eaf2ed9fff5acb61cf163e8f
Instruction Fuzzy Hash: DE510874E0220A9FCB48DFAAD9458AEFBF2FF89200F10942AD419F7254D7389A01CF54

Function 0B4812D8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef51efd6a16c8484b1dd513d0561a237499d41c513a23252f90e19f39334be7
Instruction ID: 6fa38bfb0a9a6a413bbbe219f63da0edb8c6114ac99eb0b4b270fc7cce3fef29
Opcode Fuzzy Hash: 0ef51efd6a16c8484b1dd513d0561a237499d41c513a23252f90e19f39334be7
Instruction Fuzzy Hash: 3A41F5B4E04219CFDB08DFAAD9406AEFBF2BB8C310F14D16AD419B7251D7748A428F54

Function 0B4812C9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d84118a9962de87add0c22feb548437037b5069fe798772c363940d40127879
Instruction ID: 54cf779cf4752e9618d856107c86265449f25ee4c12502ff4ad9aa82239cf50e
Opcode Fuzzy Hash: 1d84118a9962de87add0c22feb548437037b5069fe798772c363940d40127879
Instruction Fuzzy Hash: 1641E3B4E042199FEB08DFAAD8406AEFBF2AF8C310F14D16AD419B7255D7744A428F54

Function 0B481C90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b4fb1b94ec1efe33e5c9fe05f01073551959f29bd650084b360d275cb61506
Instruction ID: 574848731789f08bfaa2e5c20ac50f2e00724eb67930f91f02888921995dc3e3
Opcode Fuzzy Hash: b6b4fb1b94ec1efe33e5c9fe05f01073551959f29bd650084b360d275cb61506
Instruction Fuzzy Hash: 2F31F271E016188BEB58CFAAD94469EBBF3EFC8311F14C1AAD409AB354DB315A81CF50

Function 0B480040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d3904b7fede9803401332ec98ca98ad52448243a64ab7093ea310b894e5980
Instruction ID: 4f10c17c21234d278013c307376ce91f7ae7df78e34c701d7f6e00afd3ac3fa6
Opcode Fuzzy Hash: a2d3904b7fede9803401332ec98ca98ad52448243a64ab7093ea310b894e5980
Instruction Fuzzy Hash: 5B21A875E006189BEB58CFABD84079EFBF7AFC8200F04C1BAC418A6264EB741A458F51

Function 0B481C81 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e66324079e8e669f25a2d1e62fc7fb92c791f3869182b74adb2cbfef910e569
Instruction ID: e5164ab9d13891e6ad3c7f2f5ae2446fb499a37ddb7dbff0431300bdf9eb4598
Opcode Fuzzy Hash: 1e66324079e8e669f25a2d1e62fc7fb92c791f3869182b74adb2cbfef910e569
Instruction Fuzzy Hash: 4C21FA70E056488BDB18CFABC84469EBFF3AFC9300F14C1AAD409AB359DA701A45CF51

Function 0B48BE90 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9144872aa34de2e3f8026703c741ce005eabf56c7a7983b712fe0e267f35dc40
Instruction ID: b65bcda266c8571e8ff3cbf38049e44926e7bd514a3646b76da99129c1a285ae
Opcode Fuzzy Hash: 9144872aa34de2e3f8026703c741ce005eabf56c7a7983b712fe0e267f35dc40
Instruction Fuzzy Hash: 5E212971D046588BEB18CFABC84439EBFF7AFC9300F08C4AAC409A7265DB740A568B50

Function 03191A1C Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03191C5E

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f9850949f285d865b685b9ef3d78a3c60cf94875e44fdbf111ab2adddd046673
Instruction ID: bd1c7952c09bc84b72df55cd353d61f284338c0ae24c813ec735220f36761c7f
Opcode Fuzzy Hash: f9850949f285d865b685b9ef3d78a3c60cf94875e44fdbf111ab2adddd046673
Instruction Fuzzy Hash: 9CA16C71D0025ADFEF24CF68C9417EDBBB2BF48314F1485AAE819A7280DB749985CF91

Function 03191A28 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03191C5E

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d28a9c47a79b7cc1cbc5eef3b3b0de6972c004aed0e3f418830dee1c697692b2
Instruction ID: d76bd542341b2790f05b3f582756e7eb985253c5f0f53c9eb1e69e27da150743
Opcode Fuzzy Hash: d28a9c47a79b7cc1cbc5eef3b3b0de6972c004aed0e3f418830dee1c697692b2
Instruction Fuzzy Hash: 5D916C71D0025ADFEF24CF68C9417EDBBB2BF48310F1485AAE819A7280DB749985CF91

Function 03039AC8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0303B091

Memory Dump Source

Source File: 00000008.00000002.2204769572.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3030000_NoCGdFUXaoNd.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5d958cf023b0bddc43ed60cde581e54bd1e21d03f8aefe10d37ac8d57f720472
Instruction ID: 270ea057efc9ca042c932f6925fa6c4d76d04a030c45eaf8242a0b03743022db
Opcode Fuzzy Hash: 5d958cf023b0bddc43ed60cde581e54bd1e21d03f8aefe10d37ac8d57f720472
Instruction Fuzzy Hash: 2641FFB0C0472DCBDB24DFA9C844B9EBBF5BF49304F20846AD418AB251DBB16946CF90

Function 0303AFDF Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0303B091

Memory Dump Source

Source File: 00000008.00000002.2204769572.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3030000_NoCGdFUXaoNd.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bd2b599a244ead227aea6439ea71fc405812b417f3e040ea2346734721210efe
Instruction ID: c1817094657346f3b9b54fa0b7241ec85f5c5831d6e1bcc2b62dcc886ed88d91
Opcode Fuzzy Hash: bd2b599a244ead227aea6439ea71fc405812b417f3e040ea2346734721210efe
Instruction Fuzzy Hash: CD41DDB0C0071DCBDB24CFA9C944B9EBBF5BF89704F20846AD418AB251DBB56946CF90

Function 08897EB9 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 08897F57

Memory Dump Source

Source File: 00000008.00000002.2209845393.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8890000_NoCGdFUXaoNd.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a2623c03e0c88dcc50760bad0eff109696407c3982c63321629fade49342c3ed
Instruction ID: 152f36a9a36b17442e26fed8266e89db2d1cf661c26f45db1ae429aa72bb8491
Opcode Fuzzy Hash: a2623c03e0c88dcc50760bad0eff109696407c3982c63321629fade49342c3ed
Instruction Fuzzy Hash: 2A31E0B59002499FDF10DF9AD880ADEBBF4BF48320F18842AE919A7210D774A944CFA0

Function 0319179B Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03191830

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7f0863eabbafbe3931184015c985cf86d96a8c24e5da2cb6955605adfcf41398
Instruction ID: 31bac1c9e5012d2ce2508d1d42b7b36a88986fc1718311dfb9b0bae7b0927c42
Opcode Fuzzy Hash: 7f0863eabbafbe3931184015c985cf86d96a8c24e5da2cb6955605adfcf41398
Instruction Fuzzy Hash: 7721067590034A9FDF10CFA9C881BEEBBF1BF88314F14852AE919A7250C7789950DBA4

Function 08897EC0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 08897F57

Memory Dump Source

Source File: 00000008.00000002.2209845393.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8890000_NoCGdFUXaoNd.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7b7b41c1884e5b076c7ff8017aef5880354fc759376d6c687a8904f43370d79f
Instruction ID: ca121ca7c615ab7cd9416c0c6256d2f4b76c65f2ff2b350912687d7fc3c9c8a5
Opcode Fuzzy Hash: 7b7b41c1884e5b076c7ff8017aef5880354fc759376d6c687a8904f43370d79f
Instruction Fuzzy Hash: AE21CEB59003499FDF10DF9AD880A9EFBF5BF48320F14842AE919A7610D775A954CFA0

Function 031917A0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03191830

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f5952333b111a10aa6eb7396336349ce49910e859d0135ceb67164db8e3c23c1
Instruction ID: 5e1ede6f54e21c7d37d453bb94eca89ad873ad55e16601656d59ad6b19a9e1e3
Opcode Fuzzy Hash: f5952333b111a10aa6eb7396336349ce49910e859d0135ceb67164db8e3c23c1
Instruction Fuzzy Hash: 592125B590034A9FDF10CFAAC881BDEBBF5FF48310F14842AE918A7240C7789950DBA4

Function 03191888 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03191910

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b19daa234a85e0b0638a07436af1fe9f180ca07aab19a36bce5d2d7439fdc8c3
Instruction ID: 71f77a6800c7369e6b6fa09482ea58dfcaacadf7e15717eeb609f7a3d5fc0c66
Opcode Fuzzy Hash: b19daa234a85e0b0638a07436af1fe9f180ca07aab19a36bce5d2d7439fdc8c3
Instruction Fuzzy Hash: B12125B18003499FDF10CFAAC881BEEBBF5FF88310F14842AE559A7241C7789950CBA1

Function 03191600 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03191686

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6f1fb7577ff7b2fecad906b024aba822915e262238b39998526f8b1207099c53
Instruction ID: a47c8477bb96c1e27c200995606742120bcc65a9722a4beb122baf26479f3b4f
Opcode Fuzzy Hash: 6f1fb7577ff7b2fecad906b024aba822915e262238b39998526f8b1207099c53
Instruction Fuzzy Hash: 07213A71D003499FEB10DFAAC4857EEBBF5AF88314F14842AD519A7240CBB89944CF95

Function 03191890 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03191910

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 49b0ebedd70dd5335d4f41a85346743a0924d00deafbeafbe33e26f93f764792
Instruction ID: 4f7a9746097dff7bb174e486a1b14ca2571d7308cc414cddf85fa2eaf1270d9e
Opcode Fuzzy Hash: 49b0ebedd70dd5335d4f41a85346743a0924d00deafbeafbe33e26f93f764792
Instruction Fuzzy Hash: A72116718003499FDF10DFAAC881ADEBBF5FF48310F10842AE519A7240C7799950DBA5

Function 03191608 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03191686

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 988ab753d669f742daed7969fb99e117a216f7cadbc68c05adbd38e208c67717
Instruction ID: f21a243c664a60be15de0a3bda8f4df705c33feaaef4073b6ec744f1cd4de3c7
Opcode Fuzzy Hash: 988ab753d669f742daed7969fb99e117a216f7cadbc68c05adbd38e208c67717
Instruction Fuzzy Hash: A7211A71D003099FEB10DFAAC4857EEBBF5AF48714F14842AD519A7240D7B89944CFA5

Function 031916D8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0319174E

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dbc372753e7b05266c398710ec4716cdba16a05cbf0e76ab9528e0fcdfe433c1
Instruction ID: 2f17a0d87700fef8de7955e55129132d203eb7a3b1291ddcc676fb9d35f6100e
Opcode Fuzzy Hash: dbc372753e7b05266c398710ec4716cdba16a05cbf0e76ab9528e0fcdfe433c1
Instruction Fuzzy Hash: 5B11597280034ADFDF20DFAAC845BDEBBF1AF88324F14881AE519A7250C7759550CFA1

Function 08896C24 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,08899A3A,?,?,?,?,?), ref: 08899ADF

Memory Dump Source

Source File: 00000008.00000002.2209845393.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8890000_NoCGdFUXaoNd.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 28b309c7b9b92a2ec7d09f1ce07dc64b4821f902e8f37364f8212aaffbb4eb5c
Instruction ID: 68af4e5726f9a0d5d1bffb618f4237eb70d9604a23763993ef840537bee60307
Opcode Fuzzy Hash: 28b309c7b9b92a2ec7d09f1ce07dc64b4821f902e8f37364f8212aaffbb4eb5c
Instruction Fuzzy Hash: 331147B1800249DFDF10DF9AC944BEEBFF8EB48320F14801AE955A3210C375A950CFA4

Function 08899A6D Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,08899A3A,?,?,?,?,?), ref: 08899ADF

Memory Dump Source

Source File: 00000008.00000002.2209845393.0000000008890000.00000040.00000800.00020000.00000000.sdmp, Offset: 08890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8890000_NoCGdFUXaoNd.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: ee568c30ec1f1c851b57e5aba8e991e90f44c0f0e03a33daae8e681e105ea6fb
Instruction ID: d081331c334e28e1cb692ea7d4d8f234070208261e2517abd05ad5ff55981246
Opcode Fuzzy Hash: ee568c30ec1f1c851b57e5aba8e991e90f44c0f0e03a33daae8e681e105ea6fb
Instruction Fuzzy Hash: B61126B58002499FDB10CFAAC944BDEBFF8EF48320F14841AE554A7210C375A954CFA4

Function 031916E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0319174E

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddf3c5923a5286c656d13c5783e46da61917ddc0ddff07ed2b273655dde5dc04
Instruction ID: 5735a7c9625d3ce21471dd766c4542361768d8a97210717769cb49a3f6c95629
Opcode Fuzzy Hash: ddf3c5923a5286c656d13c5783e46da61917ddc0ddff07ed2b273655dde5dc04
Instruction Fuzzy Hash: 9011567280034A9FDF10DFAAC845BDFBBF5AF88320F14841AE519A7250C775A950CBA1

Function 03191551 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031915BA

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f012c74ab4e56055fc6f30823d333a6d19135e61c107a0aade23793a752b0ddf
Instruction ID: 112aa7d42b1a7f1b57740673cd4e5a3fa6be510df73967ddeb02e3d0a0e81b7a
Opcode Fuzzy Hash: f012c74ab4e56055fc6f30823d333a6d19135e61c107a0aade23793a752b0ddf
Instruction Fuzzy Hash: A3114675900349CFEB20DFAAC4457AEBBF5AF88324F24841AD119A7340CB75A940CB95

Function 03191558 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031915BA

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 72cf13e34856e56b1d45b756b7722256cc3df3e59e0ceb25b51c8f5bdbbb7679
Instruction ID: 359918e8218edc34f81beab4860eeafc094817f3ddb6b147b4f14ede52346f20
Opcode Fuzzy Hash: 72cf13e34856e56b1d45b756b7722256cc3df3e59e0ceb25b51c8f5bdbbb7679
Instruction Fuzzy Hash: 1B113A759003498FEB10DFAAC44579FFBF5AF88724F24841AD519A7340CB75A940CF95

Function 03195559 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031955BD

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9fed6ee7519d3c12fb66ddfe58f72af4cd2cc8f9ecc2651d4ac2f663a4355827
Instruction ID: 2ce0e3ba520e289c7b04151e62e85c46621a61ff488e933ab7fcd7a28ef7c02d
Opcode Fuzzy Hash: 9fed6ee7519d3c12fb66ddfe58f72af4cd2cc8f9ecc2651d4ac2f663a4355827
Instruction Fuzzy Hash: 5B11E0B68003499FDB21CFA9D585BDEBFF5EB48324F24845AD518A7201C3B5AA44CFA1

Function 03193670 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031955BD

Memory Dump Source

Source File: 00000008.00000002.2204890334.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3190000_NoCGdFUXaoNd.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e0b5f864d1c6d769d7bc83267a6e45c2105b3b494167bb584d463dc0abd340ca
Instruction ID: 85e186f7e6b6bab4ca220784efa84c21df6c106eb956d140c08fba7fa3601f54
Opcode Fuzzy Hash: e0b5f864d1c6d769d7bc83267a6e45c2105b3b494167bb584d463dc0abd340ca
Instruction Fuzzy Hash: 791122B5800349DFEB10DF9AD844BDEBBF9EB48320F20841AE518B3201C3B5A940CFA0

Function 0B481470 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B481529

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 881a4ebf2b62595d4cc2df4ff70672bf69a418ee4bcdee0491fe243d4e29c24d
Instruction ID: 77af1f916b021499661c20fd6cfd5fae277aabf851b2fdd8341f5b4e388b414b
Opcode Fuzzy Hash: 881a4ebf2b62595d4cc2df4ff70672bf69a418ee4bcdee0491fe243d4e29c24d
Instruction Fuzzy Hash: 4431D7B4E0421A9FCB44DFA9C4816AEBBF1AF89700F10956AC819A7355D3389A41CF51

Function 0B483181 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B4831C7

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 22700215037af2ae9c46e9960bedab86158c3d0cc8fba2f195e581a1a93a3d3e
Instruction ID: 7e6e6f4a34952bc7ef4d166868477ab3fa82bd4fc933add6a64de0793306c216
Opcode Fuzzy Hash: 22700215037af2ae9c46e9960bedab86158c3d0cc8fba2f195e581a1a93a3d3e
Instruction Fuzzy Hash: 56219070E05248DFDB45CFA8C984A9DFBF2EF89710F14C19AD4249B3A5D6309A41CB01

Function 0B488018 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B48805F

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 3542d4ee6ce3c9fd272a2774a9a1a80e2aa9f8c7320f319104a07fe2be6effc1
Instruction ID: deff2cc0707fdee58c4ec55679fe6782d36cf173fbe2beb8173aead3060a92c5
Opcode Fuzzy Hash: 3542d4ee6ce3c9fd272a2774a9a1a80e2aa9f8c7320f319104a07fe2be6effc1
Instruction Fuzzy Hash: 96214CB4E06249DFCB44CFAAC54159EBFF2EF8A300F2484AAC509E7314D6349B41DB45

Function 0B483270 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B4831C7

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 8bcdd6acb295f16ebb2e3ba3c52c469ee57cf87a30da40c8b6bf6b819940469b
Instruction ID: d293116e7b10fde027ad870346858a76e46f5583bd951465c399e2f826700769
Opcode Fuzzy Hash: 8bcdd6acb295f16ebb2e3ba3c52c469ee57cf87a30da40c8b6bf6b819940469b
Instruction Fuzzy Hash: E0111974A05248EFDB05CFA8C9909ADFBF2FF89700B15C496D515EB365D630DA02CB04

Function 0B488028 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B48805F

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 910b8924f0687029356174776f3f910958ed239b69177d0e0491e8651e697461
Instruction ID: dab10b5c28796624301a0e407ac96d2ae62c367f3c180c57862e47d951f84e9f
Opcode Fuzzy Hash: 910b8924f0687029356174776f3f910958ed239b69177d0e0491e8651e697461
Instruction Fuzzy Hash: D0113AB4E05209DFCB44DFAAC9411AEBBF2EB89300F2084AAC509E3304E6349B41CB45

Function 0B485FF1 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B486076

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: d3c2d2aa3dab62454f26ba52b0030696207899a90940dc8651e65065d6ecf379
Instruction ID: 8fae2f5822b07a41a86facf207e469e1eadff17fb0c5967a3bd7ab2da81cc51a
Opcode Fuzzy Hash: d3c2d2aa3dab62454f26ba52b0030696207899a90940dc8651e65065d6ecf379
Instruction Fuzzy Hash: E3016D70E15248DFCB89DFA5D94055DBFF2AB86201F2494BAC40AD72A4E6359B01DA04

Function 0B486000 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B486076

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: bd64d2fb091a470befe21ae461e04d296f577f8cab6f0233b2b9197e8d5eb18d
Instruction ID: bece9888532e425b3efb54d9dd409ac2803f5e5896c305aa696ca7a85029cc52
Opcode Fuzzy Hash: bd64d2fb091a470befe21ae461e04d296f577f8cab6f0233b2b9197e8d5eb18d
Instruction Fuzzy Hash: 8D018F70E15608DFCB88EFA5DA4565EFAB6EB86201F20E47AC409E3254E6349B419A48

Function 0B48B818 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2f7b8733f79494176af879abdbeba9c501cc78e7686030a48a748c3af27573
Instruction ID: 0fc28855e633ccbda9d18a89c14af382520f8bd890695e1b64abfcd51c001550
Opcode Fuzzy Hash: be2f7b8733f79494176af879abdbeba9c501cc78e7686030a48a748c3af27573
Instruction Fuzzy Hash: CA313974D08209CFDF08DF9AD8406BEBBF6EB8D301F14E16AD429A7251C7398A42CB54

Function 0B48B808 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ff9bc1c68aa90a7ab22e7f1abdd79c275ac556cb483f17f1e3e3ef318bc980
Instruction ID: a7248a6fb194350d95d645ca5c81f21cbe126a3516effe607f04fe60616cc775
Opcode Fuzzy Hash: 27ff9bc1c68aa90a7ab22e7f1abdd79c275ac556cb483f17f1e3e3ef318bc980
Instruction Fuzzy Hash: 25314B74D09208CFDB08DFA6D8542BEBBF6EF8D301F14D06AD429A7251D7394A02CB54

Function 0B48E732 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc8b9393c6234559c2f3d96d5479e7907f12fbdb25555eb936b79cd70f6bdb0
Instruction ID: c1a70de6fb58f21e427707563f79afb6a1b72d4751d19c4a698616409417db14
Opcode Fuzzy Hash: bfc8b9393c6234559c2f3d96d5479e7907f12fbdb25555eb936b79cd70f6bdb0
Instruction Fuzzy Hash: 5541907890421ACFDB14EF98D944BADBBF6FB88300F00965AD419AB355C7749E82CF50

Function 0B485454 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddf752b84a6f8015b85f5139f898eed2d218532b6d8a5928cca3d399d946314
Instruction ID: 00034a18323239766d1b8390ab50d9d50fff04473d129374f9da28a606994d85
Opcode Fuzzy Hash: 2ddf752b84a6f8015b85f5139f898eed2d218532b6d8a5928cca3d399d946314
Instruction Fuzzy Hash: B93159B5900209AFDF14DFA9D885ADEBFF5EF48320F10846AE518E7250D775A940CFA0

Function 0B48C8E2 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eebfabf153690e1af39a6510d51fe798990494d80c7664aeef27a78b0671dc8
Instruction ID: febe4fee0842e7fc436f1268d206f46878526978ff7b90fe1f79721d397b5022
Opcode Fuzzy Hash: 9eebfabf153690e1af39a6510d51fe798990494d80c7664aeef27a78b0671dc8
Instruction Fuzzy Hash: 3B310A70D09654DFDB05DFAAD4805EDBBBAEF8A300B04D0ABD465A7263C7349A46CF60

Function 0B488880 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523ccd4d316bd601035a86a8dd9c8288912874dcc5763c8f8f2f7db2facc461d
Instruction ID: abf1d354f7f7fff175f49fe5cc0bcfbb8e83f58b0acce93b1de607e51eab1828
Opcode Fuzzy Hash: 523ccd4d316bd601035a86a8dd9c8288912874dcc5763c8f8f2f7db2facc461d
Instruction Fuzzy Hash: 09311770E05209DFDB48DFAAD5846AEBBF2BB88310F60946AC415A7354D7349B41CF51

Function 0B486958 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f59943cb8a827e975644124c613f06d624fb661b36c310b6b9092f66e5f1748
Instruction ID: 36094ff8d0b7bd09fefea833c1614ea9aecbaf6ac5d07b5284297a105b42fa37
Opcode Fuzzy Hash: 6f59943cb8a827e975644124c613f06d624fb661b36c310b6b9092f66e5f1748
Instruction Fuzzy Hash: 0B3104B4E01219DFDB48DFA9D4456AEBBB2FF88310F10942AE515A7354DB349A41CF50

Function 0B486948 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c399bd42fa7b39b7d51116e71112382f6eb3b67a66ea8be9c38d3f0d5164f91
Instruction ID: 7290d670786f8153747eb63fcd5f4a016510169dc365dbd175f88fe7c1db9491
Opcode Fuzzy Hash: 0c399bd42fa7b39b7d51116e71112382f6eb3b67a66ea8be9c38d3f0d5164f91
Instruction Fuzzy Hash: 433104B4E052199FDB88DFA9D8456AEBBF2FF89300F10846AE415A7394DB349A41CF50

Function 0B488870 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4302dcd97058e9c48eab2d0189b4463f8bba3e573f33a857dfab2056d2d9242f
Instruction ID: a8e30f912db4d9038fbeb9c856e0eb122bd193e7c873aa2714d09819e4819b98
Opcode Fuzzy Hash: 4302dcd97058e9c48eab2d0189b4463f8bba3e573f33a857dfab2056d2d9242f
Instruction Fuzzy Hash: 20314870E05209DFDB44DFAAD5806AEBBF2BF88310F6495AAC425A7360D7349B41CF51

Function 0B48FDD0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c364735b34f7a91d6faaa16c680c99c024a465fda40665d1becb63fc1990dba2
Instruction ID: 9237629c54f8e8a12acfb1fa14ebda26915e49865b6b3d4f83c68f21f1f21967
Opcode Fuzzy Hash: c364735b34f7a91d6faaa16c680c99c024a465fda40665d1becb63fc1990dba2
Instruction Fuzzy Hash: B421CE70E00208ABDB14EBB5D8447EEBBB2FF88310F10482AD402A7384DF355A45CB71

Function 0182D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199927825.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44fde24b1ae36fe0f64d406fee7c45c7c45664327d4dba6dc86e18eadad30fd
Instruction ID: d7e979f9fd77828dff4f4928e6eeca5be4a10083e4c5d7b22fbd130d05ab7520
Opcode Fuzzy Hash: e44fde24b1ae36fe0f64d406fee7c45c7c45664327d4dba6dc86e18eadad30fd
Instruction Fuzzy Hash: 50214572504244EFDB06DF54DAC0B26BF61FB88318F20C66DE9098B256C376D596CAA1

Function 0B48B0C2 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964500997acd1c2c9c5ac876509e4f4de897b229b5f93986b1ba933112435866
Instruction ID: 8691b3939fec715c99c3992d4704448fb6d600f5597f5ff99b968c725f629b32
Opcode Fuzzy Hash: 964500997acd1c2c9c5ac876509e4f4de897b229b5f93986b1ba933112435866
Instruction Fuzzy Hash: 1831B174E04209CFCB09DFE9C8949EDBBB5FF89310F20916AD929AB365C7316946CB50

Function 0183D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199970739.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_183d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008e5ef0f256b26a46a2ae649587b55ee9a7d6e64969bc16a77cba702c4800c1
Instruction ID: ff45bda94072c24e8f18496065af2c64a2cab4f86516470e102e19e3b44245ee
Opcode Fuzzy Hash: 008e5ef0f256b26a46a2ae649587b55ee9a7d6e64969bc16a77cba702c4800c1
Instruction Fuzzy Hash: 3A214671504304EFDB05DF94D9C0B26BBA1FBC4328F68C66DE9098B252C77AE506CAA1

Function 0183D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199970739.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_183d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b90ffd17aa16f3f25b0dd1f7a75c3ea81330dc855fb8870621b8ed64fbf9b00
Instruction ID: bd66b221c0cd942bdb31f58a4f4090e8508f9e73586c0b34a116bb39d4c8611d
Opcode Fuzzy Hash: 3b90ffd17aa16f3f25b0dd1f7a75c3ea81330dc855fb8870621b8ed64fbf9b00
Instruction Fuzzy Hash: 78214571504204DFCB14DF54D5D0B26FB61FBC4B14F68C66DD90A8B252C37AC407CAA1

Function 0B4815A9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182191ca214bbb3045e4e38b8d15829190de4e2e4cc847ec1f75de19735f5b6c
Instruction ID: 5d6b0ca9bad66b56177893cf61a8832d3a60e77eed72874ea1e1ab30d2b03b0b
Opcode Fuzzy Hash: 182191ca214bbb3045e4e38b8d15829190de4e2e4cc847ec1f75de19735f5b6c
Instruction Fuzzy Hash: 5531E770E04249DFCB48DFAAC585AAEBBF2FF89300F14C5AAC819A7315D6349A458F51

Function 0B48BF52 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34439202b5affd4316c5232848c09f1099e0faecb81bc2f6a61dddf6de939151
Instruction ID: 2fccc3ffc25d16e13153598f87ae0c0d1d44376cf7023df3cbd949a920f5ad4b
Opcode Fuzzy Hash: 34439202b5affd4316c5232848c09f1099e0faecb81bc2f6a61dddf6de939151
Instruction Fuzzy Hash: 3731C174A09228CFDB10DF98CA80BEDB7B5FB48300F1081AAD51AA7346D2349E81CF61

Function 0B4815B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79be9219d68142525770c0ce6b5fb54e9e8305aff6e24eee52d6482304236d6
Instruction ID: 5a09682e6293432e3565bc5fd508eb6f85b9b1e4be7920ee19bfa2a83a75f83e
Opcode Fuzzy Hash: e79be9219d68142525770c0ce6b5fb54e9e8305aff6e24eee52d6482304236d6
Instruction Fuzzy Hash: 3121B670E04209DFCB48DFAAC5459AEBBF2FB89300F54C5AAC419B7314E6349B428F51

Function 0B483088 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827dec06973d0c5e059759754b4dba08bc952f76846b94510c03afe854e6ee62
Instruction ID: e48c5093cb243938dccfb7204dee5f06b945356366a391ca1a08767b64f6c850
Opcode Fuzzy Hash: 827dec06973d0c5e059759754b4dba08bc952f76846b94510c03afe854e6ee62
Instruction Fuzzy Hash: BB216670E0424ADFDB09DFA9C5816AEFFF2BF8A600F14C5AAD404A7265E7749B01CB51

Function 0B48B93F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3ff29b5f7d431a9ac545a8d323c98886b40a7043657d3c65f65a0470c868f9
Instruction ID: ab6c47a358dfcbb35316af8cd3a7de74b84ecffb840ce7ea3a349e99d0175cd1
Opcode Fuzzy Hash: 8d3ff29b5f7d431a9ac545a8d323c98886b40a7043657d3c65f65a0470c868f9
Instruction Fuzzy Hash: 3E211AB4D08249DFCB40DFA9C590AAEBBF5EF49300F20909AD859A7352D7359A41CF91

Function 0B483098 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54f7f4148779e784592dff91ef482797d83cf177c4214d823c720e5825489f8
Instruction ID: 2d091c6fea74742d7fdbefd21073216617d902af55bc7f1665968a790eec2e5c
Opcode Fuzzy Hash: b54f7f4148779e784592dff91ef482797d83cf177c4214d823c720e5825489f8
Instruction Fuzzy Hash: 552139B0E0420ADFDB44DFAAC5416AEFBF1BF89B00F10D5AA9414A7254E7749B01CF95

Function 0B48B9F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f6544d5ac78e7fbf03a56799994184ccfc4ac961774229dd9cd65385fe9da5
Instruction ID: aef6ac844523fbbcab4bd21cab2d0d18c5cf1601dbba9214177dd44f2f6890f1
Opcode Fuzzy Hash: f4f6544d5ac78e7fbf03a56799994184ccfc4ac961774229dd9cd65385fe9da5
Instruction Fuzzy Hash: 0C1116B0E09248DFCB04EFA9C4809ADBFF5EF4A310F14929AC469A7262D3759B41CF40

Function 0B485464 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fd1620b9fd2a38163e244f17109048cceecf27b9b0dee6cb73487cd4d3df2a
Instruction ID: 700cb933e33fc8235903bd074b3800f0e07bc36955688b269e17f4d463d0bc6d
Opcode Fuzzy Hash: b2fd1620b9fd2a38163e244f17109048cceecf27b9b0dee6cb73487cd4d3df2a
Instruction Fuzzy Hash: 2A2103B5800349DFCB10DF9AD884ADEBBF4FB48720F10841AE918A7300C775A954CFA5

Function 0182D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199927825.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 49b342305c74836910f809b84ddcfd500dc3a8cf52dc353416b673f5f0165c86
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: A2112676404280CFCB02CF54D6C0B16BF71FB84318F24C6A9E8094B257C33AD596CBA1

Function 0B48E74D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da0e2640582b7017c17cb84db27de51624c10293400a2307108f9e73895fb35
Instruction ID: 8a74759764bf3c568a20eb54358f108460e3c7ad2390165e9ded4dd71d6321e9
Opcode Fuzzy Hash: 2da0e2640582b7017c17cb84db27de51624c10293400a2307108f9e73895fb35
Instruction Fuzzy Hash: F921073CA402198FD764EF24C904BA97BB2FF89201F108995950EA7746DB705E82CF61

Function 0B4886D2 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e516d9e36308af250ac611a0e74511eb91a0997c9680a0fc208db1841a8976
Instruction ID: 61c6563aab8c7c898f8bea1df9a26f736bee3c49dbd2c10a1b4a13c1950c05d4
Opcode Fuzzy Hash: d9e516d9e36308af250ac611a0e74511eb91a0997c9680a0fc208db1841a8976
Instruction Fuzzy Hash: A41128B4E05609DFDB48CFA9D94029EBBF2AF89300F2485AAC405E7364EB749B41DB51

Function 0183D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199970739.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_183d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 52d9a807a350411f4163258ea26a240ae955ae9a6346c5d09ef6c098c35e29ad
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 3411BB75504280CFCB12CF54D5D4B15FBA2FB84714F28C6AAD8498B656C33AD50ACBA2

Function 0183D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199970739.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_183d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 4994788088799eb6904e721435f5182eea2cae6476c66282d4038fb03abcc601
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: CD11BB75504280DFCB02CF54C5C0B15BBA2FB84324F28C6A9D8498B2A6C33AE50ACBA1

Function 0B48BA08 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6495154aa02bd8f9f3db6ee6b7ca48eeee774643d702d82002c4d7101a258e42
Instruction ID: 706bf696e63cce89962f863654eb5a961ac430f7efa32c0fa396187071abc770
Opcode Fuzzy Hash: 6495154aa02bd8f9f3db6ee6b7ca48eeee774643d702d82002c4d7101a258e42
Instruction Fuzzy Hash: AF1109B4E08208DFCB04EF99C5809AEBBF9FB49310F109596C429A7316D3759B42CF80

Function 0B48BEA0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5124ecb15175dee1d066bf2c0efbd248866a90a4ef741721d2346a4365ec21a5
Instruction ID: afd2f966c2213c3f9f038d17e64fcedf5f8312b44cd67656aab1e0a404f4843c
Opcode Fuzzy Hash: 5124ecb15175dee1d066bf2c0efbd248866a90a4ef741721d2346a4365ec21a5
Instruction Fuzzy Hash: 8B1106B1D046588BEB18DFABC8443EEFAF7EFC8300F14C47A851DA6254DB740A468A90

Function 0B4860E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5193865dc65d6722a4e36d6329abfec791cf9ddaf473f28c75b7e58c6c26561d
Instruction ID: bdff7b584488f7075f18c71e5e863d4c0c24953cb6cc0b553247cb836c050691
Opcode Fuzzy Hash: 5193865dc65d6722a4e36d6329abfec791cf9ddaf473f28c75b7e58c6c26561d
Instruction Fuzzy Hash: C61127B4E05209DFCB89DFA9D9405AEBBF2FF89200F14C4AAC419A7355EB709B00CB51

Function 0B488620 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf24317b0ea0cbb1c9a5d17fa2a2252cc167aafe717c99e77aad53ae40f63e4f
Instruction ID: c8f5fb55ef4910908aa4efd9071343b7d1fc4c8e7895fdd4aaccbcab02aded40
Opcode Fuzzy Hash: bf24317b0ea0cbb1c9a5d17fa2a2252cc167aafe717c99e77aad53ae40f63e4f
Instruction Fuzzy Hash: 9B1118B0E05209DBCB44DFA9D5446AEBBF6FF98200F60C5AAC419E7314E7309B018F50

Function 0B4886E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4c0da0b13da10b7e7fac828c7361dd65453a921ad82ccf093e25f2795cc90e
Instruction ID: d25f89cc3263f880a61c9d36b2ff893761063e237d5cb281350f58d209844c02
Opcode Fuzzy Hash: 0a4c0da0b13da10b7e7fac828c7361dd65453a921ad82ccf093e25f2795cc90e
Instruction Fuzzy Hash: F91148B4E05209DFCB48DFA9D94029EBBF2AF88300F60D5AAC409E3354E7749B419B55

Function 0B48E899 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dfc33341f079a3cbb67837c067acf1082ebad61a9bdc979bcb9071ea6c051c
Instruction ID: 9fc154cec8552df2c07db7ecf40c535db973ef6bf268616ad138cc4d03d223b5
Opcode Fuzzy Hash: d7dfc33341f079a3cbb67837c067acf1082ebad61a9bdc979bcb9071ea6c051c
Instruction Fuzzy Hash: 4E114C38905219CFEB14DF58D944B5EBBF6FB88710F04929AD419A7391CB345E82CF50

Function 0B48861A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb44ea443cb5827889c7d92fdd87800e7b3b5b42b5cbac01c6325e05dc351a8f
Instruction ID: 6c66196c780f6fa7cd456e8addbf6481366130d21e4ceb922840d4f1ab58f4d2
Opcode Fuzzy Hash: cb44ea443cb5827889c7d92fdd87800e7b3b5b42b5cbac01c6325e05dc351a8f
Instruction Fuzzy Hash: 8411F5B4E01209DBDB44DFA9D54469EBBB2FF98210F64C6AAC429E7254E7309B418B10

Function 0B48CD38 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da69803d34a2b972ca86d2315e1d64c6c22e6528d3a23255375bfdae1a9f87d
Instruction ID: 48208d3e97c7db297266f1c7a8c5ff288d428c40f5a59bf9ca4cd2a8961889dd
Opcode Fuzzy Hash: 9da69803d34a2b972ca86d2315e1d64c6c22e6528d3a23255375bfdae1a9f87d
Instruction Fuzzy Hash: 11111B34908148EFDB01EFA8C594AADBFF6EF4A300F1980DAD4099B263C7309E51DB50

Function 0B486899 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6529bfbf6135be2b3720221ea6e56adda34b9dee79cf36878680eb532febc2b7
Instruction ID: 734c99197fc877dbd114071edf63822f3470e4e53151e32cffd6f7c56be2105c
Opcode Fuzzy Hash: 6529bfbf6135be2b3720221ea6e56adda34b9dee79cf36878680eb532febc2b7
Instruction Fuzzy Hash: 67111FB4E0520ADFCB84CFA9D58169EBBF1EB88304F2485AAD409A7344D7345B459B91

Function 0B4868A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b337d2086e2f278205cc2e4fbf0044ac8be6bf6bd380a55645ea259ea91c7b
Instruction ID: 9adf2f23dd039918a8c7b624e77ee35628065c4fe477d8230e3d66a2974d4275
Opcode Fuzzy Hash: 92b337d2086e2f278205cc2e4fbf0044ac8be6bf6bd380a55645ea259ea91c7b
Instruction Fuzzy Hash: 8F110CB4E05209DFCB84DFA9D6416AEBBF2EB88300F20846AD409A3344E7349B459F91

Function 0B488792 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d3915f17cd71b8b9831542ac933c4c450927a59f37b51e92d859a6f018f66e
Instruction ID: 85920c0f4a5b05810cd17016ae19e38be67583c194f5d78ded1f2fa2e1f83255
Opcode Fuzzy Hash: 64d3915f17cd71b8b9831542ac933c4c450927a59f37b51e92d859a6f018f66e
Instruction Fuzzy Hash: FB014C70E15209DFCB44DFA9E54525DBBF2AB8A210F1485EAC419E7394E6349B44CF41

Function 0182D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199927825.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3d129cd96be89cf08325f566c21ec2bb76d326d5b6155217fc60c0c8cb773d
Instruction ID: 39e8e2eaaea83dda6d594ab5c63fdfc29913a9546759b6e078f3cc5a06b111b0
Opcode Fuzzy Hash: ad3d129cd96be89cf08325f566c21ec2bb76d326d5b6155217fc60c0c8cb773d
Instruction Fuzzy Hash: 3A012B714053949EF7124AA9CDC0766FF98DF80364F18C61AEE08CF192C7BC9980C6B1

Function 0B4860F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bccc9dbff62dd27d09abaca061598adf7c02c7e904f79a9703099dd369a64d
Instruction ID: b8e7134fbb61cbf5db2c92ea3ebce2e278cb584f5db3e3a7f0b8c18bd989b8ec
Opcode Fuzzy Hash: 61bccc9dbff62dd27d09abaca061598adf7c02c7e904f79a9703099dd369a64d
Instruction Fuzzy Hash: 8B014CB4E05209DFCB85DFA9D9416AEFBF6FB88300F10C4AAC419A3315EB709B018B51

Function 0B48CCC3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5661942015341c40ac82c0356fea7098b8567721e82f9c868f3d9c54f999ea53
Instruction ID: 3f577b628971c6d7ae4843a6cc52a1637ad9d009f41420517681a3dc35d7f7a9
Opcode Fuzzy Hash: 5661942015341c40ac82c0356fea7098b8567721e82f9c868f3d9c54f999ea53
Instruction Fuzzy Hash: 3D018F3090C288DFD704EF69D4809ADBFF9EF4A300B14D1AAC4199B253C7749B02DB60

Function 0B48C2B9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25702069adf3da2f47e1e2d657bda553712a8f85cf587e3c06e63e66d7b6bf30
Instruction ID: eb5ddbf45bd839c6ed46212e7a8c66a3bfc5140a7613ccf97736bddf0eef38bc
Opcode Fuzzy Hash: 25702069adf3da2f47e1e2d657bda553712a8f85cf587e3c06e63e66d7b6bf30
Instruction Fuzzy Hash: 4E01B374A08218CBDB04DF94C5C0AEDBBB6FB49711F54515AD519BB306C336AE81CF60

Function 0B4887D8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5873664d876cd78275e5b5bf767245a5415efc5639f7830461c63373ced11bf
Instruction ID: 1f24e34dfd926a8cb3fae5ef972fcbb282ad41913fcfd960e42708a956df4663
Opcode Fuzzy Hash: b5873664d876cd78275e5b5bf767245a5415efc5639f7830461c63373ced11bf
Instruction Fuzzy Hash: AA014F70E56249DFCB44DFB9E54525DBFF2AB86200F24D4AAC408E3355D6348B44DB15

Function 0B48CABC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11e5eb54afca97fc618e97c25b271a14e8bc4ed9e14244fc1396a568550b9a0
Instruction ID: b520baf1d1e69573fbca1d9083cfd62101fe0910eab720a8e4e8ed8cfff1e8b2
Opcode Fuzzy Hash: f11e5eb54afca97fc618e97c25b271a14e8bc4ed9e14244fc1396a568550b9a0
Instruction Fuzzy Hash: D101BF7490D504DFD704DF69D5849FCBBB9EF4E606B00D09AD42A97263D7399682CF20

Function 0B485291 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1d213b67f99d532041f1a5bab086b1459fb9afb2893dbfa2daf137c3b7261e
Instruction ID: c1d64d547976f2a904a40128fbd5601251bae8119b294c8d60d4c9f1a1d401f9
Opcode Fuzzy Hash: 2e1d213b67f99d532041f1a5bab086b1459fb9afb2893dbfa2daf137c3b7261e
Instruction Fuzzy Hash: 90011AB0E0021ADFDB14EFA9C841AAEBBF4BF48704F10445AD515EB341EBB49605CFA1

Function 0B48CCD0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f92356969778389428a743c48f58ce86a2a5e9d8fc9e26eae4d5aec3c23a480
Instruction ID: 358a74b845a839c3ce3019f33e50e2dc5b5d4e385fb8a8b3e718687f4e6fdbcf
Opcode Fuzzy Hash: 4f92356969778389428a743c48f58ce86a2a5e9d8fc9e26eae4d5aec3c23a480
Instruction Fuzzy Hash: 20F03C70908148DBD704EF59D5809BDBBF9EB8A700F10E1AA9419AB213D7749B46DB60

Function 0B4887E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f2310074ea23ec8000f743fbb57f11a85eafb5604cafb3101867586a22e356
Instruction ID: b867d42eceaf945d0d6f5266f70f9a88313e2be21905d5f11d407368d2f1349c
Opcode Fuzzy Hash: e3f2310074ea23ec8000f743fbb57f11a85eafb5604cafb3101867586a22e356
Instruction Fuzzy Hash: 7D014F74E56209DFCB44DFA9E54525EFBF6AB89300F24D4AAC408A3354EB349B458B44

Function 0B48B08E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf29cfec830747925f2bf3b6923062fc7bc2c42d6fcfbb0c09658967a6ed236
Instruction ID: b304d99065a257087df679fe39527f0307f0a21c8eaf6a52cef9156c44493f0b
Opcode Fuzzy Hash: fcf29cfec830747925f2bf3b6923062fc7bc2c42d6fcfbb0c09658967a6ed236
Instruction Fuzzy Hash: A401A274E05218CFDB01EFA4C8846ADBBF5FF49301F10812AE829AB385D7359902CB00

Function 0182D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2199927825.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_182d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670889222f0fc288e955684e5e6e615340a56da04ddac9ca6717e05f2e1c0194
Instruction ID: b56b5a216e56be85ec4d709d1f54dc4a6fc5ca308ec2d0c3e3742a0d0e03f43f
Opcode Fuzzy Hash: 670889222f0fc288e955684e5e6e615340a56da04ddac9ca6717e05f2e1c0194
Instruction Fuzzy Hash: 3DF0C2724053949EF7118A19C984B66FF98EB80734F18C55AED088B282C3789840CA71

Function 0B4871E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb54aea48bde0dc317fb6cc8d8d55de516af0d445cf434885329087f4095d15
Instruction ID: d02e9edbd4f8069bb1a73e18fcfc4f30fec764423856848af7d7942be3024534
Opcode Fuzzy Hash: 0fb54aea48bde0dc317fb6cc8d8d55de516af0d445cf434885329087f4095d15
Instruction Fuzzy Hash: A40146B4D0A2499FCB85DFB9C4052AEBFF1AF09300F1084AAD408A7392EB740A40CF52

Function 0B487678 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1e365e8ab7216bc1aa6447742a307236e7aae467d02e21bc944493efb8fc25
Instruction ID: 08c6e4cb478b453cf22a6710da00b31d108439c6d319c333c4aa66f8c3e9d1f2
Opcode Fuzzy Hash: 9d1e365e8ab7216bc1aa6447742a307236e7aae467d02e21bc944493efb8fc25
Instruction Fuzzy Hash: F1F0B4316042046FDB09DF98D852A9E7FFAEF59220B1480EFE808DB261D6319D51CB50

Function 0B48E6F1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6285a2d0e6d01fbe4f42c8c1c8fcf591c57af57d490419217e7011c0d16298
Instruction ID: 599d599d3df453c9b5a6671d23b8818ba75824726df1d9013064463c5d29ef4d
Opcode Fuzzy Hash: 3e6285a2d0e6d01fbe4f42c8c1c8fcf591c57af57d490419217e7011c0d16298
Instruction Fuzzy Hash: 6FF0F63440C284CFD717ABA5C5103A97FB59F8B300F04A0A7C0459B2ABCA74164ACB62

Function 0B48E911 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061424da23710dd2d777ec7faa87ab515ecf86626751a75227a00009a1328bb9
Instruction ID: 35198cb1f6da29fa0f32fa9c330f00b24604986c49d2f28b2c0b0b2962ecd115
Opcode Fuzzy Hash: 061424da23710dd2d777ec7faa87ab515ecf86626751a75227a00009a1328bb9
Instruction Fuzzy Hash: 71F06D78A46108CFD724DB16DD54A9CBBB1FBCC300F109AE9C51AA3245D7740E838F11

Function 0B4871F0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58859e4996b8806792575e0622d21b66fb50bf365ff6ed441be1c99eaa24a86b
Instruction ID: c082a6109b30024dd968bb5df2db9f65f213eae1c1728f3eea3b6476b4dba7f5
Opcode Fuzzy Hash: 58859e4996b8806792575e0622d21b66fb50bf365ff6ed441be1c99eaa24a86b
Instruction Fuzzy Hash: 70F017B4D052099FCB84DFE9C5052AEBBF5FB48300F1084AA9818E7341EB745A40CF91

Function 0B4852A0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3160f11bfc91bf1ff14e1a9abd16f1751e4893b41f35d9cd147ab14e6fab2c24
Instruction ID: 0007eaa366eade6dd2bcc5c916e537c98a29568ed13a90ca7d9c4342527c5a9f
Opcode Fuzzy Hash: 3160f11bfc91bf1ff14e1a9abd16f1751e4893b41f35d9cd147ab14e6fab2c24
Instruction Fuzzy Hash: 50F0DAB0D0430A9FDB44EFA9D841AAEFBF4AB48200F1085AAD918E7301E7B496018F91

Function 0B485237 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7610085b5e3ba78cf718dd7e5e116e1aa04fa0791f208c94ab203a0a161c6d
Instruction ID: 9533101047641304681d741f26e394a0aa97f21822396a8bc0ffaeef2beecfcb
Opcode Fuzzy Hash: 6d7610085b5e3ba78cf718dd7e5e116e1aa04fa0791f208c94ab203a0a161c6d
Instruction Fuzzy Hash: 8EF03970A00219DFD740EFACC954AAEBBF5FF49700F6084AAD015DB260EB709A06CF91

Function 0B48E700 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4275bccf340edf5769d58c66e2c2ae2183a75f4de7d96f40ae002e1dcf1b9277
Instruction ID: cee888b9f8e99f7ec547236f4f31a29bb9f00c297409114a627e3d5c7c5d19bc
Opcode Fuzzy Hash: 4275bccf340edf5769d58c66e2c2ae2183a75f4de7d96f40ae002e1dcf1b9277
Instruction Fuzzy Hash: ECF02B34948108CFE714FBA5D5047AD7BBADB88300F00A53BC50967269CFB46A4BCB62

Function 0B48A561 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd733f8d0245548cee8314fdc1f4baae2deb335c325587a8ca62025dea05db3
Instruction ID: 401c19bda1145c478329527588c178f66d3a9d6efd0b34e7dc956b52e3f3a204
Opcode Fuzzy Hash: 7cd733f8d0245548cee8314fdc1f4baae2deb335c325587a8ca62025dea05db3
Instruction Fuzzy Hash: C3F06270E012898FCB46DFA8C850AADBBB1AF0A300F0086AED8449B2A1C7745A90CB51

Function 0B48CA22 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e71de9852ee074cddae17cd4d4d5cfce7dfab65fc5482c9733befe6765bd37a
Instruction ID: 6c7111e8b616bc0c6a787cf0b6ca236948047147c6f90854f8193e1febf87656
Opcode Fuzzy Hash: 5e71de9852ee074cddae17cd4d4d5cfce7dfab65fc5482c9733befe6765bd37a
Instruction Fuzzy Hash: E6E0C930D0D504DBDB04EB59D4845BDF3BDFB4E701B14E156C42A56223C7389A828FA1

Function 0B48EA1F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a444532068e16b03736fb9db7f96c33b3fd7225f5e1e1c9b30e8679a19b34f57
Instruction ID: f011838402511f039e1db653ec5ed8c13871a1f2c7282c18c996e627553ec09d
Opcode Fuzzy Hash: a444532068e16b03736fb9db7f96c33b3fd7225f5e1e1c9b30e8679a19b34f57
Instruction Fuzzy Hash: 49F0A03884824ACFDB04EB54D90866D7BB1FF84200B00919AC01897352C7314A43CF10

Function 0B482958 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89575af8fd06fa07306efa04c0b581736966195dd69a2d716f449547990466e7
Instruction ID: 4dbccbd6b4dba3d3162a1818410658da69a06e8ff3a7ca649b19e78fe8583fde
Opcode Fuzzy Hash: 89575af8fd06fa07306efa04c0b581736966195dd69a2d716f449547990466e7
Instruction Fuzzy Hash: 35E09235901714CFC7108F64E4849947770FF48326B1002F9E92A872E2CB328E81CF60

Function 0B4889C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ec3cb68939f0f160a3734fbe69fe1bbb1066d8468ac0d88711350f2513416c
Instruction ID: a660e9c02e16191c0ee0b769f645ca98b0b987cc8f03cc373b4a29e72ca8f6bf
Opcode Fuzzy Hash: 93ec3cb68939f0f160a3734fbe69fe1bbb1066d8468ac0d88711350f2513416c
Instruction Fuzzy Hash: C4F01C75D152849FCB84DFB9C44465CBFF0EF09220F4082EBC868972A2D6349A44CF01

Function 0B48ED51 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ad7f5e0c503de3d5650cf0f149e81c495adffdfcaf35cef614b01f0a9936db
Instruction ID: 4a846dda9cfe25c85a326055bd0d5e45ad550a1ca0a4fe0ef6bf60a343dafb3a
Opcode Fuzzy Hash: e5ad7f5e0c503de3d5650cf0f149e81c495adffdfcaf35cef614b01f0a9936db
Instruction Fuzzy Hash: C5F0C978A01249CFCB08EFD4D9494ACBBB1EB89305B109959DD02AB74CDB789D4BCB11

Function 0B48ED10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b981573c3529c14f444a7add273448fab7d84deeedd8f1320d42aa29cfa9c376
Instruction ID: 52aa8f7e4cf08c1fe925d850779901ed9926b3157051d736fdef61281b67a3b2
Opcode Fuzzy Hash: b981573c3529c14f444a7add273448fab7d84deeedd8f1320d42aa29cfa9c376
Instruction Fuzzy Hash: D8E0E578444246CFEB44EF68D5D49ECBFF9EF48365B142659D416AB32ADB342982CF00

Function 0B48B073 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610ad522bfb5b6e1078c7cab866264dee5870364cb7baa4a161bf6e7117b94ec
Instruction ID: e36fae544f611a8e8b12a0d91a654930b79246989bb5dc7db21e86d01f98c125
Opcode Fuzzy Hash: 610ad522bfb5b6e1078c7cab866264dee5870364cb7baa4a161bf6e7117b94ec
Instruction Fuzzy Hash: 82E0E5349096448FDB12EFA0D884ABEBB79EF4A745F14104AD4266F29AD7765A02CB00

Function 0B4860A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0676fda6df5f849651d09f96eb61c333b92a2d50322f10cf5216c3d1ae6b16
Instruction ID: e2cc1e66b2f8d397af38d20032b6df4d000fad1d7edf0c8bc2e37c78262423c1
Opcode Fuzzy Hash: 8a0676fda6df5f849651d09f96eb61c333b92a2d50322f10cf5216c3d1ae6b16
Instruction Fuzzy Hash: 47E04F3090A285CFCB49DF74E4566987FB0AF07200F0045EAC4189B2A2DA341E45DB52

Function 0B48A570 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941aaa38f246e11cafa776a1c902413d29a40c58cc24a1f8162ccf25d30acf4a
Instruction ID: 7a66776018c50622e19fb4b58979ec41da4e434025644b5b5d6e0afd59a4cac6
Opcode Fuzzy Hash: 941aaa38f246e11cafa776a1c902413d29a40c58cc24a1f8162ccf25d30acf4a
Instruction Fuzzy Hash: C3E0EDB4D01309DFCB45EFA8D8016AEBBF5FB48300F1085AAD814A3340D7719A91DF80

Function 0B4889D0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d697dd737a23b069fe915aef3c04ded8470d3d9eddba95a231bee730dcba11
Instruction ID: 89b416cae576d28ac2dfab45782c74700d90da45be68c5b83a4d6b77e65fc52c
Opcode Fuzzy Hash: e8d697dd737a23b069fe915aef3c04ded8470d3d9eddba95a231bee730dcba11
Instruction Fuzzy Hash: 39E09A74D10248DFCB84DFA9D44565DBBF4EF08614F4081EAD818D7351E6759A40CF41

Function 0B482940 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2211da34b4bc10016abf7a4a6a05fdf43deb31a828c43ca511733d95c5a0d358
Instruction ID: 09543045c702b847dfb96fade917284b195a591f5ec7e8a2820eb8476cec183e
Opcode Fuzzy Hash: 2211da34b4bc10016abf7a4a6a05fdf43deb31a828c43ca511733d95c5a0d358
Instruction Fuzzy Hash: 50E01236701604DFD755EF64E5444D87B75FF85316B5001BAE50587262C732DA50CF50

Function 0B485248 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdae149df133bc1a34919a2b8f1860043b586d2ac924e0a0a5f6f8bed5637f5b
Instruction ID: bd7919fbbddfa1342aef16d80966949b35e186e0cbbbd10ac27f81fbf6e55e8f
Opcode Fuzzy Hash: cdae149df133bc1a34919a2b8f1860043b586d2ac924e0a0a5f6f8bed5637f5b
Instruction Fuzzy Hash: D0E0B6B0D40209DFDB80EFB9C905A5EBBF0BF08704F21C5AAD019EB221EB7496058F91

Function 0B48A5B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a7f90d07feb03bed80b20c435fe05d69eb99c6f06960fb134bca78a4b47f6b
Instruction ID: ecab198fa42193a3b22792630a063d1db1747c8729cf4359685e4b355f995e18
Opcode Fuzzy Hash: 61a7f90d07feb03bed80b20c435fe05d69eb99c6f06960fb134bca78a4b47f6b
Instruction Fuzzy Hash: AAD05E740093C09FE31AEBA0E8786247F30EF5B306F0915EED4498B5E2CAB05895DB21

Function 0B4887A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f8c4b3c5bd8a16a341ecd2d4947646b788fad19a1da27bb8f86d0bc35dd0e3
Instruction ID: 5d15d13991386cc545e62652ff67540d1f00d222f15caa0648924c5ea239ca17
Opcode Fuzzy Hash: a6f8c4b3c5bd8a16a341ecd2d4947646b788fad19a1da27bb8f86d0bc35dd0e3
Instruction Fuzzy Hash: C1E0E270D00208AFCB84EFA9D84539DBBF4AB44200F0081AA8818A3340E6745A44CF81

Function 0B4860B0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba6e9b096c71cc623e4f0b591251236eeac4b73b4f93301eb2f7fad852624f3
Instruction ID: 006dac38c06c08ae6a3af4ff537188b4cdcee230ed79adee003f85cbba57a038
Opcode Fuzzy Hash: fba6e9b096c71cc623e4f0b591251236eeac4b73b4f93301eb2f7fad852624f3
Instruction Fuzzy Hash: A8D0A930C0224DDBCB84FBB8D80636EBBF4AB00200F1002B9C80893290EA705F44DB82

Function 0B48AB4A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e03c03010472fd003169279bdf24abd24c7ad2f9e882f5fe224ee1f14f551b3
Instruction ID: 70495dc64f5245b715bc2c9aea4274d66f725f2ebf2a1af02d46035ecc3c26e3
Opcode Fuzzy Hash: 0e03c03010472fd003169279bdf24abd24c7ad2f9e882f5fe224ee1f14f551b3
Instruction Fuzzy Hash: 94D0523890A148DFEB10CB14EC40BECBBB4FBC4224F0022AAC10CA3110C7301E82CF00

Function 0B485340 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553b2bcb9f1fa7b9f0468e12bb51c150211b7d3f26f63eb26415fde3d0e4b0fc
Instruction ID: 329155d0e23d94a7c6ed8f811f9cf67a503a5d24c6c1e2242b039741e49ee51e
Opcode Fuzzy Hash: 553b2bcb9f1fa7b9f0468e12bb51c150211b7d3f26f63eb26415fde3d0e4b0fc
Instruction Fuzzy Hash: 4BD0123614020C5FCF80EF94E800C5677DDBB247007448472F548C7520E721F574D751

Function 0B48C452 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95bcdf0f320dc1fbfe8bcf42430cef37b8b82d3ff68c7d92c5aeb72b71c6077
Instruction ID: a5c8bf58a842e7398f2c51f362ef56b0d6c5f444bd80144a6ec44758f5f0e867
Opcode Fuzzy Hash: c95bcdf0f320dc1fbfe8bcf42430cef37b8b82d3ff68c7d92c5aeb72b71c6077
Instruction Fuzzy Hash: 8CD0C77884C105D7DB006FA9D8C017E7B64E71A6517146313C57785197C62441438FB2

Function 0B48A5C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5525a45d4d82e102eacf25e43a904b24a80b7096e0212553d4b013acdf2dced4
Instruction ID: 301684c994ad1fcacd1e1dec301e3f4ba354a52f37ee1b2ab6009db0c6459314
Opcode Fuzzy Hash: 5525a45d4d82e102eacf25e43a904b24a80b7096e0212553d4b013acdf2dced4
Instruction Fuzzy Hash: 51C08C70000B088BE3043BA0E80C329B668E70820AF400029D50C101928AF058D1DF61

Function 0B48B0E5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a763f4d4e462885c8752cebf7c2da54b85ff5c6c7a7c9a340b431c6abf71d2
Instruction ID: caaf6fb45296f62c536dc4615b55c5171608744dddcfa98bd6acb3b2ab7b9d2e
Opcode Fuzzy Hash: f0a763f4d4e462885c8752cebf7c2da54b85ff5c6c7a7c9a340b431c6abf71d2
Instruction Fuzzy Hash: F3C01234D081088FCB14EFE8E8500ECBBB0EB89300B00801AC932EB284CA391906CF21

Function 0B487650 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f445301d169550da45b9992f6b2fc75af16c1e95faf41e5f46802a2855e71a
Instruction ID: f60e338b4f7136f3e692070db9ac1b5c336325e772832e7035e52e25199da166
Opcode Fuzzy Hash: 38f445301d169550da45b9992f6b2fc75af16c1e95faf41e5f46802a2855e71a
Instruction Fuzzy Hash: 57C09BA6450500DED708B561645B7859B047735F19F34E8774D094D0554410516B8525

Function 0B485444 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683b177f46dd4c36400c5c786e2670f8aec6b281f91b24e7078736601e329209
Instruction ID: 981192f1d25ce28500d12933af43a5a68f46f675c2d3c4d35783df15acb628c2
Opcode Fuzzy Hash: 683b177f46dd4c36400c5c786e2670f8aec6b281f91b24e7078736601e329209
Instruction Fuzzy Hash: 9AB012FD254104F5D1043E7D48D2F2EA900FBB1F00B50AC1B3718140C1CC60CE29911F

Function 0B48C3E8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4245224f20662c3323f8475a325d3c4b91145352998e381545ab9bddfd1d36fb
Instruction ID: 0e3f5ed00ceb94766820ed2d0ca831283a8635d87022dc78461b746a905a4356
Opcode Fuzzy Hash: 4245224f20662c3323f8475a325d3c4b91145352998e381545ab9bddfd1d36fb
Instruction Fuzzy Hash: 22B09230108210CFC314DB28C6849A83BB6EB4A206B01449AD11A56253C735D981CE20

Non-executed Functions

Function 0B486A91 Relevance: 6.5, Strings: 5, Instructions: 292COMMON

Download Yara Rule

Strings

H4ux, xrefs: 0B486B5A
nay, xrefs: 0B486D6C
H4ux, xrefs: 0B486B78
nay, xrefs: 0B486D76
H4ux, xrefs: 0B486B61

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux$nay$nay
API String ID: 0-1200253175
Opcode ID: f2133537f21baeb2d36e2f7ec506684e226fc130f9c7e8ce5e3dfbd511468743
Instruction ID: 4c444d1d15162d75b08e8eb795cb63d90e714f6b4a923f773ee3fb0687abe8db
Opcode Fuzzy Hash: f2133537f21baeb2d36e2f7ec506684e226fc130f9c7e8ce5e3dfbd511468743
Instruction Fuzzy Hash: E5D14A74E01219DFDB54DFA9C980AAEBBB2FF88304F20916AD518AB365D7309E41CF50

Function 0B483968 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

%O@8, xrefs: 0B483AD2
%O@8, xrefs: 0B483AC4
tQ=), xrefs: 0B4839FE
tQ=), xrefs: 0B483A05

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: fa1801e285660d06adf6dbf9ba5b80e928b458fac16d2d5db1814a7e299180d5
Instruction ID: 9a472f19ad0ce16c4505e6266e673513dc96ed846cda3f3c5d5b704f9f6ebac2
Opcode Fuzzy Hash: fa1801e285660d06adf6dbf9ba5b80e928b458fac16d2d5db1814a7e299180d5
Instruction Fuzzy Hash: 8071D0B4E052099FCB44CFA9D58499EFBF1FF88610F14856AE419AB324D734AA42CF94

Function 0B484518 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

aY, xrefs: 0B484709
18', xrefs: 0B484662
18', xrefs: 0B484654
aY, xrefs: 0B484702

Memory Dump Source

Source File: 00000008.00000002.2210980212.000000000B480000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b480000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: a8f32caa44bc8e742a092ce9de6f8e2e26f62dbe65557fef78a10675ceb23b0e
Instruction ID: 5b5b26f943148682eb3c11af87091aebca56e37ab66f31c1f395e9639455192e
Opcode Fuzzy Hash: a8f32caa44bc8e742a092ce9de6f8e2e26f62dbe65557fef78a10675ceb23b0e
Instruction Fuzzy Hash: 5B71F2B4E0120ACFCB04DF99C5809AEFBB1FF89750F14851AD525AB304D334AA82CF95

Analysis Process: NoCGdFUXaoNd.exePID: 6764, Parent PID: 5140COMMON

Executed Functions

Function 0309C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0309F910

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 6e34cd163932d211307a192a85f0f899b67baedcf5b8e065ba0859f9f1747cb4
Instruction ID: 17d85857887ceed34ba849c497f5962b39748d86bc111536f6db32a494714be4
Opcode Fuzzy Hash: 6e34cd163932d211307a192a85f0f899b67baedcf5b8e065ba0859f9f1747cb4
Instruction Fuzzy Hash: 4E73F331C1075A8EDB11EF68C854A9DF7B1FF99300F15D69AE4486B221EB70AAC5CF81

Function 05C6AF00 Relevance: .9, Instructions: 918COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da0eb70d48feade77607cde644c4bd1de70985bd3a7621e256620a2f5f1625a
Instruction ID: 60061ec6667e60977e3f71bd7ee0d5d432d25dd361a3602a3877eef979ff06fc
Opcode Fuzzy Hash: 4da0eb70d48feade77607cde644c4bd1de70985bd3a7621e256620a2f5f1625a
Instruction Fuzzy Hash: FF726170A002199FDB14DF69C894AAEBBF6FF88304F148569E815EB365DB34DE41CB90

Function 05C6BC60 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ef337b0f43a2e3d052c2b2ee14221edbff993b1dfade831d27d38959a56016
Instruction ID: a6e6fa97c4b5a7804f5bab4a335b9882e6d8f66d267cfa1189dc45445516907a
Opcode Fuzzy Hash: b3ef337b0f43a2e3d052c2b2ee14221edbff993b1dfade831d27d38959a56016
Instruction Fuzzy Hash: AA823C34A04209DFCB14CF69C9C4AAEBBF2BF88314F158959E946EB261D734EE41CB51

Function 05C689E0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745057c82696e46c56c55677306debb47c6f5866ebe77663898d82a2321d3daa
Instruction ID: 74b7224d219bd7a82a40aab7dfe5862d5e1036355b55db2b263373dae33b9a72
Opcode Fuzzy Hash: 745057c82696e46c56c55677306debb47c6f5866ebe77663898d82a2321d3daa
Instruction Fuzzy Hash: 97827F74E01228DFDB64DF69D898BDDBBB2BB89300F1081EA940DA7265DB705E81CF51

Function 030927B9 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec9bcb4c822e499e1ec01b3220af9ea201e1759016ccb1cfd34e7e7a8ec5359
Instruction ID: 3da155fa88ed0cf7a3a4d15ef88b7a539fe3c7baef651a6c2df4f6c0f0d216d5
Opcode Fuzzy Hash: 9ec9bcb4c822e499e1ec01b3220af9ea201e1759016ccb1cfd34e7e7a8ec5359
Instruction Fuzzy Hash: 084209326562B49FDB2B9B34C4D73903FF2EF5B20475949E8D0C2CA17AE2791182DB06

Function 03099480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa83d1f64e4b00165dad6b0cfebfe429636080812e6f7fbb68b38786508dc50
Instruction ID: f4bd327a651819c155c48dc71215f212f54c33943a087aaf9790eb805bf822af
Opcode Fuzzy Hash: 6aa83d1f64e4b00165dad6b0cfebfe429636080812e6f7fbb68b38786508dc50
Instruction Fuzzy Hash: E4C19F74E01218CFEB54DFA5D998B9DBBB2FB88300F2091AAD809A7365DB355D85CF10

Function 03092DD1 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928d28483ecca1b6869b8788de6dee981431b7d09953fbc290ed3b4c909823d0
Instruction ID: b3e9d53df0789cbeb948ae9bc3381c2bca423e86d8984bf4317f0863705ac99a
Opcode Fuzzy Hash: 928d28483ecca1b6869b8788de6dee981431b7d09953fbc290ed3b4c909823d0
Instruction Fuzzy Hash: 3091C534B02259DBEF18DB74946427FBBB3BFC8710B05896EE446E7289DE3588019B91

Function 0309C521 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f66797cbbded35722f325d62be938d3b73ea809fceccd9eec17b0629a11116
Instruction ID: 3e9ef79bc80d69f6906876212aacef2adbc306c0839596c4a32512375c6f31a0
Opcode Fuzzy Hash: 07f66797cbbded35722f325d62be938d3b73ea809fceccd9eec17b0629a11116
Instruction Fuzzy Hash: 7AA11571D016598FEB10DFA9C8447DDFBB1EF89300F14C6AAE4586B261EB709A85CF41

Function 03099A30 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef04cd06ec0f6d8a34bd88f78a5247f7eff7f96bfd7290b586e9a141b9d54a3
Instruction ID: 8e69aca8fb8f2612b82eb1e4bdd8843add8e4497b90a4f5f7784144aeb3ff7db
Opcode Fuzzy Hash: 2ef04cd06ec0f6d8a34bd88f78a5247f7eff7f96bfd7290b586e9a141b9d54a3
Instruction Fuzzy Hash: 6BA12770D01208CFEB14DFA9C948BDDBBB1FF89304F24926AE408A72A1DB749985CF55

Function 03099D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ec23715acd1a0185e5eb3a825913f5b495d02e2f5a42cd044d4c9808fb467c
Instruction ID: 64b9d9a598edb17aa1f985fd478abcccbb16f0bdffd8f0f8325055a8dd616572
Opcode Fuzzy Hash: 38ec23715acd1a0185e5eb3a825913f5b495d02e2f5a42cd044d4c9808fb467c
Instruction Fuzzy Hash: AB910474D01218CFEB10DFA8D988BDCBBB1FF49310F24925AE409AB2A1DB759985CF15

Function 05C66138 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba70257580f4331e003dcf5ca73f6520d5a0e7b2611b9523ae2a4fe3a000c68f
Instruction ID: d2089e49686b2daab967e2ae5aee22d2cb394546e84b447036110070ccaad402
Opcode Fuzzy Hash: ba70257580f4331e003dcf5ca73f6520d5a0e7b2611b9523ae2a4fe3a000c68f
Instruction Fuzzy Hash: 4881E474E01218CFDB58DFAAD9947ADBBF2BF89304F20846AD409AB354DB345A85CF50

Function 05C689D0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d607ae999e131f12bdc8a263e83731cf6064ab4a181dea3b6be00d048bd57e2
Instruction ID: d58bcca8e5ff7084ab2a4dcb3eee26ec15f9bd7c5b1b4d11d5ffd46ce67a9f04
Opcode Fuzzy Hash: 3d607ae999e131f12bdc8a263e83731cf6064ab4a181dea3b6be00d048bd57e2
Instruction Fuzzy Hash: 70819074E422699FDB65DF29D994BDDBBF2BB89300F1080EAD809A7254DB305E81CF44

Function 0309946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d36b2ef99165cd4c9eac06b5b56fc6c335192099da4d26e3d23e64dae8c213
Instruction ID: 24f1113560fd6209e4e6580911542a0eba9836403cb4c49179e1efa874b6a155
Opcode Fuzzy Hash: 50d36b2ef99165cd4c9eac06b5b56fc6c335192099da4d26e3d23e64dae8c213
Instruction Fuzzy Hash: 0341F774E01249CBEB18CFA6D45469EFBF2BF89300F24D16AD815AB365DB344945CF50

Function 0309AF73 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

, xrefs: 0309B065

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a21bf3a264d984e39e452eb07ed26aa2446eda57db328bc9cb21a857a7a9572c
Instruction ID: 3618ffad04974fac25baf499481c54c9431438a8078810b4b6c3a41ceb160cc5
Opcode Fuzzy Hash: a21bf3a264d984e39e452eb07ed26aa2446eda57db328bc9cb21a857a7a9572c
Instruction Fuzzy Hash: 0E81F8307012089BEF69AF78E45826D7AEAEFC4770F54462AE9269B3D0DF358C01D791

Function 05C6CD28 Relevance: .8, Instructions: 801COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca76b3a98c300cfd654da61773f097d4063cdc6686fd7c30ba9116c11f1edaf
Instruction ID: dc3d4db795b8f7ebdc37334cedf0a230de4ee3e458691618c7bcff830aa01437
Opcode Fuzzy Hash: eca76b3a98c300cfd654da61773f097d4063cdc6686fd7c30ba9116c11f1edaf
Instruction Fuzzy Hash: AD623034A00219CFEB559BE4C864B9EBBB2FF94340F1080A9D60AA7395DE359E85CF51

Function 05C6DA68 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c2bf3682c9ac0f980b3f1e1997948f0ada674862697c3b7457020d73d2528f
Instruction ID: 2aadcd3401c661a8b97db6c2d80c2e542d8b5621c1b253160519434dfa37fccc
Opcode Fuzzy Hash: e4c2bf3682c9ac0f980b3f1e1997948f0ada674862697c3b7457020d73d2528f
Instruction Fuzzy Hash: BDF10B75B00219DFCB04CF69C9D89ADBBF2BF88311B1A8499E516AB361CB74ED41CB50

Function 0309B500 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdef1420f53a7c34cc77ca264946ef6e8ab04e3ab6734e917c99409929a50b5e
Instruction ID: 174ebb44d62afcda669a9a1f86ab47d0ca8f548e48380b202c09354094641403
Opcode Fuzzy Hash: bdef1420f53a7c34cc77ca264946ef6e8ab04e3ab6734e917c99409929a50b5e
Instruction Fuzzy Hash: AFD1D331B052088FEB55DB68D490BAEBBF6EFC9320F18446AD501EB3A1CA75DC41CB51

Function 05C6A620 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06436e5559f425482804a231543803786871dc69d0803ad3fcc30e02e91fc809
Instruction ID: 6a1f72e8e37334836cc0ea3ca999a8469de0cdc32ed7f14602eb14a401b4b117
Opcode Fuzzy Hash: 06436e5559f425482804a231543803786871dc69d0803ad3fcc30e02e91fc809
Instruction Fuzzy Hash: A0C1CA34304215DFDB159F35C898A6EBBE3FF88640F148929E9469B395DB34CE02CB91

Function 030919B8 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490372172e7df5f9f8bfae77b80f2b4eaa30fa84224e46edea04d18357fe3222
Instruction ID: c7d25286bf5d585490a6b493c2629ce3e45e2817360014c774c8320d62543c84
Opcode Fuzzy Hash: 490372172e7df5f9f8bfae77b80f2b4eaa30fa84224e46edea04d18357fe3222
Instruction Fuzzy Hash: 66C17E31A012398FDF699F78C4853A97FF6FF59300F0489A6D046DB268E7344A82CB42

Function 05C6AAE0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e67633306d4b46c50f483d91ae4754d990796e0aa73ec29dbb04c1b8b483b
Instruction ID: 320e919fc0fbb253fa403f067694ad162d208705556362247d6e1378844b00f8
Opcode Fuzzy Hash: bd5e67633306d4b46c50f483d91ae4754d990796e0aa73ec29dbb04c1b8b483b
Instruction Fuzzy Hash: 8D819C34B04109DFCB14CF69C8D496AB7B2FF89340B1889A9D406EB365DB35EE41CB90

Function 05C669E8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8def8ce50333ee0e253240053ec144d51e000e72a8d5dc8b6b089dbc7a97ee3
Instruction ID: a77a082523909d51b237bc29b3544043e669d37428af43f08c614878fc720f4e
Opcode Fuzzy Hash: f8def8ce50333ee0e253240053ec144d51e000e72a8d5dc8b6b089dbc7a97ee3
Instruction Fuzzy Hash: CB718131F003599BDB15DFB5C8906AEBBB6AFC8740F14452AE406A7380DF709E45CB95

Function 03090B23 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18db6ae5b03c3eeede88ddaab9a26509e11e73d50908890c2138e187e3b74922
Instruction ID: 9c605aeb8013afc762bc4973d43191594a29ac1f2be5cb6b9de41fa404ab0b48
Opcode Fuzzy Hash: 18db6ae5b03c3eeede88ddaab9a26509e11e73d50908890c2138e187e3b74922
Instruction Fuzzy Hash: AAA1D274A0120ADFCB44DFA8F88899DBBB2FF88304B105669D505AB365DF786D05CF91

Function 03090B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d66a299aa7c2174089337a20cbe74ff19bc9fb559c235152c54da181cdf35c1
Instruction ID: 29fb0048488f9ffdfa290f3275585282bab90bae51e6d2502678d570f3f93bb3
Opcode Fuzzy Hash: 1d66a299aa7c2174089337a20cbe74ff19bc9fb559c235152c54da181cdf35c1
Instruction Fuzzy Hash: 32A1D274A0120ADFCB44DFA8F88899DBBB2FF88304B105669D505AB364EF786D05CF91

Function 0309BF6F Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ec0eacef24038f711d401424dc9dbb624e7feeaa9bcb54194c716486cb81a2
Instruction ID: 5256a0f4d7cce09d4fa9af51a531eb1de094cb9b76b98525a102da49b94c1d6e
Opcode Fuzzy Hash: d3ec0eacef24038f711d401424dc9dbb624e7feeaa9bcb54194c716486cb81a2
Instruction Fuzzy Hash: D6510272B013059FEB18CA78D844A6FFBE9EBC9324F19862FE519C7750D632D8018790

Function 05C6C9D9 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfeb152657094dbbd762b97e0469f271ea46546336e7af02b21b51530a0bcb2
Instruction ID: b2061dd9491c71ee386221f12f115c5f3680026a6fcedb5b7a5b4f8ce4b5cb37
Opcode Fuzzy Hash: bdfeb152657094dbbd762b97e0469f271ea46546336e7af02b21b51530a0bcb2
Instruction Fuzzy Hash: B051A1353141519FC714DF3AC8C8E7A7BEABF8965030549BAE496CB262EB70DE01CB60

Function 03093F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70eaefb79d1a5b138512b8ade60c1139c044a56a61a35119436dd4698557612
Instruction ID: 0afd0c94ff9700b45f669c2fc799206600656c04bad2b3ad1dcc68a29efb620f
Opcode Fuzzy Hash: a70eaefb79d1a5b138512b8ade60c1139c044a56a61a35119436dd4698557612
Instruction Fuzzy Hash: 9951B574E01208DFDB48DFAAD484A9DBBF2FF89310F14846AE815AB364DB749942CF50

Function 05C669D8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf2ab5c4a3bd00def26657c6f375852ec61d2240fbe0c866f66102b4d57216a
Instruction ID: 81107e43442cbc9e47568c3f574f6b57ffaaa5a028a57cd3e63ed20daa8b432a
Opcode Fuzzy Hash: fdf2ab5c4a3bd00def26657c6f375852ec61d2240fbe0c866f66102b4d57216a
Instruction Fuzzy Hash: 97413371E1021ADFDB14DFA5C990ADEB7B5BFC8700F24852AE401B7240DB70AA85DB90

Function 05C6C7E8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c1c6451c294309cd86a0e391535371ba5724279b33ef5a037b277210e88fcd
Instruction ID: 419c116a5875d35d638fdb0833518ef4e4fa8b135b63b67b58ced7af37434ca0
Opcode Fuzzy Hash: d4c1c6451c294309cd86a0e391535371ba5724279b33ef5a037b277210e88fcd
Instruction Fuzzy Hash: 344145746002059FDB24DF29C888AAA3BB6FB8C350F000469E986CB3A0CB71DE50CB90

Function 03093168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348d39d7c81473cbf290fae354bfaec68a9f5912947b7fc1da2a5d6f581dbe9c
Instruction ID: 0b366bba83f1e92852f2110fbaae07ce144aba616869669b2c92b77c080fa97b
Opcode Fuzzy Hash: 348d39d7c81473cbf290fae354bfaec68a9f5912947b7fc1da2a5d6f581dbe9c
Instruction Fuzzy Hash: CB419378E01208DFDB48DFAAE48499DBBB2BF89300F24956AE405BB364DB355845CF14

Function 0309BC98 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b8a2a18906d0c03e639f21377047f1f7b2cde1deeb1981bf6750a6d66a89d9
Instruction ID: 87ca5e35273288c3b721b1ab272f0065a8165ef98cd782f1e8f1b399b1e22586
Opcode Fuzzy Hash: c9b8a2a18906d0c03e639f21377047f1f7b2cde1deeb1981bf6750a6d66a89d9
Instruction Fuzzy Hash: FE31D235B013499FDB04EFB8D851AAEBBA6EFC9210F1445BAE5099F291DE308D02D790

Function 03099249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29153dbdc81c38050a40e9babeefb9c232a28fdbe5168cf6f862cfb2e07e5b7
Instruction ID: 99530bd0493b0b338a7f25ac0d96cfc4cdaa40821ea8d14918f369298abc00bf
Opcode Fuzzy Hash: b29153dbdc81c38050a40e9babeefb9c232a28fdbe5168cf6f862cfb2e07e5b7
Instruction Fuzzy Hash: 5131BA3047A24F8FD7802F21B6AE2BABEA8FB4F763B047D05F10A854659F7004849B55

Function 0309B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fdddf4faeb762389667e15f5be1074c7b9a730ca6cc4bdea5354ccddada5ad
Instruction ID: ef041f6364cd5abd9395ad2b47ed38a1d3c58bad78fa0b9b8e2af2bd345c4b4f
Opcode Fuzzy Hash: 57fdddf4faeb762389667e15f5be1074c7b9a730ca6cc4bdea5354ccddada5ad
Instruction Fuzzy Hash: 20311535B102098FDB45DFA8C480E9DBBF6FF88230F195499E501AB365DA70EC81CB90

Function 05C69D48 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba02845d47798cf80c5fcfb101bc90fa79030f88cef8d044daf94dfbf29b1aa
Instruction ID: fceb554af183e1a65a9ba043accb2cd4305e81498930864b39fbc198bb0a60e5
Opcode Fuzzy Hash: 1ba02845d47798cf80c5fcfb101bc90fa79030f88cef8d044daf94dfbf29b1aa
Instruction Fuzzy Hash: 72319F3130414A9FCF419F65D898ABE7BB6FB99340F008429FD1687254DB39CE61DB90

Function 0309B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f222e9900181c99162546a3045bd5a60ce7683f40b0afdd1ae9c2c69aad5f1
Instruction ID: eddda6e6ce0c7fc76e43bda693930635dcc9dcb24a5235269f85a3b1dfbf50e6
Opcode Fuzzy Hash: f7f222e9900181c99162546a3045bd5a60ce7683f40b0afdd1ae9c2c69aad5f1
Instruction Fuzzy Hash: BF31F535B102098FDB45DBA8D480E9DBBF6EFC8320F195599E501AB365DA71EC81CB90

Function 05C6CC09 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570e7fd70c1544f3c7d2be5bcc5be2c048bc65d0b52eae9a737eacff19b7c9b8
Instruction ID: eb786eb29ed4459e74bfa61ead939df6d50f93f32fdb97d77df62b3d4c17308f
Opcode Fuzzy Hash: 570e7fd70c1544f3c7d2be5bcc5be2c048bc65d0b52eae9a737eacff19b7c9b8
Instruction Fuzzy Hash: 32213B303012115FDB156B3A94E4A7D3A97BFC9614714483AE946CB398EF39DE41D740

Function 05C6CC18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417265e8653f377435bc3d3b5b2e40d11a602d05e7dbc13d7e84d99e43c37d03
Instruction ID: 90046f0803328f5cc234a17a7791fab555fa3112d3090ac9aea5b0fbeddc7047
Opcode Fuzzy Hash: 417265e8653f377435bc3d3b5b2e40d11a602d05e7dbc13d7e84d99e43c37d03
Instruction Fuzzy Hash: A321C9303041115BDB146A3AD4E4B7E3697BFC9754F248839D946CB398EE79DE42D780

Function 05C6DA58 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed65bccc7760db84f36a6e4cc758e3cae42c8f3550e51ab15b64143231a8764d
Instruction ID: 92c33c215798398aeb0211f0eb6699116f4225b8d41932d3a8558d068b387898
Opcode Fuzzy Hash: ed65bccc7760db84f36a6e4cc758e3cae42c8f3550e51ab15b64143231a8764d
Instruction Fuzzy Hash: 38319330B041098FCB04CF69C8C4AAEBBF6FFC5310B158599E956973A5CB709D41CB94

Function 05C6CB20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e4e93ce52d1045cce62bec7d98d67c42db31c2bf00bf01bb6b6c2376bb5e4bc
Instruction ID: e9090c6ceb1306aee8d3c4689597eb9be41ccfecd5bd5860a2d5aa4929643d98
Opcode Fuzzy Hash: 1e4e93ce52d1045cce62bec7d98d67c42db31c2bf00bf01bb6b6c2376bb5e4bc
Instruction Fuzzy Hash: F22144317081558FD714CE6AA8C4ABB7BE6FBC9650B048836E892CB341DBB5DE50C7A0

Function 030918C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce5d65094d4f60e7da1f2806735c05367d71467052773caa62b8526605e5629
Instruction ID: 41bae9b1b208bef35d17e76899c753f90d0d16ef4bdb4bbae15b13a6f21af52c
Opcode Fuzzy Hash: 5ce5d65094d4f60e7da1f2806735c05367d71467052773caa62b8526605e5629
Instruction Fuzzy Hash: D921C135B01146AFDF58DB24D4409AE77A9EBC9360B54C49AEC1AAB340DB31EE06CBD1

Function 0146D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3394906402.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_146d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ee46822c0254c58a4649f5ad36d332171ac2ab85510e3f96909e27aa5c9a66
Instruction ID: 4ef6864a27383ae2350fdcdb0f165f691db41cf61e8b6400959953b44dae394e
Opcode Fuzzy Hash: 80ee46822c0254c58a4649f5ad36d332171ac2ab85510e3f96909e27aa5c9a66
Instruction Fuzzy Hash: 87216D715093C09FCB03CF64D990711BF75AF46218F29C5DBD8898F2A7C23A980ACB62

Function 0146D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3394906402.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_146d000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1229c5cbdbc77d3563e284e890cb22c0a20bc7823749cf4beff3290b6cf221
Instruction ID: f08c2ab1421207c8ce6579dd699d83729e5982e77e8e65a9159f272ea9680c3f
Opcode Fuzzy Hash: 9d1229c5cbdbc77d3563e284e890cb22c0a20bc7823749cf4beff3290b6cf221
Instruction Fuzzy Hash: EB2125B1A04204DFDB15DF54D9C0B26BB69FB8431CF20C56ED98A4B362C776D447CA62

Function 03090EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0bc79cb4902ffc2c95fdeaaf7ab93f8a3d5380fd1d0ea5eb20b33d6626bf1f
Instruction ID: 4f3de3cc00301c28cffbc30345c35941673a85af8071a1ec156b594e204d8c5d
Opcode Fuzzy Hash: ca0bc79cb4902ffc2c95fdeaaf7ab93f8a3d5380fd1d0ea5eb20b33d6626bf1f
Instruction Fuzzy Hash: 1A213B74E012099FDB48EFB9D4106AEBBB6FF9A344F10846F88189B254DB744A41CF51

Function 05C66BC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfe63e6b880dda54d122992343c35b802ebce76e2645c74ce6a24ddd6de5f0b
Instruction ID: b6f563e7ad9b341a1389a4339fa72402e4eb101fa5ed090af157b2eff95fa550
Opcode Fuzzy Hash: 1dfe63e6b880dda54d122992343c35b802ebce76e2645c74ce6a24ddd6de5f0b
Instruction Fuzzy Hash: 851138363083845FDB0AAF7448142AE7FB7EFC9640B04442AD945DB392CE354C06CBA6

Function 05C6B518 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1228ffa871776553269c8272472fd79ce579b093a2ed02bc48f825dd38e993a
Instruction ID: 811540c6215ced59994c5034a3ec4e6511d9e9af7a247b3af41553bfc1457dda
Opcode Fuzzy Hash: c1228ffa871776553269c8272472fd79ce579b093a2ed02bc48f825dd38e993a
Instruction Fuzzy Hash: E52190719002089FDB24DF54C888FAABBF6FB44318F00856AE55ADB251E771DE54CF90

Function 030917B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adb463273b63ba356805f494e1646b2a680e4864806d721b6a007e6a2c370a2
Instruction ID: 440c7e347604a88e8a17ff5f25c18c28f6f5f831dcf2aee1fc87651da7d67f64
Opcode Fuzzy Hash: 9adb463273b63ba356805f494e1646b2a680e4864806d721b6a007e6a2c370a2
Instruction Fuzzy Hash: 78211470D1624A8FCF45EFB8C8445EEBFF0AF0A200F1441AAC405B7225EB345A85CBA5

Function 0309C108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30aa566a02c4f1e4c45ffd30ece256ab2cfa84f4d003ac70b3fb48c8b3dba922
Instruction ID: 5460e1804c47d58b596031cb0d1675deb46864fd8ec7d11e8ded021696d7644d
Opcode Fuzzy Hash: 30aa566a02c4f1e4c45ffd30ece256ab2cfa84f4d003ac70b3fb48c8b3dba922
Instruction Fuzzy Hash: B7117039E013198BFF64EFBC995469EFBF6AF89250B04053AD419A7200DB319C4287E5

Function 03094850 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ea2c9ed05e670f91507cb1804e3435f01b6d699c82dacc9a33c24cb008f41f
Instruction ID: 1c20e0e1cb25f90a9e8ab96baaeb606fd84357f51c23cc200bf2ffb68d382112
Opcode Fuzzy Hash: 18ea2c9ed05e670f91507cb1804e3435f01b6d699c82dacc9a33c24cb008f41f
Instruction Fuzzy Hash: B501F532F022554FEB54EBB6C84466F77EBAF8526031445BAD505C7294FE74C8018B51

Function 05C66E70 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b570169cf2ed489c3416d40c38126bfdcb04b99342dcce612aa1d80b434b93
Instruction ID: 1da07ffb2515c88696b88e40f7e7e33b38fc71f3130cf1f6aaba9055c825de55
Opcode Fuzzy Hash: 01b570169cf2ed489c3416d40c38126bfdcb04b99342dcce612aa1d80b434b93
Instruction Fuzzy Hash: 1D2156B680024ADFDB10CF99C845BDEBFF4EF48320F14841AE658A7250C779A690DFA5

Function 0309BB46 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556dcf1ca41fa55a2bd5a5977a2e56cba13f4f0b3cbab298ab306fdc32dbc458
Instruction ID: defb2f076110dc2e9550ef781b6f0d4862774e708ac33b6e4bf7ccfe20f5a2dd
Opcode Fuzzy Hash: 556dcf1ca41fa55a2bd5a5977a2e56cba13f4f0b3cbab298ab306fdc32dbc458
Instruction Fuzzy Hash: 73118C76301200CFEB54DF69E584A1AB7F6FF88721F2484AAD1498B3B4CBB1E804CB00

Function 05C667A0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7470d595a809903e2d815ace5c2accefa4d2dd1b5d0e36f6e69141993e449fc
Instruction ID: f9157b33a8bb78a64a063e002a35cbb31b433cdda9cc12657f7aaea75517fbb7
Opcode Fuzzy Hash: b7470d595a809903e2d815ace5c2accefa4d2dd1b5d0e36f6e69141993e449fc
Instruction Fuzzy Hash: 451159B6800309DFDB10CF99C844BEEBFF4EB48320F148419E614A7210C379AA50CFA1

Function 05C66399 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f80abb163cb928dd3d57de51423834f4b73fb436653fbea76688b2012983e7
Instruction ID: 09d651ac3a997747af99390923494d584aae1588e6d1d2194f1bc7d12e9200ce
Opcode Fuzzy Hash: 25f80abb163cb928dd3d57de51423834f4b73fb436653fbea76688b2012983e7
Instruction Fuzzy Hash: CC115234F40158CFDB00DFF8D890BAEBBB1EB44315F01A465E809EB359EA7199828F50

Function 0309BEE9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae27122395c382d8ab94eda43a970458f6507ac8fd75d24b05b3332fc54380a6
Instruction ID: 6616b41ccda9182e6d4ecae941ec04dd42b7d483f56eab949b7f37b965794801
Opcode Fuzzy Hash: ae27122395c382d8ab94eda43a970458f6507ac8fd75d24b05b3332fc54380a6
Instruction Fuzzy Hash: C70128353043085BCB056B7498195597FAAEBCA620B0941B7E549CB283DA36C842C791

Function 03094860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91826e143a0784f9d63605eb74bedad9ec880eeebfe9556b6db559c2b0f67ffd
Instruction ID: c85340801d650e4278954292dc46f87d6140059ed99284cb5f9e866cc50fa66a
Opcode Fuzzy Hash: 91826e143a0784f9d63605eb74bedad9ec880eeebfe9556b6db559c2b0f67ffd
Instruction Fuzzy Hash: 93018631F022554FEB54EBBA884856F76EFAFC4561714457AD905C7354FEB0CC018B91

Function 05C6A580 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54654f39dbddc1d457a88e80d2894bfc19ec81d3a3a1b8fe69c1d70d22a2cc14
Instruction ID: aacb11794f43b190e8e49d76678f8e9eb6bc6a0dd14980830a52c18df7890b0a
Opcode Fuzzy Hash: 54654f39dbddc1d457a88e80d2894bfc19ec81d3a3a1b8fe69c1d70d22a2cc14
Instruction Fuzzy Hash: 33014932608208AFDB02CF519C00ADF3FA7EBC9B90F048026FD05D7240D630CA1597E0

Function 0309A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e662a42f57fb689bff2a4e523db601674baad83b6615d227bdc2be8a14db06
Instruction ID: f001b7fcdb937b75d90544f2adbf4e88ae17b30b8c0f2bd1889ee372b4f086ba
Opcode Fuzzy Hash: 10e662a42f57fb689bff2a4e523db601674baad83b6615d227bdc2be8a14db06
Instruction Fuzzy Hash: 77018C71A102099BDF54DF68E8485AE7FBAEB88250B40443AF91A93240DB308D10DBA1

Function 0309BB48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7345a6a989b8d80b3a43b271b9934bce0cb2b1ffa9f11912273ee51ec0ae0f52
Instruction ID: a8fd709c7e4489d8a620ccfc78365cddcfc19c6c2abd69e7a1d160ff275d3003
Opcode Fuzzy Hash: 7345a6a989b8d80b3a43b271b9934bce0cb2b1ffa9f11912273ee51ec0ae0f52
Instruction Fuzzy Hash: F7017571301214CFEB54DF29E944B16B7E9FF89721F1584AED1498B3A4CAB0EC04C750

Function 05C6A590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab46021c60be3b1072c9d75703657b9e7709be30383006211752c17e6bda2efb
Instruction ID: 9e9f86fee92f70edcc42278d2070e708577ee690dbdf17dafb949c7124de2e05
Opcode Fuzzy Hash: ab46021c60be3b1072c9d75703657b9e7709be30383006211752c17e6bda2efb
Instruction Fuzzy Hash: A801DB327041186BDB45DE559C14AAF7BDBEBC8790F14802AFE06D7340DA71CD159794

Function 0309A4F9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e286f6cc8bca1a3e0e01db42fdccd72f5838de750c6b0a7964689e76b92ea190
Instruction ID: 39cc3b9df25b72e8069726e2a7b2c85529678b25a726b949ea8b2d070980722c
Opcode Fuzzy Hash: e286f6cc8bca1a3e0e01db42fdccd72f5838de750c6b0a7964689e76b92ea190
Instruction Fuzzy Hash: AC015E71B0410A9FDF54DF68AC45AAE7FB9FB88351F00402AF91993290DB308910DBA1

Function 0309C1A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34a50cae2c9a8d4005ff2b080e500be88d3c70375ed13df578e3a2ab6644169
Instruction ID: 7176390b42c25f69afdb301744485afc87ccfd42ba9e140f3e7aeaddb20227df
Opcode Fuzzy Hash: f34a50cae2c9a8d4005ff2b080e500be88d3c70375ed13df578e3a2ab6644169
Instruction Fuzzy Hash: 1EF0B436B457118FEB16DB78A55155DB7A5DBC5221B0900ABE108DF2E1CE71DC029B50

Function 030946C9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ae3367a6f86023087c9e5a234660e3fdf7bb4a102b2608343052a83aa1d96d
Instruction ID: 9e83cb854454d8cfdf50e32792e2d93a8e6dd0890901291f63f9c63d26f07f20
Opcode Fuzzy Hash: 11ae3367a6f86023087c9e5a234660e3fdf7bb4a102b2608343052a83aa1d96d
Instruction Fuzzy Hash: A7F0FE70415342CFD7215B24E8AC26A7B70EF0B35B7042D45D44ECA039DB301410CB13

Function 0309BE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67031b9857b4a31e2892f8f1189dd51ee499bc99e04416f5374d73ad70592c6f
Instruction ID: b183a7df7f45d63cc2a746183ed0af9bd314964e1d9eae02b9c6ce53b9f2296c
Opcode Fuzzy Hash: 67031b9857b4a31e2892f8f1189dd51ee499bc99e04416f5374d73ad70592c6f
Instruction Fuzzy Hash: 0CF05E35301105DFCB04CF5AD484D6ABBEAFF88720754406AF60987331CB719C11CB80

Function 0309B9EA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72960f0402d52045d0f144075a1fcb0f6f23fb69412eff3cf7866fd2d20466b
Instruction ID: 2374374d7e3476a4626deefbb6a8aea0cff8e9efdbcf1e0ceb8a06920ef94ddc
Opcode Fuzzy Hash: d72960f0402d52045d0f144075a1fcb0f6f23fb69412eff3cf7866fd2d20466b
Instruction Fuzzy Hash: 2CF02439A042059FCB10CF78D98099EFFF1BB88320B18866FD2454B191E7B09A0287C2

Function 0309BE93 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6044b13a0686067d3d536551cfae8c316d0e4c73c162d3cf7bc0db219fb21e91
Instruction ID: 92dc35d8884071e04d79f265e120ec870a04396d4ebaaa07865b9611fac91821
Opcode Fuzzy Hash: 6044b13a0686067d3d536551cfae8c316d0e4c73c162d3cf7bc0db219fb21e91
Instruction Fuzzy Hash: E7E06D322011199FCB059E5AE884E6EBFAEEF88320B94403AF60987220CA718C14CB90

Function 030946D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dd4fa7b68704f89009ff51079c1f2c81d56b1353613b027f5e84ef881564f3
Instruction ID: 9de7b7dc0dbd40bbe5d6849aa11b44c6a9188d882b095bef2822398b83516dcf
Opcode Fuzzy Hash: 77dd4fa7b68704f89009ff51079c1f2c81d56b1353613b027f5e84ef881564f3
Instruction Fuzzy Hash: 06E009B5062346CBE7606B61B5AC23EBAB5EB0B39BB442D05E00EC903D9F704854CB56

Function 03091877 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283e0bede6b9fa83464eb02b5faac6cfc1a9c5ef1e964eb1d190fa6c5fffcb8a
Instruction ID: d35b61db4b358aac16562a829c2a44c19533093c3827b24e8fc9899a40fa8639
Opcode Fuzzy Hash: 283e0bede6b9fa83464eb02b5faac6cfc1a9c5ef1e964eb1d190fa6c5fffcb8a
Instruction Fuzzy Hash: 54E0DF31D213A74ACB02DBB0A8104EEFB30AE93310B0556A7E8107B040EB30164AC760

Function 05C6AD81 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf41aef6849c48b6835a90d51ca218945c231ce2096c81aa4511e12dd6e3cad
Instruction ID: 9ee6e9770de08ac37efa29edf17722967d0495c2bb5547831a077ae77b0ef7d5
Opcode Fuzzy Hash: dbf41aef6849c48b6835a90d51ca218945c231ce2096c81aa4511e12dd6e3cad
Instruction Fuzzy Hash: 28E0CD340093864FC7465774AC685D33F6ADF91140705569EE5C14B157DEB82C4A8761

Function 03091888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99910f8601d621c17c4f20f008ea4305fa0e83684912e75978b95e049c5d622
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: b99910f8601d621c17c4f20f008ea4305fa0e83684912e75978b95e049c5d622
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 0309BE64 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e1fd1ec80a5d6d5dae0231be6d159e916754764189542dfee7e65a65236184
Instruction ID: 58ce39a5823db9b5befd191a160fe0a12e6179d5c636fea8b337bc261e978499
Opcode Fuzzy Hash: 67e1fd1ec80a5d6d5dae0231be6d159e916754764189542dfee7e65a65236184
Instruction Fuzzy Hash: E4E0EC35301105CFDB00DF59D484C6CBBA5FF482253559066E6058B231CA31DC15DB40

Function 0309BF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ab7490208d4cfebba469951e7d0b09b4a9c033e8f5f844aaf65d7a050e65a
Instruction ID: 7a3b21611a56fbe0ffa31666fd12a6289de3efa9b409224a775c9610bea4fe17
Opcode Fuzzy Hash: b94ab7490208d4cfebba469951e7d0b09b4a9c033e8f5f844aaf65d7a050e65a
Instruction Fuzzy Hash: 1BD0C937310128AB4B052E49A8098AE7FAEEBCDB727048036F91983340CEB18D1297E5

Function 05C6D95D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8777bd9509472f01024e28819c03e60d394b42d1d56b85f847022948379b097d
Instruction ID: 450f08bd1ff0cb04c3e43e824c208cfe81ad68943b15331c269c102187ac394e
Opcode Fuzzy Hash: 8777bd9509472f01024e28819c03e60d394b42d1d56b85f847022948379b097d
Instruction Fuzzy Hash: 29D0677AB001089FDB049F98E8549DDF7B6FB98661B048126EE15A3260C6319925DB50

Function 05C6AD90 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3399266757.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5c60000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af87e07c4ed3d31e54cc2ce94b504d509ac96dd05dac123bac9c9707c20f822d
Instruction ID: 50039e2a110f4921f4f3bf3869e3a2361ad640cf7faeb0ae021a187b76f4ed2b
Opcode Fuzzy Hash: af87e07c4ed3d31e54cc2ce94b504d509ac96dd05dac123bac9c9707c20f822d
Instruction Fuzzy Hash: 68C0123010030A8AD689E779F85C5153BAAEBD0340B409619D60505659DFFC1C455790

Function 03094831 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3395473456.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3090000_NoCGdFUXaoNd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f663e04af0aa6c3fd38bb99a3a13da7d5390697affc7adf70e2906841d2a0eb6
Instruction ID: f90095b78519a508f4eda1cf4c60024c5f8a1cd50b8c71860c50237e94c01811
Opcode Fuzzy Hash: f663e04af0aa6c3fd38bb99a3a13da7d5390697affc7adf70e2906841d2a0eb6
Instruction Fuzzy Hash: 2BC04C7144A2D08FCF1BDB74C4A55597BB0AE1B200B154CCBD041C709AD924A004C712

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NoCGdFUXaoNd.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01oklfum.3x4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04jochd3.krr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0dpwzdr.vnd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztd4lsxz.hgd.ps1

C:\Users\user\AppData\Local\Temp\tmp70BF.tmp

C:\Users\user\AppData\Local\Temp\tmp7C49.tmp

C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe

C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe:Zone.Identifier

Static File Info

Windows Analysis Report
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Function 09EF6008 Relevance: 2.7, Strings: 2, Instructions: 168
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre